13664028 (P.T.A.B. Dec. 11, 2018)

Ex Parte Zhang et al

Patent Trial and Appeal BoardDec 11, 2018

13664028 (P.T.A.B. Dec. 11, 2018)

UNITED STA TES p A TENT AND TRADEMARK OFFICE APPLICATION NO. FILING DATE 13/664,028 10/30/2012 21912 7590 12/13/2018 VAN PELT, YI & JAMES LLP 10050 N. FOOTHILL BLVD #200 CUPERTINO, CA 95014 FIRST NAMED INVENTOR Qing Zhang UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www .uspto.gov ATTORNEY DOCKET NO. CONFIRMATION NO. ALIBPOOlCl 8174 EXAMINER BOSWELL, BETH V ART UNIT PAPER NUMBER 3600 NOTIFICATION DATE DELIVERY MODE 12/13/2018 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): usptocorrespondence@ip-patent.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte QING ZHANG, HAI WANG, and YI DING Appeal2017-010558 1 Application 13/664,028 Technology Center 3600 Before MURRIEL E. CRAWFORD, MICHAEL W. KIM, and PHILIP J. HOFFMANN, Administrative Patent Judges. KIM, Administrative Patent Judge. DECISION ON APPEAL STATEMENT OF THE CASE This is an appeal from the final rejection of claims 1, 5-8, and 12-15. We have jurisdiction to review the case under 35 U.S.C. Â§Â§ 134 and 6. The invention relates generally to a "technique for providing data statistics." Spec. ,r 10. Independent claim 8 is illustrative: 8. A method comprising: 1 The Appellants identify Alibaba Group Holding Limited as the real party in interest. Appeal Br. 1. Appeal2017-010558 Application 13/664,028 storing product information, wherein the product information is input by one or more sellers through one or more interaction operations that are presented at a user interface; classifying, using one or more processors, a plurality of products included in the product information into a Standard Property Union (SPU) based at least in part on the plurality of products sharing a set of one or more identical properties, wherein at least some of the plurality of products are associated with different sellers; generating data in a database that (1) identifies the SPU and (2) associates the plurality of products with the SPU; generating behavioral data relating to the plurality of products associated with the SPU, wherein generating the behavioral data comprises: receiving an indication of a user selection to a webpage associated with a first product included in the plurality of products associated with the SPU; and in response to the indication, sending an access request to a log server, wherein the log server is configured to determine identifying information associated with a user associated with a user selection uniform resource locator (URL) associated with the user, wherein the URL comprises information that records the user's behavioral data with respect to the SPU; wherein the behavioral data relating to the plurality of products associated with the SPU includes one or more of: a number of times the plurality of products has been purchased, a number of times plurality set of products has been saved, or a number of times the plurality of products has been viewed, and wherein the generating of the behavioral data relating to the plurality of products associated with the SPU comprises: configuring corresponding relationships between a cumulative number of a plurality of types of the behavioral data associated with the SPU, wherein configuring corresponding relationships between the cumulative number of the plurality of types of the behavioral data associated with the SPU includes: 2 Appeal2017-010558 Application 13/664,028 accumulating behavioral data by a plurality of users associated with the first product included in the plurality of products associated with the SPU; accumulating behavioral data by at least a portion of the plurality of users associated with a second product included in the plurality of products associated with the SPU; and determining the cumulative number of the plurality of types of the behavioral data associated with the SPU based at least in part on a combination of the accumulated behavioral data associated with the first product and the accumulated behavioral data associated with the second product; and presenting, at a display, at least some of the corresponding relationships between the cumulative number of the plurality of types of the behavioral data and the SPU. The Examiner rejects claims 1, 5-8, and 12-15 under 35 U.S.C. Â§ 101 as directed to ineligible subject matter in the form of an abstract idea. The Examiner rejects claims 1, 6-8, and 13-15 under 35 U.S.C. Â§ I03(a) as unpatentable over Shaya et al. (US 2002/0161664 Al, pub. Oct. 31, 2002) ("Shaya"), Ghadialy et al. (US 8,744,928 B2, iss. June 3, 2014), ("Ghadialy"), and Hasselback et al. (US 2007/0156515 Al, pub. July 5, 2007) ("Hasselback"). The Examiner rejects claims 5 and 12 under 35 U.S.C. Â§ I03(a) as unpatentable over Shaya, Ghadialy, Hasselback, and Johnson et al. (US 2008/0027830 Al, pub. Jan. 31, 2008) ("Johnson"). We AFFIRM. ANALYSIS Patentable subiect matter An invention is patent-eligible if it claims a "new and useful process, machine, manufacture, or composition of matter." 35 U.S.C. Â§ 101. The 3 Appeal2017-010558 Application 13/664,028 Supreme Court, however, has long interpreted Â§ 101 to include implicit exceptions: "[l]aws of nature, natural phenomena, and abstract ideas" are not patentable. E.g., Alice Corp. Pty. Ltd. v. CLS Bank Int 'l, 134 S. Ct. 2347, 2354 (2014). In determining whether a claim falls within the excluded category of abstract ideas, we are guided in our analysis by the Supreme Court's two- step framework, described in Mayo and Alice. Id. at 2355 (citing Mayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66, 77-78 (2012)). In accordance with that framework, we first determine what concept the claim is "directed to." See Alice, 134 S. Ct. at 2356 ("On their face, the claims before us are drawn to the concept of intermediated settlement, i.e., the use of a third party to mitigate settlement risk."); Bilski v. Kappas, 561 U.S. 593, 611 (2010) ("Claims 1 and 4 in petitioners' application explain the basic concept of hedging, or protecting against risk .... "); Diamond v. Diehr, 450 U.S. 175, 184 (1981) ("Analyzing respondents' claims according to the above statements from our cases, we think that a physical and chemical process for molding precision synthetic rubber products falls within theÂ§ 101 categories of possibly patentable subject matter."); Parker v. Flook, 437 U.S. 584, 594--595 (1978) ("Respondent's application simply provides a new and presumably better method for calculating alarm limit values."); Gottschalkv. Benson, 409 U.S. 63, 64 (1972) ("They claimed a method for converting binary-coded decimal (BCD) numerals into pure binary numerals."). The following method is then used to determine whether what the claim is "directed to" is an abstract idea: 4 Appeal2017-010558 Application 13/664,028 [T]he decisional mechanism courts now apply is to examine earlier cases in which a similar or parallel descriptive nature can be seen-what prior cases were about, and which way they were