While surfing the internet, most of us have encountered a pop-up window containing an advertisement that takes centre screen without any direct or indirect intervention on our part. Funnily enough, the advert will most probably be a personalised one, enticing the user to acquire a product or service similar to one recently shopped around for or purchased online.
The question which most commonly springs to mind is: how does this advertising website know my personal details and, moreover, how does it know what I was interested in buying, for instance, one month earlier? The answer is a practice commonly known as online behavioural advertising.
Behavioural advertising is advertising based on the observation of the behaviour of individuals over time. It seeks to study the characteristics of this behaviour through actions such as repeated site visits, interactions, keywords and online content production, in order to develop a specific profile and thus provide data subjects with advertisements tailored to match their inferred interests.
Given that behavioural advertising is based on the use of identifiers that enable the creation of very detailed user profiles, which in most cases are deemed to constitute personal data, the data protection directive applies. At a European level, the data protection working party is committed to ensuring that such a practice is not carried out at the expense of individuals' rights to privacy.
Online advertising is a key source of income for a wide range of online services and is an important factor in the growth and expansion of the internet economy. However, the specific practice of behavioural advertising raises important data protection and privacy related concerns. Basic internet technology allows advertising network providers to track data subjects across different websites and over time. Information gathered on the surfing behaviour of data subjects is analysed in order to build extensive profiles of their interests, and tailored advertising is then sent to them.
Most tracking and advertising technologies involved in the delivery of behavioural advertising make use of client-side processing: they use information from the users’ browsers and terminal equipment. In particular, the main tracking technology used to monitor users on the Internet is based on ‘tracking cookies’. Cookies provide a means to track user browsing over an extensive period of time and theoretically over different domains.
It usually works as follows: typically, the ad network provider places a tracking cookie on the data subject’s terminal equipment when the user first accesses the website. The cookie is a short alphanumeric text which is stored, and later retrieved, on the data subject's terminal equipment by a network provider. In the context of behavioural advertising, the cookie will enable the ad network provider to recognise a former visitor who returns to that website or visits any other website that is a partner of the advertising network. Such repeated visits will enable the ad network provider to build a profile of the visitor which will be used to deliver personalised advertising.
Most internet browsers offer the possibility to block third party cookies. Some browsers even support ‘private’ browsing sessions which automatically destroy all created cookies when the browser window is closed. Some ad networks are replacing, or supplementing, traditional tracking cookies with new enhanced tracking technologies such as ‘Flash cookies’, which cannot be deleted through the traditional privacy settings of a web browser. It has also been reported that Flash cookies have been used explicitly as a tool to restore traditional cookies that were refused or erased by the data subject.
The European Parliament and the Council of the European Union, on 25 November 2009, have adopted Directive which amends, inter alia, concerning the processing of personal data in the electronic communications sector. Given that the latter directive has been, in part, transposed under the Data Protection Act, currently, this Office is in the process of transposing such amendments in the local legal statute.
One of the most important amendments particularly addresses the privacy issues related to online behavioural advertising. It provides that a data controller, in this case an ad network provider, who wishes to store or gain access to information stored in a user's terminal equipment may only do so by: (i) providing the user with clear and comprehensive information about the purposes of the processing; and (ii) obtaining the user's consent to the storage of or access to information on the terminal equipment.
Consent, which is defined as a freely-given, specific and informed indication of the data subject’s wishes, must be obtained before the cookie is placed and stored on the user's terminal equipment empowering the controller to retrieve valuable information. By adopting a literal interpretation of this provision, an ad network provider shall be obliged to seek the user’s prior consent before the storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user.
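The tracking-cookie mechanism, the third party cookie blocking setting and the prior-consent rule described above can be seen together in a small simulation. This is an added example, not code from any ad network or browser; the `.example` domains, the class and function names and the sequential identifiers are constructed for illustration, and no network traffic is involved.

```javascript
const AD_DOMAIN = "adnet.example"; // constructed third-party ad domain

class AdNetwork {
  constructor() {
    this.profiles = new Map(); // cookie id -> visits observed across partner sites
    this.nextId = 0; // sequential ids keep the run deterministic (real ids are random)
  }
  // Runs each time a partner page loads the network's embedded ad tag.
  serveAd({ cookie, site, keyword, consent }) {
    // Prior consent: without it, store nothing and read nothing.
    if (!consent) return { setCookie: null, ad: "generic" };
    const id = cookie || `uid-${++this.nextId}`;
    const visits = this.profiles.get(id) || [];
    visits.push({ site, keyword });
    this.profiles.set(id, visits);
    // A returning id links this visit to interests seen on earlier sites.
    const ad = visits.length > 1 ? `tailored:${visits[0].keyword}` : "generic";
    return { setCookie: id, ad };
  }
}

class Browser {
  constructor({ consent = false, blockThirdParty = false } = {}) {
    this.consent = consent;
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie domain -> value
  }
  visit(site, keyword, network) {
    // The ad tag is third party to `site`; blocking means no send and no store.
    const cookie = this.blockThirdParty ? undefined : this.jar.get(AD_DOMAIN);
    const res = network.serveAd({ cookie, site, keyword, consent: this.consent });
    if (res.setCookie && !this.blockThirdParty) this.jar.set(AD_DOMAIN, res.setCookie);
    return res.ad;
  }
}

// Visit three constructed partner sites and report what the network learned.
function simulate(options) {
  const network = new AdNetwork();
  const browser = new Browser(options);
  const ads = [
    ["shop.example", "hiking boots"],
    ["news.example", "politics"],
    ["blog.example", "recipes"],
  ].map(([site, keyword]) => browser.visit(site, keyword, network));
  const sizes = [...network.profiles.values()].map((v) => v.length);
  return { ads, profiles: sizes.length, longest: Math.max(0, ...sizes), cookies: browser.jar.size };
}
```

With consent and no blocking, the network ends up with a single profile spanning all three sites. With third party cookies blocked it holds three unlinked one-visit records, and without consent it holds nothing.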
However, there are still a number of grey areas concerning the implementation of this amended article. For instance, how shall users’ consent be sought by website operators? Would a change in the browser’s privacy settings constitute prior consent? What shall be the validity period of consent? How can a user revoke the consent? What shall happen in the case of minors who are legally incapable of granting consent?
The implementation of this revised regulation is still the subject of various discussions at European level in view of the European Commission’s call for the promotion of a harmonised approach amongst national authorities.