Profiling the mobile customer - Privacy concerns when behavioural advertisers target mobile phones - Part I

Computer Law and Security Review

Volumn 26, Issue 5, 2010, Pages 455-478

  King, Nancy J ^a   Jessen, Pernille Wegener ^b  

^a OREGON STATE UNIVERSITY   (United States)

^b AARHUS SCHOOL OF BUSINESS   (Denmark)

Author keywords

Consumer profiling; Data mining; Data protection; Mobile commerce; Mobile phones; Online behavioural advertising; Privacy; Targeted marketing

Indexed keywords

CONSUMER PROFILING; DATA PROTECTION; MOBILE COMMERCE; ONLINE BEHAVIOURAL ADVERTISING; PRIVACY; TARGETED MARKETING;

COMMERCE; CUSTOMER SATISFACTION; DATA MINING; LAWS AND LEGISLATION; MOBILE DEVICES; MOBILE PHONES; MOBILE TELECOMMUNICATION SYSTEMS; SALES; TELEPHONE; TELEPHONE SETS;

DATA PRIVACY;

EID: 77957971111     PISSN: 02673649     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.clsr.2010.07.001     Document Type: Article

References (178)

1. The article is related to the research project Legal Aspects of Mobile Commerce and Pervasive Computing: Privacy, Marketing, Contracting and Liability Issues funded by the Danish Council for Independent Research; Social Sciences. See further information on the project, at: http://www.asb.dk/article.aspx/pid/ 19387.
2. The second article in this two part series on Profiling the Mobile Customer will appear in the next issue of CLSR. The second article looks at alternative approaches to protect consumers privacy and data protection that include legislation, industry self-regulation and technology. It compares two leading self-regulatory codes from the United Kingdom and the United States that have been developed by industry associations for use by their members engaged in behavioural advertising.concluding that there are serious deficiencies in these current self-regulatory approaches in terms of addressing key privacy and data protection concerns of profiling for mobile customers and that current technology is not adequate to protect consumers, it concludes that legislation needs to be adopted in both the EU and the U.S. to close the gaps in the current regulatory frameworks and support stronger industry self-regulation. It offers suggestions for that reform to both protect consumers and enhance the regulatory environment for mobile commerce. available at www.sciencedirect.com www.compseconline.com/publications/prodclaw.htm comp u t e r law & s e c u rity rev iew 2 6 ( 2 0 1 0 ) 4 5 5 e4 7 8 0267-3649/e see front matter 2010 Nancy J. King & Pernille Wegener Jessen. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2010.07.001
3. Hildebrandt, M. and Gutwirth, S. (eds.), Profiling the European Citizen, Cross-Disciplinary Perspectives, Springer, p.1 (2008) (Profiling the European Citizen) (emphasis in original).
4. Council of Europe, Draft Recommendation on the Protection of Individuals with regard to Automatic Processing of Personal Data in the Context of Profiling, The Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, T-PD-BUR (2009) 02 rev
5. Fin, p. 5 (resulting from the 21st Bureau Meeting, Lisbon, 13e15 April 2010) (CE Draft Recommendation on Profiling), available at: http://www.coe.int/ t/e/legal-affairs/legal-co-operation/data-protection/events/t-pd-and-t-pd-bur- meetings/2T-PD-BUR- 2009-02rev5-en-Fin.pdf.
6. Dinant et al., Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data: Application of Convention 108 to the Profiling MechanismdSome Ideas for the Future Work of the Consultative Committee, T-PD(2008)01, Centre de Recherches Informatique et Droit (CRID), p. 5, (Jan. 2008) (Dinant et al.), available at: http://www.statewatch.org/news/2008/aug/coe-profiling-paper.pdf.
7. Dinant et al., note 5, p. 5 (distinguishing consumer profiling by marketers from psychological profiling used by law enforcement to help identify criminal behaviour that attempts to get inside the criminals mind).
8. Profiling the European Citizen, note 3, p.1.
9. Hildebrandt, M., Profiling into the Future: An Assessment of Profiling Technologies in the Context of Ambient Intelligence
10. FIDIS Journal of Identity in the Information Society 5 (2007), available at: http://www.fidis.net/fileadmin/journal/issues/1-2007/Profiling-into-the- future.pdf(alteration in original).
11. According to Hildebrandt:Automated profiling can be described as the process of knowledge discovery in databases (KDD), of which data mining (DM; using mathematical techniques to detect relevant patterns), is a part. KDD is generally thought to consist of a number of steps:(1) recording of data(2) aggregation & tracking of data(3) identification of patterns in data (DM)(4) interpretation of outcome(5) monitoring data to check the outcome (testing)(6) applying the profiles. Ibid. p. 5 (citations omitted). This type of profiling is new in two ways: it is produced by machines and it differs from classical empirical statistics because it results from a hypothesis that emerges in the process of data mining that is then tested on the population rather than a sample. Ibid. p. 6. An advantage of KDD is that it can "trace and track correlations in an ever-growing mass of retained data and confront us with inferences drawn from past behaviour that would otherwise be lost to oblivion". Ibid. (citations omitted).
12. CE Draft Recommendation on Profiling, note 4, p. 2 (para. 10); Hotaling, note 11, pp. 537e538 (explaining how online behavioural advertisers target consumers by acquiring user postings and clickstream data, analyse that data to form comprehensive personal profiles and serve advertisements that best match the interests expressed by the profiles). Hotaling also explains the direct marketing practice that segments tracked user history into distinct market segments. For example, within the broad market of automobiles, a company may create three distinct market segments: auto enthusiast, hybrid car shoppers and European import buyers. Ibid. p. 538. Then, based on a consumers comprehensive personal profile, he or she would be assigned to one of these segments to be used for direct marketing purposes. Ibid. Behavioural advertisers are able to assign consumers to precise market segments (group profiles) based on individual customer profiles
13. Benoist, E., Collecting Data for the Profiling of Web Users, in Profiling the European Citizen, note 3, p. 172 (discussing applications of profiling that include implementation of oneto- one marketing that entails targeting information and special offers toward each specific client). Categories of data used by behavioural advertisers to produce targeted advertising include behavioural data (qualifies consumers based on interests), transactional data (transactions-based behavioural data based on conversations, etc., which may be real-time), and other demographic data (including data derived from user site registration, data verified at the household level, such as age, marital status, home-owner, etc).complaint, Request for Investigation, Injunction and Other Relief: Google et al., Center for Digital Democracy (CDD), U.S. PIRG (a federation of state Public Interest Research Groups), World Privacy Forum (CDD et al.), before the Federal Trade Commission (FTC), pp. 11e13 (8 Apr. 2010) (CDD Profiling Complaint), available at: http://democraticmedia.org/files/u1/ 20100407-FTCfiling.pdf(last accessed, 7 June 2010).
