
DMA Cookies update


Published in: Technology

  1. Countdown to cookies
     08.30am Registration & refreshments
     09.00am Welcome from chair: Caroline Roberts, director of public affairs, DMA
     09.05am DMA 10 step guidance: Simon McDougall, managing director, Promontory Financial Group
     09.25am The Osborne Clarke perspective: Stephen Groom, head of marketing and privacy law, Osborne Clarke
     09.45am Guidance for email marketing: Clare O’Brien, industry programmes consultant, IAB
     09.55am Guidance for mobile marketing: Mark Brill, director, Formation; Jo Garcia, business development director, Traction Platform
     10.05am Google’s perspective: Michael Todd, industry relations manager, Google
     10.20am Q&A session
     10.50am Closing comments from chair
     #dmacookies
  2. Welcome
     Caroline Roberts, Head of Public Affairs, DMA #dmacookies
  3. DMA 10 step guidance
     Simon McDougall, Promontory Financial Group #dmacookies
  4. Countdown to cookies, 25 days to go!
     Simon McDougall, Managing Director, Promontory
     Washington, Atlanta, New York, San Francisco, Dubai, London, Milan, Paris, Singapore, Sydney, Tokyo, Toronto
  5. Introduction
     25 days to go...
  6. Covering
     • A few key reminders &
     • A step-by-step guide
  7. This is what the revised law requires
     • a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
     (2) The requirements are that the subscriber or user of that terminal equipment:
       – (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
       – (b) has given his or her consent.
  8. Those setting ‘cookies’ must
     • tell people that the cookies are there,
     • explain what the cookies are doing, and
     • obtain their consent to store a cookie on their device.
  9. Strictly necessary cookies are out of scope
     • There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
       – (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
       – (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
     • As are intranet sites purely targeted at your employees.
  10. The ICO’s core advice remains consistent
      “It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous requirements in this area.”
      1. Check what type of cookies and similar technologies you use and how you use them.
      2. Assess how intrusive your use of cookies is.
      3. Decide what solution to obtain consent will be best in your circumstances.
  11. Step-by-step guide (to getting there)
      1. Engage key stakeholders
      2. Check what types of cookies you use
      3. Assess the intrusiveness of your cookies
      4. Decide how you will obtain consent
      5. Develop and test your solution(s)
      6. Update your Cookie policy and other relevant content
      7. Communicate with third parties
      8. Ensure relevant staff are fully aware
      9. Define a maintenance / control process
      10. Talk with and learn from others
  12. 1. Engage key stakeholders
      • … and keep them informed throughout
      • Key to implementing a compliant solution will be your IT team / web managers
      • But don’t forget other impacted teams:
        – Legal & Compliance
        – Help Desks
        – Customer facing colleagues
        – Marketing
        – PR
      • Allocate budget and resource
  13. 2. Check what type of cookies you use
      • i.e. audit your cookies (not forgetting about equivalent technologies)
      • Make sure you identify all your websites and other places where cookies might be used (e.g. mobile apps)
      • There are many third parties now providing cookie audit services (as well as end-to-end solutions)
  14. 3. Assess the intrusiveness of the cookies
      • Assess your cookies against an ‘intrusiveness scale’ (either your own or an industry standard such as the ICC’s) and categorise each cookie, e.g.:
        – Strictly necessary
        – Performance
        – Functionality
        – Targeting
      • This is also a good opportunity to identify any cookies that are no longer required
  15. 4. Decide how you will obtain consent
      Language lessons!
      • Pop-up boxes
      • Splash pages
      • Landing pages
      • Homepage headers
      • Banners
      • Scrolling text
      • Implied consent
      • Tick boxes
      • Terms & Conditions
      (and I’m sure there are more!)
  16. BT’s solution
      • A One Time Message (OTM) is displayed the first time you visit
      • Acceptance of cookies is based on continuing to use the website after this message has been displayed
  17. Reddbridge Media
      A reasonably similar approach at the beginning …
  18. Reddbridge Media
      Slightly different in the mechanics …
  19. 5. Develop and test your solution(s)
      • These requirements are new for everyone, so make no assumptions
      • Before you launch, be sure you test the end-to-end user experience
      • Don’t forget to include an assessment of the ‘understandability’ of the language you have used
      • And after you go live, keep alert for user feedback
  20. 6. Update your Cookie policy
      …and other relevant content.
      • Alongside your consent mechanism, you will need to provide access to content which will explain:
        – What cookies / equivalent technologies are in use
        – What they are doing
        – How users can both provide and withdraw consent
      • If appropriate use industry defined language / descriptions such as the ICC’s
      • Keep the profile of your site users in mind when updating your policy e.g. do children use your site?
