Google recently announced that it has begun showing web surfers “interest-based ads”. The new tool serves online ads based on recent search terms or the content of the websites visited. This follows Yahoo’s release in February of its own behavioural advertising application, “Search Retargeting”.

Recent New York Times reports show it is not just search engines that are developing an interest in targeted advertising. Some cable TV companies have started trials in New York in which TV ads will be customised based on demographic information held about viewers or subscribers, or according to viewing habits. So the ads you see in the “commercial break” will differ from your neighbour’s, based on your data records.

However, the European Commission has just launched formal proceedings against the UK in connection with Phorm, the internet advertising company. Brussels says that UK privacy laws need to be strengthened – in particular, so that internet surveillance (often a key component in online behavioural advertising) is subject to independent regulation.

Regulators, Industry and Campaigners: Different Agendas

Online behavioural advertising has drawn a variety of responses:

  • The UK’s Internet Advertising Bureau published a set of “Good Practice Principles” for online behavioural advertising in March, backed by the UK Information Commissioner. The IAB hopes these standards set a benchmark for the European Consumer Affairs Commissioner, Meglena Kuneva. She has threatened the internet marketing industry with regulation unless it provides “an adequate response to consumers’ concerns on the issue of data collection and profiling”.
  • The European Commission has just launched legal proceedings against the UK in connection with Phorm; this is in relation to BT’s trial of Phorm’s targeted advertising technology.
  • The Open Rights Group has led the charge for the privacy lobbyists – it has asked nine major internet companies (including search engines and social networks) not to use Phorm’s services.
  • The US Federal Trade Commission has revised its privacy principles for online behavioural advertising. The Electronic Privacy Information Centre (a privacy pressure group) has highlighted the risk of advertisers identifying individuals from the demographic information they receive to serve targeted advertisements.

What are the legal issues?

Privacy and Data Protection law is governed by the EU Data Protection Directive (95/46/EC) and, in the UK, the Data Protection Act 1998.

  • Will privacy/data protection law apply to online behavioural advertising? – generally yes, as this relies heavily on collection and use of personal information;  
  • Who bears the data protection compliance risk in the EU? – this depends on who acts as data controller and may include the relevant ISP, host website or ad server. If you are a data controller, you will bear the risk of any data protection breach by anyone acting on your behalf as a data processor;  
  • How do you ensure transparency? – this is a complex issue given the technical nature of the information collected and the difficulties in explaining this clearly and simply to users and customers in a short privacy policy;  
  • Do you need user consent? – data protection law will often require consent. Other laws may also apply, such as the Regulation of Investigatory Powers Act, which prohibits interception of communications without consent;  
  • What cross-border issues arise? – online behavioural advertising often involves international collection and transfer of data which requires arrangements to legitimise the international transfer of data (for example, from the EU to the US).

Where will the privacy law debate go next?

One key question is whether online behavioural advertising requires explicit user opt-in consent, or whether it is sufficient for a user to have the right to opt out of these services. There will be huge pressure to work on an “opt-out” basis so users get targeted with ads unless they refuse them. However, this issue partly turns on whether the services involve the use of personal data. Recent European guidance has underlined the broad scope of personal data, potentially catching data that online behavioural advertising will use, such as IP addresses. The privacy law issues include the following:

We are likely to see tension between the US position (often at the vanguard of behavioural advertising) and that applicable in the EU. As US companies seek to penetrate European markets they will need to deal with the problem of transferring user browsing data across borders, which brings its own set of legal obligations. ISPs, technology providers, and advertisers, wherever they are based, will need to consider whether tracking user browsing may lead to breaches of the terms and conditions of the websites those users visit.

With the global recession, advertisers will be especially keen to ensure their spending delivers the best possible returns. In this context, online behavioural advertising will be increasingly attractive. Its proponents also argue that anything that undermines it will put at risk the (currently) free content and services available to us all on the Internet, given that it is the advertising revenues that are paying for this.