How businesses use our online personal data: look and learn

Despite an EU directive and growing public concern about how big business uses our personal data, the companies that track online behaviour – and their advertiser clients – seem confident that the culture of ‘implied consent' will prevail, writes Jennifer Scott.

Concerns that surveillance has gone too far are hardly new, but at times, Big Brother feels more prominent than ever. From the CCTV watching the bins at the end of your street to the extra three hours any traveller has to add on to a trip to Heathrow, one can begin to get paranoid about the numbers of eyes watching your every move.

The physical and virtual world seem to agree on this monitoring process. Make one click online and your browsing history shoots down the network and onto the screen of companies founded to use it to its full potential.

Where you may notice it most in your day-to-day internet activity is targeted advertising. Browsing Facebook, you could come across that DVD you were planning to buy, but on special offer, or cheap flights to the city you were researching just a few days ago. On eBay, you are likely to find numerous options for the one product you have been searching endlessly for.

Sites all over the web use this tracking technology – or cookies – to boost their display advertising and make brands drool with joy at the idea of appearing straight on the screen of an apparent fan of their product.

Those who created the technology, and those who use it to bolster sales, argue that it works to the advantage of both the website and the consumer, offering, for the latter, easy access to the products they want. But is it right that consumers' browsing habits are made explicit to such firms without their prior consent?

The cookie collectors
The company that created the technology to turn browsing into a marketer's dream is Criteo. Consumers are unlikely to have heard the name as it manages to keep its head down when it comes to the press quite nicely, but they will be subject to its design every time they go on the web.

Criteo formed around five years ago in Paris and was the brainchild of two ex-Microsoft ‘architects' and an investor who felt e-commerce sites weren't putting enough cash into display advertising. At that point, advertisers were paying out for search ads. These had higher ‘conversion rates' – turning a click on an advert into a sale – which was an area where display ads suffered.

However, the three founders took the model of on-site recommendation, performed exceptionally well by the likes of iTunes and Amazon, to a wider audience, providing this technology to display ads and raising the conversion rates – putting more money in the pockets of both website owners and their advertisers.

So, the websites that use Criteo can collect cookies showing your browsing activity and engineer the adverts you see to those you would be interested in, rather than irrelevant ones.

“It is about relevance in advertising,” Mihiri Bonney, UK managing director of Criteo, says. “You will see at least 50 ads online in your daily browsing, and it is about trying to make sure that the advertising you see is relevant to you.

“What we see in terms of the click-through rates shows people do engage with the adverts. It is not a click because they are annoyed by it but because it is something they are interested in – which we see through their buying habits.”

Bonney has a point. You only have to watch an episode of 24 on Sky to understand how continuous irrelevant advertising can ruin the experience. Consumers don't enjoy being bombarded by ads when they have no interest in the products on offer.

If you have already been searching the web for particular items, it can make it much easier to find what you want if the advertisers already know about it, and can save you the hassle of going on an extended hunt yourself.

“Advertisements online are inescapable,” says Rik Ferguson, director of security research at Trend Micro. “It makes sense to have adverts relating directly to your interests being displayed, rather than, say, horse saddles to an ardent motorcyclist.”

Too much information?
Although relevant advertising may be of some use to consumers, it is the gathering of the information that gets many people's backs up.

Rather than consumers asking to have their online searches tracked, the Criteo technology takes the information without any permission; it calls this “implied consent”, meaning big websites such as Facebook and eBay can collect your browsing activity without any warning.

The defence from the advertising side is that there is the ability to opt out and either stop being shown one particular ad or remove yourself from the effects of Criteo's system entirely.

But Ferguson says this lack of choice for the consumer at the beginning “grates strongly” with his thoughts on personal information protection. “My browsing habits and interests are my own and it is my choice whether I choose to share them,” he says.

Ferguson adds: “While there are portals that enable you to opt out en masse from the advertising cookies of all the major networks, perhaps the most effective defence is to run your browser in private browsing mode or use the browser settings to opt out of tracking, where available.”

Should we be concerned about the information they hold, though? Although Bonney says she can't speak on behalf of the large websites for what they do with the gathered data, she claims the information isn't personal and could not be used to identify individuals.

“We don't collect personal information,” says Bonney. “There is no name, email, or personal address, it is just the cookie for that browser and the browsing behaviour.”

