Baidu cookie case: Compliance in big data-based precision marketing

By Wu Weiming, AllBright Law Offices
0
796

Big data-based precision marketing is a key manifestation of upgrades and transformation in the online advertising industry. However, in the development process, it has also faced legal and compliance issues. This column proposes to analyze this briefly in light of the Baidu cookie case.

Precision marketing refers to the process of constructing group profiles of users on the basis of big-data analysis, as well as accurately finding users and pushing product or service information to users by associating identification tags in the profiles with the identity information of internet users.

吴卫明-WU-WEIMING-锦天城律师事务所-高级合伙人-Senior-Partner-AllBright-Law-Offices
WU WEIMING
Senior Partner
AllBright Law Offices

Precision marketing can generally be divided into three stages: (1) constructing group profiles of users; (2) linking the profiles with specific identification information accurately to find users; and (3) pushing information to the target users.

The first stage mainly involves the rules related to collecting personal information. The second stage involves the output of group user profiles or output of tags. At the second stage, user profiles transform from lacking personal identity features to having personal identification functions. By combining the group profile and personal identification information, user profiles are made specific, which is a key stage in precision marketing. If this stage involves the transfer of personal identification information, it needs judgment, based on the principle of authorization, and consent, determined in the Cybersecurity Law.

The third stage is the pushing of marketing information. To push information requires users’ mobile phone numbers, WeChat numbers, international mobile equipment identities (IMEI), browser cookie information, etc. There is a vigorous ongoing debate over whether information like IMEI and browser cookies are part of personal information. In its judgment on the Baidu cookie case, in particular, the Nanjing Intermediate Court found that online browsing history was linked solely to the hardware, and lacked the features of personal information, resulting in cookie information not being deemed as personal information for a time.

BAIDU COOKIE CASE

The plaintiff, surnamed Zhu (Mr Zhu), discovered that, in the course of visiting relevant websites at home and at work, after using the Baidu search engine to search relevant key words, ads relating to his key words would appear on specific websites of the Baidu ad alliance. Mr Zhu argued that Baidu utilized online cookie technology to record and track the key words he searched, without him knowing it and without him opting for it, and displayed his interests, hobbies and personal demands on the relevant websites and placed ads on the web pages he visited, infringing his right to privacy. In May 2013, Mr Zhu sued Baidu in the People’s Court of Gulou District, Nanjing, seeking an order for immediate cessation of the infringement and payment of a solatium for emotional injury in the amount of RMB10,000.

The judgment at first instance held that personal privacy includes one’s private activities and private sphere. Mr Zhu’s act of using specific words to carry out online searches on Baidu would leave traces of his private activities in cyberspace, and the traces of such activities would display his personal online preferences, reflect information on his personal interests and demands and, to a certain extent, denote his basic particulars and details of his private life, falling, therefore, within the scope of personal privacy. Accordingly, the judgment at first instance found that Baidu had infringed Mr Zhu’s privacy.

Subsequently, the case was appealed to the Nanjing Intermediate Court. The appeals court held that collected online browsing history was anonymized and, therefore, did not satisfy the requirement of personal information being “identifiable”. As to the issue of the pushing of information, the appeals court held that the terminal to which the information pushed was the browser, not the specific individual.

This case occurred before the issuance and entry into force of such laws and regulatory documents as the Cybersecurity Law. If this case were inspected in light of the new rules, the following two points would require particular attention:

  1. Is cookie information personal information? Article 1 of the Interpretations on Cases Involving Infringement of the Personal Information of Citizens expressly places “various types of information recorded in electronic or other methods, that alone or in combination with other information can identify the identity of a specific natural person or reflect details of the activities of a specific natural person, including his or her name, ID card number, correspondence information, address, account password, property details, whereabouts, etc” within the scope of personal information. In addition to following up on this concept, the Information Security Technology – Personal Information Security Specification sets forth examples of personal information. It places the individual’s online history (user operation records stored in web logs, including website browsing history, software use history, click history, etc.) and information on the equipment regularly used by the individual (including hardware serial numbers, equipment MAC addresses, software libraries, unique equipment identifiers (e.g., IMEI/android ID/IDFA/OPENUDID/GUID, SIM card IMSI information, etc.) within the scope of personal information. Based on this principle, the principle determined in the Baidu cookie case to determine personal information had been superseded.
  2. Whether the user is adequately informed about the way cookie information is acquired and used? The Cybersecurity Law and other such laws, regulations and specifications have established the principle of express consent in respect of the collection and use of information. As defined in the Information Security Technology – Personal Information Security Specification, before the collection of such data, the related subject shall be expressly informed of the types of personal information to be collected by different business functions of the product or service offered, as well as the rules of collection and use, and shall grant his/her consent. Furthermore, the authorization and consent thereof needs to be secured from the subject of such information. Express consent signifies that the content of the notification on the web page and any information prohibiting the use of a certain app should be relatively prominently displayed and easy for the user to distinguish and read.

Wu Weiming is a senior partner at AllBright Law Offices

Allbright-Law-Offices 锦天城律师事务所

上海市浦东新区银城中路501号

上海中心大厦11及12层 邮编:200120

11/F and 12/F, Shanghai Tower

No. 501 Yincheng Middle Road

Pudong New Area, Shanghai 200120, China

电话 Tel: +86 21 2051 1000

传真 Fax: +86 21 2051 1999

电子信箱 E-mail:

[email protected]

www.allbrightlaw.com