decided. See, e.g., Elec. Power Grp., 830 F.3d at 1353-54. That is the classic common law methodology for creating law when a single governing definitional context is not available. See generally Karl N. Llewellyn, The Common Law Tradition: Deciding Appeals (1960). This more flexible approach is also the approach employed by the Supreme Court. See Alice, 134 S. Ct. at 2355-57. We shall follow that approach here. Amdocs (Israel) Limited v. Openet Telecom, Inc., 841 F.3d 1288, 1294 (Fed. Cir. 2016). Concepts determined to be abstract ideas, and thus patent-ineligible, include certain methods of organizing human activity, such as fundamental economic practices (Alice, 134 S. Ct. at 2357; Bilski, 561 U.S. at 611); mathematical formulas (Flook, 437 U.S. at 594--95; and mental processes (Benson, 409 U.S. at 69). Concepts determined to be patent-eligible include physical and chemical processes, such as "molding rubber products" (Diehr, 450 U.S. at 191), "'tanning, dyeing, making waterproof cloth, vulcanizing India rubber, smelting ores"' (id. at 182 n.7 ( citing Corning v. Burden, 56 U.S. 252, 267-268 (1853)), and manufacturing flour (Benson, 409 U.S. at 69 (citing Cochrane v. Deener, 94 U.S. 780, 785 (1876)). If the claim is "directed to" a patent-ineligible abstract idea, we then consider the elements of the claim-both individually and as an ordered combination-to assess whether the additional elements transform the nature of the claim into a patent-eligible application of the abstract idea. Alice, 134 S. Ct. at 2355. This is a search for an "inventive concept"-an element or combination of elements sufficient to ensure that the claim amounts to "significantly more" than the abstract idea itself. Id. 5 Appeal2017-010558 Application 13/664,028 The Appellants argue independent claims 1, 8, and 15, as well as all dependent claims, together as a group. Appeal Br. 11-17. We select independent claim 8 as representative. See 37 C.F.R. Â§ 4I.37(c)(l)(iv). The Examiner finds the claim is directed to the concept of "storing product information," which the Examiner asserts includes the steps for classifying, generating, configuring, and determining information. Answer 10; see also id. at 13 ("gathering and manipulating product information/data and/or logistics"). While the Examiner's formulation is not incorrect, we see classifying products into groups, logging behavior data, and calculating totals from the behavior data to be more accurately characterized as involving more than merely storing product information. Accordingly, while still keeping the thrust, we restate the Examiner's findings from the Answer to state that the claim is directed to the concept of storing, analyzing, updating, and displaying data related to products. We find that all of the steps recited in independent claim 8 are, essentially, encompassed by this concept. Specifically, for example, the claim involves receiving data about products, categorizing products into groups, saving the group relationships, receiving and logging data about user behavior extracted from data items conveyed in a URL, analyzing the data, counting occurrences from stored data, and displaying data from among the stored data and results. We note that the gathering and displaying of data are merely insignificant extra-solution activities, are uninfluential in the analysis of subject matter eligibility, and thus may be properly excluded from the concept the claims are "directed to." See In re Bilski, 545 F.3d 943, 963 (Fed. Cir. 2008) (en bane), aff'd sub nom Bilski v. Kappas, 561 U.S. 593 (2010) ( characterizing data gathering steps as insignificant extra-solution 6 Appeal2017-010558 Application 13/664,028 activity). See also Bilski, 561 U.S. at 610-11 ("adding 'insignificant postsolution activity."'). In addition, we note that at least some of these steps can be easily performed by a person mentally, for example, the "classifying" and "determining" steps. The Federal Circuit has held that if a method can be performed by human thought alone, or by a human using pen and paper, it is merely an abstract idea and is not patent-eligible under Â§ 101. Synopsys, Inc. v. Mentor Graphics Corp., 839 F.3d 1138, 1139, 1150 (Fed. Cir. 2016) holding that claims to the mental process of "translating a functional description of a logic circuit into a hardware component description of the logic circuit" are directed to an abstract idea, because the claims "read on an individual performing the claimed steps mentally or with pencil and paper"). Additionally, mental processes, e.g., computing a score, as recited in claim 1, remain unpatentable even when automated to reduce the burden on the user of what once could have been done with pen and paper. Benson, 409 U.S. at 71. In addition to the abstract idea, independent claim 8 recites computer involvement, by "using one or more processors" for a classifying step, and receiving information from a web site that is sent "to a log server." The Examiner finds that these computer components are "generically recited computer components." Answer 11. On that basis, the Examiner finds nothing in the claim adds significantly more than the abstract idea that would transform the claim into eligible subject matter. Id. We are not persuaded by the Appellants' argument that, according to the Appellants, the claims are not directed to an abstract idea, because, citing DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1248 (Fed. Cir. 7 Appeal2017-010558 Application 13/664,028 2014), the claimed method solves a problem particular to the Internet. Appeal Br. 13; see also Reply Br. 3--4. As an initial matter, the claims do not recite elements requiring the Internet. The Specification does describe that there is so much data in large scale merchandise networks, "displaying a large number of products in a ranked list has become a problem." Spec. ,r 3. We do not interpret this, however, as indicating that the only "networks" involving large numbers of products that are hard to rank are on the Internet. Large numbers of products are available for sale and ranking at other "networks," such as retail distribution networks involving brick and mortar stores, or catalog sales businesses. The problem thus is not the Internet, but a large number of products, which is not a problem unique to the Internet. In addition, because the process stores and analyzes data, and can be performed mentally, this does not limit it to the Internet. We also are unpersuaded by the Appellants' argument that the claims are directed to improvements in computer-related technology, because large amounts of data are reduced by the claim's step of aggregating product listings by category. Appeal Br. 14; see also Reply Br. 4--5. This is because the abstract idea can be performed mentally, and aggregating data by category does not require a computer. We are not persuaded by the Appellants' argument that the claims offer something more that transforms the abstract idea into eligible subject matter, because they are a "specific implementation" that does not preempt all ways of storing and analyzing data. Appeal Br. 15-16; see also Reply Br. 7. Although "preemption may signal patent ineligible subject matter, the absence of complete preemption does not demonstrate patent eligibility." 8 Appeal2017-010558 Application 13/664,028 Ariosa Diagnostics, Inc. v. Sequenom, Inc., 788 F.3d 1371, 1379 (Fed. Cir. 2015) (citing Alice, 134 S. Ct. at2354). We are further unpersuaded by the Appellants' argument that the claims recite a technology-rooted solution to an Internet-centric problem, and that the claim is transformed into eligible subject matter by a "processor that works in concert with a log server." Appeal Br. 16-17; see also Reply Br. 6 ("nonconventional technology such as a log server"), 8-9. As we noted earlier, the claim does not require anything more than implementing the abstract idea of storing and analyzing data on a general-purpose computer, to solve a problem not unique to the Internet. Additionally, the interaction between the claimed processor and log server is merely messaging, which is also a generic computer function involving only the communication of data. For example, the operations of storing, analyzing, receiving, and displaying data are primitive computer operations found in any computer system. See In re Katz Interactive Call Processing Patent Litig., 639 F.3d 1303, 1316 (Fed. Cir. 2011) ("Absent a possible narrower construction of the terms 'processing,' 'receiving,' and 'storing,' discussed below, those functions can be achieved by any general purpose computer without special programming."). We do not agree with the Appellants that the claimed method cannot be performed mentally because "receiving an indication of a user selection to a webpage," and "sending an access request to a log server" require computers. Reply Br. 3. The use of the computer in these two steps, however, is just to receive particular data, and to ask a general-purpose computer to save it. This is merely a data-gathering step, where limiting its 9 Appeal2017-010558 Application 13/664,028 application of the method to a computer environment is insufficient to confer patent eligibility. Because the Appellants have not shown error in the Examiner's rejection of independent claim 8 as abstract, we sustain the rejection of claims under 35 U.S.C. Â§ 101. Obviousness Reiection of Claims 1. 6-8. and 13-15 The Appellants argue the combination of Shaya, Ghadialy, and Hasselback do not disclose the following limitations of the independent claims: receiving an indication of a user selection to a webpage associated with a first product included in the plurality of products associated with the SPU; and in response to the indication, sending an access request to a log server, wherein the log server is configured to determine identifying information associated with a user associated with a user selection uniform resource locator (URL) associated with the user, wherein the URL comprises information that records the user's behavioral data with respect to the SPU. Appeal Br. 18-22. This is because, according to the Appellants, Ghadialy does not disclose the limitations at the cited locations. Id. at 20-21. We are not persuaded by the Appellants' argument. Ghadialy discloses monitoring browsing behavior, as it discloses "inferring the preferences of the user based on at least one of a number of visits by the user to a product detail page, a number of visits by the user to a product category page, addition by the user of a product to a cart, and completion by the user of an on-line purchase." Ghadialy claims 8, 9 (cited at Answer 6). More specifically, Ghadialy discloses that "[ m ]onitoring of browsing behavior can be performed using an appropriate Web beacon, such as a 1 by 1 pixel 10 Appeal2017-010558 Application 13/664,028 element sometimes referred to as a 'dart,' which is incorporated in one or more source web pages that form the merchant's web site." Id. at col. 5 lines 50-54. The ordinary artisan would have recognized that a "Web beacon" uses data in a URL request to ask another server to retain data from the user's browser activity, from which user behavior can be inferred. See for example, Lori Andrews, "I Know Who You Are And I Saw What You Did: Social Networks and the Death of Privacy," Free Press, 2011, p. 23 (appended as Appendix A); Francoise Gilbert, "Beacons, Bugs, And Pixel Tags: Do You Comply With The FTC Behavioral Marketing Principles and Foreign Law Requirements?" Journal of Internet Law, Vol. 11 Iss. 11, May 2008, p. 3 (appended as Appendix B). Ghadialy thus discloses the same technique used by the Appellants for performing the same function. See Spec. ,r 21. The Appellants thus fail to show error in the Examiner's rejection of the independent claims as obvious. For this reason, we sustain the rejection of claims 1, 8, and 15 under 35 U.S.C. Â§ 103(a), as well as of dependent claims 6, 7, 13, and 14 that were not argued separately. Obviousness Reiection of Claims 5 and 12 Dependent claims 5 and 12 recite: wherein the database is populated by classifying products for which information is stored at the database and associating the products with different SPU s according to sets of identical properties corresponding to the products, and recording the correspondence between the sets of identical properties and the SPU in the database. The Appellants quote the claim language, note that the Examiner finds the claim language disclosed at two paragraphs in Johnson, quote the two paragraphs of Johnson, and assert that the claim language is not disclosed in 11 Appeal2017-010558 Application 13/664,028 Johnson. Appeal Br. 23. A general allegation that the art does not teach any of the claim limitations is no more than merely pointing out the claim limitations. A statement which merely points out what a claim recites will not be considered an argument for separate patentability of the claim. 37 C.F.R. Â§ 4I.37(c)(l)(vii). In addition, Johnson's statement that "[a]ssociations between identical items under different classes can also be defined during the maintenance process" meets the claim language. Johnson ,r 183 ( cited at Answer 9). For this reason, the rejection of claims 5 and 12 under 35 U.S.C. Â§ 103(a) is sustained. DECISION We AFFIRM the rejection of claims 1, 5-8, and 12-15 under 35 U.S.C. Â§ 101. We AFFIRM the rejections of claims 1, 5-8, and 12-15 under 35 U.S.C. Â§ 103(a). No time period for taking any subsequent action in connection with this appeal may be extended under 3 7 C.F .R. Â§ 1.13 6( a )(1 )(iv). AFFIRMED 12 Application/Control No. Applicant(s)/Patent Under Patent Appeal No. Notice of References Cited 13/664,028 2017-010558 Examiner Art Unit 3600 Page 1 of 1 U.S. PATENT DOCUMENTS * Document Number Date Country Code-Number-Kind Code MM-YYYY Name Classification A US- B US- C US- D US- E US- F US- G US- H US- I US- J US- K US- L US- M US- FOREIGN PATENT DOCUMENTS * Document Number Date Country Code-Number-Kind Code MM-YYYY Country Name Classification N 0 p Q R s T NON-PATENT DOCUMENTS * Include as applicable: Author, Title Date, Publisher, Edition or Volume, Pertinent Pages) u Lori Andrews, "I Know Who You Are And I Saw What You Did: Social Networks and the Death of Privacy," Free Press, 2011, p. 23 (appended as Appendix A); V Francoise Gilbert, "Beacons, Bugs, And Pixel Tags: Do You Comply With The FTC Behavior Marketing Principles and Foreign Law Requirements?" Journal oflnternet Law, Vol. 11 Iss. 11, May 2008, p. 3 (appended as Appendix B). w X *A copy of this reference is not being furnished with this Office action. (See MPEP Â§ 707.05(a).) Dates in MM-YYYY format are publication dates. Classifications may be US or foreign. U.S. Patent and Trademark Office PT0-892 (Rev. 01-2001) Notice of References Cited Part of Paper No. fh?..:: Sh:nor:: -:..