osborneclarke.com International Online Behavioural Advertising Survey May 2010

osborneclarke.com

International Online Behavioural Advertising Survey 2010 20 May 2010

osborneclarke.com

Contents

1

Executive Summary................................................................................................................... 3

2

What is OBA? ............................................................................................................................ 4

3

What a difference a year makes ................................................................................................ 7

4

Methodology ............................................................................................................................ 10

5

Global trend analysis ............................................................................................................... 11

6

Practical conclusions ............................................................................................................... 14

7

Information and privacy law at Osborne Clarke ....................................................................... 15

2 of 15

© Osborne Clarke May 2010

osborneclarke.com

1

Executive Summary

About this survey In March 2009, Osborne Clarke published findings of a survey which it had conducted across more than 40 different territories (including all EU member states, the US and Canada) on local attitudes towards, and regulation and enforcement of, online behavioural advertising ("OBA").

grouping of MPs and Lords calling for opt-in for OBA and an investigation from the OFT into whether OBA breaches UK consumer laws. The future of OBA

The survey, believed to be the first of its kind conducted by a law firm, highlighted several interesting global OBA trends. It showed that OBA regulation was often out of step with what happened in practice, and that local law OBA compliance requirements were seldom enforced. Interestingly, it indicated that, despite a flurry of dramatic headlines in the tabloid press throughout the preceding twelve months (think Phorm and NebuAd), consumers seemed relatively unconcerned by the growth of OBA. This lack of concern could, to some extent, possibly have been attributable to a lack of education – few consumers (and indeed few regulators) really understood what OBA was or how it worked, let alone its potential privacy implications.

Despite these uncertainties, our survey this year suggests that consumers and regulators continue to get more comfortable with cookie-based OBA as a technology.5 Possibly this is because, as more advertisers adopt cookie-based OBA, consumers are beginning to feel the benefit it has to offer in terms of more relevant advertising. Possibly it is because, after a myriad of tabloid press scare stories, industry trade bodies are now making greater efforts to educate consumers about OBA and how they can control the use of their personal information for OBA (our report indicates that advertisers still have work to do here though). Or maybe it is because regulators are beginning to understand the pressures that website publishers face to offer free or heavily subsidised content to consumers, and that OBA is one way to make this possible.

With this in mind, Osborne Clarke decided to re-run its survey in February this year to find out how the OBA landscape has changed in the past twelve months. Over this period, the OBA industry has taken positive, and proactive, measures to stave off OBA regulation – all looking to enhance consumer notice, choice and education with a view to promoting greater consumer and regulatory acceptance of OBA technology.

Whatever the reason, it is clear that OBA is here to stay and that its use will grow significantly over the coming years. Nevertheless, with the potential threat of legislative regulation continuing to hang over it, the OBA industry would be welladvised to continue – and even ramp up – its efforts to effectively self-regulate in a meaningful, transparent and accountable way.

In the States, the Interactive Advertising Bureau ("IAB US"), working in conjunction with a number of other ad industry groups, launched its "Self-Regulatory Principles for Online Behavioural Advertising"1 and, together with the Network Advertising Initiative ("NAI") proposed a universal OBA icon to notify consumers when they are being served targeted advertising and to provide them easy access to information about how to opt out. Over in the UK, the Internet Advertising Bureau ("IAB UK") has been equally proactive, continuing to gather support for its "Good Practice Principles for Online Behavioural Advertising"2 and looking towards the possible adoption its own OBA icon.

Osborne Clarke 20 May 2010

However, a number of significant developments over the past year highlight just what a state of flux OBA regulation continues to be in: in Europe, the European Union adopted amendments to its Directive on Privacy and Electronic Communications3 introducing a cookie "consent" requirement where cookie opt-outs had previously prevailed (uncertainty remains as to whether local territories will implement this as an opt-in requirement); conversely, in the UK, the Information Commissioner's Office ("ICO") launched an online data collection consultation4 in which it set clear expectations that cookie-based OBA should be allowed on the basis of consumer opt-outs – this despite calls from an influential

If you would like any further information, please contact: James Mullock Head of Technology t: +44 (0)117 917 3322 [email protected]

Stephen Groom Head of Marketing & Privacy Law T +44 (0)207 105 7278 [email protected]

Phil Lee Associate, Digital Business T +44 (0)207 105 7478 [email protected]

1

http://www.iab.net/insights_research/public_policy/behavioral-advertisingprinciples http://www.youronlinechoices.com/good-practice-principles Amendments adopted as part of the European "Telecoms Reform Package" and available online at http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf 4 The "Personal Information Online Code of Practice" available online at http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/pio_consultat ion_200912.pdf 2 3

3 of 15

5 ISP-based OBA remains very unpopular in Europe however, as evidenced by Phorm's withdrawal from the UK market in September 2009.

