While for many at this time of year it's a season for gifts which don't last beyond Boxing Day, the draft paper published by the Information Commissioner's Office on Thursday is likely to have a lasting legacy, writes Jonathan Armstrong, technology lawyer and partner at Duane Morris.
The debate over the use of tracking tools on websites has been hotting up for some time. Many corporations use tracking software on their sites and in marketing e-mails, often without the knowledge of those responsible for compliance and security.
From the work I have done with companies over the last couple of years I would guess that around 70% are using tracking techniques. In many cases the intended use is harmless - for example to get statistics on the use of different browsers, to measure the success of email marketing campaigns or to localise content. The way in which this is done can be more problematical.
The first problem for most organisations is one of control. Tracking software is often embedded in freeware installed on a website without proper testing and due diligence. Software used to help serve adverts, for example, can have multiple destination addresses for the data being collected. How can you be sure where it is going? How do you know the use being made of your customers' data?
Coupled with this is the increased regulatory climate. Regulators on both sides of the Atlantic seem determined to make 2010 the year of greater internet regulation.
In the US the Federal Trade Commission announced in September that it had settled its proceedings against retail group Sears. Sears had told its users that it was installing software to track their online browsing and gave them a $10 voucher when they signed up online. According to the FTC's complaint, the information it gave was not specific enough. As part of the settlement Sears agreed to destroy all of the customer information it collected and change its future practices.
Closer to home, the European Commission has also been trying to regulate online tracking. On Friday a new European Directive is likely to be signed which will include changes to the e-Privacy Directive to regulate online tracking. The changes are aimed at bringing in new legislation in each of the 27 EU member states within the next 18 months.
In the UK, regulators already have power to act both for deceptive trade practice (like the powers used by the FTC in Sears) and under data protection legislation. Thursday's paper shows us that the information commissioner does not intend to wait for European developments before he gets involved.
The paper takes the form of draft guidance on which he will consult until 5 March. In many respects it is a helpful summary of existing law in the UK and anyone with a corporate web presence would be wise to take a look.
The paper stresses the difficulty in truly anonymising data streams when using online tracking. It emphasises the need to tell consumers how data is used and to be transparent. This for many corporations is a real challenge, especially when using third-party providers to provide services or host applications running off the site. Historically, online tracking has often been a bit murky with shoddy data handling practices. This will have to stop.
Technology professionals need to act now to make sure that they know all of the applications on their website, what they are doing, and the customer information they are collecting. All those involved in the website need to be part of the compliance process. On the positive side, CIOs are likely to get more airtime with the board as the importance of these issues increases. The next few weeks are a time to recharge the batteries for plenty of action in the New Year.