14. See Cleff, E., Mobile Advertising: Proposals for Adequate Disclosure and Consent Mechanisms, PhD Dissertation, Aarhus School of Business, Aarhus University, Aarhus, Denmark, pp. 30e31 (2009) (Cleff, Mobile Advertising Dissertation). Mobile commerce (m-commerce) includes all commercial transactions conducted through mobile communications networks that interface with mobile devices. Ibid. (citing Turban et al., Electronic Commerce 2008: A Managerial Perspective, p. 431 (Pearson Prentice Hall, 2008)). Mobile Advertising (madvertising) is a part of mobile commerce. Cleff, Mobile Advertising Dissertation, p. 31. M-advertising can be defined "as the act of sending electronic advertisements to consumers who carry mobile devices". Ibid. p. 33. There are two major forms of m-advertising: "adsdeliveredin othermedia that feature a call-to-action, e.g.,anmadvertising delivered via text messages, and ads delivered on the mobile device itself, e.g., within a mobileWeb browser". Ibid. p. 34.
15. Cleff, Mobile Advertising Dissertation, note 15, p. 34.
16. See, e.g., CDD Profiling Complaint, note 14, p. 3 (asking the FTC to investigate behavioural advertisers including Microsoft, Google and Yahoo and leading companies providing auctioning and data collection/targeting systems that support consumer profiling, for unfair and deceptive trade practices under Section 5 of the Federal Trade Commission Act). The Complaint asks the FTC to ensure consumers have meaningful control over their information and asks the FTC to seek injunctive and compensatory relief). See also, Press Release, CDD, U.S. PIRG, and World Privacy Forum Call on Federal Trade Commission to Investigate Data Collection Wild West Involving Real-Time Advertising Auctions and Data Exchanges, CommonDreams.org (8 Apr. 2010), available at: http://www. commondreams.org/newswire/2010/04/08-0 (last accessed, June 2010).
17. CDD Profiling Complaint, note 14, p. 1 (para. 1).
18. CDD Profiling Complaint, note 14, pp. 20, 28 (reporting that the Rubicon project serves both the UK and Europe and OpenX is working with Europes largest ad network operated by Orange of France Telecom).
19. Gomez et al., KnowPrivacy Report, U.C. Berkeley School of Information, p. 5 (1 June 2009) (reporting the results of a recent study by graduate students comparing consumer expectations for online privacy with Internet companies data collection practices, including how companies gather information about users web activities using cookies and beacons, finding that despite consumer demand for control over howtheir personal information is collected and used, web analytics tools are used widely, often without users knowledge), available at: http://knowprivacy.org/report/KnowPrivacy-Final-Report.pdf(last accessed 7 June 2010).
20. Gomez et al., note 20, pp. 19e20 (reporting on data collected by TRUSTeaboutconsumer complaints relatedtoitsmemberwebsites). See also 2009 Study: Consumer Attitudes about Behavioural Targeting, TRUSTe (4March2009), available at: http://www.truste.com/pdf/Behavioral-Targeting-Data-Sheet.pdf(last accessed 7 June 2010).
21. See CE Draft Recommendation on Profiling, note 4, p. 2 (paras. 2, 3) (explaining that information and communication technologies (ICTs) allow the collection and processing of data on a large scale, including personal data, in both the private and public sectors, noting that continuous development of convergent technologies poses new challenges regarding collection and further processing of data). Data collection by ICTs may include traffic data and Internet user queries in search engines, data relating to consumer buying habits, data stemming from social networking and geo-location data concerning telecommunications devices, as well as the data stemming from video surveillance cameras, biometric systems and by Radio Frequency Identification Systems. Ibid.
22. See Cleff, E.B., Implementing the Legal Criteria of Meaningful Consent in the Concept of Mobile Advertising, 23-3 Computer Law & Security Report, pp. 262e269 (2007) (Cleff, CLSR).
23. King, N., Direct Marketing, Mobile Phones, and Consumer Privacy: Ensuring Adequate Disclosure and Consent Mechanisms for Emerging Mobile Advertising Practices, 60-2 Federal Communications Law Journal, pp. 239e247 (2008) (King, FCLJ (2008)).
24. Firms Merging Offline, Online Data to Improve Ad Targeting, International Association of Privacy Professionals (15 Mar. 2010), available at: https://www.privacyassociation.org/publications/2010-03-15-firms-merging- offline-online-data-to-improve-ad- targeting/(last accessed 7 June 2010).
25. Mantell, R., Identity theft is top consumer complaint, Market Watch (14 Feb. 2008), http://www.marketwatch.com/story/identity-theft-is-no-1-consumer- fraud-complaint (last accessed June 2010)
26. See CE Draft Recommendation on Profiling, note 4, p. 2. When profiles are attributed to an individual consumer (data subject) it is possible to generate new personal data. Ibid. The data subject has not communicated this new personal data to the controller and cannot be presumed to know about the new personal data generated by profiling, especially since the profiling activity may not be visible to the consumer. Ibid.
27. Use of anonymous data for profiling purposes may satisfy data protection rights under Council of Europe Convention 108 and the Data Protection Directive, but it does not eliminate the individuals privacy rights under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). Dinant et al., note 5, pp. 30e31. See also, Article 15 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, 23.11.95 (Data Protection Directive). However, when a profile is "attributed" to a data subject, at least arguably this attribution creates new personal data that the data subject did not communicate to the controller, and therefore the data subjects rights under the Data Protection Directive would apply. See CE Draft Recommendation on Profiling, note 4, p. 2 (para. 7).
28. Scholars have argued that most profiling is done on the basis of anonymized data to which EU data protection legislation does not apply. See, e.g., Wim Schreurs et al., Legal Issues: Report on the Actual and Possible Profiling Techniques in the Field of Ambient Intelligence, FIDIS deliverable 7.3, p. 49 (2005), available at: http://www.fidis.net/resources/deliverables/ profiling/d73- report-on-actual-and-possible-profiling-techniques-in-the- fieldof- ambient-intelligence/doc/26/(last accessed 7 June 2010). In the same way, the application of a group profile to an anonymous person does not generally fall within the scope of EU data protection legislation, although it may have substantial consequences for this person. Ibid.
29. Hildebrandt, note 8, p. 9. A second privacy concern is the risk of unfair discrimination based on refined profiling technologies that allow sophisticated market discrimination, such as price discrimination between groups of customers that is based on undisclosed group profiles. Ibid. p.10. While price discrimination"maybe a good thing in a market economy . fairness again depends on consumers awareness of the way they are categorized". Ibid.
30. Hildebrandt, note 8, p. 9.
31. Hildebrandt, note 8, p. 10.
32. Hildebrandt, note 8, p. 10.
33. Hildebrandt, note 8, p. 16e17 (arguing for regulationthat creates a privacy right to access, in real-time, knowledge profiles being applied to people; including the potential consequences, in order to protect personal autonomy). Hildebrandt argues that Transparency- Enhancing Technologies (TETs), as well as Privacy- Enhancing Technologies (PETs), need to be provided with respect to the use of the smart technologies that enable Ambient Intelligent (AmI) Environments). She lists sensor technologies, RFID systems, nanotechnology and miniaturization as the enabling technologies. Ibid. pp. 7, 15e17
34. See also, Ng, H., Targeting Bad Behaviour: Why Federal Regulators Must Treat Online Behavioural Marketing as Spyware, 31 Hastings Communications and Entertainment Law Journal, p. 374 (2009) (Ng) (commenting that "targeted ads can be highly manipulative, causing consumers to lose autonomy because of the ad companies creationofpsychological profilesbasedonthe companiesperceived notions of the users interest, rather than the users own choices").
35. See CE Draft Recommendation on Profiling, note 4, p. 3 (para. 12) and p. 7(C.4.11) (recommending that the processing of sensitive data in the context of profiling be prohibited except if these data are necessary for the lawful and specific purposes of processing and domestic law provides appropriate safeguards). Sensitive data is defined to mean "personal data revealing the racial origin, political opinions or religious or other beliefs, as well as personal data on health, sex life or criminal convictions, as well as other data defined as sensitive by domestic legislation". Ibid. p. 5.
36. See CE Draft Recommendation on Profiling, note 4, p. 2 (para. 7)
37. Advertising and Consumer Rights, EurActiv.com (6 Jan. 2010) (Advertising and Consumer Rights) (reporting a recommendation by Ed May, chief executive of Consumer Focus, to place all childrens websites under the supervision of the UK Advertising Standards Authority as an important step for childrens rights because "At the heart of our request are recent research findings that UK children really do not understand that the company websites they use are designed as a marketing activity to build brand loyalty and to generate sales".) (Summary EU Advertising and Consumer Rights Regulation), available at: http://www.euractiv.com/en/innovation/advertising-consumer-rights/article- 187133 (last accessed 7 June 2010).
38. Advertising and Consumer Rights, note 38 (discussing the need to make allowances for vulnerable groups of consumers through regulation of advertising).
39. The privacy implications of mobile marketing and regulation of mobile marketing practices have been explored in other articles and are generally outside the focus on consumer profiling in this article. See generally, King, FCLJ (2008), note 24 and Cleff, Dissertation, note 15.
40. Countries, U.S., European Commission Trade, available at:http://ec.europa.eu/trade/creating-opportunities/bilateralrelations/ countries/united-states/index-en.htm (last accessed 7 June 2010).
41. Villoch, A., Europes Mobile Opportunity: Can the European Union Legislate Consumer Trust and Compete in the e- Commerce Market with the United States? 20 Pennsylvania State International Law Review, pp. 446e48 (2002).
42. Pavlou, P.A., Consumer acceptance of electronic commerce: Integrating Trust and Risk with the Technology Acceptance Model. 7(3) International Journal of Electronic Commerce, pp. 105e106 (2003) (defining trust in online retailing as "the belief that allows consumers to willingly become vulnerable to web retailers after having taken the retailers characteristics into consideration"); Consumers trust toward an online retailer is influenced by their perception of the likelihood that their personal information will not be abused.
43. Rifon et al., Your Privacy is Sealed: Effects of Web Privacy Seals on Trust and Personal Disclosures, 39(2) Journal of Consumer Affairs, p. 345 (2005).
44. Council Directive 2005/29/EC, OJ L 149/22, 11.06.2005 (Unfair Commercial Practices Directive) (last accessed 15 Jan. 2010); The Federal Trade Commission Act, 15 U.S.C. x 57a(a)(1)(b) (2010) (prohibiting unfair or deceptive trade practices). The European Unions Unfair Commercial Practices Directive, which must be implemented into Member-States laws and allows Member States to adopt national laws that provide additional health and safety protections for consumers, is similar to the Federal Trade Commission Act in the United States (FTC Act). Both EU and U.S. laws apply to unfair and deceptive marketing practices.compare U.S.C. x 57a(a)(1)(b) (2010) (providing FTC enforcement authority that covers unfair or deceptive acts or practices that occur in or affect interstate commerce) and the EUs Unfair Commercial Practices Directive, arts. 3, 11, 19. U.S. law also allows U.S. states to adopt laws that are more protective of consumers than the federal law. FTC, Comments of Verizon Wireless in re Telemarketing Sales Rules Review, FTC File No. P994414 (Fed. Trade Commn 16 May 2006), available at: http://www.ftc.gov/bcp/rulemaking/tsr/comments/ verizon.htm (last accessed 7 June 2010). However, unlike the FTC Act, the EUs Unfair Commercial Practices Directive more specifically defines prohibited business practices. See, for example, Unfair Commercial Practices Directive, arts. 6 (defining misleading actions), 7 (defining misleading omissions), 8 (defining aggressive commercial practices), 9 (prohibiting use of harassment, coercion and undue influence).
45. For an example of a Federal Trade Commission enforcement action against a company that violated its own privacy policy, see Agreement Containing Consent Order, Gateway Learning Corp., File No. 042-3047 (Fed. Trade Commn 2003), available at: http://www.ftc.gov/os/caselist/0423047/040707agree0423047.pdf(last accessed 7 June 2010). See also, 15 U.S.C. x 57a(a)(1)(b); Unfair Commercial Practices Directive, note 44, art. 6(2)(b) (prohibiting, as a misleading action, the non-compliance with commitments made by a business that are capable of being verified (e.g., not merely aspirational) and made by a business in a code of conduct to which the business has agreed to be bound). The situation of businesses adopting privacy policies but failing to follow them is an example of the weakness in relying on industry self-regulation to protect consumers privacy and personal data and why government regulation may be needed.
46. See Eisenhauer, M., The IAPP Information Privacy Case Book: A Global Survey of Privacy and Security Enforcement Actions With Recommendations for Reducing Risks, International Association of Privacy Professionals (IAPP), pp. 53-55 (2008) (discussing the Federal Trade Commissions enforcement action in The BJs Wholesale Club Case from September 2005 which concluded it is an unfair trade practice for a business to collect sensitive personal information, such as credit card numbers, unless reasonable security exists to protect the information). The EUs Data Protection Directive requires data controllers to provide security for personal data whether or not the data is sensitive. Data Protection Directive, note 28, art. 17.
47. King, N., When Mobile Phones Are RFID-Equipped, Finding E.U.-U.S. Solutions to Protect Consumer Privacy and Facilitate Mobile Commerce, 15 Michigan Telecommunications and Technology Law Review, pp. 156e168 (2008) (King, MTTLR (2008)). Under the European Unions regulatory framework, mobile phone devices and mobile communication services are regulated as information society services. See Thematic Portal, Information Society and Media Directorate, European Commission, at: http://ec.europa. eu/information-society/index-en.htm (last accessed 7 June 2010). Regulation of e-commerce is generally addressed as regulation of information society services. See, e.g., Directive of the European Parliament and of the Council 2000/31/EC of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular e-Commerce, in the Internal Market, OJ L 178/1,17.07. 2000, preamble paras. 2, 4e5, 7e9 (E-Privacy Directive). The ECommerce Directive requires that specified types of information be included in promotional offers and that required information be clear. Ibid. art. 6. Advertisements, including m-ads, must be identifiable to the consumer as commercial communications. Ibid. arts. 6(a), 7.
