Machines Behaving Badly

June 28, 2010

Mark Watts and Eduardo Ustaran stirred up the debate on an increasingly hot topic, one on which just about everyone who has received it has an opinion – direct marketing.  

In a world where online advertising is big business (with revenue of $5.9 billion in quarter one 2010), more and more advertisers are turning to new (and often controversial) methods to identify and target potential customers. Mark and Eduardo used case studies and real-life examples to uncover the often hidden world of the agents and advertisers who use and promote online direct marketing. They then went on to discuss the impact of privacy law on this topic and considered the question of how to determine the point at which online advertising becomes direct marketing (as opposed to indirect marketing), a question which even the Information Commissioner has been unable to answer.

I offer an overview of some of the key themes coming out of the 27th May session.

Methods of online direct marketing 

Search: advertisements are determined by the context of the search terms used.  Advertisers will bid for the right to display their ad, for example a banner ad, when certain terms are searched for. 

Contextual: Ever noticed how the adverts on a particular web page usually fit in with the content of that webpage, for example, adverts for business class travel on the business pages of newspaper web sites?  This is contextual marketing.  Here the publisher’s web site is cached and indexed for ‘key words’ and advertisers bid for their ads to be served on web sites containing relevant key words. 

Behavioural: Information is collected on a user’s web-browsing behaviour, such as the sites they have visited, in order to determine which advertising channel a particular user falls into.  ‘Cookies’ are used to track user or browser behaviour.  Once this network cookie is set, a profile can be built up based on sites visited and time spent there. This can be combined with other information such as location or demographic, as well as specific ‘identifying data’ such as log-in information, to choose the most relevant advertising.    For example, someone who visits the web sites for Maxim, Wired and Men’s Health may be targeted with advertising for gadgets aimed at younger men.  

Phorm (OIX or Webwise) & NebuAd: these programmes are behavioural tracking services which use deep packet inspection to examine traffic across the internet as a whole, as opposed to just across a particular network. The software intercepts a user’s web-page requests and digests this information, allowing a detailed and continuous behavioural profile to be built up. This in turn allows even better targeting of advertisements. The software is often installed by ISPs in exchange for a proportion of the advertising revenue generated. This type of tracking is the subject of much criticism. Phorm, however, is quick to respond that the information used is completely anonymous, i.e. it is collected from particular users but it is impossible to personally identify a particular user.

Directed Marketing: here the information is not inferred, but is based upon the information users give away about themselves, for example on social networking sites.


Legal Response 

European Union 

Data Protection Directive: Currently, online direct advertising is binary as far as data protection goes. Online behavioural data such as this should only be subject to regulation if it is ‘personal data’. The EU are currently reviewing this directive and in particular are considering online behavioural advertising regulations, qualifying cookies as personally identifiable information (PII), and a possible extension of EU jurisdiction over non-EU based companies.

Privacy and Electronic Communications Directive: Previously, cookies and tracking devices could be set on PCs so long as the user was given clear and comprehensive information about why a cookie was being used by a particular web site (the ‘notice’ element) and offered the right to refuse (the ‘opt-out’ element). However, the newly amended Directive appears to replace the ‘notice and opt-out’ system with a ‘notice and opt-in’ system. Now cookies and tracking devices can only be set if a user has given prior consent, having been provided with clear and comprehensive information. This has raised questions as to how advertisers should obtain confirmation of consent without disrupting the user’s browsing experience, particularly for multiple and regularly updated cookies (given that consent might be required for each new cookie) and for third-party cookies (given that the user is unlikely to directly visit the web site of an ad broker). Recital 66 of the Amended Directive suggests that this consent may be inferred from the settings which a web-user has selected on their browser or another application; however, this is yet to be tested. The ICO has said that the amendments are unlikely to change the current UK position; however, France has already tabled the issue of prior consent for cookies (although this was subsequently shelved).

Article 29 Working Party: The Working Party has expressed concern about what it perceived as being a ‘watering down’ of the Privacy and Electronic Communications Directive and, at the time of the meeting, was shortly going to issue an Opinion on Online Behavioural Advertising (it is now available).


ICO: the ICO has said that it is often difficult to tell whether the data gathered and used in this form of marketing is ‘personal data’ or not. However, it advises that, if in doubt, this information should be treated as ‘personal data’.

Consumer Protection and Unfair Trading Regulations: The OFT is a good source of information on this subject. As per its report of 25 May 2010, its view is that it is proportionate to focus on improving and supporting self-regulation. The report, however, warns that ‘should industry action prove ineffective, the OFT and the Information Commissioner’s Office (ICO) are strengthening the effectiveness of regulation by seeking to agree a memorandum of understanding to establish in which circumstances the ICO or the OFT would take enforcement action.’


Congress: A draft US bill has just been released that – if passed – could introduce online and offline privacy rules at a federal level across the US, including notice and choice requirements (generally on an opt-out basis).   

Market Response

Internet Advertising Bureau (IAB) Good Practice Principles: these self-regulatory guidelines aim to set good practice for companies that collect and use data for online behavioural advertising purposes. These guidelines contain three core commitments in relation to transparency, user choice and education.  All companies that sign up to these principles have six months in which to conform to the core commitments.  Furthermore, the IAB is encouraging the use of an IAB kitemark to signify good practice for online behavioural targeting.

US Federal Trade Commission (FTC): the FTC has issued fantastic guidance as to what works and what doesn’t, and this has been adopted across various bodies. Overall, the FTC is urging meaningful and rigorous self-regulation in the hope that Congressional legislation may be avoided.

Kirsten Whitfield is a Senior Associate at Wragge & Co: