Why privacy discussions about pervasive online customer profiling should focus on the expanding roles of third-parties

International Journal of Private Law

Volumn 4, Issue 2, 2011, Pages 193-229

  King, Nancy J ^a  

^a OREGON STATE UNIVERSITY   (United States)

Author keywords

Behavioural advertising; Consumer profiling; Data protection; Network advertising; Online customer; Pervasive; Privacy; Third parties

Indexed keywords

EID: 79953727579     PISSN: 17536235     EISSN: 17536243     Source Type: Journal    
DOI: 10.1504/IJPL.2011.039360     Document Type: Article

References (185)

1. Hotaling, A. (2008) 'Protecting Personally Identifiable Information on the internet: Notice and Consent in the Age of Behavioral Targeting', 16 CommLaw Conspectus, pp.537-538 (Hotaling) (explaining the direct marketing practice that segments tracked user history into distinct market segments).
2. Electronic Privacy Information Center (EPIC), Privacy and Computer Profiling (describing profiling practices related to direct marketing and listing numerous profile classifications that marketers may link to individual identities), available at http://epic.org/privacy/profiling/ (accessed on 27 September 2010).
3. FTC and Department of Commerce Workshop, Online Profiling Public Workshop, p.23 (November. 8, 1999), available at http://www.ftc.gov/bcp/ workshiops/profiling/index.shhtm (accessed on 27 September 2010).
4. Council of Europe, recommendation on the protection of individuals with regard to automatic processing of personal data in the context of profiling, the Committee of Ministers to member states (Adopted by the Committee of Ministers on 23 November 2010 at the 1099th meeting of the Ministers' Deputies) (CE recommendation), available at: https://wcd.coe.int/wcd/ViewDoc.jsp?id= 1710949&Site=CM&BackColorInternet=C3C3C3&BackColorIntranet= EDB021&BackColorLogged=F5D383#P5-189 (last accessed, 6 January 2011).
5. Hotaling, note 1, p.536.
6. Hildebrandt, M. and Gutwirth, S. (Eds.) (2008) Profiling the European Citizen, Cross-Disciplinary Perspectives, Springer, p.1 (Profiling the European Citizen).
7. Benoist, E. (2008) 'Collecting data for the profiling of web users', in Profiling the European Citizen, Cross-Disciplinary Perspectives, Springer, note 6, p.172 (Profiling the European Citizen).
8. Profiling is "an automatic data processing technique that consists of applying a 'profile' to an individual, namely in order to take decisions concerning him or her; or for analysing or predicting personal preferences, behaviours and attitudes." CE Recommendation, note 4, Appendix, para. 1(e).
9. Complaint, request for investigation, injunction and other relief: Google et al., Center for Digital Democracy (CDD), US PIRG (a federation of state Public Interest Research Groups), World Privacy Forum (CDD et al.), before the FTC, pp.11-13 (8 Apr. 2010) (CDD profiling complaint), available at http://democraticmedia.org/files/u1/20100407-FTCfiling.pdf (accessed on 27 September 2010).
10. See online targeted advertising, Cabinet Gelly, Avocats a la Cour, p.7, available at http://pg.droit.officelive.com/Documents/ Online%20Targeted%20Advertising%20-%20CNIL%20Report%202009%20- %20Cabinet%20Gelly.pdf (accessed on 27 September 2010) (providing a partial, unofficial and uncertified English translation of the report on online targeted advertising presented by Commissioner Peyrat to the French Data Protection Authority (CNIL Report) on 5 February 2009 and released on 26 March 2009) (CNIL Report). In this paper the term 'publishers' is used to describe providers that are stakeholders benefiting from online advertising and the term includes both types of providers as defined in the CNIL report.
11. Cabinet Gelly, Avocats a la Cour, p.7, available at http://pg.droit. officelive.com/Documents/Online%20Targeted%20Advertising%20- %20CNIL%20Report%202009%20-%20Cabinet%20Gelly.pdf, Ibid.
12. McCarthy, C. (2010) 'Twitter cuts the cord on third-party ad networks', CNET News (24 May 2010) (reporting that Twitter no longer allows third-party ad networks to place ads on its service).