48. King, MTTLR (2008), note 47, pp. 156e168.
49. Summary EU Advertising and Consumer Rights Regulation, note 38, pp. 2e3 (commenting that "in principle, advertisers are bound by the code of conduct set out by the International Chamber of Commerce [ICC code of conduct], but electronic communications is outgrowing the current regulation and raising important questions regarding advertising and consumer rights in the online world".). See ICC International Code of Advertising Practice, Commission on Marketing, Advertising and Distribution (French Version, April 1997) (ICC code of conduct), available at: http://www.iccwbo.org/id905/index.html (last accessed 7 June 2010). In 2008 the Digital Marketing Communications Best Practice guidebook (October 2008) was produced by self-regulatory organizations that included advertising agencies (available at the website of the European Advertising Standards Alliance (EASA), www.easa-alliance.org) (last accessed 7 June 2010). Behavioural advertising was a particular concern raised in the European Commissions European Consumer Summit in 2009. On the topic of behavioural advertising, EU Consumer Affairs Commissioner Kuneva warned: "there is a lack of consumer awareness surrounding the collection of data", yet "personal data is the new oil of the Internet and the currency of the digital world". See Summary EU Advertising and Consumer Rights Regulation, note 38, p. 4
50. Regulation (EC) No 1211/2009 of the European Parliament and scope by defining personal data as information relating to an of the Council of 25 November 2009 establishing the Body of European Regulators for Electronic Communications (BEREC) and the Office; Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users rights relating to electronic communications networks and services; Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws; Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services; 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities; and 2002/20/EC on the authorization of electronic communications networks and services, OJ L 337, 18.12.09, pp. 1-69 (EU Telecoms Reform Package).
51. Federal Trade Commission, Self-Regulatory Principles For online behavioral advertising, February 2009 (FTC Guidelines), available at: http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf(last accessed7 June2010); Shields,M., PatrollingBadBehaviour, New FTC powers, Boucher Bill could crimp Web , MediaWeek (21 Mar. 2010) (reporting that U.S. Representative Rich Boucher is expected to introduce a newconsumer privacy bill that will "impact the entire 25 billion online ad market and that the proposed financial reform bill would greatly expand the regulatory powers of the Federal Trade Commission). To date, draft legislation thatwould regulate the online behavioural advertising industry has been circulatedfor comment.SeeStaff DiscussionDraft,H.R.-,ABill to require notice and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual, In the House of Representatives, 111th Congress, 1st Session (3 May 2010), available at: http://www.boucher.house.gov/images/stories/Privacy-Draft-5-10.pdf(last accessed 7 June 2010).
52. See Treaty of Lisbon amending the Treaty on European Union, the Treaty establishing the European Community, OJ C 306/1, 17.12. 2007 (recognizing Article 8 of the European Convention for the Protection ofHuman Rights and Fundamental Freedoms(ECHR) and requiring Members of the European Union to respect the fundamental rights guaranteed by the Convention), consolidated version, available at: http://eur-lex.europa.eu/JOHtml.do/uriOJ:C:2008:115: SOM:EN:HTML (last accessed 7 June 2010). The Charter of Fundamental Rights of the European Union provides: "Everyone has the right to the protection of personal data concerning him or her". Charter of Fundamental Rights of the EuropeanUnion, art. 8, 2000 OJ C 364/1 (hereinafter EU Charter), available at: http://www.europarl. europa.eu/charter/pdf/text-en.pdf(last accessed 7 June 2010).
53. See Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data including its additional protocol (CETS 108, 1981 and CETS 181, 2001, hereinafter convention 108); Polakiewicz, J, "Smile! Theres a camera behind the ad or Send it to a friend: privacy in light of the new advertising techniques", 31st International Conference of Data Protection and Privacy Commissioners, Madrid, Spain (5 Nov. 2009) (explaining the application of the ECHR and convention to automatic profiling practices including online behavioural advertising), available at: http://www.coe.int/t/e/ legal- affairs/legal-co-operation/data-protection/Intervention% 20Madrid%20Conference%205%20November%202009.pdf(last accessed 7 June 2010). See also, European Court of Justice, In re Bodil Lindqvist Case C-101/2001, recital 27, judgment 6 Nov. 2003 (holding the "act of referring, on an Internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46").
54. See generally, Data Protection Directive, note 28; E-Privacy Directive, note 47.
55. Data Protection Directive, note 28, art. 4.
56. Data Protection Directive, note 28, art. 4. preamble para. 10 (providing that "the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law"). Privacy as a fundamental right is also recognized in international law. See, e.g., International Covenant on Civil and Political Rights and Optional Protocol to the International Covenant on Civil and Political Rights, G.A. Res. 2200 (XXI), U.N. GAOR, 21st Sess., Supp. No.16, U.N. Doc. A/6316 (1966) (ICCPR).
57. Data Protection Directive, note 28, art. 2(a) (including natural persons "who canbe identified, directly or indirectly, inparticular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity"). But see Dinant et al., note 6, pp. 12e14 (stating that, unlike the other provisions in the Data Protection Directive, Article of this directive, which deals with automated individual decisions, may make it unlawful tomake a decision about an individual solely on the basis of automated data processing, even when no personally-identifying information is used in the process, if several cumulative conditions are met). The Data Protection Directive defines the processing of personal data broadly as "any operation or set ofoperationswhichisperformeduponpersonaldata,whether or not byautomaticmeans, such as collection, recording, organization, storage, adaptation or alteration, retrieval,.use,.dissemination, [etc]". Data Protection Directive, note 28, art. 2(b).
58. Data Protection Directive, note 28, art. 10.
59. The eight requirements to process personal data in the EU are: 1) fair and lawful processing; 2) collection and processing only for a proper purpose; 3) that data be adequate, relevant and not excessive; 4) that data be accurate and up to date; 5) that data be retained no longer than necessary; 6) that the data subject (consumer) have access to his or her data from the data controller; 7) that the data be kept secure; and 8) no transfer of personal data to a country that does not provide an adequate level of privacy and personal data protection. See generally, Data Protection Directive, note 28, arts. 6 et seq.
60. Data Protection Directive, note 28, art. 6(1)(b).
61. Data Protection Directive, note 28, art. 7.
62. Data Protection Directive, note 28, art. 12.
63. Data Protection Directive, note 28, art. 6(1)(c).
64. Data Protection Directive, note 28, art. 8 (prohibiting the processing of special categories of personal data without explicit consent, with certain exceptions).
65. See Data Protection Directive, note 28, p. see also National Data Protection Commissioners, http://ec.europa.eu/justice- home/fsj/privacy/ nationalcomm/index-en.htm (last accessed 7 June 2010).
