Connect with the DMA…• The #tag for this event is: #dmalegal• LinkedIn: DMA: Direct Marketing Association (UK) Limited• Twitter: @DMA_UK/ @DMANorth• DMA Website: http://www.dma.org.uk• Email: firstname.lastname@example.org or email@example.com• Phone: 020 7291 3300 or 0161 918 6780
Today’s agenda• 09.00 – 09.30 Registration and Coffee• 09.30 – 09.35 Welcome and Introduction• 09.35 – 10.05 Data Protection Regulation – Richard Parkinson, Legal Director Pinsent Masons and Samantha Livesey, Partner, Pinsent Masons• 10.05 – 10.35 Data Protection Regulation – Caroline Roberts, Director of Public Affairs, DMA and James Milligan, Solicitor, DMA• 10.35 – 10.55 Refreshment Break• 10.55 – 11.15 Cookies – New Privacy Regulations – James Milligan, Solicitor, DMA• 11.15– 11.30 Hot Industry Issues – Caroline Roberts, Director of Public Affairs, DMA and James Milligan, Solicitor, DMA• 11.30 – 12.00 Panel Debate and Close
The Proposed New EU Data Protection RegulationSamantha Livesey and Richard Parkinson
Agenda1. Introduction2. Timescale3. Headline proposed changes4. Summary of main changes from current regime5. Some specifics + considerations for compliance
Retailers: gaining competitiveadvantage from customer insights
From proposal to law: legislative processto implementation Committee stage: Draft report published: Jan to April 2013 Nov 2012 Lead committee Parliamentary vote: April 2013Hearings: amendments to text:May to Nov 2012 Dec 2012 Q1. 2014?May 2012 December 2012 April 2013 2014
Headline proposed changes• Data processors directly covered• Expanded definitions: “personal data” and “data subject”• Explicit consent required• Right to be forgotten• Greater emphasis on accountability• Notification of data security breaches• More onerous sanctions for breach
ConsentConsent: Current Position Consent: Proposed Position- Freely given, specific, informed -Freely given, specific, informed and explicitindication of the data subject’s indication of data subject’s wisheswishes - Given either by a statement or a clear- Explicit consent required for affirmative actionsensitive personal data only - Data controller / data subject relationship to be taken into account - Burden of proof on controller to demonstrate consent
Greater accountability• Public bodies / companies <250 staff• Appointment of DP officer 2 year appointment independent reporting to board inform train• Maintenance of documentation• Data protection impact reports
Data security breach notification• Mandatory notification• Within 24 hours of becoming aware of breach• Report to cover: nature of breach number of data subjects categories of data proposed mitigation
Data security breach roadmap INCIDENT: NOTIFY: ALERT: INVESTIGATE INVESTIGATE A data security Notify Insurer Involve your : Find out what Find out what incident occurs immediately security breach happened happened response teamNOTIFYICOWITHIN24HOURS EVALUATE: RESPOND: RESPOND: ASSESS: ASSESS: CONTAIN: CONTAIN: How successful Complete your Complete your What are the What are the Prevent/limit any Prevent/limit any was the security breach Incident potential potential further data loss further data loss response? Response plan response Plan consequences? consequences?
Proposed enhanced sanctions• Depend on:- Size of organisation involved Nature and gravity of breach Whether intentional or negligent Technical and organisational measures Previous breaches Co-operation with ICO
Proposed enhanced sanctions• Up to €250k or 0.5% annual worldwide turnover intentional or negligent failure to operate a proper subject access request• Up to €500k or 1% annual worldwide turnover intentional or negligent failure to respond to subject access requests in accordance with Regulation• Up to €1m or 2% of annual worldwide turnover for other compliance failures
Winners LosersData Protection Officers Data processorsData subjects?Genuinely better protection for them? Data subjects?Multinational businesses seeking to Consumers: Increased burden andoperate in a genuinely single cost of compliance passed onEuropean marketThe (few?) national supervisory Other national supervisory authorities:authorities likely to receive increased increased duties; same resourcesfundingInitiatives for information sharing on The many industries that operatecyber/data security incidents: both using “indirectly identifiable data”industry groups and government (or in the “grey zone”)
Draft EU Data Protection Regulation DMA View and Lobbying ActivityCaroline Roberts James MilliganDirector of Public Affairs DMA Solicitor
Draft Regulation- DMA View• DMA welcomes the Commission’s aim to reduce red tape and simplify bureaucracy – but proposals do not achieve that: overly strict, bureaucratic and unworkable• Needs to be a fair balance between privacy and legitimate business interests• Current proposals will stifle innovation, add considerably to business costs and place unnecessary obstacle to e- commerce jobs growth• Will be particularly harmful to SMEs• Hard to say how Commission’s estimate of 2.3 billion euros saving to businesses was calculated
“The proposed EU Data Protection Regulationcould cost the UK £47 billion in lost salesAccording to the businesses polled for the study,the proposed EU legislation could cost UK eachan average of £76,000.Crucially, if these results were representative ofthe UK economy as a whole, this would translateinto a potential cost of £47 billion to UKbusinesses, concentrated amongst mainlySMEs.”
