Tracking individuals' use of the internet is the latest trend in online advertising. But are current data protection laws strong enough to protect the right to privacy?

Online advertising comes in many guises: ads on search engine results pages, banner ads and email marketing, including spam, to name a few. For most people advertising is part and parcel of their online experience: sometimes useful, sometimes irritating, but perhaps most often ignored. However, there have been significant developments in online advertising recently which are causing debate among privacy professionals – particularly relating to behavioural or personalised internet advertising. Should those of us who are concerned about privacy really be cautious about embracing these new technologies?

One matter in particular to have received press coverage is Phorm's internet service provider (ISP)-level adware and associated targeted online advertising. Targeted online advertising directs advertisements at customers based on their previous online behaviour. Together with a user's ISP, the new technologies profile the addresses and certain content of websites visited and then use that information to place that user in defined advertising categories.

Those who champion users' privacy often use offline analogies to convey how the new technologies work.

For example, US Congressman Joe Barton, who co-founded the Congressional Privacy Caucus, was recently quoted as saying: "Businesses don't send out gumshoes to track you around the shopping centre, and they shouldn't be allowed to dog you around the internet either".

However, Phorm argues that, as the profiling will take place with the knowledge and agreement of the user, there is no cause for any privacy concerns. It points out that the profile is based on a unique ID allocated at random to each user which is held only on their computer and by Phorm. This means the profiling and advertising occurs without knowledge of the identity of individual users and no "personal data", within the meaning of the Data Protection Act 1998, is processed.

At its very narrowest, privacy is understood to comprise users' data protection rights to have their personal data processed fairly and lawfully in accordance with this act. However data protection and privacy are not the same thing: there is other legislation which also plays a part in shaping our notions of privacy and what constitutes a compromise of it.

Accordingly, Phorm's response that such advertising complies with data protection legislation, even if correct, is not the end of the story as users' privacy rights extend beyond the strict limits of data protection law. For example, the Regulation of Investigatory Powers Act 2000 prohibits the interception of communications without consent. Even if targeted online advertising complies with data protection legislation as no personal data are processed, it may constitute the interception of a user's communication with a website, requiring the consent of both the individual and also the companies hosting the web pages visited by that user.

In addition, the Privacy and Electronic Communications Regulations 2003 require users to be informed when a cookie is placed on their computers and to be given clear and comprehensive information about its purpose and the ability to refuse it. There is also the right of respect for private life under article eight of the European Convention on Human Rights. The recent case of Copland v UK [2007] confirmed that this right extends to respect for the privacy of internet usage. In that case, the European Court of Human Rights held that Carmarthenshire College had breached an employee's right to respect for her private life by monitoring, collecting and storing personal information relating to her internet usage. Those who are concerned about targeted advertising argue that the only difference between what targeted online advertisers do and what Carmarthenshire College did in the Copland case is that online advertisers have non-name identifiers.

The regulators appear, at least in principle, to be willing to accept these new technologies. The Information Commissioner has reviewed how Phorm works and has concluded that it can operate in a way that complies with both the Data Protection Act and the Privacy and Electronic Communications Regulations. The Home Office has confirmed that it is questionable whether Phorm's technology involves an interception within the meaning of the Regulation of Investigatory Powers Act 2000 and, even if it does, it could be argued that such an interception was not unlawful. What appears to be key to this acceptance is the obtaining of users' fully informed consent and the ability of users to opt-out.

As well as getting the regulators on board, however, those operating these new technologies will need to gain, and maintain, public confidence. This is not always easy: different people may have different notions – and expectations – of privacy. These differences may be due to generational distinctions: the attitudes of Generation Y to these technologies are likely to be very different to those of older generations who have not grown up with the internet.

Both Phorm and the online advertisers must be aware of and address such differences in attitude if they are to be able to reassure those concerned about privacy and persuade them to embrace the brave new world of targeted online advertising.

Ann Bevitt is head of employment and privacy at Morrison & Foerster in London.