66. E-Privacy Directive, note 47, art. 1 (does not reflect 2009 amendments by the EU Telecoms Reform Package, note 50).
67. E-Privacy Directive, note 47, art. 13(1). It specifically covers telemarketing calls made by autodialing equipment and electronic mail. Ibid. The exception only applies if all of the following conditions are met: (1) the consumer is a customer of the person sending the direct marketing communications; (2) the consumers electronic contact details were obtained by the person sending the direct marketing from the consumer in the context of a sale of a product or service; and (3) the consumer has the opportunity to object, free of charge, at the time the contact details were collected as well as later, to the sending of direct marketing communications. Ibid.
68. E-Privacy Directive, note 47, art. 13(2).
69. The E-Privacy Directive prohibits using electronic communications networks to store information or to gain access to information stored in the terminal equipment of the subscriber or user unless consumers have been given clear and comprehensive information consistent with the Data Protection Directive and the opportunity to refuse processing of their personal data. E-Privacy Directive, note 47, art. 5(3). Recent amendments to the E-Privacy Directive enhance consumers privacy with respect to cookies but are not yet effective. See Section 5.1 of this article (the EUs Telecoms Reform Package).
70. See Concise European IT Law, pp. 169-170 (Alfred Büllesbach et al. eds., 2006).
71. Traffic data is "any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof". E-Privacy Directive, note 47, art.2(b). Location data means "any data processed in an electronic communications network, including the geographic position of the terminal equipment of a user of a publicly available electronic communications service". Ibid. art. 2(c). The definition of location data has recently been amended broadening its scope as follows: "location data means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service". EU Telecoms Reform Package, note 50, at art. 2(c) (emphasis added to highlight the new wording). The scope of the E-Privacy Directive was also amended to clarify that it applies "to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices". EU Telecoms Reform Package, note 50, art. 3.
72. E-Privacy Directive, note 47, art. 6(3). Furthermore, the public carrier must erase or make anonymous such traffic data when it is no longer needed for the purpose of transmitting a communication, unless the subscriber has given consent or another exception applies. Ibid. art. 6(1).
73. E-Privacy Directive, note 47, art. 9(1). Article 9 also gives subscribers the right to withdraw their consent to the use of location data that is personal data. Ibid. art. 9(1)e(3). Location data: "May refer to the latitude, longitude and altitude of the users terminal equipment, to the direction of travel; to the level of accuracy of the location information; to the identification of the network cell in which the terminal equipment is located at a certain point in time and to the time the location was recorded". Ibid. preamble para. 14. Access to location data is essential to providing location-based services through a telecommunications network.
74. See also, Robinson et al., Review of the European Data Protection Directive, Rand Europe, pp. 22-40 (Information Commissioners Office, 2009) (Rand Report).
75. Rand Report, note 74, pp. 45e46.
76. Rand Report, note 74, p. 24.
77. Static IP addresses do not change and the same number is assigned to the same computer over time. Lah, F., Are IP Addresses "personally-identifiable information"? 4 I/S: A Journal of Law and Policy for the Information Society, pp. 689e692 (2008e2009). In contrast, dynamic IP addresses are assigned to a computer for the duration of the users Internet session and a new IP address number is assigned for each subsequent Internet use session. Ibid. Static IP addresses serve as constant identifiers, permitting individuals online behaviour to be tracked over time and creation of individual profiles. Ibid. A third form of IP addresses, sometimes called "hybrid" IP addresses, are dynamically assigned IP addresses that include a static component. Ibid. Like static IP addresses, hybrid IP addresses may enable identification of the user with some degree of accuracy and better support the creation of consumer profiles. Ibid. (reporting that current IP addressing technology can contain a Host ID, or interface identifier, "that remains constant even when the Network ID, or topographic portion, of the address changes" and thus "may be considered a hybrid of the static and dynamic forms of IP addresses, with part of it remaining constant and the other part changing"). This type of "constant interface identifier could potentially be used to track the movement and usage of a particular device as it connects from different locations". Ibid. Further, even with assignment of a dynamic IP address that is not a hybrid IP address, it may be realistically possible to identify an individual user because other data is captured about the users computer system or other personal data is available to enable identification and tracking of the user. Ibid. pp. 692e704.
78. Data Protection Directive, note 28, art. 3(1)
79. CNIL Report, partial English translation, note 10, pp. 10e11. See also, Dinant et al., note 6, pp. 12e14
80. Poullet, Y., Data protection legislation: What is at stake for our society and democracy? 25 Computer Law and Security Review, p. 220 (2009) (discussing secondary identifiers that include IP addresses).
81. Article 29 Data Protection Working Partys, Opinion 4/2007 on the Concept of Personal Data, pp. 16e17, 01248/07/EN/WP 136 (June 20, 2007) [hereinafter Art. 29 Opinion 4/2007], available at: http://ec.europa.eu/justice-home/fsj/ privacy/docs/wpdocs/2007/wp136-en.pdf. Recently the Article 29 Data Protection Working Party sent a letter to three major search engines (Google, Yahoo! and Microsofts Bing) warning them that their "methods of making users search data anonymous", including retention of users IP addresses for periods longer than necessary, were in conflict with the EUs rules on data protection. Internet search engines scolded by EU regulators, EurActiv (27 May 2010), available at: http://www.euractiv.com/en/infosociety/internet-searchengines- scolded-eu-regulators-news-494549/utm-sourceEurActivNewsletter&utm- campaign2bbe971f0e-my- google-analytics-key&utm-mediumemail (last accessed 7 June 2010). Search engine data is an important source of tracking data for behavioural advertising.
82. Art 29 Opinion 4/2007, note 79, p. 17.
83. A German association of data protection authorities has ruled that tracking using IP addresses breaches German law. See Germany rules IP address tracking reaches data protection law, Napier News (9 Feb. 2010), available at: http://www.napiernews. eu/2010/02/germany-rules-ip-address-tracking-breaches- dataprotection- law/(last accessed, 7 June. 2010). In contrast, A French Court
84. Sarajlic, A. and Omerasevic, D., Access Channels in m- Commerce Services, Proceedings of the ITI 2007 29th Int.conf. on Information Technology Interfaces, Cavtat, Croatia, pp. 507e512 (June 25e28, 2007)(describing access channels for mobile users to m-commerce including those in the mobile operator network, WAP (Wireless Application Profile) and WLAN/WiFi (Wireless Local Access Networks). On the other hand, mobile users who access the Internet from a mobile phone using a cellular providers data service or using WAP (Wireless Application Protocol) generally do not reveal their individual IP addresses. Ibid.
85. Clayton, R., Practical mobile Internet access traceability, Light Blue Touchpaper, Security Research, Computer Laboratory, University of Cambridge (13 Jan. 2010), available at: http://www.lightbluetouchpaper.org/2010/01/13/ practical-mobile-internetaccess- traceability/(last accessed 7 June 2010).
86. Eckersley, P., How Unique is Your Web Browser? Electronic Frontier Foundation (undated) (discussing that device fingerprints are a "means to distinguish machines behind a single IP address, even if those machines block cookies entirely"). Fingerprinting algorithms may be applied to databases of information captured when an Internet users browser visits a website in order to produce a device fingerprint that can be used as a global identifier, akin to a cookie, to track the device. Ibid. pp. 1e4.
