A recent survey1 by Landwell, the correspondent legalpractice of PricewaterhouseCoopers, demonstrated the online market’sweaknesses. Since the mid-1990s, the Internet and the World Wide Web, the mostimportant commercial media to emerge in the 20th Century, have assumedever-greater importance in day-to-day commercial activities.
The increasing number of dotcom difficulties and collapses hastempered the initial market euphoria. The survey brings into question the onlinemarket’s legal awareness and highlighted that dotcoms are, whether unwittinglyor not, exposing themselves to a dangerously high level of risk. The surveyrevealed that 90% of dotcoms are unconcerned by their Web site content; a largeproportion pay scant attention to customer relations; and most are unlikely tobe aware of their duties regarding distance selling.
One major area highlighted by the survey was data protection.Only recently, Consumers International announced its finding on privacy on theInternet2 and, as a result of online non-compliance with basicprivacy legislation, called for stricter privacy legislation to be implemented.Studies have also estimated that privacy concerns may have amounted to US$2.8billion in lost online sales in 1999 for the US alone, rising to a possibleUS$18 billion by 2002 should the consumer’s privacy concerns not be addressed.3
Such findings sit uncomfortably against the dotcoms’confidence that they are compliant with data protection. Over 97% of dotcomssurveyed by Landwell claim confidence in this area. Yet when asked if they havetaken advice in this area, 20% admit they have not. This may, in part, explainConsumers International’s findings. By examining the technology applied andthe manner in which the online industry collects, utilises and processescustomer data, it is easy to see how such confidence is misplaced and where theexposure may lie.
Getting the Technology Right
Advances in technology have long been acknowledged as creatingrisks for personal information: it may now be automatically generated, collated,stored, inter-connected and put to a variety of uses without the individual’sknowledge or consent. However, implementing the correct technology mayultimately affect dotcom business models. The philosophy to apply the ‘righttechnology’ has been adopted with zeal by the dotcoms – over 15% of dotcomssurveyed stated that getting the technology right was of fundamental importanceto their business.
The importance of confidential and secure trading platformscannot be underestimated. The United State’s Federal Trade Commission (FTC)reported that, whilst the online market has grown at an exponential rate, anincreased consumer concern regarding the collection and use (or misuse) ofpersonal information by online businesses is turning into an apprehension whichis likely to translate into lost online sales.
Landwell’s survey has suggested that the implications of usingcertain technology may not have been properly considered. Over 20% of dotcomsare cited as having an alarming complacency towards seeking legal advice –remarkable given the proliferation in recent years of European legislationapplicable to the online industry.
Assessing the Risks
Of course, the online industry uses technology to facilitate itsdeveloping business. Concentrating on the technology often distracts from theconsequences, such as exposure to a raft of data protection and privacy laws.
Users of digital technology produce an abundance of personalinformation. Their electronic footprints are inclined to be detailed,individualised and computer-processable. Simply accessing a Web site makescertain header information available to the server (the Web site host computer)by the client (the user’s computer), and may include:
the client’s Internet Protocol (IP) address, determining the domain name and the name and location of the organisation who registered the domain name through the Domain Name System
information about the client’s browser, e-mail address, operating system and the hardware platform, the time and date of the visit
the Uniform Resource Locator (URL) of the Web page which is viewed immediately prior to accessing the current page including search engine queries.
The online industry has the potential to collate a wealth ofconsumer information that could once only have been collected through a directsales/marketing force normally focusing upon high-value customers. The use oflarge-scale processing methods, such as data warehousing and mining techniques,makes it possible to identify new kinds of purchasing relationships and unusualassociations, make statistical inferences, lower transaction and search costs,and reduce the distance between buyer and seller. Whilst incredibly useful andattractive to any business, in its rawest interpretation this concentration andcollation of personal information inevitably endangers privacy.4 Hasthe online industry considered the legal implications for data protection andprivacy?
The OECD’s recent study5 and the ConsumersInternational’s report examined the means and quality of data collected bycommercial Web sites. Both reports assist in illustrating how, by the use oftechnology, the on-line industry is most likely infringing current dataprotection and privacy laws.
Looking at the most frequently used methods of data collection,it is easy to see how infringements are likely to occur so often in practice.
