Saturday 26 June 2010

Behaving – well, perhaps not so badly after all

The Article 29 Working Party has recently issued quite a useful Opinion on behavioural advertising. It’s a handy document, just 24 pages in length, which sets out what behavioural advertising currently is, how it works, how different players are involved at different stages in the process, and finally what the current legal rules might require the various players to do to ensure that the process remains lawful. By lawful, perhaps a better phrase would be “fair and transparent”.

I still have one fundamental approach with the whole concept of behavioural advertising, though. In a nutshell, these technologies are very much in their infancy, but to a large extent depend on someone pressing keys on electronic devices. While a link can quite easily be made between the electronic device and the profile that is being built up by the pressing of the keys, it’s really hard to notice when a new person starts pressing these keys. After all, how many people have pressed the keys which have created just these two paragraphs? Is it really just one? Or did I ask my neighbour to add a thought too? How will anyone (other than me and my neighbour) ever know?

Anyway, back to the plot. The Working Party considers that “Behavioural advertising entails the tracking of users when they surf the Internet and the building of profiles over time, which are later used to provide them with advertising matching their interests. While ... [it] ... does not question the economic benefits that behavioural advertising may bring for stakeholders, it firmly believes that such practice must not be carried out at the expense of individuals' rights to privacy and data protection.”

In particular, advertising network providers are obliged to ensure that the practice of placing cookies or similar devices on users' terminal equipment or obtaining information through such devices is only allowed with the informed consent of the users. The Opinion notes that settings of currently available browsers and opt-out mechanisms only deliver consent in very limited circumstances. Therefore, the advertising network providers have been asked to create prior opt-in mechanisms which require a positive action by users, indicating their willingness to receive cookies or similar devices and the subsequent monitoring of their surfing behaviour for the purposes of serving tailored advertising.

The Opinion recognises that no-one wants to surf the internet and be faced with a snowstorm of consent pop-up boxes each time they log onto a new web site. Therefore, a single acceptance to receive a cookie may also entail the user’s acceptance for the subsequent readings of the cookie, and hence for the monitoring of their internet browsing.

But – and this appears to be quite a big but - to keep users aware of the monitoring, ad network providers should:

• limit in time the scope of the consent;
• offer the possibility to revoke it easily and
• create visible tools to be displayed where the monitoring takes place.

This requires the “privacy by design” approach, and will no doubt take a little time to work. Let’s hope that the most significant stakeholders try to get together and deliver an approach that is consistent across the behavioural advertising ecosphere. If they were to be able to jointly develop, say, the same types of logos to notify users about when behavioural advertising is taking place, and they presented users with similar ways of accepting and objecting to cookies, everyone’s lives would be much easier.

Data controllers have, over time, developed common techniques of displaying “fair obtaining” notices. Users generally see a link to a “privacy policy” at the foot of a home page, and they know what “unsubscribe” means when they get marketing emails. Can behavioural advertisers create similarly easily understood concepts? They ought to be capable of working amicably and constructively in this area. After all, it's a non-competitive issue, so the competition authorities are unlikely to prevent the big players from talking to each other.

I became more concerned when I read the parts of the Opinion which argued that as behavioural advertising is based on the use of identifiers that enable the creation of very detailed user profiles, in most cases these will be deemed personal data. Accordingly, users should benefit from the protections afforded them by the EU Data Protection Directive.

I think that the advertisers will face very considerable difficulties in working out how they might deal with a user who demands to exercise rights of access, rectification, erasure, retention, etc. This is a real minefield, and a lot more work needs to be done to explore this issue.

The Opinion notes that publishers may share certain responsibility for the data processing that takes place in the context of behavioural advertising, so they should share with ad network providers the responsibility for providing information to users.

Lots of creativity and innovation will be required here. But, as the Opinion rightly points out, “Given the nature of the practice of behavioural advertising, transparency requirements are a key condition for individuals to be able to consent to the collection and processing of their personal data and exercise effective choice.”

This debate will continue for a good while to come, and I’m sure that many stakeholders will use this document as a basic text on which they will explain why their views and interpretations differ from those of the Working Party.

For those who want to read more, the Opinion can be found at