E-privacy Directive and Performance Marketing - Andrew Tibber
In December 2009, a legislative package revising the existing telecommunications and electronic communications framework came into force. Member states had until 26 May 2011 to implement the Directive. As part of this package, new rules require websites to obtain consent when placing 'cookies' on your computer, mobile or other device. The guidance given by the UK government and the ICO has stated that responsibility for compliance will be shared between ad network providers, publishers and advertisers. The message is clear: the rules apply to everyone who uses cookies and the new rules cannot be ignored.

This talk will focus on:

  • Previous position: What was the previous legislation? How did businesses interpret it? What were the drivers for change?
  • New position: What is the new legislation? How does this change things? What are the unresolved questions?
  • How to comply: What are the currently suggested solutions which will enable businesses to comply? What areas of uncertainty remain?
  • Enforcement: Who has responsibility for enforcement? What are the timescales? What is the approach? What are the penalties?

Presentation Transcript

  • The e-Privacy Directive & Performance Marketing
    • Andrew Tibber, Senior Associate
    • http://www.linkedin.com/in/andrewtibber
    • @atibber
  • About Burges Salmon
    • UK top 50 commercial law firm
    • Service national/international clients from Bristol/London
    • IP & Technology Team advise on:
      • Affiliate advertising agreements
      • Use of 3rd party TMs in paid-for search keywords/ads
      • Use/abuse of social media
      • Domain name dispute resolution
      • Data protection/privacy
  • The e-Privacy Directive
    • Ed Vaizey, UK Minister for Culture, Communications and Creative Industries (29 March 2011)
    • “… a good example of a well-meaning regulation that will be very difficult to make work in practice”
  • Overview
    • How did we get here?
      • Legal framework – e-Privacy Directive 2002
      • How was it implemented in the UK?
    • What has changed?
      • Informed (prior?) consent
    • Possible models for informed consent
      • Online Behavioural Advertising
      • Browser technology – Do Not Track
    • Compliance
      • ICO guidance (UK) and suggested actions
      • Other EU states
  • Legal framework
    • ECHR, Article 8:
    • “(1) Everyone has the right to respect for his private and family life, his home and his correspondence.”
    • Data Protection Directive 1995, Article 1(1)
    • “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”
  • Legal framework
    • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive 2002”)
    • Sets out to protect
      • rights in ECHR; and
      • provide equal level of protection to Data Protection Directive for personal data and privacy of users of publicly available electronic communications services
    • Part of overarching Framework Directive, setting out regulatory framework for electronic communications infrastructure and services
  • Legal framework
    • e-Privacy Directive 2002, Recital 24
    • “The use of [spyware, web bugs, hidden identifiers etc] should be allowed only for legitimate purposes, with the knowledge of the users concerned.”
    • e-Privacy Directive 2002, Recital 25
    • “… ‘cookies’ … can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions ... [such] use should be allowed on condition that users are provided with clear and precise information … about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment … The methods for giving information, offering a right to refuse or requesting consent should be made as user friendly as possible.”
  • Legal framework
    • e-Privacy Directive 2002, Article 5(3)
    • “Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”
  • Legal framework
    • Storage of or access to:
      • Spyware
      • Adware
      • Cookies
        • Google Analytics
        • Shopping cart
        • Flash cookies (Local Shared Objects)
        • Post-click
        • Post-impression (PI)/post-view (PV)
  • Legal framework: Summary
    • Legal obligations imposed by e-Privacy Directive on Member States to legislate in relation to storage of or access to cookies:
      • clear and comprehensive information about purpose of cookies must be provided
      • right to refuse must be offered
      • UNLESS storage/access “strictly necessary” to provide service explicitly requested
    • Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
    • Regulation 6 reproduces Art 5(3) of e-Privacy Directive
    • Regulated by Information Commissioner’s Office (ICO)
  • Previous implementation in the UK
    • ICO guidance at the time – Information to be provided
    • “… sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so”
    • ICO guidance at the time - Right to refuse
    • “At the very least … the user or subscriber should be given a clear choice as to whether or not they wish to allow a service provider to continue to store information on the terminal in question …
    • Where the relevant information is included in a privacy policy … the policy should be clearly signposted at least on those pages where a user may enter a website.”
  • What has changed?
    • Wide review of telecoms legislation led to revised EU Electronic Communications Framework (Directive 2009/136/EC, 25 November 2009)
    • Includes amendments to the e-Privacy Directive 2002:
      • Duty on providers of electronic communications services to notify “personal data breaches” to competent national authority
      • New prohibitions on and right to bring proceedings for spam
      • Cookies
      • Penalties
  • What has changed?
    • New recital 66 of the Amending Directive
    • “… Where it is technically possible and effective … the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application ...”
  • What has changed?
    • Amended Article 5(3) of the e-Privacy Directive 2002
  • What has changed?
    • Implemented in the UK by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)
    • In force: 26 May 2011
    • Amended reg 6 of the 2003 Regulations:
    • “(2) [Requirement that] the subscriber or user of that terminal equipment:
    • (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
    • (b) has given his or her consent …
    • (3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”
  • What has changed?
    • Part V and sections 55A-55E of Data Protection Act 1998 to apply
    • Gives ICO new powers to:
      • issue enforcement/assessment/information notices (failure to comply = criminal offence)
      • impose fines of up to £500,000 for serious breaches
      • (“serious” = potential for “substantial damage or distress”)
    • Continuing right for users to take civil action for damage
  • What has changed? Summary
    • Continuing requirement to provide clear and comprehensive information
    • Requirement of consent instead of right of refusal, ie opt-in not opt-out
    • New enforcement powers for ICO
  • Informed (prior?) consent
    • 7 April 2009 - Rejected amendment to Art 5(3)
    • “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her prior consent, which may be given by way of using the appropriate settings of a browser or another application, after having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.”
    • Joint Council Statement, 18 November 2009 (Austria, Belgium, Estonia, Finland, Germany, Ireland, Latvia, Malta, Poland, Romania, Slovakia, Spain, UK)
    • “the amended Article 5(3) is not intended to alter the existing requirement that such consent be exercised as a right to refuse the use of cookies or similar technologies used for legitimate purposes”
  • Informed (prior?) consent
    • Article 29 Data Protection Working Party Opinion 2/2010 on online behavioural advertising (22 June 2010)
    • “i) consent must be obtained before the cookie is placed and/or the information stored in the user’s terminal equipment is collected, which is usually referred to as prior consent and ii) informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user.”
  • Informed (prior?) consent
    • Alexander Alvaro, European Parliament Deputy, e-Privacy Directive Rapporteur (Privacy and Security Law Report, October 2010)
    • “the ‘prior consent’ formulation was considered and rejected in favor of a wording where the Parliament left more room for flexibility … Consent as defined and used in the Data Protection Directive does not have to be prior or explicit …”
    • ICO Guidance: “Changes to the rules on using cookies and similar technologies for storing information” (9 May 2011)
    • “You need to provide information about cookies and obtain consent before a cookie is set for the first time”
    • European Commission MEMO/11/320, Brussels, 23 May 2011
    • “… the new rules require Member States to ensure users have given their consent before such data is stored or accessed. Before being asked for their consent, the user must be given information about what the data collected about them is to be used for (e.g. targeted behavioural advertising).”
  • Informed (prior?) consent
    • Ed Vaizey, UK Minister for Culture, Communications and Creative Industries, Open Letter, 24 May 2011
    • “… Article 5 of the revised e-Privacy Directive does not specify that the consent must be ‘prior consent’. The original text proposed by the European Parliament did do so but this was removed during negotiation ... it is possible that consent may be given after or during processing.
    • [But] in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken. This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing. It also supports any approach underpinned by industry’s attempts to inform users about the specific choices available and as a result allow users to make choices (ie give consent) based on that information.
    • Crucially, the requirement of the revised Directive is for informed consent.”
  • Possible models for informed consent
    • Online Behavioural Advertising (OBA)
    • Internet Advertising Bureau (IAB) UK “Good Practice Principles” (4 March 2009)
    • North American “Self-regulatory principles for OBA” (July 2009)
    • IAB European Self-regulation for OBA (14 April 2011)
      • 3rd parties should give clear and comprehensible notice describing OBA collection and use practices
      • Link to www.youronlinechoices.eu
      • Icon in or around the ad
      • Disclosure by web site operator of 3rd party arrangement
      • No segmentation for under-12s
      • Education (eg online videos)
  • Possible models for informed consent
    • Do Not Track
      • Response to US Federal Trade Commission proposed framework for protecting consumer privacy
      • HTTP header notifies participants not to set tracking cookies
      • Easy to use and understand
      • Prevents 3rd party cookies and flash cookies
      • Supported by Firefox (4, 4 Mobile and 5 Beta) & IE9
      • Safari next
      • BUT relies on universal buy-in
    • “Keep my Opt-Outs” Google Chrome extension – a “better ‘Do not Track’ mechanism”
  • Possible models for informed consent
    • “… browsers today have not harmonized the range of cookie controls in such a way as to send one clear, standardized signal to businesses that can be used as a proxy to meet compliance and respect consumer demands … realistically it’s going to be months, if not longer, to achieve clarity at a technical level. Then there’s the question of getting users to adopt new versions of browsers with enhanced controls to further support user requirements and ease compliance efforts in this area. It’s my view that site owners and third parties need to focus on improving privacy notices and statements that inform consumers of their cookie and tracking practices. In addition, any parties engaged in tracking consumers in the EU need to address compliance as if no new browser controls emerge.” (Alex Fowler, Global Policy and Privacy Leader, Mozilla (Firefox), May 2011)
  • Compliance: UK ICO Guidance
    • What cookies are “strictly necessary”?
      • Exception construed narrowly
      • Includes eg shopping cart
      • Excludes eg remembering user preferences, analytics
      • Post-click, PI/PV cookies will be caught
    • Browser settings cannot be used to indicate consent – for now
    • “You need to provide information about cookies and obtain consent before a cookie is set for the first time”
  • Compliance: UK ICO Guidance
    • What sort of information?
      • Be upfront about how website operates
      • List of cookies and description of how they work
    • Obtaining consent
      • Pop ups
        • Easy option but spoils user experience
      • Terms and conditions
        • Make users aware of changes to Ts and Cs
        • Positive indication that users understand & agree to changes
      • Text in header/footer linked to further information
  • Compliance: UK ICO Guidance
    • 3rd party cookies
    • “everyone has a part to play in making sure that the user is aware of what is being collected and by whom”
    • “a number of initiatives that seek to ensure that users are given more and better information about how their information might be used. These will no doubt adapt to achieve compliance with the new rule but we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device”
    • In other words, OBA initiative not currently compliant
  • Compliance: UK ICO Guidance
    • Phased approach to implementation of changes
    • Lead-in period of 12 months ending in May 2012 to allow organisations to develop ways of meeting cookie-related requirements
    • No enforcement action in this period against organisations working to address their use of cookies
    • BUT organisations are expected to take action before May 2012
    • Warnings can be issued in this period if no action taken
  • Compliance: Suggested actions
    • Check what cookies you use and for what purpose
      • Which cookies are strictly necessary
      • Clean up unnecessary or superseded cookies
    • Assess how intrusive your use of cookies is
      • The more intrusive, the greater the priority for change
      • Tracking cookies likely to fall into this category
    • Decide what the appropriate solutions to obtain consent are and have a realistic plan for compliance
    • Check Ts and Cs of Affiliate Agreements – require compliance with new privacy regs and indemnity for any loss suffered for breach
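The slides describe two mechanics without showing any code: the Do Not Track HTTP header that tells a site not to set tracking cookies, and the ICO's suggested actions (inventory every cookie and its purpose, separate the strictly necessary ones, rank the rest by intrusiveness, and set nothing non-essential before consent). The Python below is an added example, not code from the presentation, Burges Salmon or the ICO. It assumes a constructed cookie inventory, a consent record kept in a cookie named `cookie_consent`, a constructed intrusiveness scale, and constructed sample `Set-Cookie` headers; a `DNT: 1` request header is treated as a refusal.

```python
"""Consent gate and audit helper for Set-Cookie headers (added example).

Assumptions, all constructed for this example: the site keeps an inventory
mapping each cookie name to a declared purpose; the user's consent is
recorded in a cookie named "cookie_consent"; a "DNT: 1" request header is
treated as a refusal, as the Do Not Track slide describes.
"""
from http.cookies import SimpleCookie

# Constructed inventory: the first ICO step is to list every cookie and why it
# is set. Only "strictly-necessary" cookies may be set before consent.
COOKIE_INVENTORY = {
    "cookie_consent": "strictly-necessary",  # the consent record itself
    "sessionid": "strictly-necessary",       # login session
    "cart": "strictly-necessary",            # shopping cart (the ICO's example)
    "prefs": "preferences",                  # remembering preferences: not exempt
    "_ga": "analytics",                      # analytics: not exempt
    "aff_click": "affiliate-tracking",       # post-click attribution
    "aff_view": "affiliate-tracking",        # post-impression / post-view attribution
}

EXEMPT_PURPOSES = {"strictly-necessary"}

# Constructed intrusiveness scale used to prioritise changes (higher = more intrusive).
INTRUSIVENESS = {
    "strictly-necessary": 0,
    "preferences": 1,
    "analytics": 2,
    "affiliate-tracking": 3,
}
UNKNOWN_RANK = 99  # cookies with no declared purpose go to the top of the audit


def cookie_name(set_cookie_value: str) -> str:
    """Name part of a Set-Cookie value, e.g. 'sessionid=abc; Path=/' -> 'sessionid'."""
    return set_cookie_value.split("=", 1)[0].strip()


def has_consent(request_headers: dict) -> bool:
    """True only if the user has recorded consent and has not sent DNT: 1."""
    if request_headers.get("DNT", "").strip() == "1":
        return False
    jar = SimpleCookie()
    jar.load(request_headers.get("Cookie", ""))
    morsel = jar.get("cookie_consent")
    return morsel is not None and morsel.value == "yes"


def filter_set_cookie(request_headers: dict, set_cookie_headers: list) -> tuple:
    """Split outgoing Set-Cookie values into (allowed, withheld).

    Without consent only strictly necessary cookies pass; everything else,
    including cookies missing from the inventory, is withheld.
    """
    consented = has_consent(request_headers)
    allowed, withheld = [], []
    for value in set_cookie_headers:
        purpose = COOKIE_INVENTORY.get(cookie_name(value), "unknown")
        if purpose in EXEMPT_PURPOSES or consented:
            allowed.append(value)
        else:
            withheld.append(value)
    return allowed, withheld


def audit(set_cookie_headers: list) -> list:
    """Rank the cookies a page would set, most intrusive first.

    Returns (rank, name, purpose) tuples; cookies absent from the inventory
    come first so they are either classified or cleaned up.
    """
    rows = []
    for value in set_cookie_headers:
        name = cookie_name(value)
        purpose = COOKIE_INVENTORY.get(name, "unknown")
        rows.append((INTRUSIVENESS.get(purpose, UNKNOWN_RANK), name, purpose))
    return sorted(rows, reverse=True)


# Constructed Set-Cookie headers a page might emit on a first visit.
SAMPLE_SET_COOKIES = [
    "sessionid=s3cr3t; Path=/; Secure; HttpOnly",
    "cart=item42; Path=/; Secure",
    "_ga=GA1.2.123; Max-Age=63072000",
    "aff_click=c123; Max-Age=2592000",
    "legacy_tmp=1",  # not in the inventory: the audit flags it for clean-up
]

if __name__ == "__main__":
    for rank, name, purpose in audit(SAMPLE_SET_COOKIES):
        print(f"{rank:>3}  {name:<12} {purpose}")
    ok, held = filter_set_cookie({"DNT": "1"}, SAMPLE_SET_COOKIES)
    print("set:", [cookie_name(v) for v in ok], "withheld:", [cookie_name(v) for v in held])
```

Run as a script, the audit lists the unclassified `legacy_tmp` cookie first, then the affiliate and analytics cookies, with the session and cart cookies last; with `DNT: 1` and no consent record only `sessionid` and `cart` are set. Treating an unknown cookie as non-exempt is the safe default: a cookie nobody can account for is exactly the kind of "unnecessary or superseded" cookie the ICO wants removed.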
  • Compliance: Across the EU
    • Germany
      • Existing law already required prior notice and opt-in consent for tracking: enforcement now more active
    • Netherlands
      • Draft bill allows for opt-out consent
    • France
      • Draft ordinance requiring consent for any use of cookies: can be tacit or implied, eg through easily accessible notice
      • Web analytics considered exempt by CNIL
    • Finland
      • In line with UK approach
    • Belgium, Ireland, Poland, Spain
      • Legislation still in draft
  • Conclusion
    • Early days for the new regime
    • Clarification urgently needed on consent requirement harmonised across the EU
    • Browser technology/OBA approach may hold the key
    • BUT they need to develop further
    • 12-month grace period in the UK
    • In the meantime show you are taking steps to ensure you can comply by May 2012
      • Audit
      • Prioritise
      • Plan for compliance – empower users to make informed choices
  • This presentation gives general information only and is not intended to be an exhaustive statement of the law. Although we have taken care over the information, you should not rely on it as legal advice. We do not accept any liability to anyone who does rely on its content.