What if the user opts out then? Do Criteo or websites using it get to keep our information? “With the data we collect, if you delete your cookie, we don't have any of that information stored any more in our databases,” Bonney adds. “If you opt back in, then we start building afresh and it is just browsing behaviour, we don't have static data such as your name.

“Also, in the way our product works, it is about your most recent behaviour – that is what our engine is most interested in. So holding your back data is not a priority for our database, and if you delete your cookie, then we respect that decision.”

New law looming
Vinod Bange, a data protection and information law expert at law firm Taylor Wessing, says the consent issue has been lurking for some time. “The landscape for marketing communications and profiling customer/user data has to date been dominated by an opt-out and passive-permission culture,” he explains. “The various laws on data privacy and electronic marketing have allowed such a culture to thrive in the vast majority of scenarios.

“It is arguable that in those fewer scenarios where current laws require more to be done, for example when that passive permission is not enough for such profiling and targeting, some organisations undertaking such profiling and targeted activity have rarely chosen to take a proactive stance on transparency. This is set to change.”

In the UK, it is the Information Commissioner's Office (ICO) that is responsible for ensuring the Data Protection Act is upheld. It tells SC Magazine that Criteo's technology is in accordance with current law, but urges consumer concerns to be taken into account.

“Behavioural advertising can be used in a way that is compliant with the Data Protection Act but must be sensitive to the concerns of users,” a spokesperson says. “Information must be provided to individuals to enable them to make a meaningful choice about whether or not to be involved in the use of behavioural advertising technology.

“If an individual opts out of using a service and there is no genuine business need for their personal information to be held, then it should be deleted or amended so that it no longer relates to that individual.”

However, the argument has spread wider, and now the European Union is getting involved, with its own directive on cookies. In May 2011, the EU Commission ruled that websites had to gain the permission of users to track their cookies and would face fines of up to £500,000 if they did not comply.

Websites in the UK were given one year to get their houses in order before the legislation comes into effect. An organisation called The Cookie Collective has been established to help companies with the move, and the ICO has offered its support to anyone needing more clarity on the law.

Criteo's response has been to work on plans to implement a logo on its clients' advertising, showing users where it has come from, explaining that their data is being tracked and making it easier for them to opt out. This is an improvement in transparency, but will still mean users having their information tracked if they don't opt out.

Ferguson claims that the EU directive has a loop-hole that will effectively allow sites to continue to track user behaviour without their knowledge or consent. “The Department of Culture, Media and Sport has made clear in a letter that either the modification or the leaving at default of browser settings can be interpreted to signify consent as long as the user is adequately informed,” he says.

“If you consider the kinds of [terms and conditions] we are already expected to read and consent to before using various services, it is clear that ‘adequate information' can easily be buried in small print or 72-page documents, which again will leave in the ‘allow everything' culture.”

Informed choice
The one thing both sides of the argument seem to agree on is the need for education. The likes of Criteo and the websites using their technology want users to know what information they are gathering to ally fears that they are keeping the details of everything from email addresses to shoe size.

Ferguson and the EU, meanwhile, want users to know they are giving information away in the first place – and have the explicit chance to stop it.

The culture of ‘implied consent', and the fact that an entire industry has been built around it, are not the only barriers to change – there are technical issues too.

“Current browser-based choices are deemed insufficient to meet the new legal requirements, so relying on a generic solution behind the scenes looks unlikely in the foreseeable future,” says Bange.

“But even when it does appear, it will require more upfront, easily understandable access to choices and preference settings that need to be observed by all who seek to undertake user profiling.”

He concludes: “Thankfully, it looks like organisations will have a two-year period to work out how to meet such compliance challenges, but satisfying the court of public opinion is another challenge altogether.”

Learn about your browsing

While regulators and internet companies fight over what is best, the one thing businesses must do is take responsibility for their websites and advertising.

After reading this article, you should understand how you can get in front of the right people through knowledge of their general browsing habits, as well as the pitfalls of being too aggressive with your sales style.

The key is finding a balance being making yourself known and not angering prospective customers.

But, before you embark on any of that, understand the law – especially the new EU directive due to come into force in May – and get your house in order before the ICO comes knocking at your door.

SC Webcasts UK

Sign up to our newsletters

FOLLOW US