Cookie files
Cookies, often associated with the placement of ad-bannersmanaged by marketing agencies, recognise user details and preference information(such as passwords) or direct users to preferred destination pages in Web siteseach time the user re-visits.
Such monitoring, collation and subsequent identifications willresult in potentially high-value user information. But matching thecookie-collected data with personal data gathered by other sources (possiblylinked to identification files incorporated into browsers and transmitted toservers) challenges compliance with Articles 6 and 8 of the EU’s DataProtection Directive, and the commonly held principles set out in the OECD’sPrivacy Guidelines. Users potentially can lose their anonymity and reveal dataof a sensitive nature – such as reading material indirectly revealing theirsexual, political or religious inclinations. Where ‘persistent’ cookies6have been placed, the problem increases further.
Some data collection will be compliant. The EU’s DataProtection Directive’s First Data Protection Principle allows for thecollection which is open and fair. Data collection through cookies can be madeopen and fair where users opt to be notified when Web sites wish to placecookies and consent to their operation. However, where browsers are set toaccept cookies without notification, it is questionable whether this is theuser’s unambiguous consent, or explicit consent in the case of sensitive data,as required by the EU’s Data Protection Directive. Notwithstanding this, somebrowser developers have only just started offering the notification facilitiesto users,7 and it is still unclear whether the user will always benotified that cookies are being placed.8
The proposition that the use of cookies makes obtaining thenecessary consent difficult was supported when the FTC reported that the purposeof the collection via cookies is rarely notified. If dialogue boxes appearduring navigation for the placing of cookies, it is unlikely to contain anyindication of the cookie’s purpose. When cookie policies are provided, threefairly neutral purposes are invariably stated:
automatic recognition when a visitor re-visits for the user’s ease and convenience
to keep track of articles selected during the purchase session up to the completion of payment
analysis of the clickstream data, or mouse droppings, in order to develop a Web sites’ content in response to user demand.
In contrast to some voluntary disclosures, where the completionand submission of (often optional) data is explained as necessary to a user’sactivity (such as participation in competitions, or for social-demographicstudies or visiting habits), it is remarkable that cookie objectives9invariably fail to be openly explained. Despite promulgating this argument andclaiming that tailored targeting of advertisements is the market benefit,DoubleClick’s use of such data-gathering techniques was recently subjected toa particularly severe investigation by the FTC. To demonstrate the concern thatcookies were generating, DoubleClick, the Internet’s biggest banneradvertising supplier, could, if it chose, combine the surfing habits andoff-line detailed personal profiles of up to a staggering 88 million consumersas a result of its acquisition of Abacus, America’s largest off-line database.
Further, in the light of the FTC’s findings that only 41% ofWeb sites notify consumers that third parties (such as network advertisingcompanies engaging in online profiling) may be placing cookies, it must bepresumed that the majority of Web sites do not adhere to the provisions of theEU’s Data Protection Directive. In relation to the obligation to data subjectsto identify the data controller, it is therefore possible that in excess of 50%of Web sites breach established data protection principles.
Unquestionably, concerns about cookies are running high. Theirability to collect Web site audience data by tracking user behaviour wasimaginatively brought to the fore in legal papers filed against Yahoo! Inc. In aclass-action status on behalf of 50 million Yahoo! users, economic damages inexcess of US$50 billion are now being sought for violation of Texananti-stalking laws.10 The outcome is still awaited in which it iscontended that cookie technologies are ‘surveillance-like’ schemes,monitoring and stalking users without their full knowledge or consent, andinvolve a direct threat to a computer user’s property. Accordingly, Yahoo! isable ‘to watch, to spy, to conduct surveillance, to analyse the habits,inclinations, preferences, and tastes’ and to monitor ‘identified persons’visiting its Web sites ‘without consent, agreement or permission of[users],’ thereby improperly benefiting financially from the collection of theconfidential information.
Voluntary Disclosure: Forms
The second of the most common form of data collection is viavoluntary disclosure by the data subject. Generally, such voluntary submissionmust be in accordance with established principles that the collection of datamust be with the subject’s consent. However the amount of detailed personaldata elicited voluntarily must also be of concern. Users wishing to register,subscribe or complete transactions are required to provide information, bycompleting registration forms, or often extensive questionnaires, usuallyrelevant to the user’s activity. Typical data requests include the user’sname, address, telephone numbers and e-mail addresses.
