Ethical issues concerned with personal information ownership have been usefully summarised by Mason (1986) into four areas:

• Privacy - what information is held about the individual?

• Property - who owns it and how can ownership be transferred?

• Accessibility - who is allowed to access this information, and under which conditions?

Fletcher (2001) provides an alternative perspective, raising these issues of concern for both the individual and the marketer:

• Transparency - who is collecting what information?

• Security - how is information protected once it has been collected by a company?

• Liability - who is responsible if data are abused?

All of these issues arise in the next section which reviews actions marketers should take to achieve privacy and trust.

Data protection legislation is enacted to protect the individual, to protect their privacy and to prevent misuse of their personal data. Indeed, the first article of the European Union Directive 95/46/EC on which legislation in individual European countries is based, specifically refers to personal data. It says:

Member states shall protect the fundamental rights and freedoms of natural persons [i.e. a named individual at home or at work], and in particular their right to privacy with respect to the processing of personal data.

Personal data

Any information about an individual stored by companies concerning their customers or employees.


The process whereby companies register with the data protection register to inform about their data holdings.

Data controller

Each company must have a defined person responsible for data protection.

Data subject

The legal term to refer to the individual whose data are held.

In the UK, the enactment of the European legislation is the Data Protection Act 1984, 1998 (DPA), which is managed by the legal requirements of the 1998 UK data protection act and summarised at This law is typical of what has evolved in many countries to help protect personal information. Any company that holds personal data on computers or on file about customers or employees must be registered with a data protection registrar (although there are some exceptions which may exclude small businesses). This process is known as notification.

The guidelines on the eight data protection principles are produced by Information Commissioner (1998) on which this overview is based. These principles state that personal data should be:

1 Fairly and lawfully processed

In full:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless - at least one of the conditions in Schedule 2 is met; and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

The Information Commissioner has produced a 'fair processing code' which suggests how an organisation needs to achieve 'fair and lawful processing' under the details of Schedules 2 and 3 of the Act. This requires:

• Appointment of a data controller who is a person with defined responsibility for data protection within a company.

• Clear details in communications such as on a web site or direct mail of how a 'data subject' can contact the data controller or a representative.

• Before data processing 'the data subject has given his consent' or the processing must be necessary either for a 'contract to which the data subject is a party' (for example as part of a sale of a product) or because it is required by other laws. Consent is defined in the published guidelines as 'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed'.

• Sensitive personal data requires particular care, this includes:

- the racial or ethnic origin of the data subject;

- political opinions;

- religious beliefs or other beliefs of a similar nature;

- membership of a trade union;

- physical or mental health or condition;

- sexual life;

- the commission or alleged commission or proceedings of any offence.

• No other laws must be broken in processing the data.

2 Processed for limited purposes

In full:

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

This implies that the organisation must make it clear why and how the data will be processed at the point of collection. For example, an organisation has to explain how your data will be used if you provide your details on a web site when entering a prize draw. You would also have to agree (give consent) for further communications from the company.

Figure 3.2 suggests some of the issues that should be considered when a data subject is informed of how the data will be used. Important issues are:

• Whether future communications will be sent to the individual (explicit consent is required for this in online channels; this is clarified by the related Privacy and Electronic Communications Regulation Act which is referred to below);

• Whether the data will be passed on to third parties (again explicit consent is required);

Figure 3.2 Information flows that need to be understood for compliance with data protection legislation i

Figure 3.2 Information flows that need to be understood for compliance with data protection legislation

3 Adequate, relevant and not excessive

In full:

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

This specifies that the minimum necessary amount of data is requested for processing. There is difficulty in reconciling this provision between the needs of the individual and the needs of the company. The more details that an organisation has about a customer, then the better they can understand that customer and so develop products and marketing communications specific to that customer which they are more likely to respond to.

4 Accurate

In full:

Personal data shall be accurate and, where necessary, kept up to date.

It is clearly also in the interest of an organisation in an ongoing relationship with a partner that the data be kept accurate and up-to-date. The guidelines on the Act suggest that additional steps should be taken to check data are accurate, in case they are in error, for example due to mis-keying by the data subject or the organisation or for some other reason. Inaccurate data are defined in the guidelines as: 'incorrect or misleading as to any matter of fact'.