© Osborne Clarke May 2010

osborneclarke.com

2

What is OBA?

The evolution of OBA 2.1

Ever since the launch of the World Wide Web, the Internet has been trumpeted by advertisers as having vast potential as a marketing platform – both in terms of direct marketing (offering a direct relationship with a mass audience at minimal cost) and as a means of gathering valuable information about the interests, likes and dislikes of consumers through online data capture.

2.2

Yet, despite this seemingly limitless opportunity, the truth is that the advertising potential of the Internet has remained relatively nascent and untapped. Primitive marketing technologies such as contextual banner and pop-up advertising have proved unpopular with consumers due, in part, to their obtrusive nature and, in particular, to their lack of direct relevance to most consumers. As a consequence, many browsers have come to offer tools enabling consumers to block these forms of advertising – with disastrous consequences to advertising-funded content on the web.

2.3

Many now believe that the future of advertising on the Internet lies in new, sophisticated marketing technologies that are beginning to emerge. In particular, OBA technologies offer a solution to many of the problems previously encountered by advertisers. OBA refers to marketing platforms that examine information about the surfing patterns of individual Internet users (for example, which websites they visit) and then use that information to deliver advertising to those users that is tailored to their specific interests. By doing so, OBA captures the key benefit of the Internet as an advertising platform (direct marketing to a mass audience at minimal cost) whilst avoiding the major pitfall of lack of relevance.

The different "flavours" of OBA 2.4

But the benefits of OBA come with what many commentators see as a dangerously high – even unjustifiable – price, namely invasion into personal privacy. In order to deliver targeted advertising, it is necessary for OBA providers to explore, at a fairly detailed level, the individual surfing habits of Internet users. The means by which they do this, and the intrusiveness that results, varies depending on the OBA platform. Some OBA platforms, for example, integrate with Internet Service Providers ("ISPs") and employ deep packet inspection technology to explore the content of all Internet traffic passing through the ISP – in effect, analysing the Internet traffic of each and every user connecting to the Internet through that ISP. This type of OBA technology has (in)famously been deployed by companies like Phorm and NebuAd, drawing considerable fire from privacy advocates, the press, consumers and regulators alike.

2.5

Other OBA providers deploy cookies, web beacons and clear gif images through publisher websites to collect behavioural information about visitors to those websites – such as the pages that users visit, the search terms they enter and the adverts that they click on. In some OBA scenarios, the publisher and advertiser may be one and the same entity, with the publisher using OBA technology to better target advertising of its own products and services to its website visitors (known as "first party advertising"). The common example here is the Amazon website, which makes book recommendations based on previous titles you have browsed or purchased. This type of advertising is so prevalent and widely accepted by consumers that it was not until the past couple of years that it even began to be labelled as "behavioural" advertising.

"We use the Internet without a thought that a third party would know what we have just clicked on... Yet the URLs [webpages] people use reveal a huge amount about their lives, loves, hates and fears. This is extremely sensitive information... There will be a huge commercial pressure to release this data... The principle should be that it is not to be collected in the first place" Source: Sir Tim Berners-Lee (Quoted in the Guardian 10/3/09)

4 of 15

© Osborne Clarke May 2010

osborneclarke.com

What is OBA?

2.6

In other instances, website publishers may allow third party OBA providers to deploy their technology through the publishers' websites to advertise third party products and services (known as "third party advertising"). One common example of a third party advertising platform is the "advertising network" (Google Adsense would be an example)6. Under this arrangement, the OBA provider deploys its technology across a portfolio of partnering publisher websites and displays targeted third party adverts across that portfolio. By doing this, information collected about a visitor to one partnering website can be used to target advertising to that visitor when it later visits a different partnering website. This approach has benefits for all players within the OBA ecosystem – advertisers get to deliver targeted campaigns across a portfolio of partnering websites, reaching a wider audience, and using behavioural retargeting techniques to drive conversion and increase revenue; website publishers get access to a wider range of targeted advertising from a plurality of partnering advertisers, increasing the relevance of their website content to consumers and improving the stickiness of their site; and

1.

consumers are delivered with advertising more relevant to their individual tastes across multiple website domains, potentially exposing them to targeted (and retargeted) promotional offers they might otherwise not have received. The controversy 2.7

Despite its obvious advantages, OBA – whatever its flavour – is often fundamentally opposed as a matter of principle by many consumers and privacy advocates (by way of illustration, a 2010 study commissioned by Addvantage Media found 52% of respondents said they would switch off behavioural targeting if possible7). To date, OBA has all too often been implemented in a nontransparent and, some would argue, "sinister" way, adversely impacting its adoption by the general public. In some instances, publishers have chosen to adopt OBA technologies without fully understanding the privacy implications or engaging their legal teams as to disclosures and choices that should be presented to consumers. Likewise, OBA's cause has not been helped by headline-grabbing press reports about "secret" OBA trials conducted with partnering ISPs, that fail to acknowledge that ISP OBA platforms are entirely different from, and much less common than, cookiebased OBA – in effect, tarring the entire OBA industry with the same brush.

First party OBA (the Amazon approach  Publisher places cookies on its own website  Collects user information about pages visited/searches made  Uses information to display adverts on its own website (no third party data disclosure

2.

Less Risk

Less Intrusive

Third party OBA (the AdSense approach)  OBA provider places cookies on third party partnering website  Collects user information about pages visited/searches made  Uses information to display adverts on partnering websites

3.

ISP traffic monitoring (the Phorm approach)  OBA provider intercepts user data traffic passing through ISP  Collects user information about pages visited/searches made  Uses information to display adverts on partnering websites

More Risk

More Intrusive

Summary of key types of OBA and perceived intrusiveness / likely risk

6

http://googleblog.blogspot.com/2009/03/making-ads-more-interesting.html

5 of 15

7

http://addvantagemedia.com/index-7.html

© Osborne Clarke May 2010

osborneclarke.com

What is OBA?

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time." Source: Mark Zuckerberg, CEO Facebook, speaking at the Crunchie awards in San Francisco, January 2010.

The future of online advertising? 2.8

Nevertheless, the advertising industry is clearly embracing OBA wholeheartedly. eMarketer reports that US advertising spend on OBA will increase from $775m in 2008 to a predicted $2.6bn in 20148. The biggest challenge now faced by the OBA industry is to encourage legal, regulatory and consumer acceptance of the technology. Respecting individuals' rights to privacy, as enshrined in the European Convention of Human Rights and in territorial data protection laws, remains one of the biggest hurdles for online advertisers to overcome. Despite in theory having a harmonised approach to data protection law, individual member states of the European Union have often adopted different attitudes and standards towards individual privacy rights.

2.9

Moving further afield outside of Europe, territorial data protection and privacy laws can vary from the practically non-existent to the very strict. The next section of this report examines national regulatory and consumer attitudes towards OBA and explores whether global harmony – or disharmony – prevails.

8

http://www.emarketer.com/Reports/All/Emarketer_2000636.aspx

6 of 15

© Osborne Clarke May 2010

osborneclarke.com

3

What a difference a year makes

Introduction 3.1

Since we commissioned our last OBA survey in January 2009, OBA regulation has firmly established itself as one of the most complex, challenging, and fast moving areas of data privacy law. The past year has seen significant self-regulatory strides taken by the OBA industry in an attempt to ward off unwanted and unnecessary regulation. The stakes could not be higher: in an age when consumers have come to expect free online content, website publishers find themselves forced to look to new technologies to monetise their online offering. OBA promises great rewards, with one study by the Network Advertising Initiative in the US claiming that behavioural adverts are clicked on 670 per cent more often than ordinary Run of Network ("RON" or untargeted ads) and result in conversion rates that are twice as high as RON adverts9.

"Effective self-regulation is also vital. The Internet Advertising Bureau’s good practice principles for providers who collect and use data for behavioural advertising mirror best practice in the USA adapted for the E.U.'s data protection framework."14 3.4

Self-regulation in the UK and US 3.2

3.3

"I am gratified that a group of influential associations – representing a significant component of the Internet community – has responded to so many of the privacy concerns raised by my colleagues and myself. These associations have invested substantial efforts to actually deliver a draft set of privacy principles, which have the potential to dramatically advance the cause of consumer privacy. I commend these organizations for taking this important first step."16

Self-regulation of OBA began in the US in February 2009, when the Federal Trade Commission (the "FTC") published its "Self-regulatory Principles for Online Behavioural Advertising", following an investigation into the consumer privacy issues raised by OBA10. FTC Commissioner, Jon Leibowitz, threw down the gauntlet to the industry, warning that Congressional legislation could be imminent11 if the OBA industry did not effectively self-regulate: "Industry needs to do a better job of meaningful, rigorous self-regulation, or it will certainly invite legislation by Congress and a more regulatory approach by our Commission. Put simply, this could be the last clear chance to show that self-regulation can – and will – effectively protect consumers' privacy in a dynamic online marketplace."12

