EC data protection threat focuses on online marketing

The UK has fallen foul of European Commission regulations following BT's use of the Phorm internet behavioural advertising tool to track customers. But what are the consequences for online marketers?

By Stuart Lauchlan, news and analysis editor

The European Commission(EC) has threatened the UK with sanctions for allowing an internet service provider to use a new advertising technology to track the web movements of customers - a case that could become a test for the limits of marketing aimed at online behaviour.

The European telecommunications commissioner, Viviane Reding, said that use of a tracking tool created by Phorm and used by BT without customers consent in 2006 and 2007 violated European privacy laws.

The EU directive on privacy and electronic communications requires EU member states to ensure confidentiality of the communications by prohibiting unlawful interception and surveillance unless the users concerned have given their consent. The EU Data Protection Directive specifies that a person must freely give specific consent and be informed before their personal information is processed.

"European privacy rules are crystal clear: a person's information can only be used with their prior consent," said Reding. "We cannot give up this basic principle and have all our exchanges monitored, surveyed and stored in exchange for a promise of 'more relevant' advertising! I will not shy away from taking action where an EU country falls short of this duty.”

According to the EC, the UK has two months to reply to a letter of formal notice sent this week, which marks the first stage of the infringement proceeding. If the UK fails to respond adequately and "fulfil its obligations under EU law", the Commission warned that it will refer the case to the European Court of Justice.

"Technologies like internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules. These rules are there to protect the privacy of citizens and must be rigorously enforced by all member states," said Reding. "We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of the EU rules on the confidentiality of communications. I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications."

Advocates of technologies such as Phorm argue that they will transform advertising by allowing marketers to show internet users only ads that are considered relevant to them, based on their surfing habits. But this will also lead to companies seeking more specific data on individual users, potentially threatening personal privacy say critics.

This month, the Internet Advertising Bureau, a trade association for internet marketers in Britain, asked its members to sign a voluntary code of conduct stating that no web data would be collected without a user's explicit consent, a move endorsed by Ed Richards, the head of the British telecommunications regulator, OfCom.

Investigation

The UK information commissioner Richard Thomas has already mounted an investigation into the use of Phorm by BT and concluded that the technology had adequately eliminated ties to individual users. The Department for Business, Enterprise and Regulatory Reform had said it was satisfied the technology could be implemented "legally, appropriately and transparently" in the UK, as long as internet service providers did not record or store any personal information and users gave their prior consent.

But critics said that the UK does have a case to answer for. "What the UK government has done is lackeyed up to business and as a result we've been breaking EU law and now have this infraction proceeding as a result," said Jim Killock, executive director of the Open Rights Group, an association that has led the protest against Phorm in the UK.

"We have long argued Phorm is a gross invasion of internet users' privacy because it illegally intercepts confidential material. Following our call for intervention, the EU has implicitly recognised the system involves unlawful interception because it does not obtain permission from both the user and the website owner. The UK authorities consistently deny this claim, although its unclear precisely which part of Government is responsible for enforcing related legislation. Fortunately, the EU has also expressed concerns with procedure, which should ensure similar technologies receive proper scrutiny in future.

"There are big legal questions surrounding BT's use of Phorm," he continued, "so we welcome the EU taking the government to task. It's a pity our own government haven't had more backbone and stood up for their voters' rights. BT should respect everyone's privacy and drop their plans to snoop on the internet before they damage their own reputation further. Websites should protect their users and block Phorm now."

Simon Davies, the director of Privacy International in London, said there would be wider implications stemming from any action taken by the EC. "The EU has been attempting to require the UK government to produce a definitive statement on behavioural advertising for more than a year. But the UK government has refused to do that and now we have a total breakdown of regulatory oversight," he said. "The result is intransigence on the part of Britain."

A spokesman for Phorm said the company felt it was being made an example of in a broader regulatory struggle between Britain and the commission. "Phorm is very confident that it is compliant with the relevant UK laws and EU directives," he said.

Online marketing vendors were clearly alert to the possibility of further problems resulting from the threats by the EC and keen to make the point that there is good practice. "Whoever is right about the legality of Phorm's use of targeting, what is clear is that businesses can achieve improvements in customer experience without any need to challenge EU data privacy rules," said Neil Morgan, vice president of EMEA marketing at Omniture.

"There are two criteria that ensure behavioural targeting is implemented in a way that is both legal and ethical: First, to only collect data from visits paid to the businesses own site, something we call on-site targeting. This avoids any concerns of being followed around as you surf the web. Second, to only collect information that is not personally identifiable, just anonymous data that cannot identify the visitor.

"With these it is possible to improve the site experience for visitors in a way which can dramatically increase the rate of conversion for a site, without the need for data collection that creates privacy concerns. The resulting experience is also beneficial to the consumer, particularly in retail sites; just imagine walking into your favourite supermarket to see everything on your shopping list that day in the first aisle."

Akin Arikan, Unica's head of internet marketing, added: "The most important aspect of using behavioural targeting is to ensure that consumers are aware that companies are using it and that their personal data is not being shared. Businesses using behavioural targeting need to ensure they have an open, easy to understand privacy policy. Ideally, customers should be required to opt-in (or at least have the opportunity to opt out) of the service.

"The marketing industry needs to educate and reassure consumers that behavioural targeting can greatly benefit them and it is about providing a service, not spying on their every move. Analysing online customer behaviour allows businesses to provide their consumers what they need, when they are looking for it; much like a personal online shop assistant."

Reding is on something of a crusade to legislate about new forms of internet activity, particularly in relation to social networking providers. "Privacy must, in my view, be a high priority for social networking providers and their users," she said. "I firmly believe that at least the profiles of minors must be private by default and unavailable to internet search engines. The EC has already called on social networking sites to deal with minors' profiles carefully, by means of self-regulation. I am ready to follow this up with new rules if I have to."