Legal Eagle
Q1 The targeted advertising offered by Facebook and other Web 2.0 websites relies on very detailed user profiling and looks very effective. Is it legal in the UK?
In the UK almost 80 per cent of the online population uses social networking websites. Facebook is the fifth most popular website in the UK, while MySpace has over 200 million users worldwide. As these websites contain detailed information about users' tastes, interests, location, contact details and network of friends, they have an enormous potential for targeted advertising based on user profiling.
Facebook's Beacon system, part of the social network’s ad system, sends data from external websites to Facebook to allow for targeted advertising. It was launched in the US in 2007 with a number of partner websites.
Websites that sign up to the Beacon program provide customer transaction information to Facebook. In exchange, those transactions are publicised on the Facebook website. For example, the message "John Smith has just purchased 'British Cooking' from Bookie.com" will appear on the Facebook page for John Smith and also the page of every friend within his Facebook network.
Beacon created controversy after its launch because it did not seek users’ permission to publish their activity from other websites.
Beacon is as yet only available to US-based websites, but there are plans to introduce it in the UK in Spring 2008. Although Beacon is now opt-in, so that the prior consent of the user is required before the transaction can also be publicised on Facebook, it is not yet clear if it complies with UK data protection laws.
It will largely depend upon how clear and fair the information given to users is; unless made sufficiently clear, it is likely to be unlawful if the transaction information for a user who opts out of Beacon is still shared with Facebook for profiling purposes even though the transactions for that user are not publicised on Facebook.
Q2 If we sign up as an affiliate website to take advantage of such user profiling, what sort of information will we need to tell our users to ensure we comply with the law?
For UK websites wishing to use such products for marketing, the main requirement will be that users of their own website are provided with an accurate picture of how their transaction information will be used. This is to avoid falling foul of the laws on data protection and, where relevant, the direct marketing rules. Such a "fair obtaining" notice will include details of:
• the information shared;
• the recipients of the information;
• how the recipients will use the information; and
• whether the recipients are outside the EU.
Although arguably an opt-out system for users will be sufficient, the safer course for affiliate websites will be to obtain the prior consent of users by requiring them to opt-in to the sharing of their data in this way. This can be done simply with the commonly used "tick box".
Both the EU and UK data protection regulators have now taken a keen interest in user profiling. Using the opt-in approach will "future proof" the fair obtaining notice pending clarification by the regulators of their approach to marketing based on user profiling.
Mark Turner is a partner in the Technology Media and Telecommunications (TMT) Group at Herbert Smith LLP.