Since it became part of UK law in May 2011, the EU "ePrivacy" Directive 2009/136/EC has caused shockwaves across the digital marketing community. What are the key points in the new laws for B2B marketers? Do they cover more than just cookies? Is it possible to make sense of what the regulators are saying about how to comply? And what strategies should marketers be deploying to stay out of the courts? Get the answers to these and other important questions during this session.
Meeting the challenges of new ePrivacy laws
1. B2B Marketing Conference 2011
Meeting the challenges of new ePrivacy laws
Stephen Groom
November 2011
2. osborneclarke.com
Agenda
• Quick context
• Cookie law update
• Impact on Online Behavioural Advertising (OBA)
• The UK's position (plus the latest from Europe)
• Practical steps
• Increased penalties and don't forget…..
• A quick look into the future
3. osborneclarke.com
Quick context
• Data Protection Act 1998
• Privacy and Electronic Communications (EC Directive)
Regulations 2003
• Privacy and Electronic Communications (EC Directive)
(Amendment) Regulations 2011
• in force since 26 May 2011
5. osborneclarke.com
What are cookies?
• Text files, stored in the web browser on your computer and used by
websites to ‘recognise’ the computer
• Delivered when your web browser accesses an online service
• Each cookie is specific to both:
• a particular website that issues it; and
• A particular computer (or more specifically, the browser on a
particular computer) that requests the content
• The same cookie is exchanged constantly as website content is
accessed, enabling the website to recognise a browser that has
previously visited the website
• See http://www.whatarecookies.com/ for more details
6. osborneclarke.com
What is behavioural advertising?
"…online behavioral advertising means the
tracking of a consumer’s online activities over
time – including the searches the consumer has
conducted, the web pages visited, and the
content viewed – in order to deliver advertising
targeted to the individual consumer’s interests."
Source: Federal Trade Commission Staff Report (February 2009):
"Self-Regulatory Principles For Online Behavioral Advertising"
7. osborneclarke.com
Common types of OBA
Intrusiveness / risk spectrum: less intrusive and less risk at the top of this list (1), more intrusive and more risk at the bottom (3)
1. First party OBA (the Amazon approach)
• Publisher places cookies on its own website
• Collects behaviour information about interests and likes
• Uses information to target adverts on its own website only
2. Third party OBA (the AdSense approach)
• OBA provider tracks visitors to partnering websites
• Collects behaviour information about interests and likes
• Uses information to target adverts on other partnering websites
3. ISP traffic monitoring (the Phorm approach)
• OBA provider intercepts user data traffic passing through ISP
• Collects behaviour information about interests and likes
• Uses information to target adverts on partnering websites
8. osborneclarke.com
OBA: What are the legal issues?
- There's a lot more to think about than just the cookie laws
1. Consumer Protection from Unfair Trading Regulations 2008
• lack of disclosure could be an "unfair commercial practice"
• see OFT Market Study on Online Targeting of Advertising and Prices
2. Data Protection Act 1998
• does OBA data (e.g. IP addresses) qualify as "personal data"?
• if so, "fair and lawful processing" requirements apply eg enhanced notice
• if sensitive personal data is involved, explicit consent requirements
3. Privacy and Electronic Communications ("PEC") Regulations 2003 also regulate
• location data
• traffic data
• spam / SMS marketing
4. Which brings us to the saga of the EU's cookie rules…!
9. osborneclarke.com
Cookie Law Development
• 2002: Directive on Privacy + Electronic Communications ("PEC") includes specific tracking technology provisions
• 2003: PEC Regulations confirm opt out obligation where technology used to store or access information on terminal equipment.
• Late 2009: EC surprisingly amends PEC Directive to require user consent to tracking technology. Deadline for member state implementation May 2011
• Cue furious lobbying by internet advertising industry
• 2010: Article 29 Working Party opine that prior opt in consent a requirement before cookies used in OBA
• May 2011: UK implements PEC amendment Regulations requiring user to have given consent but allowing for browser settings to be used to do so.
• May 2012: UK deadline for compliance with new cookie law.