The guidelines go on to discuss the importance of keeping information up-to-date. This is only necessary where there is an ongoing relationship and the rights of the individual may be affected if they are not up-to-date. This implies, for example, that a credit-checking agency should keep credit scores up-to-date.

5 Not kept longer than necessary

In full:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

The guidelines state:

To comply with this Principle, data controllers will need to review their personal data regularly and to delete the information which is no longer required for their purposes.

It might be in a company's interests to 'clean data' so that records that are not relevant are archived or deleted, for example if a customer has not purchased for ten years. However, there is the possibility that the customer may still buy again, in which case the information would be useful.

If a relationship between the organisation and the data subject ends, then data should be deleted. This will be clear in some instances, for example when an employee leaves a company their personal data should be deleted. With a consumer who has purchased products from a company this is less clear since frequency of purchase will vary, for example a car manufacturer could justifiably hold data for several years.

6 Processed in accordance with the data subject's rights

In full:

Personal data shall be processed in accordance with the rights of data subjects under this Act.

One aspect of the data subject's rights is the option to request a copy of their personal data from an organisation; this is known as a 'subject access request'. For payment of a small fee such as £10 or £30, an individual can request information which must be supplied by the organisation within 40 days. This includes all information on paper files and on computer. If you requested this information from your bank there might be several boxes of transactions!

Other aspects of a data subject's rights which the law upholds are designed to prevent or control processing which:

• causes damage or distress (for example repeatedly sending mailshots to someone who has died);

• is used for direct marketing (for example, in the UK consumers can subscribe to the mail, e-mail or telephone preference services to avoid unsolicited mailings, e-mails or phone calls). This invaluable service is provided by the Direct Marketing Association (www.dmaconsumers.ora). If you subscribe to these services organisations must check against these 'exclusion lists' before contacting you. If they don't, and some don't, they are breaking the law;

• is used for automatic decision taking - automated credit checks, for example, may result in unjust decisions on taking a loan. These can be investigated if you feel the decision is unfair.

Subject access request

A request by a data subject to view personal data from an organisation.

7 Secure

In full:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This guideline places a legal imperative on organisations to prevent unauthorised internal or external access to information and also its modification or destruction. Of course, most organisations would want to do this anyway since the information has value to their organisation.

Of course, the cost of security measures will vary according to the level of security required. The Act allows for this through this provision:

(i) Taking into account the state of technological development at any time and the cost of implementing any measures, the measures must ensure a level of security appropriate to: (a) the harm that might result from a breach of security; and (b) the nature of the data to be protected. (ii) The data controller must take reasonable steps to ensure the reliability of staff having access to the personal data.

8 Not transferred to countries without adequate protection

In full:

Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.

Transfer of data beyond Europe is likely for multinational companies. This principle prevents export of data to countries that do not have sound data processing laws. If the transfer is required in concluding a sale or contract or if the data subject agrees to it, then transfer is legal.

Anti-spam legislation

Laws have been enacted in different countries to protect individual privacy and with the intention of reducing spam or unsolicited commercial e-mail (UCE). Originally, the best-known 'spam' was tinned meat (a contraction of 'spiced ham'), but a modern version of this acronym is 'sending persistent annoying e-mail'. Spammers rely on sending out millions of e-mails in the hope that even if there is only a 0.01% response they may make some money, if not get rich.

Anti-spam laws do not mean that e-mail cannot be used as a marketing tool. As explained below, opt-in is the key to successful e-mail marketing. Before starting an e-mail dialogue with customers, according to European and American law and in many countries in the Asia-Pacific region, companies must ask customers to provide their e-mail address and then give them the option of 'opting into' further communications. Ideally they should proactively opt in by checking a box. E-mail lists can also be purchased where customers have opted in to receive e-mail. Data held about individuals are commonly used for marketing products to potential or existing customers through e-mail.