13. Krazit, T. (2010) 'Google discloses AdSense revenue share', CNET News (24 May 2010).
14. Krazit, T. (2010) 'Google discloses AdSense revenue share', CNET News. Ibid.
15. Federal Trade Commission (2009), 'Self-regulatory principles for online behavioral advertising', February 2009, p.28 (note 59) (FTC Guidelines).
16. See also, Federal Trade Commission (2010), 'Protecting Consumer Privacy in an Era of Rapid Change', Preliminary FTC Staff Report, December 2010 (in this preliminary report, the Federal Trade Commission examines the possibilities of Do Not Track mechanisms for internet browsers that would enable users to opt-out of third-party web tracking, including that conducted by online behavioural advertisers);
17. U.S. Department of Commerce (2010), "Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework", U.S. Department of Commerce Internet Policy Task Force , December 2010.
18. Comments of the Center for Democracy and Technology on the staff discussion draft of Consumer Privacy Legislation (US), p.3 (4 June 2010) (CDT comments on discussion draft of US Consumer Privacy Legislation), available at http://www.cdt.org/files/pdfs/20100604-boucher-bill.pdf (accessed on 27 September 2010).
19. See also, the Fair Credit Reporting Act, governing affiliate sharing of consumer data and allows consumers to opt out of sharing certain data with affiliates and 15 U.S.C. § 1681a(d)(2)(A) (2010) (e.g., more heavily regulated consumer reports exclude communications of information about consumers among persons related by common ownership or affiliated by corporate control).
20. See Network Advertising Initiative, available at http://www. networkadvertising.org/participating/.
21. FTC Guidelines, note 15, p.3 (note 5).
22. FTC Guidelines, p.3, Ibid.
23. FTC Guidelines, p.3, Ibid.
24. FTC Guidelines, p.3, Ibid.
25. CDD profiling complaint, note 9, p.1.
26. CDD profiling complaint, p.1, Ibid.
27. CDD profiling complaint, note 9, p.2.
28. CDD profiling complaint, p.2, Ibid.
29. CDD profiling complaint, note 9, p.12.
30. CDD profiling complaint, note 9, pp.20, 28 (reporting that the Rubicon project serves both the UK and Europe and OpenX is working with Europe's largest ad network operated by Orange of France Telecom).
31. CDD profiling complaint, note 9, pp.4-5 (asking the FTC to investigate behavioural advertisers including Microsoft, Google and Yahoo and leading companies providing auctioning and data collection/targeting systems that support consumer profiling, to determine if they are engaged in unfair and deceptive trade practices under Section 5 of the FTC Act). The Complaint asks the FTC to ensure consumers have meaningful control over their information and asks the FTC to seek appropriate injunctive and compensatory relief).
32. See CNIL report, note 10, p.3.
33. CNIL report, note 10, p.6.
34. CNIL report, p.6, Ibid.
35. Steel, E and Vascellaro, J.E. (2010) 'Facebook, MySpace confront privacy loophole', The Wall Street Journal, (21 May 2010) (reporting that Facebook and MySpace have made subsequent changes such as rewriting some offending computer code that enabled the personal data to be released to advertisers).
36. Steel, E and Vascellaro, J.E. (2010) 'Facebook, MySpace confront privacy loophole', The Wall Street Journal, Ibid.
37. The lawsuit, seeking to represent a class of plaintiffs, claims Facebook breached its privacy policy that promised Facebook would not disclose users' information to advertisers without their consent. Davis, W. (2010) 'Facebook sued for sharing users' names with advertisers', MediaPostNews (2 June 2010).
38. Swartz, J. (2010) 'Facebook walks a tricky line weighing privacy vs. profit', USA Today (source updated 16 June 2010).
39. Swartz note 35, p.2.
40. Sotto, L.J. and McLellan, ML. (2009) 'U.S.: behavioral advertising: legislative steps', Data Protection Law and Policy, July, Vol. 6, No.7.
41. See generally, FTC Guidelines, note 15, pp.46-47. These guidelines urge online behavioural advertisers to follow four fair information practices: 1 transparency and consumer control 2 reasonable security and limited data retention for consumer data 3 affirmative express consent for material changes in existing privacy promises 4 affirmative express consent, or alternatively prohibition against using sensitive data.
42. FTC Guidelines, pp.46-47, Ibid.
43. FTC Guidelines, note 15, pp.26-30. For example, if a consumer is shown an advertisement for travel clothing solely because she has visited a website that sells travel clothing or has used a search engine to find stores that sell travel clothing, this is contextual advertising and is not within the FTC's definition because it does not track the consumer 'overtime'.