European regulators unmoved 3.5

This was closely followed in the UK by the publication of "Good Practice Principles for Online Behavioural Advertising" by the IAB UK (the "Good Practice Principles") in March 2009.13 The Good Practice Principles promoted the adoption by the OBA industry in the UK of three key principles: user notice, choice and education. The Good Practice Principles count among their signatories Google, Microsoft Advertising, Yahoo!, AudienceScience and Adconion. The Good Practice Principles received a strong reception in the UK, including in a major policy review focussing on the Government's plans for Britain's digital future – Lord Carter's Digital Britain Report – published in June 2009:

14

10

15

7 of 15

But not everyone is happy. Despite these proactive steps towards effective self-regulation, calls for strict "opt-in" requirements for OBA continue unabated. In October 2009, the UK All Party Communications Group ("ApComms"), an influential cross-party grouping of MP and Lords, published its findings of an inquiry into OBA stating: "We do not believe that it is at all appropriate to consider the deployment of any type of behavioural advertising system without explicit, informed, “opt-in” by everyone whose data is to be processed, and whose behaviour is to be monitored and whose interests are to be deduced. We do not believe that “opt-out”, however commercially convenient, is the way that these systems should be run. To that extent, the Good Practice Principles promoted by the Internet Advertising Bureau are insufficient to protect people."17

9

http://www.networkadvertising.org/pdfs/Beales_NAI_Study.pdf. http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf 11 Indeed, it may still be imminent following the release of a draft federal privacy bill in the US, discussed at paragraph 3.16 bellow. 12 http://www.ftc.gov/opa/2009/02/behavad.shtm 13 http://www.youronlinechoices.co.uk/good-practice-principles

Building on this solid bedrock of self-regulation, the IAB US (in conjunction with the American Association of Advertising Agencies, the Association of National Advertisers, the Council of Better Business Bureau, and the Direct Marketing Association) published its own "Self-Regulatory Principles for Online Behavioural Advertising" in July 2009. This built on, and expanded, the FTC principles, promoting education, transparency, consumer control, data security, consent for material changes to OBA policies, careful treatment of sensitive data and accountability.15 These were warmly received by the FTC, with Commissioner Pamela Jones Harbor saying:

16

http://www.culture.gov.uk/images/publications/digitalbritain-finalreport-jun09.pdf http://www.iab.net/insights_research/public_policy/behavioral-advertisingprinciples

http://www.iab.net/about_the_iab/recent_press_releases/press_release_archive/press_release /pr-070209 17 http://www.apcomms.org.uk/uploads/apComms_Final_Report.pdf

© Osborne Clarke May 2010

osborneclarke.com

What a difference a year makes

3.6

A few days prior to the publication of the ApComm report, the UK Office of Fair Trading ("OFT") announced its own investigation into OBA (expected to conclude in the summer this year). Although ostensibly into the use of OBA for pricing, the OFT's own statement of scope indicates that their investigation will look at wider OBA issues generally:

3.11 However, as amended, the language PEC Directive seems to require prior "opt-in" consent to place cookies – ringing alarm bells for the OBA industry. As amended, Article 5(3) of the PEC Directive reads: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing." (our emphasis)

"Our study is focused on the use of consumer information to create individual profiles or to place consumers into narrow segments in order to target advertising, prices or products."18 3.7

3.8

Over on the continent, an association of German data protection authorities issued a resolution in November 2009 that – to the surprise of many commentators – IP addresses are personal data and that the creation of user profiles and use of web analytics tools to analyse IP address data is, without user consent, illegal.19 Meanwhile, the European Commission's legal proceedings against the UK continue to rumble on in the background. Although incorrectly reported by many as being a legal action against Phorm, the proceedings did in part arise out of concerns that the UK's implementation of the European Data Privacy Directive20 did not adequately protect consumers from unwarranted intrusion by ISP-based OBA technologies. European opt-in requirements for cookies?

3.9

The biggest surprise over the past twelve months, however, came when the European Union adopted changes to its Directive on Privacy and Electronic Communications21 in December 2009 (the "PEC Directive"). Amongst other things, the PEC Directive sets out the European rules for deploying cookies on end user computers.

3.10 Prior to adoption of the changes, the PEC Directive made quite clear that publishers could place cookies provided that users were given notice of the cookies (for example, in a privacy policy) and an opportunity to refuse them (i.e. to opt out). Before amendment, Article 5(3) of the PEC Directive previously read: "Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller." (our emphasis) 18

http://www.oft.gov.uk/shared_oft/business_leaflets/659703/Statement-of-Scope.pdf http://www.marketinglaw.co.uk/articles/2010/12638.asp Directive 95/46/EC 21 Directive 2002/58/EC 19 20