87. See also, Complaint and Request for Inquiry and Injunctive Relief Concerning Unfair and Deceptive Mobile Marketing Practices, Center for Digital Democracy and U.S. Public Interest Research Group, 13 January 2009 (CDD Complaint of Unfair or Deceptive Mobile Marketing Practices) (amending November 2006 petition to the FTC requesting an investigation into and relief from tracking and targeting practices in online advertising), available at: http://www.democraticmedia.org/current-projects/privacy/analysis/ mobile-marketing (last accessed, 7 June 2010). Currently certain browsers on mobile devices make them more difficult to fingerprint, however these devices lack good cookie control options so they are readily tracked by other means such as mobile cookies. Eckersley, p. 9.
88. Hildebrandt, note 8, p. 13 (arguing profiles "may be protected from access via intellectual property rights of the profiler or be considered part of the companys trade secrets)
89. Data Protection Directive, note 28 (art. 15)
90. Hildebrandt, note 8, p. 13. See also, Rand Report, note 74, p. 27 (Information Commissioners Office, 2009) (pointing out that one of the main weaknesses in the Data Protection Directive is that the link between the concept of personal data and real privacy risks is unclear).
91. Compare CE Draft Recommendation on Profiling, note 4, p. 5 and FTC Guidelines, note 51, p. 42
92. Data Protection Directive, note 28 (art. 8) (prohibiting the processing of special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life unless the data subject has given their explicit consent or there are other legitimate grounds for processing the data).
93. In the Matter of BJs Wholesale Club, Inc., Federal Trade Commission, FTC File No.042 3160 (Sept. 2005) (finding the companys failure to adequately secure sensitive credit card information including customers credit card numbers was an unfair practice under Section 5 of the FTC Act).
94. CE Draft Recommendation on Profiling, note 4, p. 3.
95. These privacy gaps are further addressed in the second article in this series on Profiling the Mobile Customer that will appear in the next volume of the CLSR.
96. Warren, Samuel and Brandeis, Louis, The Right to Privacy, 4 Harvard Law Review, pp. 193e195 (1890) (arguing individuals have a "right to be let alone"); King, N., Fundamental Human Right Principle Inspires U.S. Data Privacy Law, But Protection Are Less Than Fundamental, in Challenges of Privacy and Data Protection Law p. 76 (Cahiers Du Centre De Recherches Informatique Et Droit, 2008) (CRID treatise) (discussing the evolution of privacy law in the U.S. and concluding U.S. privacy law falls short of protections data privacy as a fundamental human right).
97. See generally, CRID Treatise, note 93, pp. 85e87, 97e98. As the U.S. Supreme Court said, "choices central to personal dignity and autonomy are central to the liberty protected by the Fourteenth Amendment [of the U.S.constitution]. At the heart of liberty is the right to define ones own concept of existence, of meaning, of the universe and of the mystery of human life". Ibid. p. 85 (quoting Planned Parenthood of So. Pa v. Casey, 505 U.S. 833, 851 (U.S. S. Ct., 1992).
98. Solove, Daniel J., Rotenberg, Marc and Schwartz, Paul, Information Privacy Law, pp. 76e102 (2nd ed., 2006) (Solove et al.) (discussing numerous court opinions considering tort claims of intrusion into seclusion including wiretapping and other forms of electronic surveillance). To prevail in such a tort case the plaintiff must show both the unreasonable intrusion by the defendant and that the intrusion would be highly offensive to a reasonable person, but need not prove that the defendant publicly disclosed private information. Ibid, p.76; CRID Treatise, note 93, pp. 90e92.
99. Ciocchetti, Corey, Just Click Submit: The Collection, Dissemination, and Tagging of personally-identifying information, 10 Vanderbilt Journal of Entertainment and Technology Law, p. 609 (2008) (describing U.S. federal privacy law as "sectoral, protecting only certain individuals in certain economic sectors against certain privacy-invading threats") (Ciocchetti (2008). By comparison, The Privacy Act of 1974, 5 U.S.C. x552(a), is a law of general application that protects the personal information of individuals in their records that are maintained by government, however it does not regulate private businesses collection or use of consumers personal information.
100. Beginning in 2008, Congressional subcommittees have been holding hearings to explore whether there is a need to regulate behavioural advertising, but no legislation has been adopted as of the date of this writing. Schatz, Amy, Lawmakers Examine Privacy Practices at Cable, Web Firms, Wall Street Journal (23 April 2009) (reporting that House of Representatives subcommittee hearings focused on efforts by Internet providers to collect and share data on consumers behaviour to target online advertising and cable companies to target ads at subscribers via their set top boxes), available at: http://online.wsj.com/ article/SB124050539070948681.html (last accessed 7 June 2010); Noyes, Andrew, House Internet privacy, data breach bills could merge, CongressDaily (5 June 2009) (reporting that consumer privacy bills currently in Congressional subcommittees could be merged and that if adopted would give Web users greater protection in how information collected online is stored and used), available at: http://www.nextgov.com/nextgov/ng-20090506-2018.php (last accessed 7 June 2010).
101. For example, unlike the U.S.constitution, Californias state constitution provides more privacy protection than the federal constitution because it applies in business to consumer contexts that do not involve government actions. Cal.const. art. I x 1; Hill v. NCAA, 865 P.2d 638 (California, 1994).
102. Interview, NYMITY, Mary Ellen Callahan, Behavioural Advertising, Hogan & Hartson LLP (January 2009) (Callahan Interview), available at: http://www.nymity.com/Free-Privacy- Resources/Privacy-Interviews/2009/Mary- Ellen-Callahan.aspx (last accessed 7 June 2010).
103. Childrens Online Privacy Protection Act of 1998, 15 U.S.C. xx 6501-6506 (COPPA).
104. GrammeLeacheBliley Act of 1999, 15 U.S.C. xx 6801-6809.
105. Health Insurance Portability and Accountability Act of 1996, Pub. L. No.104-191, 110 Stat. 1936 (codified, as amended, in 42 U.S. C. x 1936 and other sections of the U.S.code).
106. Fair Credit Reporting Act of 1970, 15 U.S.C. x 1681 et seq.
107. See Federal Communications Commission, About the FCC (About FTC), available at: http://www.fcc.gov/aboutus.html (last accessed 7 June 2010).
108. U.S.C. x222 (c) (requires telecommunications carriers to obtain customer approval to use, disclose or permit access to individually identifiable Customer Proprietary Network Information except to provide telecommunications services and related services or as required by law); 47 C.F.R. x 64.2003 (CPNI Regulation).
109. King, FCLJ (2008), note 24, pp. 276e281.
110. King, FCLJ (2008), note 24, pp. 280e281.
111. U.S.C. x222(a)
112. Federal Trade Commission Act (FTC Act), 15 U.S.C. x45 (Section 5). Deceptive practices include material misrepresentations or omissions that are likely to mislead reasonable consumers. Unfair practices are those that involve substantial harm to consumers where the harm is not reasonably avoidable by consumers and practices benefits to consumers do not outweigh the harm. Callahan Interview (2009), note 99.