Key points in the draft Regulation Opt-in and opt–out - obtaining consent• General rule for direct marketing – “explicit consent by clear statement or affirmative action” .• Possible legitimate interests exemption ?• Legacy databases – what about data collected under current law?• At odds with existing rules on voice calls, email and SMS marketing
Key points in the draft RegulationIP addresses and cookies• Definition of personal data extended so could cover some IP addresses and cookies• But IP addresses identify a device not an individual + some IPs are general• Huge implications for digital marketers• Web analytics & profiling made much more difficult, if not impossible• Interaction with new cookie rules
Key points in the draft Regulation The right to be forgotten• Right for individuals to request organisations to delete any information held on them• Drafted with social media in mind – but goes beyond this• Problem of information which has already been passed on to third parties• Possibility of misleading consumers by raising unrealistic expectations• Suppression files.
Key points in the draft RegulationSubject Access Requests• Data subjects to be able to request full information on data held on them free of any charge• Currently can levy a £10 fee – doesn’t cover cost but deters time-wasters, frivolous or vexatious requests.• Costs organisations £50 million p.a. now to meet SARs• Proposal that can provide data in electronic form if data subject agrees to this
Key points in the draft Regulation- Marketing to Children• General rule – parental consent required for under 18’s• Exception for online marketing to children above age of 13• No flexibility – a risk-based approach would be better.
Key Points in the draft Regulation –DelegatedActs• A major concern is that much of the detail of the Regulation will be implemented through additional delegated legislation – some 45 Delegated Acts are mentioned.• Details of this secondary legislation will not be clear until Regulation passed• These areas of secondary legislation will include: • powers to specify further procedures • technical standards for Privacy by Design/Default • specification of lawful processing condition • additional responsibilities for national data protection authorities; etc.• European Commission will be taking significant powers to itself away from the national authorities - raises serious issues of subsidiarity and accountability
Current position - UK• Government reshuffle • at MoJ Helen Grant replaces Lord McNally.• MoJ Data Protection Advisory Panel • DMA invited to join• Justice Select Committee enquiry • DMA submitted evidence • 3 oral hearings ICO, Minister, FSB, Privacy International, Microsoft, Which? • Focus on bureaucratic burdens, benefits of harmonisation, Right to be Forgotten • Report in October to EU Scrutiny Committee• Allies • CBI; Federation of Small Business; Which? etc.• DMA Research • Data Privacy: What the Consumer Really Thinks and on the economic value of the dm industry, Putting a Price on Direct Marketing
Current position – UK Data Group• DMA chairing industry group under Advertising Association umbrella - to co-ordinate lobbying efforts• + ISBA, IPA, MRS, IPM, Sky, ITV, Channel 4, Microsoft, Google, Facebook• Ministerial Round Table on 23rd October• Set of draft amendments to propose• Priorities agreed: definition of personal data; profiling; consent; impact on small businesses; compliance costs• Mapping exercise of key individuals to target – pooling of intelligence on lobbying outcomes
Current position – Brussels –Council of Ministers• Council of Ministers Working Group meeting monthly• Initial reports indicate UK Government (and others) taking a helpful and business-friendly stance – many object to delegated acts; find it too prescriptive and blunt in outlook on risk and harm & would prefer a more principles- based approach.• UK pushing for Directive, rather than Regulation – as is Germany
Current position – Brussels –European Parliament• Lead Committee = LIBE • Civil Liberties, Justice & Home Affairs • Rapporteur is German Green MEP • Aiming for Draft Report for discussion in December with vote in early 2013• 4 other Committees will produce reports • ITRE – industry & trade • IMCO – Internal Market & Consumer Protection • Juri – Legal • Employment & Social Affairs