8 of 15

3.12 There has been a lot of discussion amongst industry stakeholders about whether the European Commission really was looking to introduce an "optin" requirement to place cookies.22 Some commentators note that large commercial websites typically deploy tens of cookies for a variety of web analytics and advertising purposes and, if a strict prior consent requirement were imposed, visitors would be presented with a bewildering display of multiple pop-up dialogue windows inviting the user to accept each individual cookie. Others point to the fact that the recitals of the Directive indicate that user consent can be obtained through website browser settings23 – although whether indicating acceptance of cookies through browser settings is in keeping with the Data Protection Directive's requirement that consent must be "freely given, specific and informed" is doubtful. 3.13 At the moment, it can only be said that the jury is still out on this issue (although note the results of our survey on this specific point at paragraphs 5.9 - 5.11 below). The UK OBA industry will no doubt take some comfort from ICO's draft code of practice on online data collection (the "Personal Information Online Code of Practice"24), which – at present at least – seems to endorse an opt-out, rather than an opt-in, regime for OBA: "‘Turning it off’ Many individuals will want to visit a website without any record of their online behaviour being created. Therefore it is good practice to give individuals a simple means of disabling the targeting and profiling process. It is a legal requirement to tell the individual when information is being stored on their equipment,

22

Exemptions from this "consent" requirement exist for cookies whose sole purpose is "carrying out the transmission of a communication over an electronic communications network" or which are "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service". This is expected to exempt, for example, session cookies used to store online shopping basket contents up to the point of purchase. 23 Recital 66 24 See footnote 4, supra.

© Osborne Clarke May 2010

osborneclarke.com

What a difference a year makes

for example in the form of a cookie, and to give them the opportunity to refuse this"25 3.14 Nevertheless, while regulators in several countries (including the UK) have indicated that they do not see this amended language changing the current opt-out regime for cookies, uncertainty remains as to how this Directive will be transposed into national law (the deadline for implementation falls in mid-2011). Only time will tell. Enhanced notice 3.15 A further major step taken by the OBA industry in the US was the proposal to offer consumers enhanced notice, by requiring advertisers to display a universal OBA symbol – a small, lower-case "i" encased in a circle26 – when serving OBA targeted advertising. The symbol, proposed by the IAB US and the NAI, would appear as an overlay in the corner of any targeted adverts and, when clicked on by the user, would provide information about which organisation served the advert, where to find their privacy policy, and how to opt out of OBA by that organisation in future.27 The intention is to prevent publishers and advertisers simply burying OBA information deep within privacy policies that are never read, and instead to require consumers to be notified in a meaningful, transparent way about how their data is used and their ability to control that use. The IAB UK is reported to be considering its own universal OBA symbol. Summary 3.16 The above summarises just some of the OBA developments over the past year, but there are many more: ranging from the launch of Google Dashboard and Google Ads Preferences28 (which enable Internet users to see what data Google holds about them and the advertising profiles that have been created about them) to rulings in France29 and Ireland30 that IP addresses may not, after all, constitute personal data – rulings that will be welcomed by the OBA industry (and which contrast with the German data protection authorities' resolution discussed at paragraph 3.7 above). Most recently, a draft US bill31 has just been released that – if passed - could introduce sweeping online and offline privacy rules at a federal level across the US, including notice and choice requirements (generally

on an opt-out basis) when collecting personal information from users online. 3.17 One development that it sure to attract a lot of attention over the next year will be the potential for integration of OBA into social media platforms. Many social media sites ("SMS") attract huge volumes of data rich subscribers but, as yet, continue to lack effective ways to monetise their subscriber base. Some are already looking to mechanisms that allow them to collect more information about subscribers' behaviour, in particular when they visit third party partnering websites (for example, by having buttons on partnering websites that subscribers can click on to indicate that they like that site32). There will be a huge commercial incentive to find ways in which to monetise this information, and OBA is one obvious way to do this – few sites can boast having as much behavioural data at their fingertips as SMS websites. 3.18 What is clear is that global regulation and enforcement of OBA continues to be ad hoc, inconsistent and complex, while OBA technology continues to develop at breakneck speed. In this report we examine what, if any, global regulatory trends are beginning to emerge and the lessons that the industry can take away from this.

"Behavioural targeting on the internet will become increasingly pervasive and consumers understandably feel uncomfortable. Today I want to send one very clear message to those involved in all aspects of the digital world consumer rights must adapt to technology, not be crushed by it. The current situation with regard to privacy, profiling and targeting is not satisfactory." Source: Meglena Kuneva, European Consumer Commissioner (Keynote speech at Brussels Roundtable on Online Data Collection, Targeting and Profiling, 31 March 2009).