Legal opt-in e-mail addresses and customer profile information are available for purchase or rental from a database traditionally known by marketers as a cold list, so called because the company that purchases the data from a third party does not know you. Your name will also potentially be stored on an opt-in house list within companies you have purchased from where you have given your consent to be contacted by the company or given additional consent to be contacted by its partners.


Unsolicited e-mail (usually bulk-mailed and untargeted).

Cold list

Data about individuals that are rented or sold by a third party.

House list

Data about existing customers used to market products to encourage future purchase.

Regulations on privacy and electronic communications

Privacy and Electronic Communications Regulations Act

A law intended to control the distribution of e-mail and other online communications including cookies.

While the Data Protection Directive 95/46 and Data Protection Act afford a reasonable level of protection for consumers, they were quickly superseded by advances in technology and the rapid growth in spam. As a result, in 2002 the European Union passed the '2002/58/EC Directive on Privacy and Electronic Communications' to complement previous data protection law. This Act is significant from an information technology perspective since it applies specifically to electronic communications such as e-mail and the monitoring of web sites.

As with other European laws, this law was implemented differently in different countries. Some countries considered infringements more seriously. A company which is in breach of the directive in Italy is threatened by fines of up to €66,000 while in the UK the maximum fine is £5,000. It is clearly important for managers to have access to legal advice which applies not only to their own country, but also to other European countries.

In the US in January 2004, a new federal law known as the CAN-SPAM Act was introduced to assist in the control of unsolicited e-mail. CAN SPAM stands for 'Controlling the Assault of Non-Solicited Pornography and Marketing' (an ironic juxtaposition between pornography and marketing). This harmonised separate laws in different US states, but was less strict than in some states such as California. The Act requires unsolicited commercial e-mail messages to be labelled (though not by a standard method) and to include opt-out instructions and the sender's physical address. It prohibits the use of deceptive subject lines and false headers in such messages. Anti-spam legislation in other countries can be accessed at

As an example of European privacy law, we will now review the implications for managers of the UK enactment of 2002/58/EC Directive on Privacy and Electronic Communications. This came into force in the UK on 11 December 2003 as the Privacy and Electronic Communications Regulations (PECR) Act. The law is published at: Consumer marketers in the UK also need to heed the Code of Advertising Practice from the Advertising Standards Agency (ASA CAP code, codes). This has broadly similar aims and places similar restrictions on marketers to the PECR law.

It is a surprisingly accessible and commonsense document - many marketers will be practising similar principles already. Clauses 22 to 24 are the main clauses relevant to email communications. We will summarise the main implications of the law by picking out key phrases. The new PECR law:

1 Applies to consumer marketing using e-mail or SMS text messages

22(1) applies to individual subscribers. 'Individual subscribers' means consumers, although the Information Commissioner has stated that this may be reviewed in future to include business subscribers as is the case in some other countries such as Italy and Germany.

Although this sounds like great news for business-to-business (B2B) marketers and some take the view 'great, the new law doesn't apply to us', this could be dangerous. There has been adjudication by the Advertising Standards Agency which found against a B2B organisation which had unwittingly e-mailed consumers from what they believed was an in-house list of B2B customers.

The new law applies to 'unsolicited communications' (22(1)). It was introduced with a view to reducing spam, although we all know its impact will be limited on spammers beyond Europe. The relevant phrase is part of 22(2) where the recipient must have 'previously notified the sender that he consents' or has proactively agreed to receiving commercial


A customer proactively agrees to receive further information.

e-mail. This is opt-in. Opt-in can be achieved online or offline through asking people whether they want to receive e-mail. Online this is often done through a tick box.

The main options are shown in Figure 3.3. Figure 3.3(a) is opt-out and it can be considered this is against the spirit of the law since someone may sign up to receive e-mail communications without realising it. Figure 3.3(b) is opt-in since the subscriber has to explicitly check the box. Figure 3.3(c) is also opt-in, but it is a more subtle approach. The consumer cannot enter the prize draw unless they complete the form. In fact, the PECR law does not mandate a tick box option provided consent is clearly indicated.

Your Name & Address

To enter you in the £10,000 prize draw, please make sure you enter your name and email address on this page and your contact address on the next page.