~:: ~~(Â·h~.~.~J~:Â·r }>p-i:~:}.(:J~ ?-o ti'.:~::t:: ~;-.,~:;:: J\n~:\~(~ ::r~~~d~::~r~:: k:- \~\:;k--2~\ I~Â·~::=~:~:'.:~.::} V (if!. h~~- ~i.1:,d::'.,:Â·:=~ b.~ ~A t=i:=\;t\tf~~::~=:::tl ::-(Â·1\~:JÂ·:r::Â·::-::>t:~ ~=:r::d :~-~-=:l~-:'\, 1\l\W' widih,"l l>d-::nc,Hl\ ii BEACONS, BUGS, AND PIXEL TAGS: DO YOU COMPLY WITH THE FTC BEHAVIORAL ... Gilbert, Frarn;oise Journal of Internet Law; May 2008; 11, 11; Computing Database pg.3 May 2008 ~fACONS. ~UGS. ANO ~IXH lAGS ~O ~OU ~OMDlY WITH THf fl~ ~fHAVIORAl MARKHING ~RINCIDlf S ANO f OHIGN lAW ~rnUIR[MfNTS1 By Fran~oise Gilbert ,..~ Â§!Â§ h d f b -i i t t e en o Decem er 200 /, tl1-e Federal Trade ~ ~ ~'i Commission (FTC) published a set of Proposed Â§ Â§ ~ ~ Principles to govern behavioral advertising (principles)t ~ ~ in order to create a framework for the collection of information through Web beacons and the use of this infom1ation when communicating with individuals or serv, ing personalized advertisements. This practice is known as behavioral targeting. Online behavioral advertising or behavioral market- ing or behavioral targeting combines: â€¢ Tracking online activities, such as searches that the user has conducted, Web pages that the user has visited, or content that the user has viewed. This is accomplished through the combined use of cookies and Web beacons, Web tags, clear GIFs, action tags, pixel tags, or Web bugs, ai-id Frarn;oise Gilberr is an attorney and c Certified information Privacy Professional (CIPP). She is the 1\llanaging Director of IT Law GrO'lp. ,Nww. itlawgroup.com, a !aw firm bosed in Palo Aito. CA. !Vis. Gilbert focuses on informotion privacy and security ond data govemonce. She has assisted gioba! componies ond selecred start-ups on leading-edge rechno!og; iegoi issues, incf,1ding information privocy information security, ond other doto governance issues. Copyright 2008, Frarn;oise Gilbert. JOURNAL OF INTERNET LAW â€¢ Delivering advertising targeted to a user's interests. Advertisements may be served to the user while he or she navigates the site. Personalized promotional emails may also be sent to that user with content focusing on the user's assumed interests. Web beacons and other tracking technologies are not new. They have been in place for several years. \Xlhat is new, is the substantial improvement in the precision and quality of the data collected and the use of this informa- tion for targeted advertisements. The more accurate the data, the higher the risk of invasion of privacy. Since the early days of Web track, ing technologies, industry groups and consumer advo, cates have developed proposals and recommendations regarding the issues raised by behavioral advertising. For example, a Do Not Track proposal was presented; it was inspired by the popular and highly successful Do Not Call program. The principles recently published by the FTC encour, age meaningful and enforceable self-regulation to address the privacy concerns raised by behavioral advertising. In its announcement of the principles, the FTC indicated that it intended to outline a framework to protect against harms to consumer privacy, while continuing to support innovation in consumer services and products. The FTC stated that it remains mindful of the impor, tance of accommodating the wide v~riety of business models that exist in this area. Concurrently, on the other hand, individuals must be protected against the risk that tracking technologies might lead to intrusion into their private affairs and the risk of abuse or misuse of sensi- tive personal information. Indeed, tracking mechanisms are largely invisible and unknown to consumers. Most consurners cannot see Web beacons and have no way to control them. They do not know whether they can block them or how to do so. The issuance of the FTC principles also prompts a comparison with the equivalent regime in other countries. Indeed, companies with a global reach may need to understand more than just the principles outlined by the FTC. Since their Web sites or mar, keting campaigns may reach individuals protected by other laws, US companies must be prepared to comply with the laws of those foreign countries that may have jurisdiction over them. European Union member states, for example, have issued rules or guidance on the use of Web beacons and tracking technologies in Web sites and email communica- tions. While some common elements appear on both side of the Atlantic Ocean, there are additional t\vists and requirements in Europe, such as, notification of the Data Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. ( 3 '---------------Â· 4 ) JOURNAL OF INTERNET LAW Protection Authorities. This makes even more complex the operation of a Web site or the use of email marketing campaigns with a global reach. This article presents an overview of Web tracking technologies, an analysis of the proposed FTC principles, and a survey of the laws applicable to Web beacons in selected European countries. A list of suggested best prac- tices is also proposed. Web beacons, action tags, clear GIFs, Web tags, pixel tags, Web bugs, and similar tracking technologies are different from cookies. Web beacons are incon- spicuous to the user. They consist of a small string of software code, typically 1-by-l pixel in size, that is placed on a Web page or an email message to track pages viewed or emails opened. Their size makes them invisible to the user. Their presence can be spotted only after scrutinizing the \Xfeb site code. They do not reside on the user's computer. Cookies, on the other hand, are easily identified on a user's computer. Go to the "Preferences" section of your browser.2 Open the tab "Privacy," and then click on "Show cookies." A list of cookies is displayed. Users can also set their browsers to accept or reject all cookies or only cookies from specified sites. Cookies can be deleted. In your browser's dashboard, click one of the two buttons under the list of cookies. You can delete all or only selected cookies. Thus, the user can keep some control over cookies. Not Â·with Web beacons. Web beacons cannot be removed or deactivated by the user because they do not reside on the user's computer. Some sites, such as Yahoo, offer users the ability