Out-Law News 4 min. read

Behavioural advertising is fair if users can opt out, says privacy watchdog


There is nothing "intrinsically unfair" about behavioural advertising but website operators should offer visitors the option of using their services without any activity being recorded, privacy watchdog the Information Commissioner has said.

The Information Commissioner's Office (ICO) has published its first code of practice for the gathering and processing of personal data online. It gives companies guidance on how to treat the information they gather when offering services on the internet.

Some internet users and privacy groups have expressed concern about the increasingly common practice of tracking users' behaviour and showing them advertising based on that activity in a bid to increase its relevance and effectiveness.

The ICO's new guide has said that there is nothing wrong with that practice when it is conducted fairly.

"[Behavioural advertising] involves the processing of personal data and the [Data Protection Act (DPA)] applies," it said. "However, using personal data in this way is not intrinsically unfair or intrusive, and the DPA provides various options for processing this information legitimately."

The guidance advises web publishers to give users the option of not being tracked. "Some individuals may want to visit a website without any record of their online behaviour being retained," it said. "Therefore it is good practice to provide a simple means of disabling the targeting of advertising using behavioural data."

"It is a legal requirement under the Privacy and Electronic Communications Regulations (PECR) to tell the individual when information is to be stored on their equipment, for example in the form of a conventional cookie, a Local Shared Object or flash cookie, and to give them the opportunity to refuse this," it said.

The guidance does allow publishers to simply refuse to offer their service on a non-tracked basis, though.

"Where the use of cookies is strictly necessary for the provision of goods and services, organisations are under no obligation to provide the service to individuals who refuse the necessary cookies," it said.

Organisations which collect any personal data must do so in a way that complies with the DPA. That law also requires the ICO to promote good practice. It said that this is what motivated it to publish the code of practice.

"This code is the Information Commissioner’s interpretation of what the DPA requires when personal data is collected and used online," it said. "It gives advice on good practice, but compliance with our recommendations is not mandatory where they go beyond the strict requirements of the Act. The code itself does not have the force of law, as it is the DPA that places legally enforceable obligations on organisations."

It is often difficult for organisations to tell which data counts as the 'personal data' protected by the DPA and which does not when it comes to online services. Courts, data protection authorities and users have argued over whether internet protocol (IP) addresses are 'personal data' or not.

The code said that organisations should err on the side of caution in relation to information that might qualify.

"When you cannot tell whether you are collecting information about a particular person, it is good practice to treat all the information collected as though it were personal data," the code said.

The DPA gives especially strong protection to certain kinds of information that it deems sensitive. The ICO said that this should never form the basis of behavioural ads.

"The threshold for processing sensitive personal data to deliver advertising is high. The DPA provides no obvious alternative to obtaining the individual’s explicit consent to the use of sensitive personal data for this purpose," it said. "Particular problems could arise when a visit to a sensitive website leads to ads related to its content being displayed on a different website."

"Where a device, for example a home PC, is shared between family members, this could allow one person to deduce that another has been accessing websites about, say, a sexual health problem. The key to managing this is for the publisher of the website to obtain explicit consent for the advertising in the first place," said the code.

Organisations are increasingly using remote computing power, called cloud computing, as a basis for their services. Their responsibility to protect privacy is not affected by that outsourcing, the ICO said.

"Your use of an internet-based service must not lead you to relinquish control of the personal data you have collected, or expose it to security risks that would not have arisen had the data remained in your possession in the UK," said the code. "There must be a written contract in place. This can be an electronic one, requiring the internet-based service provider to only act on your instructions and to have a level of security equivalent to yours."

Any body processing personal data should at the very least make it easy for people to track that processing and complain about or change it, the guidance said.

"Organisations operating online should work towards making it easy for individuals to find out who is responsible for an ad, for example by clicking on it," it said. "It is bad practice to make people contact you by letter or telephone if you provide services to them online. It is also bad practice to expect individuals who have reached your homepage to follow a large number of links or to navigate a number of different pages before they can access your contact details."

“Organisations must be transparent so that consumers can make online privacy choices and see how their information will be used," said Information Commissioner Christopher Graham. "Individuals can take control by checking their privacy settings and being careful about the amount of personal details they post to social networking sites and elsewhere online."

"The code clarifies the law in a number of key areas, in particular organisations will welcome the additional guidance on behavioural and targeted marketing, which has become a hotly debated area in recent years," said William Malcolm, a privacy law expert at Pinsent Masons, the law firm behind OUT-LAW.COM.

"Although there is nothing controversial in the ICO's guidance, organisations should bear in mind that consumer expectations and the regulatory environment have changed in recent months," he said. "Consumers rightly expect organisations to be more transparent about how data is used for marketing purposes and the ICO now has the power to fine those who wilfully flout the rules in a way that causes damage to consumers up to £500,000."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.