What is Behavioural Targeting?
Behavioural targeting of Internet advertising is the process of displaying advertisements to a user, based on certain data about that user’s Internet browsing activity on one or more Internet sites. The ultimate goal is to increase the rate of ‘conversion’, i.e. the number of users who see an advertisement and click on it (and, ultimately, buy the item advertised).
The behavioural targeting process may be either site-based or network-based. Site-based behavioural targeting involves assigning a unique identity to the user by setting a ‘cookie’ on the user’s browser and/or hard-drive in order to track the user’s journey on a web site. The cookie sends certain data about the user’s journey to a rules engine that determines which content to serve to the user. The web site owner or operator may use software, analytics and other services to assign users to channels and to ascribe profiles to users.
Network-based behavioural targeting involves an advertising network service provider serving advertisements to users based on data about that user’s journey across multiple participating web sites. That data may be obtained from cookies and/or by inspecting the user’s browsing traffic as it passes through a participating Internet service provider’s servers (‘Deep Packet Inspection’ or ‘DPI’).
Cookies may be either ‘Session cookies’, which are temporary and deleted as soon as you close your browser; or ‘Persistent cookies’ that are stored on your computer hard drive until they expire or you remove them. The latter tend to store and send information, such as your login details or your answer to a previous question. You can configure your browser to warn you whenever a new cookie is about to be stored; clear the cookies that have previously been set; and/or block specific cookies in advance.
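As an added illustration (not part of the original article), the sketch below classifies `Set-Cookie` response headers as session or persistent cookies, in the sense described above, and flags those set by a host outside the site being visited. The host names, header values and the suffix-match test for ‘third party’ are constructed assumptions; a real audit would compare registrable domains using the Public Suffix List.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def cookie_expiry(header, now):
    """Return (name, expiry) for one Set-Cookie value; expiry None means session cookie."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # last duplicate wins
    # A valid Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    try:
        return name, now + timedelta(seconds=int(attrs["max-age"]))
    except (KeyError, ValueError, OverflowError):
        pass
    try:
        when = parsedate_to_datetime(attrs["expires"])
    except (KeyError, ValueError, TypeError):
        return name, None  # no usable lifetime: dies with the browser session
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return name, when


def audit(site_domain, responses, now):
    """Classify each (responding_host, Set-Cookie value) pair seen on one page load."""
    rows = []
    for host, header in responses:
        name, expiry = cookie_expiry(header, now)
        if expiry is None:
            kind, days = "session", None
        elif expiry <= now:
            kind, days = "deleted", 0  # an expiry in the past removes the cookie
        else:
            kind, days = "persistent", (expiry - now).days
        # Assumption: simple suffix match instead of a Public Suffix List lookup.
        third_party = not (host == site_domain or host.endswith("." + site_domain))
        rows.append({"host": host, "name": name, "kind": kind,
                     "days": days, "third_party": third_party})
    return rows


# Constructed sample: headers observed while loading a page on shop.example.
NOW = datetime(2009, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("www.shop.example", "basket=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "login=alice; Expires=Wed, 01 Jul 2009 00:00:00 GMT; Path=/"),
    ("ads.adnet.example", "uid=7f3a; Max-Age=63072000; Expires=Wed, 01 Jul 2009 00:00:00 GMT"),
    ("ads.adnet.example", "optout=; Max-Age=0"),
]

if __name__ == "__main__":
    for row in audit("shop.example", SAMPLE, NOW):
        print(row)
```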
DPI enables ISPs to inspect their subscribers’ and other users’ browsing data, and to pass certain data about the contents to the ad service provider to determine which ads to serve to each user. In order to inspect only the browsing data of consenting users, the ISP may switch each user’s browsing request to another internal computer to ensure that certain cookies are set, before sending the browsing request to the desired site. This may involve the ISP’s internal machine ‘pretending’ to be the real destination site[1].
It is important to consider that web sites, ad network providers and ISPs may store other data obtained from users, such as Internet Protocol (IP) addresses and transactional data in connection with the provision of other services (e.g. search or e-commerce). That data may not be essential to the behavioural targeting process, but may be used in connection with that process as a result of a user’s consent to use that data for marketing purposes.
Why Consent is an Issue
An advertiser is attempting to build a level of trust or acceptance amongst potential consumers. Gaining a web site user’s consent to see advertising based on the user’s Internet activity is part of engendering that trust. There is often a tension between the commercial demands for a ‘frictionless user experience’ to aid conversion, and legal requirements (covered below) that consent be explicit, implicit, or presumed with an opportunity to refuse, or that it be unambiguous, freely given, specific and informed. Hence it becomes important to consider why consent might not be given, or that it may be withdrawn. The sources of users’ resistance may be technical or cognitive, cultural, behavioural, emotional or political. A user may not understand how the service works or how it is secure or lawful; he or she may not like advertising at all; or the frustrated user may opt out of everything to avoid interruption, or out of an aversion to capitalism. Resistance may be overcome by providing more data (explanation), creating demand (compensation or other perceived value) or by demonstrating how others have used a service beneficially. Consent is a dynamic involving conflicting and competing forces, so constructive engagement with users is critical to obtaining and maintaining their consent.
The UK regulatory requirements for consent may be found in the following Acts and regulations, which tend to protect consumers and web site publishers and cast obligations on advertisers, ad network providers and ISPs, particularly in the context of DPI-based behavioural targeting (see Table 1):
1. Data Protection Act 1998
2. Privacy and E-communications Regulations 2003
3. Regulation of Investigatory Powers Act 2000
4. Fraud Act 2006
5. Computer Misuse Act 1990
6. Copyright, Designs and Patents Act 1988
It should also be mentioned that laws designed to ensure that contracts and other dealings with consumers are clear, fair and not misleading[2] often underpin these requirements for users’ consent. For example, a contractual term may not be binding on a user who is not given a ‘real opportunity of becoming acquainted’ with it before the contract is concluded[3]; and it may be an offence to omit material information that causes or is likely to cause the average consumer to take a transaction decision he would not have taken otherwise[4]. Various industry codes also attempt to ensure that product providers treat consumers fairly, in addition to complying with the law[5].
Table 1: Rights, risks and obligations relating to behavioural targeting of Internet advertising under UK regulation. The Table can also be downloaded from the panel opposite. It shows the UK regulatory requirements under the specified Acts and regulations.
Data Protection Act 1998
It is important to determine whether a behavioural targeting service involves processing users’ personal data. Owing to the complexity of deciding which data to collect and what it might be combined with, it may be worth structuring the behavioural targeting to either avoid such processing entirely, or always to obtain consent where that is feasible. Essentially, ‘personal data’ relates to an individual who can be identified from that data, either alone or in combination with other data accessible to the person who determines the purpose and manner of processing (the ‘data controller’). It is lawful to process personal data if (relevantly), (i) the data subject has given his consent to the processing; or (ii) the processing is necessary for performing a contract to which the data subject is a party, for taking steps at the data subject’s request with a view to a contract or for any non-contractual legal obligation on the data controller.
‘Sensitive personal data’ is defined to include information as to a person’s (a) racial or ethnic origin, (b) political opinions, (c) religious or similar beliefs, (d) membership of a trade union, (e) physical or mental health, (f) sexual life, (g) commission, or alleged commission, of any offence, or (h) proceedings for any offence. Such data may be processed if (relevantly) the data subject explicitly consents or the information contained has been made public by steps deliberately taken by the data subject.
‘Consent’ is not defined in the Act, but rules of interpretation implicate the Directive[6]: an ‘unambiguous’ (Art 7), ‘freely given, specific and informed indication…by which data subject signifies his agreement to processing’ (Art 2(h)).
Privacy and Electronic Communications (EC Directive) Regulations 2003
These regulations purport to implement Directive 2002/58/EC, which creates an obligation of confidentiality for ‘communications and the related traffic data’ on public communications networks (Article 5(1)). It appears that the UK also intended the Regulation of Investigatory Powers Act 2000 (‘RIPA’) to deliver this protection (see below). The Directive allows service providers to use traffic data (data processed for conveying a communication – e.g. routing, timing, duration) for marketing purposes with the user’s consent (Article 6). ‘Consent’ means the same as in the Personal Data Directive (although that definition is absent in the UK implementation of both Directives).
The European Commission has alleged[7] that the UK has not adequately implemented the Directive to effectively ensure confidentiality of the relevant communications and to require an opt-in by users to the use of their traffic data for marketing purposes. The results of this complaint are not yet known, and its resolution will create uncertainty for a considerable length of time.
These regulations also cover the use of cookies. They prohibit the use of a public network to store or access information stored in a subscriber’s or user’s computer unless clear, comprehensive information about the purposes of storage and access is given, with an opportunity to refuse permission. ICO guidance[8] allows presumed consent, with a clearly displayed privacy policy or other means of opt-out to enable a user’s refusal (reg. 6).
RIPA
RIPA seeks to protect the confidentiality of communications on public networks by prohibiting them from being intentionally intercepted in the course of transmission and made available to a third person (s 2). The EC has alleged that this fails to deliver the confidentiality required by Article 5(1) of Directive 2002/58/EC (see above), particularly as it only deals with intentional interception. Even so, it is not clear whether DPI-based filtering involves the interception of a communication in the course of transmission; whether the data is made available to a third person, albeit temporarily, when filtered; or whether transmission has ceased by the time an ad is served to the user’s web page.[9]
Even if there is an intentional interception, behavioural targeting may be lawful without a warrant if:
1. there are reasonable grounds for believing the communication is one the sender and recipient have consented to being intercepted (s 3(1)) – yet, to the extent that ISPs rely on clauses in terms covering the user’s Internet connection, consent may not be given freely; and where there is no commercial contact between the ISP and web site publisher, it is difficult to see how the publisher’s consent could be obtained (or presumed);
2. the targeting is connected with the provision or operation of the telecommunications service (s 3(3)) – but, even if a DPI-based behavioural targeting service also has an operational benefit, it seems unlikely that this should excuse serving ads to the user.
Fraud Act 2006
The Fraud Act creates three offences that may apply to DPI-based behavioural targeting, to the extent that servers ‘pretend’ to be a user’s intended destination in order to earn advertising revenue, where consent to such pretence cannot be proved. The first offence is dishonestly making a representation of fact or law, express or implied, that you know is or might be untrue or misleading, intending to make a gain for yourself or another, or to cause loss to another or expose another to a risk of loss (s 2). The second is dishonestly failing to disclose information you are under a legal duty to disclose, intending to make a gain for yourself or another or to cause loss to another or expose another to a risk of loss (s 3). The third is making, adapting, supplying or offering to supply any program or data in electronic form knowing it is designed or adapted for use in the course of or in connection with fraud or intending it to be used to commit or assist in committing fraud (s 7). Careful consideration would need to be given to the facts of each case to ensure that no offence is likely to be committed.
Computer Misuse Act 1990 (CMA)
The Computer Misuse Act 1990 creates two offences that may apply to DPI-based filtering for behavioural targeting, where it could be proved that the operator of the filtering service knew that a web publisher had not consented to the filtering. The first is where you cause a computer to perform a function with intent to secure or enable access to any program or data held in any computer (including causing it to be displayed), and you know the access is unauthorised (s 1). The second is where you cause or enable an unauthorised change or addition to the contents of any computer at a time when you intend the modification to impair the operation of the computer, or prevent or hinder access to any program or data in any computer (perhaps to displace a rival’s advertising), knowing the same is unauthorised (s 3). Again, careful consideration would need to be given to the facts of each case to ensure that no offence is likely to be committed.
Copyright, Designs and Patents Act 1988
Copyright subsists in various types of original works, including computer programs and computer-generated works. It is infringed by engaging in certain restricted acts in relation to a copyright work, including copying a substantial part of it (s 16). It would seem unlikely that the cookie process described above infringes copyright. But it would be conceivable that substantial copying could occur where a flow of copyright material is being copied by a user whose browsing is in turn being filtered in the course of DPI-based behavioural targeting.
Further, a ‘database right’ is protected under the Databases Regulations where the maker has invested substantially in obtaining, verifying or presenting the contents of the database. This right may be infringed by repeated and systematic extraction and/or re-utilisation of even insubstantial parts of the contents of a database (even if from the public domain), the cumulative effect of which would be to seriously prejudice that investment, where all or a substantial part of the database was reconstituted[10]. It may be that temporary copies for targeting ads could have this effect, if it deprived the database owner of income. Even the potential for such a loss may be a reason for site publishers to challenge or withhold their consent to DPI-based behavioural targeting.[11]
By virtue of s 28A there is no infringement when making a temporary copy that is transient or incidental, and an integral and essential part of a technological process, the sole purpose being to enable (a) transmission of the work in a network between third parties by an intermediary; or (b) a lawful use of the work; and it has no independent economic significance. DPI-based behavioural targeting may not benefit from this exemption where it is unlawful under one of the other bases discussed earlier, since it has independent economic significance in terms of the advertising revenue that is supposed to accrue to the ISP and the ad network provider.
Conclusion
Behavioural targeting of Internet advertising may have the effect of increasing the rate at which the users of a Web site click through Internet ads. However, transparency about the targeting process used, as well as constructive engagement with users regarding potential sources of their resistance, is critical, not only to obtaining and maintaining users’ consent to the targeting process but also to engender trust in the advertiser and its products. The UK regulatory requirements for consent protect the interests of both users and Web site publishers, and cast obligations on advertisers, ad network providers and ISPs. DPI-based network behavioural targeting carries the most risk (to ISPs and their ad network providers), owing to the way the process works and the regulatory restrictions on accessing and using communications and traffic data on public telecommunications networks. Unfortunately, the precise impact of these restrictions is uncertain, which increases the risk of operating a process that may result in the commission of certain offences and/or infringement of the rights of users and Web site publishers. The European Commission has challenged the UK to address certain alleged shortcomings under UK data protection and privacy regulation, specifically in the context of DPI-based behavioural targeting. It is hoped that this results in the clarification of how the overall regulatory framework discussed in this article applies to behavioural targeting generally.
Simon Deane-Johns is a Consultant Lawyer at Axiom: email: sdeane-johns@axiomlaw.net
[1] Clayton, R. ‘The Phorm Webwise System’, May 2008 http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf
[2] E.g. the Unfair Terms in Consumer Contracts Regulations 1999 and the Consumer Protection from Unfair Trading Regulations 2008.
[3] Regulation 5(5) of and Sch 2(1)(i) to the Unfair Terms in Consumer Contracts Regulations 1999.
[4] Regulations 6 and 10 of the Consumer Protection from Unfair Trading Regulations 2008.
[5] E.g. http://www.iabuk.net/en/1/iabstandardsandguidelines.html; and http://www.asa.org.uk/asa/codes/cap_code/ShowCode.htm?clause_id=1653
[6] EC Directive 95/46/EC
[7] http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/570
[8] http://www.ico.gov.uk/upload/documents/library/privacy_and_electronic/detailed_specialist_guides/pecr_guidance_part2_1206.pdf
[9] For a more detailed discussion of these issues, see Bohm, N. ‘The Phorm ‘Webwise’ System – a Legal Analysis’ 23.04.08 http://www.fipr.org/080423phormlegal.pdf
[10] British Horseracing Board Ltd v William Hill Organisation Ltd, ECJ Case C-203/02
[11] For a detailed discussion of the Intellectual Property implications of DPI-based behavioural targeting, see Bohm, N. & Harrison, J. ‘Profiling Web Users – Some Intellectual Property Problems’ SCL, 05/09/2008