Cookies collect information about users such as their registration information, movements through the website, the url of the site just visited and the site to which the user moves on to. Some information is collected on an anonymous basis without reference to the individual concerned and other cookies collect data from which it is possible to identify individuals. Increasing amounts of personal data are being collected by creating networks of websites which are affiliated so that once a cookie file has been created for one site, it will automatically be activated when an affiliated site is accessed. This information is of great value to website hosts and advertisers as it enables them to collect increasingly personal data on Internet users which can be used for marketing purposes.

Laws vary from country to country on the legality of this type of data collection. It appears that this type of collection is permissible provided the user who is the subject of such data is not personally identifiable. However the Federal Trade Commission in the United States recently conducted informal enquiries into the online data collection activities of a well-known online advertising firm, DoubleClick Inc. These investigations were commenced after a number of lawsuits were filed against the company by individuals. One law suit charged DoubleClick with "unlawful, misleading and deceptive business practices on the Internet that violate the privacy rights of the Plaintiff and the general public".

Initially the information collected by DoubleClick using cookies was anonymous. However when DoubleClick purchased a direct marketing research firm and revealed plans to track Internet users' movements on the Web and combine that data with people's names and addresses, consumers filed complaints questioning the fairness and legality of this kind of tracking. In response to the enquiries and consumer concern, DoubleClick has updated its privacy policy and made it clear that it no longer intends to combine the cookie technology with its marketing database in order to collate personally identifiable information.

In jurisdictions such as Hong Kong where data privacy and protection legislation is in force, the requirements to be complied with when collecting personal data online are even more stringent. Anyone intending to use cookies which collect identifiable personal data should ensure that Internet users are specifically notified of the extent and purposes of the data collection and that the user actually consents to such data collection. Ideally there should be an 'opt in' mechanism whereby consumers are required actively to consent to the data collection rather than requiring them actively to 'opt out' if they do not want data to be tracked online.

The Privacy Commissioner is drawing up a proposal which will make it mandatory for websites to register the type of personal data they collect, the purposes of such collection and the details of their personal data privacy protection policy. The proposal follows an investigation into the alleged breach of privacy laws by 16 websites and under the proposal failure to register could incur fines of up to HK$100,000. The proposal is to be offered for public consultation at the end of this year.

Unsolicited Commmercial E-mail

Unsolicited commercial e-mail, or spam, provides a quick, easy and cheap method of direct marketing. However it can amount to breach of personal data privacy laws and can be misused to bring down computer systems by clogging up the servers. Legal actions have been brought against spammers in various jurisdictions, usually by the ISPs whose servers are being used to distribute the junk mail. Various jurisdictions are considering introducing laws to prohibit spam. However in Hong Kong the government has indicated that it prefers to leave it up to the Internet and other industries to control spamming commercially. The Hong Kong Internet Service Providers Association has launched a code of practice to tackle spamming. The code provides measures for setting up a complaints outlet and restricting the amount of outgoing mail from free or pre-paid e-mail accounts, however it does not list any penalties to be enforced by ISPs.

China also has no regulations or controls on spamming at present and it is feared that as ISPs in the US clamp down on spam, the spammers will turn their attention to potentially vast networks in China for the distribution of their materials. Indeed the increasing quantities of Chinese language spam is seen by experts as an ominous indication of what is to come.

It is therefore advisable for ISPs to include in their standard terms and conditions a power to withdraw their services in the event of misuse of their service by spammers.

PRC Encryption Regulations Clarified

The Chinese government has now clarified the implications of its onerous State Council Order which requires foreign organisations or individuals using encryption products or equipment containing encryption technology in China to apply for permission. In a letter addressed to the US-China Business Council it was announced that the range of products subject to control does not include wireless handsets, scanner software or Windows software.

First published in E-lawasi@ in May 2000.