Old Cookie Laws? The OFT Looks At The Consumer Protection Implications of Behavioural Data Again

The Office of Fair Trading (OFT), the government's consumer protection watchdog in the UK, has issued a call for information on cookie-derived behavioural data and its effect on online markets including pricing.

The OFT’s move follows a number of media investigations into behavioural data, and similar technical data (such as device and operating system information) gleaned from devices when a user browses the internet, and its use in influencing a user’s experience, in particular the price and type of goods and services presented to that user.

The OFT are building on their 2010 report on Online Targeting of Advertising and Prices, which was backed by a detailed consumer survey. At that point in time the OFT adopted a watching brief and encouraged self-regulation, for example through adoption of guidelines issued by the Internet Advertising Bureau (IAB).

The OFT are revisiting the position in part due to the rapid march of technology.

Their key priority is to “develop trust in online markets”, adding further weight to this ever-prevalent theme in privacy compliance. They aim to do so through working with industry and other regulators (including the US Federal Trade Commission) to develop and increase best practices, increase self-regulation, but also take enforcement action where necessary regarding potential breaches of consumer law.

They will be specifically looking at:

  • Whether consumers have enough control over data being shared and sold between organisations.
  • Whether firms have it clear in their own minds as to what data they need to provide goods and services, and whether they are acquiring additional data simply to pass on to others.
  • Any areas where consumer detriment may result (in particular price hikes).
  • Making recommendations to the Information Commissioner’s Office (ICO) regarding changes in data protection and privacy laws.

Their stated intention is not to pick on loyalty schemes in particular, although they are in scope. The OFT recognise that these are widespread, accepted by consumers, and generally well-understood.

So what consumer protection laws might be relevant?

In the OFT’s 2010 review, they focussed on the Consumer Protection from Unfair Trading Regulations 2008 (CPRs). The CPR's prohibit unfair commercial practices which distort consumer transactional decisions.

Put broadly, absent full transparency around behaviourally-driven pricing and behaviourally-driven selection of products/ services, in the OFT’s view the CPRs could be breached if an average consumer was influenced to make a different transactional decision (such as to use one website over another).

To illustrate this point, the OFT highlighted the following scenarios as potentially giving rise to a breach:

  • A failure to comply with the new cookie laws and be transparent about how cookies are used;
  • Any false or misleading statement around the use and purpose of cookies/similar tracking technologies and/or related behavioural data, including in pricing and product/ service selection;
  • Any failure to provide such information if it is needed to make an informed choice about use of a site, or if that information was provided late or in a hidden, ambiguous, or unintelligible manner.
  • Aggressive practices such as use of alternative technologies to get around the implications of the new cookie laws (absent appropriate information being provided to the consumer to enable them to make an informed choice).

The CPRs create various criminal sanctions, some of which apply on a strict liability basis, so are not to be treated lightly; however, the key factor is whether an average consumer would actually be influenced by the practices described above. This question is not easy to answer. The OFT collated a lot of information in relation to its 2010 report which in part supported the proposition that consumers would be influenced. This position runs contrary to the prevailing attitude within most organisations we work with though, that consumers don't take heed of the notices and information being given to them, and carry on to use a site regardless.

The OFT's view on data protection and privacy?

Although outside of their official remit, In issuing their call for information, the OFT have added further support to the requirements set out in Principle 1 of the Data Protection Act 1998, and the new cookie laws that came into force earlier this year – in essence that organisations have to be transparent about each purpose for which cookies, and the personal data they drive, are used, including pricing and product targeting.

In talking about the scope of data being collected, the OFT are also adding weight to Principle 3 of the DPA, which requires personal data, when collected, to be proportionate to its intended use.

Where does this call for information leave us?

Overall, we appear to be witnessing a convergence in regulatory concern and action around common privacy themes.

The full implications of this trend remain to be seen, but one thing appears certain: organisations will have to be increasingly diligent in their privacy-compliance practices in the future if they are avoid regulatory censure and related harm to their reputation in the eyes of their customers.

We await the results of the call for information (due in Spring 2013) with interest.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.