Meeting the challenges of new ePrivacy laws


Since it became part of UK law in May 2011, the EU "ePrivacy" Directive 2009/136/EC has caused shockwaves across the digital marketing community. What are the key points in the new laws for B2B marketers? Do they cover more than just cookies? Is it possible to make sense of what the regulators are saying about how to comply? And what strategies should marketers be deploying to stay out of the courts? Get the answers to these and other important questions during this session.


  1. B2B Marketing Conference 2011: Meeting the challenges of new ePrivacy laws. Stephen Groom, November 2011
  2. osborneclarke.com Agenda
     • Quick context
     • Cookie law update
       • Impact on Online Behavioural Advertising (OBA)
       • The UK's position (plus the latest from Europe)
       • Practical steps
     • Increased penalties and don't forget…..
     • A quick look into the future
  3. Quick context
     • Data Protection Act 1998
     • Privacy and Electronic Communications (EC Directive) Regulations 2003
     • Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
     • in force since 26 May 2011
  4. Cookie confusion – Where are we, how did we get here and what on earth to do?
  5. What are cookies?
     • Text files, stored in the web browser on your computer and used by websites to ‘recognise’ the computer
     • Delivered when your web browser accesses an online service
     • Each cookie is specific to both:
       • a particular website that issues it; and
       • a particular computer (or more specifically, the browser on a particular computer) that requests the content
     • The same cookie is exchanged constantly as website content is accessed, enabling the website to recognise a browser that has previously visited the website
     • See for more details
  6. What is behavioural advertising?
     "…online behavioral advertising means the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests."
     Source: Federal Trade Commission Staff Report (February 2009): "Self-Regulatory Principles For Online Behavioral Advertising"
  7. Common types of OBA
     Intrusiveness / risk spectrum: less intrusive, less risk (first party OBA) through to more intrusive, more risk (ISP traffic monitoring)
     1. First party OBA (the Amazon approach)
       • Publisher places cookies on its own website
       • Collects behaviour information about interests and likes
       • Uses information to target adverts on its own website only
     2. Third party OBA (the AdSense approach)
       • OBA provider tracks visitors to partnering websites
       • Collects behaviour information about interests and likes
       • Uses information to target adverts on other partnering websites
     3. ISP traffic monitoring (the Phorm approach)
       • OBA provider intercepts user data traffic passing through ISP
       • Collects behaviour information about interests and likes
       • Uses information to target adverts on partnering websites
  8. OBA: What are the legal issues? There's a lot more to think about than just the cookie laws
     1. Consumer Protection from Unfair Trading Regulations 2008
       • lack of disclosure could be an "unfair commercial practice"
       • see OFT Market Study on Online Targeting of Advertising and Prices
     2. Data Protection Act 1998
       • does OBA data (e.g. IP addresses) qualify as "personal data"?
       • if so, "fair and lawful processing" requirements apply, e.g. enhanced notice
       • if sensitive personal data is involved, explicit consent requirements
     3. Privacy and Electronic Communications ("PEC") Regulations 2003 also regulate
       • location data
       • traffic data
       • spam / SMS marketing
     4. Which brings us to the saga of the EU's cookie rules…!
  9. Cookie Law Development
     • 2002: Directive on Privacy + Electronic Communications ("PEC") includes specific tracking technology provisions
     • 2003: PEC Regulations confirm opt out obligation where technology used to store or access information on terminal equipment.
     • Late 2009: EC surprisingly amends PEC Directive to require user consent to tracking technology. Deadline for member state implementation May 2011
     • Cue furious lobbying by internet advertising industry
     • 2010: Article 29 Working Party opine that prior opt in consent a requirement before cookies used in OBA
     • May 2011: UK implements PEC amendment Regulations requiring user to have given consent but allowing for browser settings to be used to do so.
     • May 2012: UK deadline for compliance with new cookie law.
  10. Snapshot: Who has implemented?
  11. Snapshot: Opt in/out patchwork
  12. Cookie highway code chaos - The UK position
     Unless strictly necessary for service provision….
       • ICO interpretation of strictly necessary exception likely to be narrower than commercial teams
     placement of cookies on a device .....
