Late last year the European Parliament and Council set the scene for a potentially dramatic challenge to the way online advertising is developing, which enables targeting of advertising content based on online activity collected via cookies.
Online behavioural advertising (OBA) uses information to target the consumer with advertising messages that match their interests and presumed buying intentions. Information derived from online activity determines what ad or what version is served to whom (or not), dramatically improving targeting and reducing wastage.
OBA is a game changer, improving the consumer experience, cutting out irrelevant content, and delivering a better marketing return to brand owners.
As well as agreeing a revision of the EU Telecoms Package – designed to update the legal framework for the telecommunications sector – in slipped an e-Privacy Directive that requires consent prior to the setting of cookies on a web browser. EU member states have until next May to implement the package.
At the EU level, MEPs claimed success in introducing an opt-in regime; industry and some national governments maintain that the wording implies keeping the opt-out. This leaves it to the national governments to specify the meaning of “consent” when implementing the Directive. Plus ça change, and a recipe for wildly differing local implementations, as we have already seen with the original Data Protection Directive, where they range from explicit prior consent to implied consent and soft opt-in for customers.
Against this backdrop the Article 29 Working Party published their opinion in the summer. It appears to significantly extend the definitions of personal data and comes down heavily in favour of explicit consent prior to the collection of behavioural online data via browser cookies.
How would subject access requests work in the situation where a vast number of cookie IDs, containing recent behavioural data used in raw or aggregated form for advertisers from different sectors, nonetheless contain no personal data?
Do legislators really think that cookies are used to spy on consumers? Is there a common (mis)understanding of the benefits cookies offer to faster navigation and better user experiences, delivery of more appropriate offers, and data transparency?
The political dimension isn't helped, of course, when the Wall Street Journal publishes an ‘exposé’ on how tracking technologies are designed to share consumers’ secrets.
The WSJ's investigation found that the nation's 50 top websites on average installed 64 pieces of tracking technology onto the computers of visitors, usually with no warning. A dozen sites each installed more than a hundred. The nonprofit Wikipedia installed none.
Tracking technology is getting smarter and more intrusive, they concluded.
“Monitoring used to be limited mainly to cookie files that record websites people visit. But the Journal found new tools that scan in real time what people are doing on a Web page, then instantly assess location, income, shopping interests and even medical conditions. Some tools surreptitiously re-spawn themselves even after users try to delete them.”
It’s time to address key concerns of user protection and security by applying key principles of Data Protection to these burgeoning, global advertising channels.
a) For example, surely we should be insisting that a broad definition of sensitive data be used, to ensure that offers such as dietary plans are subject to explicit consent.
b) Deep Packet Inspection (DPI), in which an ISP uses technology to inspect the entire clickstream of a browser, has caused deep concerns for years, gaining Phorm notoriety, and will inevitably end up subject to an explicit consent regime.
c) Where personal information that identifies a user by name, sex, age, household composition etc. is combined with online behavioural data, the use of that ensuing personal profile ought to be notified as a specific and fresh use requiring consent.
d) Certain uses of non-personally identifiable data collection may need to be proscribed, such as using tracking to support discriminatory pricing, an issue of concern to legislators.
e) Lastly, Privacy Enhancing Technologies (PETs), overlooked beyond the basics such as SSL security over the last decade, may well be about to come of age, faced with an internet-wide challenge of incomparable commercial scale.
Technologies that separate data, that anonymise through splitting or masking and destroy personal data, as well as those that limit use, are urgently needed to demonstrate that users can be exceptionally well protected at the same time as experiencing the benefits of OBA.
As the market for well-executed OBA starts its long road towards maturity, organisations that aggregate user behaviour data are perfectly placed to apply these technologies to their platform, and must prepare to play their forthcoming role of responsible and respected data controllers.
For now the focus is on cookies. Browser settings do at least currently provide a consumer dashboard to express preference. In a recital to the e-Privacy Directive, non-binding guidance suggested that browser settings would indeed serve as a consent mechanism, which was interpreted as a pointer towards an opt-out regime. Whilst on the face of it the Working Party’s guidance blows that interpretation out of the water, no one should conclude that that is the endgame.
This winter looks set to be one of the most significant in the history of the Internet.
Thanks to FEDMA for providing access to much of the source material used for this article, and from which I have borrowed.