to click on an opt-out button, which blocks Web beacons placed by the company on its Web site. Web beacons have been used for reporting site traffic, counting unique visitors, or to audit advertising. With the advent of technology, they are now also able to record almost every move of a Web site user, such as the areas of a page that the user has downloaded or printed or the ads on which the user has clicked. As a result, Web beacons are considered more invasive and are viewed as a greater threat to users' privacy than cookies. Further, to the extent that they may also collect sensi- tive information about a user's lifestyle or concerns (such as frequent visits to specific pages of a medical site), there are substantial security implications. The data collected about the uses of a site may contain sensitive information, which may have to be guarded with substantial security measures. May 2008 Behavioral marketing requires several components. In many cases, there is a combination of Web tracking tech- nologies and cookie technologies. The user is identified through cookies. The use of the site is tracked through Web beacons. The collected data may or may not include personal information, such as the user's email. Aggregate-non personally identifiable-data may be used to manage the site, identify the pages with greater traffic, or content that is viewed for a longer period. If personal information has been collected, users may be recognized when they return to the site through cook- ies placed on their computers or through their computer IP addresses. In this case, the site (or a network advertis- ing company) then may serve to the user advertisements that are based on the profile associated with that user's cookie. These personalized advertisements take into account the interest of the user, which were identified ( or guessed) through the analysis of the prior visits of the user associated with that cookie. In certain cases, contact information, such as the user's email address or user ID, may have been collected during other visits to the site or as part of the user registration process. In this case, in addition to serving advertisements, the company may combine the user's contact information and profile in order to create personalized promotional emails with proposals and promotions tailored to the user's interest. For example, the user who has shown interest for content or advertisements related to golf might be sent a promotion for a vacation in a golf resort. Behavioral marketing may offer substantial benefits to customers. For example, it may be instrumental in the provision of free Web content or access to ne1.vspapers and information, which are provided free because they are subsidized by online advertising. In addition, behavioral marketing allows for the generation of personalized ads. The target customer might be more receptive to advertisements that are based on a personal profile. Someone interested in golf will likely be less annoyed by ads featuring Tiger Woods than by those that promote diet pills or cell phone services. On the other hand, behavioral marketing is based on the use of data that have been collected without the user's knowledge because Web beacons are inconspicuous. The perspective of being monitored anywhere and everywhere on the Web makes Web surfing much less enjoyable. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. May 2008 The FTC principles provide an attempt at funneling the tremendous development of behavioral marketing and limiting the possible attacks on customer privacy. The principles create a framework for the collection of information through Web beacons and the use of this information to serve targeted, personalized advertisements and other unsolicited communications to individuals. It aims at providing individuals ,vith some control over their use of the Web. The principles are consistent with prior decisions made by the FTC in similar circumstances, such as in the Gateway Leaming case.J The proposed principles require: â€¢ Transparency. A Web site where data is collected for behavioral advertising should provide a dear, concise, consumer-friendly, and prominent statement that data about consumers' activities online are being collected at the site for use in providing advertising about products and services tailored to individual consumers' interests. â€¢ Consumer control. The statement should also pro, vide that consumers can choose whether or not to have their information collected for such purpose. The Web site should also provide consumers with a clear, easy-to-use, and accessible method for exercis, ing this option. â€¢ Reasonable security. A company that collects and/ or stores consumer data for behavioral advertising should provide reasonable security for that data. Such protections should be based on the sensitivity of the data, the nature of the company's business operations, the types of risks the company faces, and the reason- able protections available to the company. â€¢ Limited data retention. The company should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. â€¢ Affirmative express consent for material changes to existing privacy promises. A company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies later. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. â€¢ Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising. A company should only collect sensitive data for behavioral advertising if it obtains affirmative JOURNAL OF INTERNET LAW express consent from the consumer to receive such advertising. The position of the European Union with respect to Web beacons, Web bugs, action tags, and clear GIFs includes some of the concepts outlined by the FTC, but differs in some aspects.4 For example, like for all other privacy protection matters, a company doing business in the European Union must "notify" its privacy practices to the Data Protection Authority of the country where it is located. Thus, the incorporation of Web beacons in a Web site that is directed to or sued by EU residents would require prior notification to the relevant Data Protection Authorities of the countries where a company does business. In the European Union, Web beacons and other tracking technologies are largely considered equivalent to cookies, and their use in \Veb sites is generally permitted in European Union countries, subject to certain condi, tions. The specific rules in each country differ in their implementation, but generally require the following: â€¢ The user must be informed of the use of these techniques and be given the option to refuse them, together with clear instructions on how to do so. â€¢ If these techniques are going to be used to collect any personal data or data by which a user can be identi, fied, the relevant Data Protection Authority must receive notification of the proposed use of tracking mechanisms by the site. â€¢ The proposed use of the tracking technologies must be reflected in the site's privacy policy that is regis, tered with the