The growth of the Internet and e-commerce has enhanced the capacity of on-line companies to collect, store, transfer and analyse vast amounts of data from and about customers who visit their websites. Despite the introduction of data protection legislation in Europe and elsewhere in the world, this increase in the collection and use of data has raised consumer concerns about on-line privacy. In fact, studies by the US Federal Trade Commission [1] have estimated that concerns over privacy may amount to US$18 billion in lost on-line sales by 2002 if they are not addressed in the near future.
Given these facts, one would imagine that website operators would be seeking to address these concerns as soon as possible. However, this does not seem to be the case: a recent report issued by Consumers International [2] found, in its assessment of over 750 European and US websites, that most sites fell "woefully short of international standards on data protection." This is despite the fact that many on-line businesses feel that they are compliant with the relevant legislation. [3]
In the hope, perhaps, of allaying some of these privacy fears, the UK Information Commissioner has just released new guidance (the "Guidance") relating to the collection, use and transfer of data on websites and compliance with the Data Protection Act 1998 (the "Act"). [4] This article highlights some of the issues raised in that Guidance.
Affected Web Sites
The Act will apply to any data controller who processes personal data (as such terms are defined in the Act) provided that it is either (a) established in the UK and the data are processed in the context of that establishment or (b) not established in the UK (or any other EEA [5] state) but uses equipment in the UK for the processing of data other than for the mere transit of data through the UK.
A data controller is someone who determines the "purposes and manner" in which personal data are processed and a business can make this determination jointly or in common with other businesses. The Guidance states that a "website operator" is likely to fall within the definition of a data controller and as we understand it, this means the owner of a website (rather than a host of a website who is likely to be processing data on behalf of the website operator). If the website operator uses a separate data processor, then it must ensure that it has a written contract with the processor under which the processor is required to act only on the instructions of the website operator and to have in place appropriate technical and organisational security measures.
The Guidance does not expand on what the concept of "establishment" means for website operators. The general rule however is that there must be the "effective and real exercise of activity through stable arrangements" which is likely to include limited companies, branches or subsidiaries. If website operators are not established in the UK but elsewhere in the EEA, then they will be subject to the data protection laws of the countries in which they are established.
As set out above, in some circumstances, website operators established outside the EEA might also be subject to the Act if they use equipment in the UK to process personal data. The Guidance does include some comments on the effect of this provision for website operators. Since the data controller does not even have to own the equipment on which the processing takes place, this provision may apply where the operator's site is hosted in the UK or where the operator places a "cookie" on the computer of a UK internet user. If the website operator is using equipment in the UK (but is not itself established in the UK) then it must appoint a representative established in the UK.
If a data controller falls within the scope of the Act, it is required to notify its processing to the Office of the Information Commissioner on an annual basis unless exempt. Failure to do so where necessary is a criminal offence.
Fair and Lawful Processing
Under the Act, there are eight key obligations for data controllers. One of these is that personal data shall be processed fairly and lawfully.
In order for the processing to be fair, a website operator who collects personal data directly from individuals must always ensure that individuals are provided with the following information before it collects any personal data from them:
- The identity of the person or organisation responsible for operating the website and anyone else who collects personal data through the site;
- The purposes for which they intend to process the personal data;
- Any other information needed to ensure fairness to individuals, taking into account the specific circumstances of the processing. This will include informing individuals of any disclosure of information about them to third parties.
In addition to the above, personal data may only be processed where certain statutory preconditions are satisfied. A website operator must be able to satisfy at least one of the conditions in Schedule 2 to the Act for all personal data which it processes. In some cases, the only condition that a website operator will be able to fulfil (in order to allow it to carry on processing) is to ensure that the site users consent to any processing before it occurs. Therefore, many sites ask the user to actively indicate that he/she accepts the purposes for which his/her data are going to be used.
Where sensitive personal data [6] are being processed, then a further condition in Schedule 3 of the Act must also be complied with. Again, the most relevant condition to a website operator is that the user must have given his/her explicit consent to the processing of personal data.
Methods of Data Collection
Most websites will collect data in two ways: (i) by placing "cookie" files on users' PCs and (ii) by collecting information from various forms completed by users. However, information may also be obtained from other sources which may have data protection implications.
(a) Cookies [8] and similar devices
In simple terms, cookies are small pieces of computer code which are sent to a user's computer and are used as a means of building up a profile of a particular user (often without the user knowing that it is happening).
In the Guidance, the Information Commissioner has taken the view that profiles based on cookies that are used to deliver targeted marketing messages to particular individuals are personal data. As such, in order to ensure that data collection is fair, a user must be informed wherever a cookie or other tracking system enables the collection of personal data. This could be done either via the website's privacy statement or via an on-line notification that appears before the data collection begins.
The collection of IP addresses may also require a similar notification, although it can be harder to build up personal profiles from such addresses, particularly if they are dynamic. If the collection of the IP addresses is simply to analyse aggregate patterns of website use, they will not be personal data unless the website operator can link an address to a particular individual. Often, this information will not be available to a website operator.
In addition, a new technique for collecting data has been developed known as a "web-bug". A web-bug is a graphics file, generally only 1 x 1 pixel in size, that is designed to monitor who is reading a web page or email message. As with the use of a cookie, the use of such a device may result in personal data being processed without the knowledge of the user. The Information Commissioner recommends that if a website operator intends to use a web-bug or similar device, the user should be informed that such monitoring is taking place, who it is being performed by and the purposes of the monitoring. The user should also be given the opportunity to refuse or disable the device prior to any personal data being collected through it.
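As an added illustration (not part of the article or the Guidance), the following Python scans a page's HTML for third-party 1 x 1 or hidden images of the kind described above, so that an operator can identify the monitoring parties it needs to disclose; the sample HTML and host names are constructed.

```python
"""Find web-bug style tracking images in an HTML page.

A web-bug is typically a 1 x 1 pixel (or hidden) image fetched from a
third-party host. Listing them tells the operator which monitoring
parties must be named in its privacy notice. Constructed sample input.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for www.example.org (hypothetical hosts).
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="200" height="60" alt="logo">
<img src="/images/spacer.gif" width="1" height="1">
<img src="//tracker.example.net/pixel.gif" width="1" height="1">
<img src="https://ads.example.com/beacon.gif" style="display: none">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _dim(value):
    """Parse a size attribute such as '1' or '1px'; None if absent or odd."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


def find_web_bugs(html, site_host):
    """Return third-party images that are 1 x 1 pixel or hidden via CSS."""
    parser = ImgCollector()
    parser.feed(html)
    bugs = []
    for img in parser.images:
        src = img.get("src") or ""
        host = urlparse(src).hostname
        if not host or host == site_host:
            continue  # same-origin image: not a third-party web-bug
        tiny = _dim(img.get("width")) == 1 and _dim(img.get("height")) == 1
        style = (img.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style
        if tiny or hidden:
            bugs.append({"src": src, "third_party": host})
    return bugs
```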
(b) Registration/Order Forms
Most commercial websites will also require users to complete various forms in order to register, or to order goods or services from the site. Often, the data will include the user's name, address, telephone numbers and e-mail addresses. However, many websites may also request additional information such as the age, sex, health or occupation of their users and as such may find themselves unintentionally collecting sensitive personal data, which are subject to a higher level of consent. For example, a website may include an option to indicate a preferred type of reading material that may, for example, indirectly reveal the sexual preferences of the visitor or their religion.
Direct Marketing
Direct marketing is defined in the Act as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals." This may therefore include telephone and email marketing. The Act gives individuals the right to object to their personal data being used for direct marketing purposes.
As with the processing of any personal data, if a website operator is processing personal data for the purposes of direct marketing, then it will be required to comply with the data protection principles and most notably the principle to process fairly and lawfully. This will therefore include telling the users of a website that their data will be used for direct marketing purposes. The website operator must also satisfy the statutory preconditions discussed in section 2 above. In our view (which is supported by the Direct Marketing Association), the most relevant preconditions in Schedule 2 of the Act for direct marketing are that (i) the users have given consent to the processing or (ii) the processing is necessary for the purposes of the legitimate interests pursued by the website operator or by third parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. Whichever ground is relied on, the Guidance suggests that in order to ensure compliance with the Act, a website operator should provide the user with an opportunity to opt out of the use or disclosure of his/her personal data for direct marketing. An opt-out has several functions, including (i) providing consent, (ii) taking account of the rights, freedoms or legitimate interests of the data subjects and (iii) allowing individuals their right to object to the use of their personal data for direct marketing.
The Guidance is helpful on this point, as traditionally there has been considerable debate in direct marketing circles over the use of opt-in and opt-out consent (i.e. whether it is necessary to have an individual tick a box and positively ask to be added to a list for marketing purposes (opt-in), or whether it is sufficient to place on a form a box allowing an individual to tick it and be removed from a marketing list (opt-out)). Neither the Act nor the Directive upon which the Act is based (Directive 95/46/EC) provides any definitive guidance about whether an individual needs to opt in or opt out.
The Information Commissioner acknowledges that the opt-out position differs from that in many other European countries where the general standard is an opt-in clause but nevertheless provides the following opt-out wording which could be adopted by website operators:
"We would like to e-mail you with offers relating to products of ours that we think you might be interested in. Click here if you object to receiving such offers."
However, the Guidance also states that where sensitive personal data are collected, such a statement will not be sufficient and an individual's explicit consent will be needed. The sample wording suggested is as follows:
"We keep information you have provided us with about your health in order to send you offers of vitamin supplements we think you are likely to be interested in. Click here to show that you agree to this."
This article highlights some of the major issues discussed in the Guidance. However, the Guidance covers further topics including information relating to websites aimed at children, the disclosure of data in the event of a take-over or merger and the transfer of data to third parties and outside the EEA. We will be discussing these topics in our next article.
[1] Privacy On-line: Fair Information Practices in the Electronic Market Place, A Report to Congress, May 2000.
[2] Privacy@net, an international comparative study of consumer privacy on the Internet, Consumers International, January 2001: www.consumersinternational.org/news/pressreleases/fprivreport.pdf
[3] A recent survey conducted by Landwell found that 97% of dot-coms interviewed felt that they were already compliant with data protection legislation: Time for Law & Order: European dot-coms and the law, www.landwellglobal.com
[4] The Guidance is entitled Compliance Advice: Website frequently asked questions and is available from www.dataprotection.gov.uk
[5] The Member States of the EU together with Norway, Iceland and Liechtenstein.
[6] "Sensitive" data, as defined in the Act, are information as to a person's racial or ethnic origin; political opinions; religious or similar beliefs; trade union membership; physical or mental health; sexual life; commission of criminal offences; or involvement in criminal proceedings.
[8] A more detailed discussion about the nature of cookies appeared in the June issue, written by Sarah Gwyndaf-Roberts.
[9] For further information on this topic, please see the article in the April/May 2001 issue by Hazel Grant.
Written by Hazel Grant and Elizabeth Brownsdon. First published in Privacy & Data Protection Volume 1, Issue 8 in September 2001.