The questions marked in blue are obligatory fields. Title: Select answer

Surname: First Name: Phone No: Mobile No: Email:

Is this email address your:

<~ Home f Business f Both

Which is your preferred format for receiving email offers?

Figure 3.3 Online forms: (a) opt-out, (b) opt-in, (c) implicit opt-in

Permission marketing

Customers agree (opt-in) to be involved in an organisation's marketing activities, usually as a result of an incentive.

The approach required by the law has, in common with many aspects of data protection and privacy law, been used by many organisations for some time. In other words, sending unsolicited e-mails was thought to be unethical and also not in the best interests of the company because of the risk of annoying customers. In fact, the law conforms to an established approach known as 'permission marketing', a term coined by US commentator Seth Godin (1999, Chapter 6 - first four chapters available free from


A customer declines the offer to receive further information.

3 Requires an opt-out option in all communications

An opt-out or method of 'unsubscribing' is required so that the recipient does not receive future communications. In a database this means that a 'do not e-mail' field must be created to avoid e-mailing these customers. The law states that a 'simple means of refusing' future communications is required both when the details were first collected and in each subsequent communication.

4 Does not apply to existing customers when marketing similar products

This commonsense clause (22 (3) (a)) states that previous opt-in is not required if the contact details were obtained during the course of the sale or negotiations for the sale of a product or service. This is sometimes known as 'soft opt-in'. While this is great news for retailers, it is less clear where this leaves not-for-profit organisations such as charities or public-sector organisations where the concept of a sale does not apply.

Clause 22 (3) (b) adds that when marketing to existing customers the marketer may market 'similar products and services only'. Case law will help in clarifying this. For example, for a bank, it is not clear whether a customer with an insurance policy could be targeted for a loan.

5 Requires contact details must be provided

It is not sufficient to send an e-mail with a simple sign-off from 'the marketing team' or 'the web team' with no further contact details. The law requires a name, address or phone number to whom a recipient can complain.

6 Requires the 'from' identification of the sender must be clear

Spammers aim to disguise the e-mail originator. The law says that the identity of the person who sends the communication must not be 'disguised or concealed' and that a valid address to 'send a request that such communications cease' should be provided.

7 Applies to direct marketing communications

The communications that the legislation refers to are for 'direct marketing'. This suggests that other communications involved with customer service such as an e-mail about a monthly phone statement are not covered, so the opt-out choice may not be required here.


Cookies are small text files stored on an end-user's computer to enable web sites to identify the user.

8 Restricts the use of cookies

Some privacy campaigners consider that the user's privacy is invaded by planting cookies or electronic tags on the end-user's computer. The concept of the cookie and its associated law is not straightforward, so it warrants separate discussion.

Persistent cookies

Cookies that remain on the computer after a visitor session has ended. Used to recognise returning visitors.

Session cookies

A cookie used to manage a single visitor session.

Understanding cookies

A cookie is a data file placed on your computer that identifies that individual computer. 'Cookie' derives from the Unix operating system term 'magic cookie' which meant something passed between routines or programs that enables the receiver to perform some operation.

Types of cookies

The main cookie types are:

• Persistent cookies - these stay on a user's computer between multiple sessions and are most valuable for marketers to identify repeat visits to sites;

• Temporary or session cookies (single-session) - useful for tracking within pages of a session such as on an e-commerce site;

First-party cookies

Served by the site currently in use -typical for e-commerce sites.

Third-party cookies

Served by another site to the one being viewed - typical for portals where an ad network will track remotely or where the web analytics software places a cookie.

• First-party cookies - served by the site currently in use, typical for e-commerce sites. These can be persistent or session cookies;

• Third-party cookies - served by another site to the one being viewed, typical for portals where an ad network will track remotely or where the web analytics software places a cookie. These are typically persistent cookies.

Cookies are stored as individual text files in a directory on a personal computer. There is usually one file per web site. For example: [email protected]. This file contains encoded information as follows:

FLT_VIS IK:bapzRnGdxBYUUID:Jul-25-1999l 0 425259904 29357426 1170747936 29284034 *

The information in the cookie file is essentially just an identification number and a date of the last visit although other information can be stored.