25

At page 11 of the consultation. The consultation has now closed and the final code of practice is expected to be published over the summer months. 26 The "CLEAR" ad notice ("Control Links for Education and Advertising Responsibly"). Use of an icon as a means of serving enhanced notice was first proposed in the IAB US "SelfRegulatory Principles for Online Behavioural Advertising" discussed at para 3.4, supra. 27 The technical specifications for the CLEAR ad notice can be found at http://www.iab.net/clear 28 www.google.com/dashboard 29 See, for example, http://www.edri.org/edrigram/number8.4/french-court-ip-address 30 EMI Records (Ireland) Ltd and others v Eircom Ltd [2010] IEHC 108 31 The "Boucher Bill" available online at http://boucher.house.gov/images/stories/Privacy_Draft_5-10.pdf

9 of 15

32

Facebook is one example: http://news.bbc.co.uk/2/hi/8590306.stm

© Osborne Clarke May 2010

osborneclarke.com

4

Methodology

Survey scope 4.1

To better understand local regulatory and consumer attitudes towards OBA, we approached local data privacy experts in our affiliate and best friend firms across more than 40 jurisdictions (covering an aggregate population of 4,436,006,812 people!). The scope of our survey was such that it covered all member territories of the G20 group of nations as well as all European Union member states.

Trend analysis 4.3

In each case, local counsel were asked to select answers from a range of possible options and to provide further information where this was necessary. By looking at these results, and comparing them with the responses we received to our OBA survey in 2009, we were able to identify certain trends worthy of further analysis, and the results of this analysis are set out at section 5 below.

Questions asked 4.2

We asked local counsel to answer the 7 questions set out below, which we believed to be most pertinent to help enable us assess local attitudes. Questions 1-4 and 6-7 previously appeared in our 2009 OBA survey and were repeated to help us assess how local requirements have changed in the period leading up to this latest survey.  Question 1: What is the attitude of your national data protection authority ("NDPA") towards cookiebased OBA?  Question 2: How would you describe the attitude of consumers in your country towards the use of cookie-based OBA?  Question 3: In practice, how transparent are advertisers that use OBA being with consumers in your country?  Question 4: What position is taken by your NDPA on whether cookie-based OBA requires prior opt-in consent from consumers?  Question 5: If your answer to question 4 was that opt-in consent is not required, do you think that could change soon? (For example, as a result of recent changes to Article 5(3) of the Privacy and Electronic Communications Directive 2002/58/EC requiring users to "consent" to cookie use.)  Question 6: Is there any danger that the use of OBA in your country could be illegal and attract fines from your local NDPA? If so, what is the maximum level of fine that could be imposed?  Question 7: Have there been any reported cases in your country in which your NDPA or any court or other body has dealt with complaints by consumers or others relating to the use of OBA?

10 of 15

© Osborne Clarke May 2010

osborneclarke.com

5

Global trend analysis

Introduction 5.1

of respondents who reported regulators as being "very concerned".

The responses received from local counsel indicate some interesting global trends in the deployment of, and regulatory and consumer attitudes towards, OBA. Our detailed analysis is set out below, and practical conclusions that can be drawn from this analysis are set out at paragraph 6.

Consumer concern about OBA

Not very concerned

Possible softening of regulatory and consumer attitudes to OBA?

A bit concerned Very concerned

5.2

Comparing the results of this year's survey against those of our 2009 survey, there has been a slight reduction in the number of respondents reporting regulatory and consumer concern about OBA. The number of respondents indicating that their local regulators are "very concerned" about OBA has fallen by 10%; likewise, the number of respondents indicating this level of concern amongst consumers has fallen by 14%.

Other

5.6

Regulatory concern about OBA Not very concerned A bit concerned Very concerned Other

Transparency vs. opt-in requirements 5.7

5.3

5.4

5.5

11 of 15

The reason for this potential softening in regulatory and consumer attitudes is open to debate. Some of this movement may be within a normal margin of error when polling local attitudes of this nature. However, it may also be indicative of a wider phenomenon: that as consumers and regulators become more exposed to – and better educated about – OBA technology, they begin to get more comfortable with it. If this is the case, then it bodes well for the future of the OBA industry and its ongoing self-regulatory efforts. Nevertheless, it is worth remembering that this is a downwards movement from an initially high peak. Notwithstanding this potential softening among regulators, the overall level of regulatory concern remains quite high. Over three-quarters of the survey respondents reported that their NDPA is either "very concerned" (30%) or "a bit concerned" (47%) by OBA.

This discrepancy between regulatory and consumer concern inevitably begs the question whether regulators are responding to tabloid scare-stories rather than real consumer worries. However, it is also the function of regulators to guard against risks even where these are not recognised by consumers (consider, for example, how many consumers understand the complex financial regulatory rules that apply to banks). Whatever the case, it sets the scene for an interesting tension between the interests of OBA providers, consumers and regulators that will undoubtedly continue to play out over the coming year.

