Good practice in behavioural advertising?
The Internet Advertising Bureau, a digital marketing trade body, have launched Good Practice Principles for companies that collect and use data for online behavioural advertising purposes, which contain a number of clear problems:
- The guidelines presume that: “More relevant advertising is beneficial for both users and businesses: users discover more of what interests them and businesses find a better way to communicate with users.”
If users want more relevant advertising, and this is to be achieved by allocating them to “segments”, why not let them choose the segments they want to belong to? We do not accept the claim that behavioural surveillance for profiling is a service to users.
- The guidelines promote the giving of notice to users with opportunities for them to opt out, to the detriment of low-key and qualified references to the need for consent (or “opting in”).
This is particularly problematic, as the sites using behavioural advertising are likely to be operating via cookies. Any ‘opt out’ would be stored by a cookie. So each time a user deletes their cookies, or changes browser or machine, they have to opt out again. This makes opting out a repeated procedure, one that would make all but the most stubborn user simply give their consent. This is not how consent should work, and a system that ‘pesters’ users into opting in is in our view an illegitimate attempt to substitute acquiescence for consent, whereas nothing but consent is acceptable.
- The guidelines about user choice also focus on allowing users to opt out. Only one is about consent, and that is opaquely expressed: “Each Member shall obtain consent to process data for the purposes of OBA [Online Behavioural Advertising] where the processing of data requires such consent.”
It should be a cardinal and emphatic principle of any such guidelines that every user who is profiled (whether pseudonymously or otherwise) must have given informed prior consent. 
- The guidelines fail to give any warning about the problems of accounts used by multiple users (e.g. family members) who may be sharing machines or accounts. The guidelines must make it clear that the separate specific consent of every individual user must be obtained, and that this requirement is not satisfied by delegating to the account holder the responsibility for obtaining the consent of other users, or by embodying a consent, or a delegation of responsibility, in contract terms.
- The guidelines fail to require the consent of webhosts whose sites are visited by users, thereby encouraging the consequent industrial-scale breaches of webhosts’ copyright and database right involved in the processing, as well as the criminal breaches of the prohibition on interception under section 1 of the Regulation of Investigatory Powers Act 2000.
For last weekend’s Convention on Modern Liberty, we hosted a panel to discuss privacy in an age where the companies we as consumers choose to do business with online (as well as some we don’t) know more about us than ever before. The videos below feature, first, the opening presentations and, second, the Q&A that followed. Our panellists were, from right to left, David Smith (Deputy Information Commissioner (Data Protection), ICO), Iain Henderson (founder, Mydex.org), Jim Killock (Executive Director, Open Rights Group), Caspar Bowden (Chief Privacy Adviser, Microsoft EMEA), Peter Bazalgette (Media consultant and digital investor) and Wendy Grossman (journalist, blogger and folk singer).
The presentations are also available to stream and download in the Ogg format.
The Q&A is also available to stream and download in the Ogg format.