Cookies are specific to a particular browser and computer, so if a user connects from a different computer such as at work or starts using a different browser, the web site will not identify him or her as a similar user.

What are cookies used for?

Common marketing applications of cookies include:

• Personalising a site for an individual. Cookies are used to identify individual users and retrieve their preferences from a database according to an identifier stored in the cookie. For example, I subscribe to the E-consultancy service ( for the latest information about e-business; each time I return I do not have the annoyance of having to log in because it remembers my previous visit. Many sites feature a 'Remember Me' option which implies using a cookie to remember a returning visitor. Retailers such as Amazon can use cookies to recognise returning visitors and can recommend related books purchased by other readers. This approach generally has good benefits for both the individual (it is a hassle to sign in again and relevant content can be delivered) and the company (tailored marketing messages can be delivered).

• Online ordering systems. This enables a site such as to track what is in your basket as you order different products.

• Tracking within a site. Web analytics software such as Webtrends ( which analyses statistics on visitors to web sites relies on persistent cookies to find the proportion of repeat visitors to a web site. Webtrends and other tools increasingly use firstparty cookies since they are more accurate and less likely to be blocked. Marketers should check whether use of first-party cookies is possible on their site.

• Tracking across sites. Advertising networks use cookies to track the number of times a particular computer user has been shown a particular banner advertisement; they can also track adverts served on sites across an ad network. There was an individual rights outcry in the late 1990s since Doubleclick was using this to profile customers. Doubleclick no longer operates an ad network, partly due to this.

Affiliate networks and pay-per-click ad networks such as Google Adwords and Yahoo! Search services (Overture) may also use cookies to track through from a click on a third-party site to a sale or lead being generated on a destination or merchant site. These approaches tend to use third-party cookies. For example, if conversion tracking is enabled in Google Adwords, Google sets a cookie when a user clicks through on an ad. If this user buys the product, then the purchase confirmation page will include script code supplied by Google to make a check for a cookie placed by Google. If there is a match, the sale is attributed to Adwords. An alternative approach using third-party tracking is that different online campaigns have different tracking parameters or codes within the links through to the destination site and when the user arrives on a site from a particular source (such as Google Adwords) this is identified and a cookie set.

When purchase confirmation occurs, this can then be attributed back to the original source, e.g. Google Adwords and the particular referrer.

Owing to the large investments made now in pay-per-click marketing and affiliate marketing by many companies, this is the area of most concern for marketers since the tracking can become inaccurate. However, a sale should still occur even if the cookies are blocked or deleted, so the main consequence is that the ROI (return on investment) of online advertising or pay-per-click marketing may look lower than expected. In affiliate marketing, this phenomenon may benefit the marketer in that payment may not need to be made to the third party if a cookie has been deleted (or blocked) between the time of original clickthrough and sale.

Privacy issues with cookie use

The problem for Internet marketers is that, despite these important applications, blocking by browsers, such as Internet Explorer, or security software and deletion by users has increased dramatically. In 2005 Jupiter Research claimed that 39% of online users may be deleting cookies from their primary computer monthly, although this is debated.

Many distrust cookies since they indicate a 'big brother' is monitoring your actions. Others fear that their personal details or credit card details may be accessed by other web sites. This is very unlikely since all the cookies contain is a short identifier or number that is used to link you to your record in a database. Anyone who found the cookie wouldn't be able to log on to the database without your password. Cookies do not contain passwords, credit card information or any personal details as many people seem to think. These are held on the site servers, protected by firewalls and usernames and passwords. In most cases, the worst that someone can do who gets access to your cookies is to find out which sites you have been visiting.

It is possible to block cookies if the user finds out how to block them, but this is not straightforward and many customers either do not know or do not mind that their privacy may be infringed. In 2003 an interesting survey on the perception and behaviour with regards to cookies was conducted on cookie use in the UK (RedEye, 2003). Of the 1000 respondents:

• 50% had used more than one computer in the last three months;

• 70% said that their computer was used by more than one person;

• 94% said they either accepted cookies or did not know what they were, although 20% said they only accepted session cookies;

• 71% were aware of cookies and accepted them. Of these only 18% did not know how to delete cookies, and 55% of them were deleting them on a monthly basis;

• 89% knew what cookies were and how to delete them and said that they had deleted them once in the last three months.

