How will permission concerns reshape online behavioural tracking?

Behavioural tracking enables organisations to tailor the online experience to the individual customer. However, the privacy lobby has raised the issue of the user’s awareness of – and agreement to – their web behaviour being tracked. After recently exploring the matter of privacy and permission in marketing, Nick Fuller examines how the new integrated marketing environment is now creating issues for digital marketers that off-liners have faced for years.

By Nick Fuller, Jaywing

The growth of web personalisation techniques reflects a developing focus on providing users with information that is relevant to them during their visit, rather than their having to seek it out. Techniques such as behavioural targeting (BT) represent a logical extension of permission marketing principles that are most usually applied to media such as email and telemarketing. It’s only now though that the methodologies behind site-based personalisation are taking centre stage.

The principle of BT has always been simple – show users content and ads based on what they have previously looked at rather than simply where they currently are, or from some general site user profile (the dreaded ABC1 syndrome). Its rise was driven from two ends of the advertising spectrum.

"In the same way that behavioural tracking usage started in the States and spread, privacy concerns have followed the same pattern. Now the European Union's advisory body on data protection matters has focused its sights on the subject."


Nick Fuller, Jaywing

Firstly, brands wanted more flexibility in finding their audience; why should a car company be limited to advertising on ‘What Car’ when they could identify someone interested in buying a car within a news site for instance? Then publishers and site owners on the other hand, wanted to generate premium rates and could justify this by offering a level of targeting way beyond traditional general user profiles. Both ends of the spectrum saw a third beneficiary – the user - who saw more relevant advertising and had a better experience overall. So far so good.

However, the privacy lobby (especially in the US) raised the issue of the user’s awareness of – and agreement to – their web behaviour being tracked. For those companies using ‘in-site’ BT (i.e. where a user’s behaviour within a site is used to drive content within that same site) the issue seemed far less contentious than those using cross-site or network BT (where a user’s behaviour on one site could be used to target ads and content on many other sites that they visited across a network).

In the same way that BT usage started in the States and spread, privacy concerns have followed the same pattern. Now the European Union's advisory body on data protection matters (known as the Article 29 Working Party) has focused its sights on the subject.

So the BT companies have acted. Since content and display ads on a site are not personally targeted (unlike say email and mobile messages), a permission policy had hitherto been seen as unnecessary – now the industry has had to think again. Relying on the fact that consumers can disable cookies is not enough – we all know in the real world that many don’t or don’t know how to and, more to the point, this is in effect an opt-out process, and not a very transparent one. At the moment it looks like the BT networks are going for a more specific and upfront opt-out rather than opt-in principle, but it’s a start.

Little more than recklessness?

And yet several of the more contentious privacy concerns are examples of little more than recklessness. Take for example Google’s public ‘suggestion’ that it would create a super-database by matching consumer data from its search business to that of its newly acquired ad serving business, Doubleclick. This may have sounded like a great valuation press release, but it stirred up a mighty hornets nest in privacy circles; ironically it’s doubtful that such a process could ever have practically happened anyway despite the later very public climb-down.

Or take Facebook’s ‘Beacon’ programme in which users were told what their related Facebook connections had just been bought from a third party site. Volunteering such information without the user first agreeing to it was bound to cause a furore – and to what end? All it seemed to do was to show that Facebook could make such a connection if and when it so wanted.

Examples like this have little to do with the majority of tracking used online anyway, which are mostly anonymous. They may use a cookie which identifies a machine, but not a user. Or they may use an IP address which does the same but often on a temporary (and frequently less than accurate) basis. This is far removed from linking known individuals.

Indeed, the European legislation that governs electronic communications (the European Directive on Privacy and Electronic Communications) is very clear on what constitutes ‘personal data’ (i.e. something that directly or indirectly links to an individual), but also on what permission is required before such data can be used anyway.

Newer market entrants such as Wunderloop and Phorm emphasise the anonymity of their data. Take Phorm for example. The company uses a random number based ID created directly from the ISPs which redirect a page request to their own cookie allocation process and then on to the requested page. It stresses that no personal data is known to it or its ISP partners and that no data at all is stored.

Phorm’s position is that all tracking data is immediately deleted once the key attributes - from words used within the page (e.g. "flight" or "holiday" denoting a page relevant to travel) - are identified. Phorm also stresses an undeniably positive use of its tracking in that it posts a warning message to users who visit known phishing pages. Moreover, Phorm and its partner ISPs point to a Home Office opinion that their technology does not necessarily constitute illegal ‘interception’ as defined by the Regulation of Investigatory Powers Act 2000.

Positive interactions

Despite all of this, there is a view that the user’s permission to participate may not be transparent. The Office of the Information Commissioner is currently ‘reviewing’ Phorm whilst a Cambridge University security researcher is calling for a prosecution of behavioural tracking for undertaking a 2006 test of the technology without the permission of customers on the basis that interception and tracking was illegal. Since the product has not yet launched, even with one ISP, the truth is that the debate is currently largely theoretical.

It’s good to see that the discussion and debate is supported by real action in the form of the Internet Advertising Bureau's establishment of a group to look at the issue – this will no doubt lean heavily on the US Network Advertising Initiative (NAI) and maybe its outcome will similarly be a central opt-out register to supplement the ad networks’ own. One way or the other however we need strong self regulation – otherwise we may face legislation (probably of the ill-advised kind).

It’s interesting that the NAI experience shows that it is the industry that is driving openness rather than the consumer. Whilst we all agree that education and awareness is important to address the public’s very genuine and legitimate questions, we should be remember that this works only for those who want to listen.

For many of us in the industry, the basic principles of privacy and permission are always front of mind and driving all our work from media planning through creative and multi-channel execution. Take the new principle of ‘synaptic marketing’, where real-time online data is combined with stored offline data. It’s based entirely on providing a better service by tracking a consumer’s behaviour only across the brand’s site and incorporating personal data only as it relates to the consumer’s relationship with the brand – and then only with their permission.

Central to this is the principle that a ’positive interaction’ must be at the heart of the brand/consumer relationship. The underlying techniques of data collection may vary but the principle of being transparent with the consumer and ensuring that data is used only to deliver an improved service remain constant.

It’s no coincidence that our view is based on experience of traditional direct marketing where the privacy, suppression and opt-out debate has raged for years. Despite the fact that new media works with far less sensitive data than names and addresses, the new integrated marketing environment is now producing issues for digital marketers that off-liners have faced for years - and continue to face today.

Nick Fuller is a consultant at Jaywing.

Related stories