44. FTC Guidelines, p. 26-30, Ibid.
45. Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, p.4 (00909/10/EN, WP 171, 22 June 2010) (Art. 29 Opinion 2/2010).
46. Article 29 Opinion 2/2010, note 42, p.5.
47. Network advertising initiative, '2008 NAI Principles, The Network Advertising Initiative's Self-Regulatory Code of Conduct' (2008) (NAI Code); internet Advertising Bureau (UK), Good Practice Principles For Online Behavioural Advertising (IAB Principles), (undated), available at http://www.youronlinechoices.co.uk/wp-content/uploads/2010/01/ IAB-UK-Good-Practice-Principles-for-Online-Behavioural-Advertising.pdf. The NAI defines third-party online behavioural advertising as "any process used whereby data are collected across multiple web domains owned or operated by different entities to categorize likely consumer interest segments for use in advertising online" (emphasis added). NAI Code, p.4. The UK's IAB defines online behavioural advertising as "advertising which is served based on data collected across single or multiple web domains owned or operated by different entities about a user over a period of time in order to create interest segments for the purposes of delivering online advertisements to that user" (emphasis added). IAB Principles, Annex 2 - Glossary.
48. FTC Guidelines, note 15, pp.28-29 (note 59).
49. CDT comments on discussion draft of US Consumer Privacy Legislation, note 16, p.3.
50. A recent empirical study indicates consumers are concerned about website privacy policies that allow websites to share their data with third-parties but may not understand that third-party cookies placed by visiting such sites use technology to track their website behaviour across websites and facilitate data sharing with the third-party company that has placed the cookie. See Jai, Tun-Min (Catherine), 'The impact of unsolicited behavioural tracking practices on consumers' shopping evaluations and attitudes toward trusted online retailers', PhD dissertation, Oregon State University, pp.86 (Spring 2010) (as yet unpublished, on file with author).
51. King N.J., Jessen, P.W. (2010) 'Profiling the mobile customer - privacy concerns when behavioural advertisers target mobile phones - part I', 26 Computer Law and Security Review, pp.455-478;
52. Ciocchetti, C. (2008) 'Just click submit: the collection, dissemination, and tagging of personally identifying information', 10 Vanderbilt Journal of Entertainment and Technology Law, pp.609. By comparison, The Privacy Act of 1974, 5 U.S.C. §552(a), is a law of general application that protects the personal information of individuals in their records that are maintained by government but does not regulate private businesses' collection or use of consumers' personal information.
53. Solove, D.J., Rotenberg, M. and Schwartz, P. (2006) Information Privacy Law, pp.76-102 (2nd ed.) (discussing the tort claim of intrusion into seclusion that generally requires plaintiffs to prove an unreasonable intrusion by the defendant that would be highly offensive to a reasonable person).
54. US scholars have been instrumental in developing arguments that personhood, or the right to define one's self, is a core privacy value to be protected by law that protects the liberty and autonomy of natural persons. Warren, S. and Brandeis, L. (1890) 'The right to privacy', 4 Harvard Law Review, pp.193-195 (arguing individuals have a 'right to be let alone'). However, information privacy has not been recognised as a fundamental right of individuals in the USA and consumers have greater legal rights to information privacy from government than they do from businesses.
55. King, N., 'Fundamental human right principle inspires US data privacy law, but protection are less than fundamental', in Challenges of Privacy and Data Protection Law pp.76, 85-98 (Cahiers Du Centre De Recherches Informatique Et Droit, 2008) (CRID treatise).
56. Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506 (COPPA).
57. Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §§ 6801-6809.
58. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified, as amended, in 42 U.S.C. § 1936 and other sections of the US Code).
59. Fair Credit Reporting Act of 1970, 15 U.S.C. § 1681 et seq.
60. Telecommunication carriers are heavily regulated by the Federal Communications Commission (FCC) and are required to provide privacy protection for subscribers' 'customer proprietary network information' (CPNI). See 47 U.S.C. §222 (c) (requires telecommunications carriers to obtain customer approval to use, disclose or permit access to individually identifiable customer proprietary network information except to provide telecommunications services and related services or as required by law); 47 C.F.R. § 64.2003 (CPNI Regulation); FCC, About the FCC (About FTC), available at http://www.fcc.gov/ aboutus.html.