Privacy statement

Information on a web site explaining how and why individuals' data are collected, processed and stored.

Legal constraints on cookies

The new PECR law limits the use of cookies. It states:

a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the following requirements are met.

The requirements are:

(a) the user is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) is given the opportunity to refuse the storage of or access to that information.

(a) suggests that it is important that there is a clear privacy statement and (b) suggests that opt-in to cookies is required. In other words, on the first visit to the site, a box would have to be ticked to agree to the use of cookies. This was thought by many commentators to be a curious provision since this facility is already available in the web browser. A further provision clarifies this. The law states: 'where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user'. This indicates that for an e-commerce service session cookies are legitimate without the need for opt-in. It is arguable whether the identification of return visitors is 'strictly necessary' and this is why some sites have a 'remember me' tick box next to the log-in. Through doing this they are compliant with the law. Using cookies for tracking return visits alone would seem to be outlawed, but we will have to see how case law develops over the coming years before this is resolved.

Viral marketing

A marketing message is communicated from one person to another, facilitated by different media, such as word of mouth, e-mail or web sites. Implies rapid transmission of messages is intended.

Viral e-mail marketing

One widespread business practice that is not covered explicitly in the PECR law is 'viral marketing'. The network of people referred to in the definition is more powerful in an online context where e-mail is used to transmit the virus - rather like a cold or flu virus. The combination of the viral offer and the transmission medium is sometimes referred to as the 'viral agent'. Different types of viral marketing are reviewed in Chapter 8.

Privacy verification bodies

There are several initiatives that are being taken by industry groups to reassure web users about threats to their personal information. The first of these is TRUSTe (www.truste.ora). sponsored by IBM and with sites validated by PricewaterhouseCoopers and KPMG (Figure 3.2). The validators will audit the site to check each site's privacy statement to see whether it is valid. For example, a privacy statement will describe:

• how a site collects information;

• how the information is used;

• who the information is shared with;

• how users can access and correct information;

• how users can decide to deactivate themselves from the site or withhold information from third parties.

A UK initiative coordinated by the Internet Media in Retail Group is ISIS (Internet Shopping is Safe) (www.imra.ora/ISIS). Government initiatives will also define best practice in this area and may introduce laws to ensure guidelines are followed. In the UK. the Data Protection Act covers some of these issues and the 1999 European Data Protection Act also has draft laws to help maintain personal privacy on the Internet.

We conclude this section on privacy legislation with a checklist summary of the practical steps that are required to audit a company's compliance with data protection and privacy legislation. Companies should:

1 Follow privacy and consumer protection guidelines and laws in all local markets. Use local privacy and security certification where available.

2 Inform the user, before asking for information on:

• what personal data are collected, processed and stored;

• what is the purpose of collection.

3 Ask for consent for collecting sensitive personal data, and it is good practice to ask before collecting any type of data.

4 Reassure customers by providing clear and effective privacy statements and explaining the purpose of data collection.

5 Let individuals know when 'cookies' or other covert software are used to collect information about them.

6 Never collect or retain personal data unless it is strictly necessary for the organisation's purposes. For example, a person's name and full address should not be required to provide an online quotation. If extra information is required for marketing purposes this should be made clear and the provision of such information should be optional.

7 Amend incorrect data when informed and tell others. Enable correction on-site.

8 Only use data for marketing (by the company, or third parties) when a user has been informed this is the case and has agreed to this. (This is opt-in.)

9 Provide the option for customers to stop receiving information. (This is opt-out.)

10 Use appropriate security technology to protect the customer information on your site.

Was this article helpful?

0 0
Success For Affiliate Managers

Success For Affiliate Managers

Explode your Affiliate Income Today By Learning FIRST How To Become A Successful Affiliate Manager! Do you want to know everything there is to know about running a successful affiliate program that brings you money on autopilot? Then get your hands on this brand new e-book.

Get My Free Ebook

Post a comment