113. See About FTC, note 104.
114. See Federal Trade Commission Act (FTC Act), 15 U.S.C. x45(1) (Section 5).
115. See generally, CDD Profiling Complaint, note 14.
116. Regulation of specific marketing practices such as telemarketing and spamming further restrict marketing by behavioural advertisers to mobile customers. These marketing laws have been explored in other articles and are generally outside the focus of this article. See generally, King, FCLJ (2008), note 24 and Cleff, Dissertation, note 15.
117. For example, the Federal Trade Commission used Section 5 of the FTC Act to prosecute a company for breaching its privacy policy by renting its customers personal information to other companies for advertising purposes. Agreement Containing Consent Order, Gateway Learning Corp., File No. 042-3047 (FTC, 2003), available at: http://www.ftc.gov/os/caselist/0423047/040707agree0423047. pdf(last accessed 7 June 2010).
118. Since 2001 the Federal Trade Commission has brought at least twenty-three enforcement actions against companies that failed to provide reasonable protections for sensitive consumer information and it has brought at least eleven enforcement actions since 2004 that relate to misuse of spyware. FTC, Prepared Statement of the FTC on Behavioural Advertising, Before the Senate Committee on Commerce, Science, and Transportation, Washington, D.C., p.8 (9 July 2008) (FTC Congressional Testimony), available at: http://ftc.gov/os/2008/ 07/P085400behavioralad.pdf(last accessed 7 June 2010).
119. Solove et al. (2006), note 95, p. 32 (commenting that contracts often function "as a way of sidestepping state and federal law" that is designed to protect consumers privacy). For example, contractual language to acknowledge consumers consent to receive m-advertising or to use consumers personal data to generate advertising could be inserted in standard form contracts that consumers have little choice but to sign in order to receive the desired service.
120. Electronic Communications Privacy Act (ECPA), 18 U.S.C. x 2510 et seq.;Computer FraudandAbuse Act (CFAA), 18 U.S.C. x 1030 et seq.; Ng, note 35, pp. 374-382 (arguing the ECPA, which prohibits interception or unauthorized access to electronic communications but does not directly address online behavioural advertising (OBA), and the CFAA or analogous state laws that specifically regulate spyware could be used to regulate OBA). See also, Baldas, T., Advertiser tracking ofWeb surfing brings suits, The National LawJournal (2 Mar. 2009), available at: http://www.law.com/jsp/nlj/PubArticleNLJ.jsp? id1202428674349&slreturn1 (last accessed 7 June 2010).
121. Hotaling, note 11, pp. 549e550 (footnote146)
122. Davis, W., Customers Sue ISP for Installing NebuAd Spyware, Offering Defective Opt-Outs, MediaPost News (28 Jan. 2010), available at: http://www.mediapost.com/publications/faArticles. showArticle&art-aid121522 (last accessed, 7 June 2010).
123. Ciocchetti (2008), note 96, p. 610.
124. Ciocchetti (2008), note 96, p. 610. pp. 612e615 (commenting that Congress has chosen not to mandate the posting of privacy policies for most companies operating Websites and that the threat of FTC scrutiny on broken privacy promises gives companies incentives to fail to post a privacy policy or to create a privacy policy that includes legalese and loopholes designed to avoid breaking any promises).
125. California Business and Professional Code x 22575 (requiring anyone collecting PII from a resident of the state to post a privacy policy, identify types of PII collected, disclose categories of external parties that information may be disclosed to, describe any policy allowing review or requested changes to PII, provide notice of how the company may alter its policy and include the effective date of the policy). See also Cal. Civ.code x 1798.83 (requiring, upon request, companies that disclose PII to third parties for direct marketing purposes to disclose the categories of PII the company has disclosed to third parties and the names of all third parties that received PII from the company for direct marketing purposes).
126. Ciocchetti (2008), note 96, p. 597 (reporting the study of 25 most visited e-commerce websites in the U.S. which showed the vast majority reserve the right to collect PII and disseminate the information to unrelated third parties). He believes federal legislation is needed to require companies to either post a clear and conspicuous privacy policy that describes seven key PII practices in plain English or to associate (tag) their name to each piece of data they disseminate, with purchasers of the tagged PII being legally required to identify the seller whenever they solicit individuals identified by the purchased PII. It is argued such legislation will result in social pressure that will lead companies to draft and post better privacy policies. Ibid. p. 627.
127. U.S.C. x 222 (h)(1) (defining the scope of CPNI to include information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service . and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship). CPNI does not include collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed. 47 U.S.C. x 222 (h)(2).
128. See Telecommunication Carriers Use of Customer Proprietary Network Information and Other Customer Information, Report and Order and further Notice of Proposed Rule-Making, 22 F.C.C.R. 6927, pp. 22e23 (2007) (2007 CPNI Order) (discussing the modification of the FCC rules to require carriers to obtain opt in consent n the form of express prior authorization from a customer before disclosing that customers CPNI to a carriers joint venture partner or independent contractor).
129. King, FCLJ (2008), note 24, at pp. 276e280.
130. EU justice chief plans civil code, privacy laws, EurActiv.com (21 Dec. 2009)
131. Commission forms industry body to solve behavioural advertising problems, OUT-LAW News (16 Nov. 2009) (reporting the formation of the Stakeholder Forum on Fair Data Collection, a collection of businesses who have to outline their plans for protecting consumers information), available at: http://www.out-law. com/page-10526 (last accessed 7 June 2010)
132. As mentioned earlier in this paper, a formal complaint was filed with the FTC in April 2010 by consumer privacy organizations asking the FTC to investigate businesses engaged in consumer profiling practices that are alleged to be unfair or deceptive practices in violation of Section 5 of the FTC Act. The scope of the requested investigation includes behavioural advertisers, third-party data providers, and other businesses providing ad-exchange systems that support the behavioural advertising industry and facilitate real-time consumer profiling. See generally, CDD Profiling Complaint, note 17. The Complaint provides a comprehensive description of the behavioural advertising industry and the development of real-time profiling technologies. The Complaint is still pending as of the publication date of this paper.
133. News Release, European Commission welcomes European Parliament approval of sweeping reforms to strengthen competition and consumer rights on Europes telecoms markets, Brussels, IP/09/1812 (24 Nov. 2009).
134. See EU Telecoms Reform Package, note 50 (incorporating E-Privacy Act Amendments, Art. 5(3)). These amendments expand the requirement to give notice and obtain the users consent to access or store information on the users terminal equipment to all situations where this occurs, even if the access or storage does not involve using an electronic communications network. Exceptions permit any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user of the service. Ibid (based on comparison of Art. 5(3) of the E-Privacy Directive as adopted in 2002 with the amended version of Art. 5(3) as adopted in the EU Telecoms Reform Act).