61. King, N. (2008) 'Direct marketing, mobile phones, and consumer privacy: ensuring adequate disclosure and consent mechanisms for emerging mobile advertising practices', 60-2 Federal Communications Law Journal, pp.276-281 [King, FCLJ (2008)].
62. See Federal Trade Commission Act (FTC Act), 15 U.S.C. §45(1) (Section 5).
63. See generally, CDD profiling complaint, note 9 (asking the FTC to investigate Google, Inc. and other companies engaged in consumer profiling for alleged unfair or deceptive practices and to seek an injunction).
64. For example, the FTC used Section 5 of the FTC Act to prosecute a company for breaching its privacy policy by renting its customers' personal information to other companies for advertising purposes. Agreement containing consent Order, Gateway Learning Corp., File no. 042-3047 (FTC, 2003).
65. Since 2001, the FTC has brought at least 23 enforcement actions against companies that failed to provide reasonable protections for sensitive consumer information and since 2004 has brought at least 11 enforcement actions for misuse of spyware. Prepared statement of the FTC on behavioral advertising, before the Senate Committee on Commerce, Science, and Transportation, Washington, DC, p.8 (9 July 2008).
66. Solove et al. (2006), note 49, p.32 (commenting that contracts often function "as a way of sidestepping state and federal law" that is designed to protect consumers' privacy).
67. King and Jessen, note 48, p.470.
68. Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510 et seq.; Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq.; Ng, H. (2009) 'Targeting bad behavior: why federal regulators must treat online behavioral marketing as spyware', 31 Hastings Communications and Entertainment Law Journal, p.374-382 (arguing the ECPA, which prohibits interception or unauthorised access to electronic communications, the CFAA or analogous state laws that specifically regulate spyware could be used to regulate online behavioural advertising;
69. Baldas, T. (2009) 'Advertiser tracking of web surfing brings suits', The National Law Journal (2 March 2009).
70. Hotaling, note 1, pp.549-550 (footnote 146). But see a recently filed privacy lawsuit that will give a federal court the chance to address this issue in the behavioural advertising context. This lawsuit was filed by customers of an ISP who claim the ISP installed spyware devices from NebuAd, a behavioural advertiser, without providing adequate notice and that this conduct violated their privacy under the tort of intrusion into the seclusion of their private affairs. They also claim the ISP violated federal wiretap and computer hacking laws. Davis, W., 'Customers Sue ISP for Installing NebuAd 'Spyware', Offering Defective Opt-Outs, MediaPostNews (28 January 2010).
71. See generally, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, 23.11.95 (Data Protection Directive); Directive of the European Parliament and of the Council 2000/31/EC of 8 June 2000 on certain legal aspects of information society services, in particular e-commerce, in the internal market, OJ L 178/1,17.07.2000 (E-Privacy Directive). The national data protection laws in the EU Member States have been amended to meet the minimum standards of the Data Protection Directive and are administered by local data protection authorities.
72. See Treaty of Lisbon amending the Treaty on European Union, the Treaty establishing the European Community, OJ C 306/1, 17.12.2007 (recognising Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) and requiring members of the European Union to respect the fundamental rights guaranteed by the Convention), consolidated version, available at http://eur-lex.europa.eu/JOHtml.do?uri=OJ:C:2008:115:SOM:EN:HTML (accessed on 27 September 2010).
73. The Charter of Fundamental Rights of the European Union provides: "Everyone has the right to the protection of personal data concerning him or her." Charter of Fundamental Rights of the European Union, Article 8, 2000 OJ C 364/1 (hereinafter EU Charter), available at http://www.europarl. europa.eu/charter/pdf/text-en.pdf (accessed on 27 September 2010).
74. Convention for the protection of individuals with regard to automatic processing of personal data including its additional protocol (CETS 108, 1981 and CETS 181, 2001 (Convention 108).
75. Data Protection Directive, note 65, Art. 10. This Directive defines the processing of personal data broadly as "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, ⋯ use, ⋯ dissemination, [etc]." Ibid. Article 2(b). See European Court of Justice, In re Bodil Lindqvist Case C-101/2001, recital 27, judgement 6 November 2003 (holding the "act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes personal data processing within the meaning of Article 3(1) of Directive 95/46").