Current position – Brussels -FEDMA• FEDMA co-ordinating central European effort, a link point for exchange of intelligence on lobbying outcomes in different Member States• Organising meetings in Brussels with key individuals in Council, Commission and Parliament, e.g. Cypriot Presidency; advisers to key MEPs; party group secretariats.• Produced a FEDMA position paper on priorities for industry + draft amendments to text• Lobbying directly where there is no national DMA• DMA participating in Europe-wide group, Data Industry Platform – for collective lobbying + current research project by KPMG on likely effect of Regulation on European industry
Next steps• Industry Round Table with MoJ and DCMS Ministers – 23rd October• Contact key UK MEPs• Promote suggested amendments to Regulation – to UK MEPs and via FEDMA to others•• Lobby UK political leaders to influence their MEPs in EU Parliament• Continue to engage with key Commission, Council and Parliament civil servants and advisers
Timing• Council Working Party meets on 25/26 September + 4 more meetings in 2012• 6th December – Council Ministers meet• LIBE lead EP Committee – meeting with national parliaments on 9/10 October; will produce working document in mid-October & draft report in late November• Other 4 Committees in parallel• ???????? 2014.
Coffee break…The next session starts at 10.55am
Cookies – 6 months on James Milligan DMA Solicitor
Covering:• 26th May?• Current developments• What does the law require?• Practical Guidance
26th May• Online world did not end• ICO issued revised guidance• Implied consent = shared understanding.• www.silktide.com
What does the law require?• The EUs revised privacy and communications directive came into force on 26 May 2011• EU laws have been in place since 2003 clear information requirement.• The changes in May dramatically tightened the rules: clear information and consent from users to store a cookie on their device.
The law doesn’t just cover cookies• The law isn’t actually about cookies, but because it affects them so much people have started calling it the ‘Cookie Law’• The law covers all technologies which store information in the “terminal equipment" of a user, and that includes so- called Flash cookies (Locally Stored Objects), HTML5 Local Storage, web beacons or bugs…and more• This applies to email and mobile marketing too!
In practiceThose setting cookies must:• tell people that the cookies are there,• explain what the cookies are doing, and• obtain their consent to store a cookie on their device.
Two exemptions from consentrequirement• 1. “use of cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network“• 2. “cookies that are strictly necessary for the provision of a service” – e.g. internet banking, online shopping carts, website log-ins
Check what type of cookies you use• This might have to be a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why.• You should analyse which cookies are strictly necessary and might not need consent.• You might also use this as an opportunity to ‘clean up’ your webpages and stop using any cookies that are unnecessary or which have been superseded as your site has evolved• And also check that you have identified ALL your websites.
Assess how intrusive your use ofcookies is• ….It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other.• You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.
Decide how to obtain consent• Once you know what you do, how you do it and for what purpose, you need to think about the best method for gaining consent.• The more privacy intrusive your activity, the more you will need to do to get meaningful consent…. – Pop-up box – Splash page – Landing page – Webpage header, banner or scrolling text – Through T&Cs for registered website users• Cannot currently rely on users’ browser settings!
Thank you and QuestionsDMA Cookie Watchhttp://www.dma.org.uk/toolkit/cookie-watchTel: 020 7291 3347Email: firstname.lastname@example.orgDMA Legal AdviceTel: 020 7291 3360Email: email@example.com
Hot Industry TopicsCaroline Roberts James MilliganDirector of Public Affairs DMA Solicitor
Hot Industry Topics• Consumer Rights legislation• Marketing to children• Telemarketing• Financial services• Alcohol marketing• Postal Affairs• Environment
Consumer Law – all change• UK consumer law is not fit for purpose.• Outdated language and concepts not appropriate in age of digital downloads and international online retail.• To help consolidate and simplify consumer law for the benefit of consumers and traders, the Government has launched three consultations.