It is when additional identifying data, such as age, sex,marital status, occupation etc and, in the case of purchasing forms, credit carddetails, is also requested that the online industry risks encroaching andinfringing upon regulatory controls requiring a higher level of consent, such asunder Article 8 of the EU’s Data Protection Directive.11
The OECD study also revealed a huge potential for the collectionof sensitive information. Web sites often include an option to mark preferredtypes of reading material that may, for example, indirectly reveal the sexualinclinations of the visitors or their religion. It is not only the smaller Website operators who may unintentionally collate sensitive data; largerorganisations, such as airlines that operate loyalty schemes, in noting acustomer’s dietary habits, such as a preference for Kosher food, may also becollating sensitive data.
Voluntary Disclosure: Automatic Data Collection
Automatic data collection is the second form of voluntarydisclosure that has the greatest opportunity to infringe existing legislativeframeworks. For example, two technical components present in browsers, Java orActiveX, had serious anomalies threatening the security of the personal data andfiles present on users’ PCs. Netscape Navigator’s earlier versions permittedWeb sites to capture visitors’ e-mail addresses without their knowledge.However, the Internet Protocol address, which identifies the user’s domainname and access provider, still permits the most obvious means of automaticcollection. In addition, data contained within identification forms that a PCuser is invited to complete during browser configuration, often containingfields for the user’s name, home, work and e-mail addresses, telephone and faxnumbers, and occupation, will transfer automatically if browsers are notconfigured to notify when a Web site wishes to access these personal identitycards. The use of the term voluntary in these circumstances does risk confusion,since users may not necessarily be aware of these data-gathering techniquesoperating and the submission of personal data may not be so much voluntary asunintentional.
Whilst such submissions may be relevant for some activities, therequirement to provide data just to access Web sites, or where the purpose forthe collection or processing is not specified, questions whether theseactivities amount to fair and lawful processing compliant with certainregulatory frameworks.
Future Risks
The above examples of data collection are now, to some extent,potentially passé. Software is now being developed to have a ‘phone-home’capability, which will no doubt be adopted by the online industry but will haveeven greater implications for privacy and data protection. A technique, known asa ‘web bug’, takes advantage of the fact that images in some documents takeup considerable memory. The inclusion of Internet addresses in documents, whichcall up images from host computers when documents are opened, will often involvethe transmission of data about location, ie the IP address. Web bug’spotential arises out of the fact that it could be as small as a single pixelmaking it nearly invisible. By marrying such technology with cookies, it couldbe possible to monitor who, where and when images and documents are received andhow they subsequently spread. The application of such technology only makes thedebate on whether data subjects have received and given all the correctinformation and consents more intense.
The Subsequent ProcessingThe issue of the collation of personal data in thesecircumstances cannot be examined in isolation. It is equally important that thesubsequent use of data is also considered. Two categories of processing must bedistinguished at this juncture: marketing purposes, intended to establish Website visitor profiles; and clickstream data, making it possible to match visitoridentification and profile data collected during registration and data generatedby either log analysis software12 present on the server platforms, orwith the aid of cookies. With respect to one-to-one marketing, this informationis obviously a high-value commodity for advertising agencies, space purchasersand advertisers.
As the EU Data Protection Directive, Article 2, defines datacontroller to include bodies which alone, or jointly with others, determine thepurposes and means of the processing of personal data, how do techniques ofprocessing operate within the current regulatory frameworks? Has the datasubject’s consent been obtained, or merely implied? This must be a particularconcern following research by both the FTC and OECD that established a limitedacknowledgement that the online industry engages in data-matching processes.And, should such transfers be trans-border, will the EU’s prohibition on datatransfers to jurisdictions without adequate data protection be applicable?Without conforming or taking into consideration such requirements, the onlineindustry may (and probably is) infringing legislative safeguards – Web siteoperators will most likely be within the ambit of the Directive when, say,placing, or permitting others to place cookies.
If the online industry believe that such operations, sometimesundertaken by specialised agencies, is not their concern, that is a standpointthat perhaps should be reconsidered, particularly as the Landwell surveyhighlighted a worrying complacency towards legal compliance.