76. The eight requirements to process personal data in the EU are: 1 fair and lawful processing 2 collection and processing only for a proper purpose 3 that data be adequate, relevant and not excessive 4 that data be accurate and up to date 5 that data be retained no longer than necessary 6 giving the data subject (consumer) access to his or her data 7 keeping data secure 8 no transfer of personal data to a country that does not provide an adequate level of privacy and personal data protection. See generally, Data Protection Directive, note 65, arts. 6 et seq.
77. Data Protection Directive, note 65, art. 6(1)(b).
78. Data Protection Directive, note 65, art. 7.
79. Data Protection Directive, note 65, art. 12.
80. Data Protection Directive, note 65, art. 6(1)(c).
81. Data Protection Directive, note 65, art. 8 (generally prohibiting the processing of special categories of personal data without explicit consent).
82. Data Protection Directive, note 65, art. 2(a) (including natural persons "who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity"). But see Dinant et al., Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data: Application of Convention 108 to the Profiling Mechanism - Some Ideas for the Future Work of the Consultative Committee, T-PD(2008)01, Centre de Recherches Informatique et Droit (CRID), p.12-14 (January 2008) (stating that Article 15 of the Data Protection Directive dealing with automated decisions may make it unlawful to make a decision about an individual solely on the basis of automated data processing even when no personally-identifying information is used in the process) (Dinant et al.), available at http://www.statewatch.org/news/2008/aug/ coe-profilingpaper.pdf.
83. E-Privacy Directive, note 65, art. 1 (does not reflect 2009 amendments).
84. E-Privacy Directive, note 65, art. 13(1) (specifically covers telemarketing calls made by autodialing equipment and electronic mail).
85. E-Privacy Directive, note 65, art. 13(2).
86. The E-Privacy Directive prohibits using electronic communications networks to store information or to gain access to information stored in the terminal equipment of the subscriber or user unless consumers have been given clear and comprehensive information consistent with the Data Protection Directive and the opportunity to refuse processing of their personal data. E-Privacy Directive, note 65, art. 5(3).
87. Regulation (EC) No 1211/2009 of the European Parliament and of the Council of 25 November 2009 establishing the Body of European Regulators for Electronic Communications (BEREC) and the Office; Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services; Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws; Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services; 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities; and 2002/20/EC on the authorisation of electronic communications networks and services, OJ L 337, 18.12.09, pp.1-69 (EU Telecoms Reform Package).
88. Art. 29 Opinion 2/2010, note 42, pp.13-14.
89. See Concise European IT Law, pp.169-70 (Alfred Büllesbach et al. (Eds) 2006).
90. Traffic data is "any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof." E-Privacy Directive, note 65, art. 2(b). Location data means "any data processed in an electronic communications network, including the geographic position of the terminal equipment of a user of a publicly available electronic communications service." E-Privacy Directive, art. 2(c).
91. E-Privacy Directive, note 65, art. 6(3). Traffic data must be erased or made anonymous when it is no longer needed for the purpose of transmitting a communication, except when subscribers give consent or another exception applies. E-Privacy Directive, art. 6(1).
92. E-Privacy Directive, note 65, art. 9(1). Article 9 also gives subscribers the right to withdraw their consent to the use of location data that is personal data. Ibid. art. 9(1)-(3). Location data is essential to providing location-based services.
93. See Robinson et al., 'Review of the European Data Protection Directive', Rand Europe, pp.22-40 (Information Commissioner's Office, 2009) (Rand Report).
94. Lah, F. (2008-2009) 'Are IP addresses "Personally Identifiable Information"?', 4 I/S: A Journal of Law and Policy for the Information Society, pp.689-704 (discussing static, dynamic and hybrid IP addresses and the fact that with all of these types of IP addresses it may be realistically possible to identify an individual user).
95. Data Protection Directive, note 65, art. 3(1); CNIL Report, partial English translation, note 10, pp.10-11;
96. Dinant et al., note 75, pp.12-14;
97. Poullet, Y. (2009) 'Data protection legislation: What is at stake for our society and democracy?' 25 Computer Law and Security Review, pp.220, (discussing secondary identifiers that include IP addresses).
98. Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, pp.16-17, 01248/07/EN/WP 136 (June 20, 2007) (Art. 29 Opinion 4/2007), available at http://ec.europa.eu/justice-home/fsj/privacy/docs/wpdocs/ 2007/wp136-en.pdf. The Article 29 Data Protection Working Party sent a letter to three major search engines including Google warning them that their "methods of making users' search data anonymous," including retention of users' IP addresses for periods longer than necessary, were in conflict with the EU's rules on data protection. 'internet search engines scolded by EU regulators', EurActiv (27 May 2010). Search engine data is an important source of tracking data for behavioural advertising.
99. Art. 29 Opinion 4/2007, note 89, p.17.
100. http://ec.europa.eu/justice-home/fsj/privacy/docs/wpdocs/2007/wp136-en. pdf, Ibid.
101. A decision by the European Court of Justice supports the view that IP addresses are personal data. See 'Online behavioral advertising, what all global companies need to know', Baker and McKenzie (materials provided for a seminar on this topic held on 18 May 2010, referencing Promusicae v. Telefonica, a decision of the European Court of Justice, 29 Jan. 2008).
102. Further, a German association of data protection authorities has ruled that tracking using IP addresses breaches German law. See 'Germany rules IP address tracking reaches data protection law', Napier News (9 February 2010). In contrast, A French Court held an IP address was not personal data. See 'IP address in anti-piracy probe was not personal data, says French Court', Out-Law.com (2 February 2010). The court's opinion is reported in French available at http://www.legalis.net/jurisprudence-decision.php3?id-article=2852 (accessed on 27 September 2010).
103. Shaffer, G. (2000) 'Globalization and social protection: the impact of EU and international rules in the ratcheting up of privacy standards', 25 Yale Journal of International Law 1, pp.13-16 (commenting that the EU Data Protection Directive imposes both ex ante controls on data controllers that restrict what they must do before they may process personal data and ex post controls on enterprises that restrict subsequent processing of personal data when it goes beyond the initial purposes of processing personal data including transfers of personal data to third-parties).
104. Pop, V. (2010) 'EU privacy rules changing US companies', euobserver.com (29 June 2010) (commenting that privacy issues arise when customers' personal) 95 Data Protection Directive, note 65, art. 2 (d-g).
105. Data Protection Directive, note 65, art. 19.
106. Data Protection Directive, note 65, arts. 10-11.
107. Data Protection Directive, note 65, art. 14(b).
108. Shaffer, note 93, p.15. Sensitive personal information covers all personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and processing of data concerning health or sex life. Data Protection Directive, note 65, art. 8.
109. Data Protection Directive, note 65, art. 25(1);
110. Determann, L. (2010) 'New European Standard Contractual Clauses for data processors', The Privacy Advisor, p.1 (11 May 2010).
111. Solove et al., note 49, pp.933-957.
112. Miller, M.Z. (2007) 'Why Europe is safe from ChoicePoint: preventing commercialized identity theft through strong data protection and privacy laws', 39 George Washington International Law Review, pp.405-408.
113. See, for example, CDD profiling complaint, note 9, p.26 (discussing the online marketing industry's illogical persistence that cookies for individual targeting via a per-impression auction are not personal data).
114. Determann, note 100, p.1.
115. Miller, M.Z. (2007) 'Why Europe is safe from ChoicePoint: preventing commercialized identity theft through strong data protection and privacy laws', 39 George Washington International Law Review, pp.405-408. Ibid.
116. Miller, M.Z. (2007) 'Why Europe is safe from ChoicePoint: preventing commercialized identity theft through strong data protection and privacy laws', 39 George Washington International Law Review, pp.405-408. Ibid.
117. Miller, M.Z. (2007) 'Why Europe is safe from ChoicePoint: preventing commercialized identity theft through strong data protection and privacy laws', 39 George Washington International Law Review, pp.405-408. Ibid.
118. Determann, note 100, p.2.
119. Determann, note 100, p.1.
120. In the House of Representatives, [Staff Discussion Draft], 111th CONGRESS, lst Session, H.R. -, To require notice and consent of an individual prior to the collection and disclosure of certain personal information related to that individual (May 3, 2010) [hereinafter "The Boucher Bill"), available at http://www.boucher.house.gov/images/stories/Privacy-Draft-5-10.pdf (accessed on 27 September 2010). The Boucher Bill, drafted by Congressman Rick Boucher, was publicly released for comment by stakeholders.