Interestingly, and consistent with last year's results, the majority of our privacy expert respondents (53%) reported that prior opt-in consent is a legal requirement for the operation of OBA in their territories – but that, despite this, no respondent described local advertisers as being "very transparent" when using OBA (we defined "very transparent" in our survey questions to mean that the advertiser collects opt-ins to OBA).

Prior opt-in consent required Prior opt-in consent required No need for opt-in consent provided consumers can opt-out No need to collect opt-in consent or offer an optout Other

As with our 2009 survey, consumers continue to be more relaxed about OBA than do regulators. Only 12% of survey respondents reported consumers as being "very concerned" about OBA. This contrasts with 30%

© Osborne Clarke May 2010

osborneclarke.com

Global trend analysis

5.8

Two things can immediately be read into this result. Firstly, there continues to be a clear difference between the reported local law opt-in requirements and what advertisers actually do in practice – namely offer optouts33 (perhaps as a result of lack of enforcement for non-compliance - see paragraphs 5.12 - 5.13 below). Secondly, reported industry practice is consistent with moves by the OBA industry to self-regulate on an optout basis, and may therefore suggest broad compliance with these industry self-regulatory standards. However, if self-regulation is to succeed on a truly global basis, then there clearly needs to be changes to some existing local law opt-in regimes.

If opt-in is not currently required do you think that could change soon

Yes

No

Actual transparency of OBA advertisers

Not transparent

Moderately transparent

Other

Continued low risk of enforcement 5.12 The picture on enforcement is also much the same as last year. Although the vast majority of respondents stated that breaching their country's legal requirements surrounding OBA carried a potential risk of fines (86% in total), the number of reported cases of actual enforcement is surprisingly low (just 7%). Risk of fines for breaching rules on OBA No risk of fines

Changes afoot for European consent requirements? 5.9

One third of respondents who reported that opt-in consent is not currently a legal requirement for OBA in their territory indicated that they expect this to change in the near future.

5.10 Interestingly, all but one of these respondents were based in EU countries (5 European respondents in total). This suggests that this move to opt-in may well be the result of recent amendments to the European PEC Directive which, on a black letter law reading, require website publishers and advertisers to collect visitor "consent" to cookie use. If some European member states do implement opt-in requirements for OBA, it could potentially hamper OBA deployment across Europe and be a crushing blow to the OBA industry – who may find themselves forced either to accept risk in deploying cookies on an opt-out basis or to block website access from territories with opt-in regimes. 5.11 On a more reassuring note, it appears that elsewhere the status quo on OBA consent requirements will broadly remain.

33

In our survey questions, we defined "moderately transparent" to mean that advertisers generally disclose OBA in their privacy policy and offer consumers the ability to opt-out of OBA.

12 of 15

Possible risk of fines Significant risk of fines Other

5.13 Of these reported cases:  China: In March 2009, regulators "named and shamed" a number of e-commerce enterprises for misuse of personal information collected online.  Denmark: Danish respondents indicated that "many" cases relating to OBA have been referred to the local Consumer Ombudsman for consideration.  UK: Phorm weathered a tabloid storm and massive consumer backlash before finally withdrawing from the UK market in September 2009 and concentrating on opportunities overseas.  USA: In late 2008, fifteen co-plaintiffs issued civil proceedings in the District Court of Northern California against OBA technology user NebuAd and

© Osborne Clarke May 2010

osborneclarke.com

Global trend analysis

six ISPs with which NebuAd had worked. The claim cited NebuAd's (now discontinued) use of deep packet technology for the purposes of OBA, allegedly without the plaintiffs' prior consent. Damages in excess of $5 million were claimed. The causes of action include violation of the California Electronic Communications Privacy Act of 1986, California's Computer Crime Law and the federal Computer Fraud and Abuse Act. NebuAd subsequently filed for Chapter 11 bankruptcy.

Any reported cases relating to OBA Yes

No

Other

13 of 15

© Osborne Clarke May 2010

osborneclarke.com

6

Practical conclusions

Interpreting the survey results 6.1

Charts and statistics are all well and good, but what does this mean in practice? Based on the survey responses we received, we believe it is possible to identify the following global trends: 

14 of 15

Commission – are looking at very closely. Whilst the furore sparked by Phorm's OBA technology undoubtedly serves as a strong caution for the OBA industry, it is interesting to note that even that case did not result in actual enforcement action being taken against Phorm, either by ICO or by the UK Home Office (the other relevant regulator in that instance). However, while non-compliance in individual cases may currently attract a relatively low risk of enforcement, it would be wrong for the industry to adopt a "make hay while the sun shines" attitude towards compliance, which could seriously hamper self-regulatory efforts and encourage direct regulation.