1. Consumer Rights Bill• BIS consultation proposes a range of options to clarify the rights and remedies for goods and services, including digital content, including: • Replace the current system of implied terms with a clear set of statutory guarantees when purchasing goods • Set a clear time limit for a short term right to reject • Clarify the number of times a retailer can repair sub- standard goods before being obliged to replace them • Replace “reasonable care and skill” with statutory guarantees for service levels • Introduce statutory remedies for sub-standard services • Clarify the rights and remedies available when buying digital content.• If implemented, these changes will see a complete change to how consumer law protects people when buying goods and services, and will introduce concepts that will allow for developments in technology.• This consultation closes on 5 October
2. Unfair terms in consumer contracts: a new approach• Current law on unfair terms in consumer contracts contained in two pieces of legislation which have their own inconsistencies and overlapping provisions.• As part of consultation on package of measures to simplify and consolidate consumer law, the Law Commissions asked to review and update 2005 report in relation to its general consumer recommendations.• Also asked to look at one specific issue: Which terms in a contract should be excluded from any rules? (has arisen from 2009 litigation over bank charges)• Their advice to be published spring 2013.• Consultation looks at recommendations in 2005 report and updates some proposals in light of changes since.• The consultation closes on 25 October.
3. Implementation of the Consumer Rights Directive• Agreed by the European Commission in 2011 – into UK law by April 2014.• Focused on harmonising and simplifying rules in a few key areas of consumer law: • Information that must be given to a consumer before s/he buys goods or services on a trader’s premises • Information that must be given to a consumer before s/he buys goods or services away from a trader’s premises, for example a fair, or at a distance (eg online) • Cancellation rights and responsibilities when a consumer buys goods or services away from a trader’s business premises or at a distance • Delivery times for goods and where responsibility lies if there is a problem • Post-contract helplines – these now cannot be a premium rate but can only be a basic rate call • Additional payments – these are payments that are charged on top of the price of the goods or services. They now need to have active or express consent so pre-ticked boxes will no longer be allowed • Payment fees (eg credit card surcharges).
Consumer Rights Directive – UK implementation• Payment fees are also subject to a separate consultation, issued by the Department for Business Innovation and Skills on 3 September• Many of the provisions of the Consumer Rights Directive have to be implemented as agreed in Europe but the consultation looks at some areas where there is leeway in how the UK Government implements the provisions. These include applying the provisions to sectors exempted by the Directive, for example healthcare and social services, setting a minimum value for a transaction to be subject to the provisions and dealing with emergency repairs in the home.• Aims to put an end to certain bad business practices and help consumers make well informed decisions when buying products or services.• Also to boost business confidence, setting out clearer rules and responsibilities and cutting red tape by reducing compliance costs.• Consultation closes on 1 November.
Marketing to children• General political concern about over-commercialisation• Bailey Review on Commercialisation and Sexualisation of Childhood – “Letting Children Be Children” - report published 2011• Says role and practice of advertising in broadly good shape – praises industry initiatives, e.g. CHECK• 5 key recommendations: • Sexual imagery on billboards, magazine covers. • No under-16 brand ambassadors & peer to peer techniques • Harmonisation of the age of a child at 16 • Website for parents to complain • Improving industry and regulatory understanding of parental concerns
Marketing to children – industry response• Children’s Panel set up to monitor advertising to children and take forward issues of concern• Parent Port – gateway portal for parents for information, advice, complaints, etc.• Research - Credos, Advertising Association think tank• UK Brand Ambassador and Peer-to-Peer Marketing Pledge:• Agreed principle that “ Young people under the age of 16 should not be employed directly or indirectly paid or paid-in-kind to actively promote brands, products, goods, services, causes or ideas to their peers, associates or friends”• 30+ national company signatories + 13 trade associations, including DMA• Industry awareness campaigns
Marketing to children- latest developments • Consultation on extending age rating system to music DVDs and Blu-rays • Govt encouraging industry to introduce clear warnings on explicit videos online • Govt finalising legislation to implement the new classification system for video games • Govt asking ASA to consider whether more should be done to spell out commercial intent of advergames to young people and parents
Telemarketing OFCOM issued consultation 4th April on Simplifying Non- geographic Numbers - detailed proposals on the unbundled tariff and Freephone• Non-geographic numbers include 03, 080, 0845,0870, 083/4, 0871/2/3, 09 and 118 numbers.• Used to call businesses and Government agencies, to get information, make payments for services and vote on TV shows. Nearly every consumer and every company in the country uses these numbers in some way.• Confusion about the price – even freephone not clear cut• Concerns about revenue sharing.