121. See Guenwald, J. 'Boucher Wants Bipartisan Privacy Bill', Tech Daily Dose, CongressDaily, National Journal (10 June 2010). In the fall, Congressman Boucher announced that the bill is expected to be introduced as proposed legislation early in the next Congress.
122. Krigman, E., 'Boucher moving forward on privacy legislation', CongressDaily (29 September 2010), available at http://techdailydose. nationaljournal.com/2010/09/boucher-moving-forward-on-priv.php (accessed on 9 Oct. 2010). As of the date of this writing, The Boucher Bill has not yet been introduced into Congress. Congressman Rick Boucher was not re-elected to Congress in fall 2010. It is not yet known what impact this will have on the future of this draft bill. Boucher's cosponsor on the bill is still serving in Congress.
123. Other proposed federal legislation is also anticipated. One such bill was introduced by Congressman Rush in the House of Representatives in July 2010. See H.R. 5777, 111th Congress, 2d Session, In the House of Representatives, 'To foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes' ('Rush Act of 2010' or 'Best Practices Act'), available at http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname= 111-cong-bills&docid=f:h5777ih.txt.pdf (accessed on 27 September 2010).
124. For simplicity of discussion, focus in this article will be on The Boucher Bill. See The Boucher Bill, note 110. Three companies, eBay, Microsoft and Intel, have declared their support for the Rush Act of 2010, along with the companies' recommendations that the proposed legislation be modified to remove the provision that creates a private right of action. Letter from eBay, Microsoft and Intel to Congressman Rush and Congressman Whitfield (4 October 2010), available at http://blogs.intel.com/policy/HR%205770%20Support%20Letter. pdf (accessed on 13 October 2010).
125. The Boucher Bill, note 110, p.8.
126. The Boucher Bill, note 110, p.12 (express consent is required for disclosure of covered information to unaffiliated parties), p.16 (express consent is required for collection or disclosure of sensitive information or for disclosure of all or substantially all of an individual's online activity). If an individual declines consent at any time subsequent to the initial collection of covered information, the covered entity may not collect covered information from the individual or use previously collected covered information. The Boucher Bill, p.12.
127. The requirement to obtain express consent does not apply to disclosure of covered information to a service provider if the covered entity has obtained consent under the opt out rules and the service provider agrees to use the covered information only for the purpose of providing an agreed-upon service to the covered entity and not to disclose covered information to any other person.
128. The Boucher Bill, note 110, p.14.
129. The Boucher Bill, note 110, pp.9-12.
130. The Boucher Bill, note 110, p.2.
131. The Boucher Bill, note 110, p.3.
132. The Boucher Bill, note 110, p.6.
133. The Boucher Bill, note 110, p.2. Sex or gender is not included in this definition.
134. The bill requires express opt in consent before disclosing location-based information. The Boucher Bill, note 110, p.21.
135. The Boucher Bill, note 110, pp.22, 25.
136. The Boucher Bill, note 110, p.8 (para. 13).
137. The Boucher Bill, note 110, pp.17-19.
138. McCullagh,D. 'House privacy bill draws fire from all sides', CNET News (5 May, 2010);
139. 'Online behavioral advertising, what all global companies need to know', Baker and McKenzie p.6 (June 2010).
140. See generally, CDT comments on Discussion Draft of US Consumer Privacy Legislation, note 16, p.3.
141. Art. 29 Opinion 2/2010, note 42, p.4.
142. Art. 29 Opinion 2/2010, note 42, p.3.
143. Art. 29 Opinion 2/2010, note 42, pp.7-9 (based on the amended E-Privacy Directive that must be implemented by Member States into national law by May 2011).
144. Art. 29 Opinion 2/2010, note 42, p.9.
145. 'Online behavioral advertising, what all global companies need to know', Baker and McKenzie p.6 (June 2010). Ibid.
146. 'Online behavioral advertising, what all global companies need to know', Baker and McKenzie p.6 (June 2010). Ibid.
147. Art. 29 Opinion 2/2010, note 42, p.11.
148. 'Online behavioral advertising, what all global companies need to know', Baker and McKenzie p.6 (June 2010). Ibid.
149. Art. 29 Opinion 2/2010, note 42, p.12.
150. Art. 29 Opinion 2/2010, note 42, p.13.
151. 'Online behavioral advertising, what all global companies need to know', Baker and McKenzie p.6 (June 2010). Ibid.