       • Any device and any technology - PCs, laptops, mobile devices, smart meters……
     requires user consent to have been obtained
       • Browser setting
       • Active consent
       • Timing
       • PEC fines – £0.5m max
  13. The "Industry Response"
     • Self regulatory initiative to try to ward off explicit opt in
     • A broad coalition inc. IAB, EASA, DMA and ISBA. Signed by 90+ leading stakeholders
     • All agree to adhere to a 6 Principle "Framework"
     • Receivers of behaviourally targeted and retargeted ads alerted by a "uniform pictogram" or "icon"
     • When clicked on it gives info re: what OBA is, how it works and how Your Online Choices site can be used to opt out
     • Not yet expressly approved by ICO or EC
  14. ICO's Position
     • "We remain to be convinced that [the use of privacy i symbol] amounts to consent" – David Smith, Deputy IC 22/9/11
     • Moratorium on enforcement until May 2012
     • But only if you're seen to be considering your approach
     "If ICO were to receive a complaint about a website, we would expect an organisation's response to set out how they have considered [the new rules] and that they have a realistic plan to achieve compliance"
     "You cannot ignore these new rules"
  15. So what should businesses be doing now?
     • Audit use of cookies
     • Cookies necessary for the provision of requested services
       • Probably OK to continue but provide clear information, e.g. why cookies essential for security in context of online banking services
     • Useful but intrusive cookies
       • e.g. third party behavioural cookies
       • ICO: "the most challenging area". Browser settings will not provide a solution as yet
       • Do everything you can to get right info to users and allow them to make informed choices
  16. So what should businesses be doing now?
     • Set up a cross-functional task force (IT/digital, Legal, Compliance, PR, Marketing) to devise an action plan and….
     • Inform and educate internally
     • Ensure customer facing staff know what to say in reply to customer queries
     • Make easy and immediate changes, e.g. add an update to your privacy policy such as: "With regard to the new requirements on cookies after the revision of the e-Privacy Directive, we are working towards implementing the new requirements in line with official guidance"
  17. More ICO suggestions as to what businesses should be doing now
     • "Feature-led consent": cookies used when user chooses a particular feature such as watching a video clip. If user is taking action to agree to the functionality being "switched on", provided it is made clear that "certain things will happen" by choosing to take a particular action then this can be interpreted as consent.
     • Functional/"first party" uses: analytical/behavioural cookie collecting info about how people access and use the site. Make disclosures about this more prominent, e.g. place highlighted text in web page footer or header or which turns into scrolling text when you want to set a cookie. This could prompt the user to read further info, e.g. via the site privacy pages, and make available choices
  18. New cookie laws - unanswered questions
     • Marketing emails that drop cookies: Clearly caught by the new PEC Regs but no DCMS or ICO Guidance currently deals
     • International issues
  19. Increased penalties and don't forget…
     • In serious cases a fine of up to £500,000 for …
     • A breach of any provision of the Privacy and Electronic Communications Regulations including:
       – opt in rules for email and text marketing
       – do not call telemarketing rules
       – opt in rules for use of location data for marketing
       – opt in rules for sending pre-recorded marketing messages by automated calling systems
     • Don’t forget Reg 7 of the Ecommerce Regs 2002
  20. In 12 Months Everything Will Look Different
     • EC likely to announce revisions in Q1 2012
     • Directive or Regulation?
     • Possible changes
       • Accountability
       • Data Protection Officer requirement?
       • Privacy by design
       • Data breach notification
         • Currently only: Fin Services + Telecoms plus random territories for specific classes of data
       • Data portability
       • Right to be forgotten
       • Data transfers made easier? Safe harbor approach
       • Notifications and other bureaucracy to be scrapped?
  21. New regulator powers?
     • Currently ICO only has audit powers over public sector organisations
     • But it can suggest to a private company that an audit might be a good idea
       • in lieu of immediate enforcement (e.g. Google)
     "You know that ICO is not the Gestapo. Yet I don't have statutory powers to carry out audits in those sectors causing me the most concern. Something is clearly wrong when the regulator has to ask permission from the organisation causing us concern before we can audit their data protection practices"
     Christopher Graham, Information Commissioner, October 2011, at a Privacy Law & Business conference
  22. Useful source materials
     • ICO's Personal Information Online Code of Conduct
     • IAB Europe "European Self-Regulation for Online Behavioural Advertising"
     • DCMS paper "Implementing the revised EU Electronic Communications Framework"
     • ICO: "Changes to the rules on using cookies and similar technologies for storing information"
  23. Any questions?
     Stephen Groom, Head of Marketing & Privacy Law, Osborne Clarke London
     T +44 (0) 207 105 7078
     M +44 (0) 207 105 7079