135. EU Telecoms Reform Package, note 50, at para. 66. The preamble of the EU Telecoms Reform Package anticipates that the users consent to processing of personal data may be expressed by appropriate browser settings or other applications where this is technically possible. Ibid.
136. Nauwelaerts, W., EU E-Privacy Directive and Cookies: The Consent Requirement May Not Be as Broad as Believed, Hogan & Hartson (16 Nov. 2009), available at: http://www.hhdataprotection.com/2009/11/articles/international- compliance-inclu/eu-eprivacydirective- and-cookies-the-consent-requirement-may- not-be-asbroad- as-believed/(last accessed 7 June 2010). But see Article 29 Data Protection Working Partys, Opinion 2/2010 on Online Behavioural Advertising, pp. 8,9 (00909/10/EN, WP 171, 22 June 2010) (Art. 29 Opinion 2/2010) which states that it is the private sphere of the data subject that triggers the obligations in Article 5 (3), not the fact that information is, or is not, personal data.
137. Marshall, J., EU Proposal Could Cripple Common Web Ad Practices, ClickZ News UK & Europe (6 Nov. 2009).
138. Europe Approves New Cookie Law, The Wall Street Journal Blogs (11 Nov. 2009), available at: http://blogs.wsj.com/digits/2009/11/11/europe-approves-new- cookie-law/(last accessed 7 June 2010); Member states shall adopt and publish by 25 May 2011 the laws, regulations and administrative provisions necessary to comply with the directive 2009/136, see EU Telecoms Reform Package, note 50, article 4(1).
139. See generally, CE Draft Recommendation on Profiling, note 4.
140. CE Draft Recommendation on Profiling, note 4. p. 4 (para. 2).
141. CE Draft Recommendation on Profiling, note 4. p. 4 (para. 3).
142. CE Draft Recommendation on Profiling, note 4, pp. 1e10.
143. CE Draft Recommendation on Profiling, note 4, p. 5 (para. 1(e))
144. CE Draft Recommendation on Profiling, note 4, p. 5 (para. 2).
145. CE Draft Recommendation on Profiling, note 4, p. 6 (para. 3).
146. CE Draft Recommendation on Profiling, note 4, p. 6 (para. 3.3)
147. CE Draft Recommendation on Profiling, note 4, p. 10 (para. 8)
148. CE Draft Recommendation on Profiling, note 4, p. 7 (para. 4.7)
149. CE Draft Recommendation on Profiling, note 4, p. 7 (para. 4.8)
150. CE Draft Recommendation on Profiling, note 4, p. 7 (para. 4.11).
151. CE Draft Recommendation on Profiling, note 4, pp. 6, 7 (para. 4. 4, C. para. 4.11).
152. CE Draft Recommendation on Profiling, note 4, p. 8 (para. 5.1).
153. CE Draft Recommendation on Profiling, note 4, p. 8 (para.5.1 (h)).
154. CE Draft Recommendation on Profiling, note 4, p. 6 (para. 4.4). Whether opt in or opt out consent is required is not addressed by the Council of Europes Draft Recommendations, but presumably interpretations of these terms would be consistent with the requirements of the Data Protection Directive
155. CE Draft Recommendation on Profiling, note 4, p. 2 (para. 7) (commenting that "profiles, when they are attributed to a data subject, make it possible to generate new personal data").
156. See earlier discussion that adequate protection of personal data and privacy requires consumers to have access to the profiles applied to individual consumers, text accompanying notes 32e35.
157. CE Draft Recommendation on Profiling, note 4, p. 9 (para. 6.7).
158. Member States of the European Union transfer national legislative and executive powers to the Council of the European Union, the European Parliament and the European Commission in specific areas under European Union law. In contrast, Member States that are members of the Council of Europe commit themselves through conventions developed by the Member-States working together at the Council of Europe that are instruments of public international law. Non-EU countries may sign such conventions so the membership of the Council of Europe is broader than EU membership.
159. CE Draft Recommendation on Profiling, note 4, p. 9 (para. 7)
160. CE Draft Recommendation on Profiling, note 4, p. 10 (para. 9) (providing that Member States may require advance notification or prior checking to the supervisory authority for processing that uses profiling and entails special privacy and data protection risks).
161. "[I]n the brave new digital world where data collection opportunities are many and data use opportunities are rich, "notice" is failing when it comes to privacy". On notice, consent, and radical transparency, The Privacy Advisor, p. (Sept. 2009) (no author provided). See also, Lukovitz, K., FTCs Focus Re Privacy Issues Emerging, MediaPost News (29 Jan. 2010) (reporting that the FTC is exploring whether a more complete solution to protect consumers privacy is needed that goes beyond an approach based on the "notice and choice" concept of information privacy).
162. "Operating without consumers knowledge or authorization, [behavioural targeting or BT] technology undermines the ability of users to consent by failing to provide effective notice of its existence". Hotaling, note 11, pp. 551-560.
163. The question of whether notice and choice mechanisms are adequate to protect consumers privacy in ubiquitous computing environments and this era of autonomic computing is an important question and one that deserves much discussion and analysis. See generally, sources referenced in note 160; Sterritt et.al, A concise introduction to autonomic computing, 19 Advanced Engineering Informatics, pp. 181e187 (2005). As such, it is beyond the scope of this paper.
164. See generally, Article 29 Data Protection Working Partys, Opinion 2/2010 on Online Behavioural Advertising, pp. 3,4 (00909/10/EN, WP 171, 22 June 2010) (Art. 29 Opinion 2/2010) (based on the amended E-Privacy Directive to be implemented by May 2011).
165. Art. 29 Opinion 2/2010, note 163, pp. 7e9.
166. Art. 29 Opinion 2/2010, note 163, pp. 7e9.
167. Art. 29 Opinion 2/2010, note 163, pp. 13e15.
168. See generally, FTC Guidelines, note 51.
169. FTC Guidelines, note 51, pp. 46e47.
170. FTC Guidelines, note 51, p. 46.
171. FTC Guidelines, note 51, pp. 21e26 (adopting the view that the principles in the FTC Guidelines apply to any data collected for online behavioural advertising that could reasonably be associated with a particular consumer or with a particular computer or device, even if the data if non-PII).
172. See generally, Dinant et al., note 5, pp. 30e31.
173. FTC Guidelines, note 51, pp. 26e30.
174. "Ads from network advertisers are usually delivered based upon data collected about a given consumer as he or she travels across the different Websites in the advertising network. An individual network may contain hundreds or thousands of different, unrelated Websites and an individual Website may belong to multiple networks". FTC Guidelines, note 51, p. 3 (note 5).
175. FTC Guidelines, note 51, p. 3.
176. FTC Guidelines, note 51, pp. 26e30.
177. FTC Guidelines, note 51, p. 47.
178. See Telecommunication Carriers use of Customer Proprietary Network Information and Other Customer Information, Report and Order and Further Notice of Proposed Rule-making, 22 F.C.C. Record. pp. 6927, 6948 (2007) (Federal Communications Commission characterizes "opt out" notices and consent as vague and ineffective).