152. Art. 29 Opinion 2/2010, note 42, p.14.
153. Art. 29 Opinion 2/2010, note 42, p.15.
154. Art. 29 Opinion 2/2010, note 42, p.20.
155. Art. 29 Opinion 2/2010, note 42, p.17.
156. Art. 29 Opinion 2/2010, note 42, pp.19-20.
157. 'Online behavioral advertising, what all global companies need to know', Baker and McKenzie p.6 (June 2010). Ibid.
158. See generally, CE Recommendation, note 4.
159. CE Recommendation, note 4, Appendix, para. 3.8 (not answering the question of what is the appropriate level of notice and consent for third-party cookies such as those downloaded by advertising networks).
160. CE Recommendation, note 4, Appendix, para. 1(e).
161. CE Recommendation, note 4, Appendix, paras. 2.1, 2.2.
162. See generally, CE Recommendation, note 4, Appendix.
163. CE Recommendation, note 4, Appendix, para. 1(b), para. 3.11. Sex or gender is not included in this definition although the recommendation mentions prevention of sex discrimination as a reason that it is necessary to regulate profiling.
164. CE Recommendation, note 4, Appendix, para. 4.1 (a-e).
165. CE Recommendation, note 4, Appendix, para.4.1 (f).
166. CE Recommendation, note 4, Appendix, paras. 3.4-3.7 (does not address whether opt in or opt out consent is required).
167. CE Recommendation, note 4, (commenting in the considerations listed that that "profiles, when they are attributed to a data subject, make it possible to generate new personal data which the data subject has communicated to the controller or which she or he can reasonably presume to be known to the controller").
168. CE Recommendation, note 4, Appendix, para. 5.2.
169. CE Recommendation, note 4, Appendix, para. 2.1, para. 5.5.
170. CE Recommendation, note 4, Appendix, para. 1(g).
171. CE Recommendation, note 4, Appendix, para. 1(h).
172. CE Recommendation, note 4, Appendix, para. 1(a) (individual is not identifiable if it requires unreasonable time or effort.
173. Poullet (2009) note 88, p.220 (discussing the use of secondary identifiers such as IP addresses and other unique identifiers stored in cookies and whether they create personal data).
174. CE Recommendation, note 4, Appendix, para. 4.1(f); para. 4.3.
175. CE Recommendation, note 4, Appendix, para. 4.3.
176. See generally, CDT comments on discussion draft of US Consumer Privacy Legislation, note 16. The Center for Democracy and Technology (a consumer privacy advocacy group) criticises the Boucher Bill's references to 'affiliate of a covered entity' and 'unaffiliated party' as requiring further clarification to ensure that these terms are consistent with the reasonable expectations of consumers and do not provide an overbroad exception from the protections of this bill. CDT suggests that the term 'affiliate of the covered entity' be limited to entities under common branding with the covered entity. Ibid. p.3.
177. The Boucher Bill, note 110, pp.17-19. Advertising networks that receive disclosure of covered information may not make further transfers of that information to any other entity without consumer's affirmative express consent.
178. Davis, W. (2010) 'Study: even moderate privacy regulation reduces ad effectiveness', OnlineMediaDaily (18 May, 2010).
179. Davis, W. (2010) 'Study: even moderate privacy regulation reduces ad effectiveness', OnlineMediaDaily . Ibid.
180. 'Study: consumers, marketers differ on electronic privacy', PHYSorg.com (9 July 2010).
181. 'Study: consumers, marketers differ on electronic privacy', PHYSorg.com (2010). Ibid.
182. The FTC discusses when combination of information about a consumer's internet activity might constitute a highly detailed and sensitive profile potentially traceable to the consumer. FTC Guidelines, note 15, p.22.
183. FTC Guidelines, note 15, pp.22-23.
184. FTC Guidelines, note 15, p.26 (emphasis added). Of course the FTC Guidelines limit their applicability in other important respects, for example by excluding first party and contextual advertising from the definition of behavioural advertising and not including consumer access rights for either PII or non-PII data that is used for behavioural advertising purposes.
185. See legislative action, self regulation: online behavioral advertising', Direct Marketing Association, available at http://www.dmaaction.org/index.php? ht=display/ContentDetails/ i/1826309 (accessed on 27 September 2010) [describing self regulatory efforts by the DMA including the CLEAR Ad Notice (Control Links for Education and Advertising Responsibility)].