Phorm must be opt in

ICO: Phorm is OK if it is opt-in and anonymous

Controversial web advertising system Phorm must be opt-in and maintain customer anonymity says official guidance issued today from privacy watchdog The Information Commisssioner's Office (ICO).

BT, Carphone Warehouse, and Virgin Media are currently evaluating Phorm. The system profiles the addresses and contents of sites visited by web users and then uses that information to match a user against broad advertising categories.

The ICO says that if Phorm's system adheres in practice to the claims of the company, then it will not breach the Data Protection Act.

"Phorm has asserted that it does not have nor would it ever want or need access to any information held by the ISP which would enable it to link their user ID and profile to a living individual," says the guidance.

"If this is true the company is not processing personal data of the ISP’s customers in providing its product and the DPA will not apply."

But even if Phorm is not processing personal data, any ISP using the system could potentially trace individuals because it knows the identity of the anonymous IP addresses being profiled by Phorm.

Because of this, users must choose to be involved in the system, which currently seems to be the case, says the ICO.

"At this point it appears that users will be presented with an unavoidable statement about the product and asked to exercise a choice about whether or not to be involved on that basis," it says.

The ICO says it will keep use of Phorm under review.

Any breach of the Regulation of Investigatory Powers Act 2000 (RIPA) – a law on the interception of communications – is a matter for the Home Office, which is currently investigating the issues.