Authority. â€¢ In some cases, the notification proces;; will vary depending on the nature and criticality of the data collected. When used in email or other direct communications, Web beacons, tags, and dear GIFs can be associated with a specific subject and are thus considered to collect person, ally identifiable information. As such, they are subject to the above requirements. In addition, if these tracking technologies are used in connection with commercial emails (e.g., to track open rate), the recipient should be informed of their use and be provided with the ability to block them or switch them off. There is currently no requirement for any special notification methodology to be used in order to notify users of changes in the privacy policy. In the United States, the proposed principles published by the FTC Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. ( 5 Â·, ... ______________ _ 6 ) JOURNAL OF INTERNET LAW would require companies to notify their users and obtain their opt-in consent to the new uses of their personal infom1ation, because the FTC views the use of tracking technologies associated with personal information as a ''material change" from most prior practices. UNITED KINGDOM Although the current UK data protection legisla- tion does not refer to Web beacons, the guidance issued by the Information Commissioner Office's (ICO) has been very clear about the use of Web beacons or clear GIFs.s The UK's Privacy and Electronic Communication (EC Directive) Regulations 2003 implemented from EU Regulations (2002/58/EC) (the E-Privacy Directive) are the most relevant as these were drafted specifically with the increasing use of the cookie in mind. The E,Privacy Directive introduced rules in relation to the use of cookies in 2003. The implementing UK regulations provide that cookies may be used only in the event that the user of the ''terminal equipment" is pro- vided with certain ''clear and comprehensive" informa- tion about the purposes of the storage and access to the information gathered ( whether or not such information is actually personal information). As with many privacy laws, the rhetoric of the law is to provide transparency to the user. To this end, as under the UK's general data protection laws, the theory goes that, if users are provided with information about the purposes of such processing, they are able to make an informed choice as to whether they should accept it. Linked to this, the rules state that users should be "given the opportunity to refuse the storage of or access to that information." If they are offered the right to refuse such processing, the monitoring and tracking can be regarded as fair and lawful. This is effectively an opt,out system, and as such, users do not have to give their con, sent prior to the use of cookies. The effect of these rules L, that Web site owners have a specific obligation to alert visitors to the presence of all cookies and importantly give a choice as to their use. This is backed up by specific ICO guidance, which states that ''at the very least, however, the user or sub, scriber should be given a clear choice as to whether or not they wish to allow a service provider to engage in the continued storage of information." Guidance from the ICO goes on to confirm that, although not expressly referenced in current law, these rules would appear to affect all cookies, Web beacons, and pixel tags and not just those that involve the processing of personal data. It should be noted that if personal data are also collected, the general rules of the Data Protection Act May 2008 1998 (DPA) would apply in addition. The DPA makes no specific reference to cookies or other technologies. As the ICO has gone on record to equate Web beacons and clear GIFs with cookies, consequently the same cookie rules apply to these tracking technologies. A problem arises here. Although most browsers facilitate blocking or rejection of cookies, there are no similar tools available to reject or disable Web beacons, clear GIFs, or bugs (although disabling the cookie can frequently limit the ability to link certain personal information to that device). As Web beacons and clear GIFs are frequently used in combination with cookies, they may result in the process- ing of personal data. Note that, in some circumstances, even an IP address can be personal data if it may iden- tify a living individual. The ICO asserts that, when such devices are invisible, it is hard to see hmv the collection of personal data in this way can be "fair and lawful" and therefore in accordance with the DPA. The ICO suggests that users should be provided with information about the use of such devices and a technical means of refusing or disabling such devices. However, as the Interactive Advertising Bureau of Europe (IAB) explains: because web-beacons or clear gifs are the same as any other content request included in the recipe for a web page, frequently one cannot opt out or refuse them. One solution is to use them in conjunction with cookies, as they can then be rendered ineffec, tive by either opting out of cookies or by changing browser settings. Yet, even this is not necessarily enough. If the Web beacons are used to collect an IP address, for example, further care is needed as again the DPA regime applies. Web beacons and dear GIFs can be used in marketing emails. In this regard, new ICO guidance states that when used in email communications: The important point to note is that if you are using such a tracking device in your marketing emails, you must let the recipient know about i.t in the message itself and explain to them how to switch the web beacon or dear gif off. You could provide this information next to your valid address for opt- out requests and include a link to a webpage that offers a fuller explanation. A link to your cookie and privacy policy alone is unlikely to be sufficient unless the section of that policy which relates to the use of web beacons or clear gifs is clearly sign, posted when you arrive at that page. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. May 2008 FRANCE There is no Legislation specifically addressing the use of Web beacons, but if the data collected will be used for targeted marketing messages, they are subject to the French Data Protection Law and to the lav>' of June 21, 2004, Trust in the Digital Economy. To the extent that the beacon records such infomiation as the number of pages viewed, which sections were viewed, and the time spent on each, the French Data Protection Law requires that: â€¢ The user must be informed of the use of the beacon and the purpose of the data collected. â€¢ The user must have the option to reject the data collection. â€¢ The user must be given appropriate instruction to exercise his/her opt-out right. â€¢ Notification must be given to the CNIL (French Data Protection Authority) advising them of the use of these techniques and explaining what has been implemented to inform the users and advise them of their rights. It is permissible to include the user notifications in the originating site's privacy policy. If the information collected is used to drive marketing messages sent electronically to the customers or prospects, the Trust in the Digital Economy Law also requires prior consent from the user. In addition, the Law of July l 0, 1991, about the protection of the secrecy of correspondence (paper and electronic) protects the content of emails as private corre, spondence. Thus, to the extent that a Web beacon would be used in emails, it might infringe upon the secrecy of the correspondence. For example, if a Web beacon is used to read the content of the email, it would be disclosing infor, rnation about the ccmespondence that might be infringing on this law.6 GERMANY Web beacons are likely to be seen as comparable to cookies as their intention is to provide the person install- ing the Web beacon a means of gathering information on the user. TI,is information is then used to generate user profiles (in most cases for marketing purposes). If the data collected by the Web beacon includes "personal data" as defined by Oerman Data Protection Law, it is subject to the relevant provisions of either the Federal Data Protection Law or the Tele Media Law ( which replaced the Teleservice Data Protection Law \vith effect on 03/01/2007). JOURNAL OF INTERNET LAW Since most Internet users do not have static IP addresses, but dynamic IP addresses, in Oermany Web beacons on Web sites are able to collect personal data only if they are combined with Web site cookies that col- lect personal data. Otherwise, it is unlikely that the user is identifiable. This would be different with regard to Web bugs used in emails and if the Internet user has a static IP address and therefore is identifiable for the person install- ing the Web beacon. In general, under both the Federal Data Protection Law and the Tele Media Law, the collection, processing, or use of personal data is justified only if permitted by law or if the person whose personal data is to be collected, processed, or used has given his/her consent in advance. Therefore, if the personal data collected by the Web bea- con is not necessary to provide the service ( which would constitute a legal permission under the Tele Media Law), the collection is subject to prior consent. Furthermore, certain obligations to inform the Internet user email/recipient apply if the Web beacon contained therein is to collect personal data. It is likely that a disclaimer that only states that the Web site uses Web bugs/Web beacons would not be sufficient since the data subject has to be clearly informed about the type of personal data collected and the purpose of collection, processing, and use. In the event the \Veb beacon is not contained in the Web site visited but in a Web banner the ad-server provider would be subject to the information obligation. Even when the Web beacon is used to create an ano, nymized user profile, the user has to be informed that he has a right to object to the use of the Web beacons.7 ITALY There are no specific provisions covering Web bea- cons or the like in Italy. However, since the Italian Law of 1996 has adopted the 2002 Directive, the situation there is largely consistent with the rest of Europe in that the data subject must be informed as to the use of his data and the related purpose. If the data collection is not necessary to provide the service to the user, user consent will be necessary. Both the Italian consumer protection laws and the Italian Data Protection Law state that any marketing activities that involve the use of the Internet, MMS, or SMS require the prior consent of the data subject. In addi- tion, any processing of personal data whose purpose is to profile consumers or data subjects in general is subject to prior notification to the Data Authority. Notification is merely a fom1 of communication to the Data Protection Authority and no approval is required after notification. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. ( 7 Â·, ... ______________ _ 8 ) JOURNAL OF INTERNET LAW May 2008 It has to be pointed out that the Italian Data Authority has recently tightened its requirements on the use of Internet or email addresses to send promotional, commercial, or marketing materials in general. Thus, the principle applied is that any electronic communication to a customer or prospect requires prior consent of the data subject.s SPAIN According to Spanish regulations on data protec-Â· tion, Web beacons are allowed as Long as they collect only information that includes neither personal data nor data by which the user can be personally identified. Web beacons can be used freely as long as they are used only to control the effectiveness of an advertising cam, paign or similarly by collecting data such as information \vhich has been assigned to a specific cookie, such as the time and date when a Web page has been viewed and a description of the Web page where the Web beacon is residing. lf, however, Web beacons or cookies are used to col, lect personal data, they are subject to prior notification to the Spanish Data Protection Authority. The corre, sponding privacy policy must be registered with the Data Protection Authority through the notification process. The notification to the Data Protection Authority must specify that these tools will be used as a means to collect personal data. In such case, notification pro, ceedings may differ depending on the type of data that is collected, requiring a high, medium, or basic level of protection, according to Law 15/1999 on Personal Data Protection. Further, when the Web beacons or cookies are used to collect personal information, this must be pointed out i.n the terms of use or privacy policy of the Web site. The user must be given the possibility of accepting or rejecting the use of the electronic tools (Web beacons, cookies, etc) by being offered the relevant tools and instrnctions to do so. These specifications also apply to third-party Web beacons.9 Companies doing business in the European Union should also remember that IP addresses are considered "personal information'' in the European Union. For example, Peter Scharr, the Germany Data Protection Commissioner, who leads the EU group preparing a report on how well the privacy policies of Internet search engines comply with EU privacy law, recently stated at a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, "then it has to be regarded as personal data." While this concept had been advanced numerous times in Europe among data privacy professionals, there is now a confirmation that IP addresses should generally be regarded as personal information. This statement might affect companies that use Web beacons and collect IP addresses. Indeed, if an IP address is deemed "personal data," then using tracking technolo, gies in connection with IP addresses might constitute the collection of personal data protected under the European Data Protection laws. This might make most uses of Web beacons subject to the