12. osborneclarke.com
Cookie highway code chaos - The UK position
Unless strictly necessary for service provision…. placement of cookies on a device ..... requires user consent to have been obtained
• "Unless strictly necessary for service provision": ICO interpretation of strictly necessary likely to be narrower than commercial teams
• "Placement of cookies on a device": any device and any technology - PCs, laptops, mobile devices, smart meters……
• "Requires user consent to have been obtained": browser setting exception; active consent; timing
• PEC fines – £0.5m max
13. osborneclarke.com
The "Industry" Response
• Self regulatory initiative to try to ward off explicit opt in
• A broad coalition inc. IAB, EASA, DMA and ISBA. Signed
by 90+ leading stakeholders
• All agree to adhere to a 6 Principle "Framework"
• Receivers of behaviourally targeted and retargeted ads
alerted by a "uniform pictogram" or "icon"
• When clicked on it gives info re: what OBA is, how it
works and how Your Online Choices site can be used to
opt out
• Not yet expressly approved by ICO or EC
14. osborneclarke.com
ICO's Position
• "We remain to be convinced that [the use of privacy i symbol] amounts to
consent" – David Smith, Deputy IC 22/9/11
• Moratorium on enforcement until May 2012
• But only if you're seen to be considering your approach
"If ICO were to receive a complaint about a website, we would expect
an organisation's response to set out how they have considered [the
new rules] and that they have a realistic plan to achieve compliance"
"You cannot ignore these new rules"
15. osborneclarke.com
So what should businesses be doing now?
• Audit use of cookies
• Cookies necessary for the provision
of requested services
• Probably OK to continue but provide clear
information e.g. why cookies essential for
security in context of online banking services
• Useful but intrusive cookies
• eg third party behavioural cookies
• ICO: "the most challenging area". Browser
settings will not provide a solution as yet
• Do everything you can to get right info to
users and allow them to make informed
choices
16. osborneclarke.com
So what should businesses be doing now?
• Set up a cross-functional task force (IT/digital, Legal, Compliance,
PR, Marketing) to devise an action plan and….
• Inform and educate internally
• Ensure customer facing staff know what to say in reply to customer
queries
• Make easy and immediate changes e.g. add an update to your privacy
policy such as:
"With regard to the new requirements on cookies after the
revision of the e-Privacy Directive, we are working towards
implementing the new requirements in line with official
guidance"
17. osborneclarke.com
More ICO suggestions as to what businesses
should be doing now
• "Feature-led consent"
cookies used when user chooses a particular feature such as
watching a video clip. If user is taking action to agree to the
functionality being "switched on", provided it is made clear that
"certain things will happen" by choosing to take a particular action
then this can be interpreted as consent.
• Functional/"first party" uses
analytical/behavioural cookie collecting info about how people
access and use the site. Make disclosures about this more
prominent e.g. place highlighted text in web page footer or
header or which turns into scrolling text when you want to set
a cookie. This could prompt the user to read further info eg via
the site privacy pages and make available choices
18. osborneclarke.com
New cookie laws - unanswered questions
• Marketing emails that drop cookies
Clearly caught by the new PEC Regs but no DCMS or
ICO Guidance currently deals
• International issues
19. osborneclarke.com
Increased penalties and don't forget…
• In serious cases a fine of up to £500,000 for …
• A breach of any provision of the Privacy and Electronic
Communications Regulations including:
– opt in rules for email and text marketing
– do not call telemarketing rules
– opt in rules for use of location data for marketing
– opt in rules for sending pre-recorded marketing
messages by automated calling systems
• Don’t forget Reg 7 of the Ecommerce Regs 2002
20. osborneclarke.com
In 12 Months Everything Will Look Different
• EC likely to announce revisions in Q1 2012
• Directive or Regulation?
• Possible changes
• Accountability
• Data Protection Officer requirement?
• Privacy by design
• Data breach notification
• Currently only: Fin Services + Telecoms
plus random territories for specific classes of data
• Data portability
• Right to be forgotten
• Data transfers made easier? Safe harbor approach
• Notifications and other bureaucracy to be scrapped?
21. osborneclarke.com
New regulator powers?
• Currently ICO only has audit powers over public sector organisations
• But it can suggest to a private company that an audit might be a good idea
• in lieu of immediate enforcement (eg Google)
"You know that ICO is not the Gestapo. Yet I don't have statutory powers to carry out audits in those sectors causing me the most concern. Something is clearly wrong when the regulator has to ask permission from the organisation causing us concern before we can audit their data protection practices"
Christopher Graham, Information Commissioner, October 2011, at a Privacy Law & Business conference
22. osborneclarke.com
Useful source materials
• www.marketinglaw.co.uk
• ICO's Personal Information Online Code of Conduct
• IAB Europe "European Self-Regulation for Online
Behavioural Advertising"
• DCMS paper "Implementing the revised EU Electronic
Communications Framework"
• ICO: "Changes to the rules on using cookies and
similar technologies for storing information"
23. osborneclarke.com
Any questions?
Stephen Groom
Head of Marketing & Privacy Law
Osborne Clarke London
T +44 (0) 207 105 7078
M +44 (0) 207 105 7079
stephen.groom@osborneclarke.com
www.marketinglaw.co.uk