Consumers and regulators are "cautious", not "disinterested": Overall, consumers and regulators seem to be getting more relaxed about OBA technology. However, it would be inappropriate to characterise consumers and regulators as "disinterested" – "cautious" would be a more accurate label: the majority of respondents indicated that some level of concern existed amongst consumers and regulators. Potentially, these concerns could go either way: if the selfregulatory efforts of the industry gather a head of steam, they may be warmly welcomed by regulators which, in turn, may help to allay consumer concern. However, if greater strides towards effective self-regulation (in particular, towards transparency, control and accountability) are not made, then legislators may look towards more direct regulation – with the resultant negative press and regulatory and consumer alarm that this will inevitably attract.



Local legal regimes could inhibit effective selfregulation: The majority of respondents continue to indicate that opt-in is a requirement for OBA. This is at stark odds with industry practice and, in particular, the direction that industry self-regulation is heading (both of which favour opt-outs).



Possible move towards opt-in in some territories: Interestingly, respondents in some territories that currently permit OBA on the basis of opt-outs anticipate that this may change in the near future. All but one of these respondents were based in European territories, possibly suggesting that the recent amendments to the PEC Directive introducing a "consent" requirement for cookies could usher in an opt-in regime for OBA in some European member states – potentially leading to a patchwork of different territorial requirements across Europe. The consequence of this would be OBA providers finding themselves forced to adopt a highest common denominator approach to European compliance or else to implement costly technical measures to address compliance on a territory-by-territory basis.



Compliance is not currently policed effectively: Whatever the technical legal position, actual enforcement for breach of local data protection laws by OBA activities (of any flavour) remains virtually non-existent (or, at least, unreported) at present. However, it is clearly an area that regulators – in particular, the European

OBA at a tipping point? 6.2

The above trends all point to one thing: OBA regulation is at a tipping point. There are clear tensions between current and anticipated local legal regimes, the cautious attitude of consumers and regulators, and the industry's desire to self-regulate on an opt-out basis. As this report has discussed, the industry has worked hard to promote a self-regulatory regime and ward off direct regulation – not least through the adoption of UK and US good practice principles and proposals for "enhanced notice" in the US. However, there is clearly more that can and must be done if direct regulation is to be averted. Direct regulation in a single major territory – such as the US – could start a global regulatory domino effect and the industry must work hard if it is to avoid this.

© Osborne Clarke May 2010

osborneclarke.com

7

Information and privacy law at Osborne Clarke

7.1

Osborne Clarke’s Information & Privacy Law team takes the headache out of dealing with data privacy matters, offering up-to-date, clear advice that is relevant to your business. We offer specialist privacy advice and audit services for a wide range of national and international businesses.

7.2

With a team of over 20 Osborne Clarke lawyers with expertise in every area of information and privacy law we have the capability to handle substantial and complex data protection projects. The team includes specialists in information management, IT, HR, marketing, outsourcing, financial services, freedom of information and environmental information law, ensuring that every angle is covered.

7.3

7.4

The UK team at Osborne Clarke works regularly with colleagues in Germany and Silicon Valley, as well as with data protection experts across our European network of Osborne Clarke Alliance and best friend firms. This means that, unlike many law firms, we offer genuinely pan-European solutions to data protection, privacy and technology security issues. Our specialist website www.marketinglaw.co.uk provides free monthly updates to all registered users, with articles often covering data protection aspects of marketing. Members of the team have authored The Data Protection Act Explained (originally published by the Stationery Office) and the UK law

chapter in Global Privacy & Security Law (published by Wolter Kluwers in Autumn 2009), are regular contributors to Data Protection Law & Policy, Privacy Laws & Business and World Data Protection Report, and are members of the International Association of Privacy Professionals. Our lawyers also contributed to www.dataguidance.com, the first website to offer a truly international approach to privacy guidance.

'[Osborne Clarke] provides “external expertise with an in-house outlook” for a number of household names' 'Clients find the firm “excellent at explaining issues and guiding us through this complex area.”' '[Osborne Clarke's] cross-discipline approach means the firm “understands the legal issues implicitly and can offer business-focused solutions.” ' Chambers UK, A Client's Guide to the UK Legal Profession, 2009

We hope that you find the global trends and attitudes highlighted by this report as interesting and useful as we have. If you would like further information or advice, then please do not hesitate to contact:

James Mullock Head of Technology T 0117 917 3322 [email protected]

Stephen Groom Head of Marketing & Privacy Law T 0207 105 7278 [email protected]

Phil Lee Associate, Digital Business T 0207 105 7478 [email protected]

For monthly UK and international reports on legal developments in online behavioural advertising and all other commercial communications law news, subscribe to Osborne Clarke's specialist website www.marketinglaw.co.uk.

15 of 15

© Osborne Clarke May 2010