Telemarketing• Main proposals: – Freephone: (080 and 116 numbers) to be free from all telephones, landline and mobile; – 03: to become the only non-geographic number range linked to the price of a call to a geographic number (i.e. the 01/02 number ranges); – Revenue sharing ranges: (084, 087, 09 and 118 numbers -where a portion of the retail charge is passed back to the receiver of the call) are to have a common simplified structure.• Consultation closed 27th June 2012 – now awaiting Government’s response
Financial Services• EU Gender Directive – In force 21st December 2012 – ECJ ruled 1st March 2011 that gender sensitive pricing is contrary to the principle of equal treatment in EU law – Therefore gender neutral pricing will become the norm - Unisex premiums would see the lower-risk gender paying more to subsidise the high-risk gender
Financial Services• Re- architecture of financial services regulatory environment• Replacement of FSA by Financial Conduct Authority and Prudential Regulatory Authority• Banking Reform Bill – ring fencing of retail and investment arms within banks included in Queen’s Speech 2012.
Financial Services – consumer credit• Consumer Credit in limbo- move to FCA? – Investigations into payday loans and payment protection insurance have raised the issue of standards in the consumer credit market – BIS Committee of MPs has called for tighter controls on debt management companies and payday lenders • Charge higher licensing fees for higher risk credit businesses • Put in place a fast track procedure to suspend credit licences • Give the regulator the power to ban harmful products
Financial Services – consumer credit• BIS Consultation on the Early Implementation of a Ban on Above Cost Payment Surcharges• Credit/Debit Card charges• Consultation closes 15 October 2012.
Alcohol• Government issued its Alcohol strategy on 23rd March• Focus on pricing issues• Minimum pricing in Scotland to be introduced – implications for rest of UK?• Positive comments on the work of self-regulation• Commons Health Select Committee holding an inquiry into the Governments’ proposals, looking at: – effects of marketing on alcohol consumption, in particular in relation to children and young people. – international evidence of the most effective interventions for reducing consumption of alcohol and evidence of any successful programmes to reduce harmful drinking, such as: education; reduction in strength; raising legal drinking age; and plain packaging and marketing bans.
Postal issues• Reversions issue with Royal Mail• DMA in discussions with RM to secure a more beneficial outcome – hosted summit in August• Making progress• VAT – single supply of services
Environment• The DMA and Defra signed a Responsibility Deal in 2011.• Part of this was the introduction of a new website where householders can opt-out of receiving all types of advertising mail.• Aim to reduce the amount of unwanted advertising mail put through the letterbox• Doorstop Preference Service is ready to launch – awaiting final Defra input and agreement with newspaper and directories industries.
Queen’s Speech 2012• DEFAMATION BILL – end to libel tourism and protection for website operators for user generated content on their site provided they comply with new dispute resolution procedures to allow complainant to deal directly with the author• ELECTORAL REGISTRATION AND ADMINISTRATION BILL – introduction of individual electoral registration and system opened up for digital application. - edited version of register will be kept but issue on opt-outs.• ENTERPRISE AND REGULATORY REFORM BILL – aims to cut red tape• PENSIONS BILL – creating a single tier pension and bringing forward increases to the state pension age• DRAFT COMMUNICATIONS DATA BILL – dubbed “The Snoopers’ Charter”
Any Questionsfirstname.lastname@example.org email@example.com 7291 3347 020 7291 3346DMA members can contact DMA Legal Department for free advice: by email: firstname.lastname@example.org or call: 020 7291 3360
Thank you… Presentations will be emailed to you Monday A final thank you to all of today’s speakers: Richard Parkinson, Pinsent Masons Samantha Livesey, Pinsent Masons Caroline Roberts, DMA James Milligan, DMA
Please return your completedevaluation forms and badges to theregistration desk we look forward to seeing you again!