Transfer of Data to Third Parties
Generally, two distinctions (as the OECD established) should bemade at this stage: those in the online industry explicitly declaring (throughprivacy statements) that they do not pass personal data to third parties; andthose who in generally careful terms explain that they may have occasion toprovide subsidiaries or outside partners with personal data with a view toadvancing commercial offers.
In relation to the latter case, it is questionable whether datasubjects have in fact been granted a fair opportunity to refuse to have theirpersonal data processed for commercial purposes or transmitted to third parties.Whilst, as the OECD study acknowledged, opt-outs are granted, many Web sitepolicies fail to state specifically the procedure by which to effect this.Invariably, it is only on receipt of subsequent e-mails that data subjects willbe informed that they in fact have the opportunity, by sending repliesrequesting removal, to be removed from mailing lists. Such cases of deferredopt-outs can hardly be deemed to comply with the EU’s Directive.
A further issue of compliance with developing data protectionand privacy laws arises as a result of Article 25(1) of the EU’s Directive.The much-publicised prohibition on the exportation of personal data tojurisdictions outside the EEA, unless such third countries have adequate levelsof protection, introduces a new dimension for the free flow of data. However,this provision would appear to presume that international data traffic (whichwould undoubtedly encapsulate the online industry) follows a precise andpredictable routing, a presumption fundamentally at odds with the manner inwhich the Internet conveys information. The use of packet switching to divideand send data by the most efficient routing, and the fact that e-mail and Websites may be viewed anywhere in the world, challenge this prohibition. As aconsequence, online industries must therefore evaluate whether they areoperating in accordance with Article 26’s exceptions. Landwell’s survey hasquestioned whether this has even entered some of the online industry’s radarscreens.
The Future
Whether the online industry will address the developing dataprotection and privacy legislation remains to be seen; there is a growing bodyof evidence indicating that it has not so far. However, if the online industryis to succeed, adapting and incorporating what amount to basic practices ofgood-housekeeping when dealing with personal data will enhance its reputation.In the long term, those online operators that reassure consumer confidence thatdata is handled in compliance with legislative safeguards will enhance theirbrand and market position and, ultimately, if the various studies prove correct,improve revenue streams. The next step must be one where, as technologyadvances, it will become second nature automatically to consider the legislativeimplications for its application.
Endnotes
1. Timefor Law and Order: European dotcoms and the law. Can be downloaded at www.landwellglobal.com.
2. Privacy@net,an International comparative study of consumer privacy on the Internet,Consumers International, January 2001 www.consumers.international.org/news/pressreleases/fprivreport.pdf.Consumers International is an organisation that represents and links some 260consumer groups and agencies in over 120 countries.
3. PrivacyOn-line: Fair Information Practices in the Electronic Market Place, A Report toCongress; May 2000, US Federal Trade Commission.
4. Afact demonstrated by American Express in the pre-Internet era; see Dwyer vAmerican Express, No. 1-92-3944, Illinois Court of Appeal, 30 June 1995.
5. OECD,Practices to Implement the OECD Privacy Guidelines on Global Networks, 4 January1999 – though acknowledged as neither statistically significant norrepresentative of the full range of online services.
6. Thosethat remain on the user’s computers even after he or she has left the Website.
7. CriticsDisagree on Merits of New Microsoft Cookie Policy, New York Times, 22 July 2000.
8. OnlinePrivacy Move Raises New Antitrust Concerns for Microsoft, New York Times, 3August 2000.
9. Namely,to enable one-to-one advertising communications by precisely targeting visitorsaccording to individual profiles.
10. LawsuitSays Web Cookies Allow Illegal Stalking, New York Times, 18 February 2000.
11. Theconsent required in order to process sensitive data, such as racial or ethnicorigins, political opinions, etc.
12. LogAnalysis Software is server-side software, used by Web sites to analysecookie-collected data by combining it with server collected information instandard server log files. Log file data is obtained when users connect to Websites and is also used for in-depth analysis of Web site traffic.
James Catchpole is a Solicitor at Landwell in the UK, thecorrespondent legal practice of Pricewaterhouse Coopers.