notification requirements outlined above. While the FTC principles are not final and are open for comments, they provide a clear indication of the FTC's position with respect to the use of tracking technologies and what rules might be used in the near future to evalu, ate the adequacy of tracking technology usage. In the past, the FTC has proactively used its pmvers underÂ§ 5 of the FTC Act to prosecute companies for their data protection practices. It is likely that it will continue to do so, and that policing the use of tracking technologies will remain among its priorities. Companies contemplating the use of tracking tech- nologies should assess their impact on the privacy rights of their Web site users and the types of disclosures and consent that might be needed before proceeding. To the extent possible, companies should follow the course of action provided in the principles in order to be prepared if these proposed terms became final. Until the principles are finalized and formally adopt, ed, US companies that are using or intend to use tracking technologies on their US Web sites other than as clearly described in their current Web site privacy statements should consider the following: â€¢ Assessment: Investigate the scope of the use of these technologies, the types of information that they col, lect, and the types of cookies with which they are associated. Look at both your practices and those of the advertising networks that you use to setve adver, tisements on your site and on third-party sites. â€¢ Notice: Inform users about the use of tracking tech, nologies, what information will be collected, how it will be used, for which purpose, and to whom the Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. May 2008 information will be disclosed. Provide the notice in clear and conspicuous language before the user's infer, mation is collected. â€¢ Information: Inform users that the company's policies have changed. In some cases, opt-in consent to the use of the new technologies with personal informa, tion that the company may have collected in the past may be necessary because there might be a material change from the prior practices. â€¢ Choice: Inform users about the choices and means that your company offers for limiting the collection of information through Web beacons; offer users the opportunity to choose whether their information may be collected. Provide users with the means to block the use of tracking technologies when they are or might be associated with the collection of personal information. Provide a clear, conspicuous, and readily available mechanism to exercise this choice. â€¢ Sensitive information: Do not collect sensitive infer, mation of individuals without their affirmative or explicit consent. The proposed principles provide for opt-in consent. â€¢ Limited Use: Limit the use of the information col, lected through tracking technologies to the purposes identified in the disclosures. Keep the data only for the time necessary to achieve the purposes stated in your policy. The principles provide that data should be retained only as necessary to fulfill a legitimate business need. â€¢ Security: Take reasonable precaution to protect information collected through tracking technologies against loss, misuse, unauthorized access, disclosure, or alteration as appropriate, given the potential sensi, tivity of the information. â€¢ Emails: If tracking technologies are used in email communications (e.g., to track open rate), consider, as well, appropriate notification and information on how to block the beacons. â€¢ Notification: If the company is also doing business in the European Union, file the modified privacy state, ment with the relevant Data Protection Authorities in the countries where it does business in order to comply with the notification requirements that are in place in each of the EU member states. Since the use of tracking technologies and the col, lected information is likely to constitute a change from prior practices, ensure that the users are made aware of the change to prior practices. The principles clearly indicate that the FTC believes that the use of tracking technol, ogy constitutes a material change to most companies' JOURNAL OF INTERNET LAW practices. Consistent with its prior rulings, the FTC suggests that the materiality of the change requires that you obtain affirmative express consent to the new use of visitors and members' information, especially when the information that ,vill be collected through the use of the tracking technologies might be combined with personal information that the company has collected in the past under a different privacy policy that did not provide for the use of tracking technologies. To do so, at a minimum, conspicuously post a notice of the upcoming changes to the privacy policy on the Web site. Ensure that users have a reasonable time to become aware of the change before the launch. Provide users with the means to choose not to have their use of your \Veb site tracked through web beacons. Pixel tags, Web beacons, and clear GIFs have existed for several years. Initially used for counting the open rate of emails or computing advertisement fees, they are becoming ubiquitous on \Veb sites and the use of the data collected is expanding drastically. This is because recent improvements to the technology allow the collection of data that are more granular, more precise, and of higher quality. With better data, advertisers can identify with greater certainty the interest, preferences, and needs of those who use or visit their Web sites. By applying these more refined data to the creation of personalized mes, sages, companies hope to provide their target customers ,vith more meaningful or useful messages and increase the efficiency and return on investment of their marketing campaigns. The increased data quality allows the compilation of information about a user's interests that is likely to be more accurate. If the collection of personal data about an individual can occur regularly without the individual's knowledge or consent, the privacy, and potentially the security, of that individual may be at risk. The proposed FTC principles present a set of best practices that are con, sistent with fair information practices. While the docu, ment is only a first draft for which comments have been requested, it nevertheless constitutes the best pictures of the current position of the FTC with respect to behavioral targeting. Companies that want to be privacy leaders should promptiy implement clear and conspicuous policies that are consistent with the proposed FTC principles and give users of their website the right and ability to consent to the use of these technologies to collect per- sonal information, or the tools necessary to block these technologies. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. ( 9 Â·, ... ______________ _ 10) JOURNAL OF INTERNET LAW litrp:l/www.ftc .go,,Jopa/ 2007/ 12/principles.shtm. 2 The Firefox browser is used in this example. 3 lurp://tt'