      • If your changes are ‘work in progress’ then you might consider updating your existing cookie policies to tell your customers that you are getting ready.
  21. BT’s solution
      • The website uses an icon for each category of cookie
      • And provides the functionality to set cookie preferences by reference to the cookie categories
  22. BT’s solution
      • Hovering over each icon provides a brief overview of the cookie category
      • Clicking on Change cookie settings provides access to more detailed information
      • The site privacy policy contains an updated section on cookies
  23. 7. Communicate with third parties
      Think about your relevant third party relationships
        – Are any third parties running websites on your behalf?
        – Placing cookies on your behalf?
        – Broadcasting emails on your behalf?
      • What changes are they making in order to comply?
      • Do you need additional contractual terms in place?
  24. 8. Ensure relevant staff are fully aware
      • It’s essential that any staff who might be asked questions about your solution are fully briefed and aware
      • This could include, for example:
        – Technical help desks,
        – Public relations teams,
        – Call centre staff
  25. 9. Define a maintenance / control process
      • Remember the 26th May 2012 is the start not the end date
      • It is essential that you keep effective control of your organisation’s use of cookies to ensure ongoing compliance
  26. 10. Talk with and learn from others
      • DMA
      • ICO
      • ICC
      • Trade Associations
      • Etc.
  27. Thank you
  28. Osborne Clarke perspective
      Stephen Groom, Osborne Clarke #dmacookies
  29. What has the Information Commissioner’s Office said so far?
      Edited "highlights"
      2 May 2012
      Stephen Groom
      Head of Marketing and Privacy Law
      Osborne
  30. osborneclarke.com
      Sources
      • "Guidance on the rules on use of cookies and similar technologies", ICO, Version 2, 13 December 2011
      • "The ICO’s Dave Evans on EU cookie law compliance", Graham Charlton, Econsultancy, 24 April 2012
  31. Consumer understanding and "implied consent"
      • The level of consent required has to take into account the degree of understanding and awareness of the person being asked
      • "Implied consent" must be based on a definite shared understanding of what is going to happen
      • At present general awareness of the functions and use of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent
      • If websites in the medium to long term are transparent about cookies and privacy, it will be easier to assume knowledge
  32. Prior consent required?
      • Setting cookies before users have had the opportunity to look at the information provided and make a choice is likely to lead to compliance problems
      • Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and choose
      • Where this is not possible, websites should be able to show they are doing as much as possible to reduce the time before cookie info and options are provided
      • Consider shortening cookie lifespan if users might make a one-off visit
  33. The "strictly necessary" exception
      • "Strictly necessary" means that the storage of or access to information should be essential rather than reasonably necessary or "important"
      • Cookie must be essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might want to make of the data
      • Cookies for analytics, first and third party advertising or a tailored greeting on a user’s return to the site are unlikely to fall within the exception
  34. Whose responsibility is it to comply?
      • The Regulations do not define who is responsible
      • The person setting the cookie is primarily responsible for compliance
      • Where third party cookies are set through a website, both parties will be responsible
      • Users are most likely to address complaints to the company running the website
      • Publishers, third party cookie providers, website designers, email marketing service providers etc. need to allocate responsibility in their contracts and include relevant warranties and indemnities
  35. International issues
      • An organisation based in the UK is likely to be subject to the Regulations even if their website is technically hosted overseas
      • Organisations based outside Europe with websites designed for the European market, or providing products or services to customers in Europe…
      • …should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided
  36. Enforcement and penalties
      • If someone says we’re not doing anything about this, then we may pay them more attention
      • All our enforcement actions are likely to be in the form of negotiations
      • If people listen to our advice and are prepared to take steps there shouldn’t be a problem
      • If we had an enforcement team dedicated to cookie law abuse, people would rightly question our priorities
      • Options: Information Notice, Undertaking, Enforcement Notice, Monetary Penalty Notice <£500,000
  37. Sum up
      • ICO guidance on the cookie law to date has been criticised, but on the whole…
      • so far they have made a pretty good fist of a near impossible job.
      • They can’t be expected to provide instant solutions for all scenarios and…
      • although on some issues they have not been as clear as some would like…
      • you can be sure that their approach is clearer and more practical and business-friendly than most other EU regulators!
      • The December Guidance takes 30 minutes to read – check it out!
  38. Any questions?
      Stephen Groom
      Head of Marketing & Privacy Law
      T +44 (0) 207 105 7078
      M +44 (0) 207 105
  39. What has the Information Commissioner’s Office said so far?
      Edited "highlights"
      2 May 2012
      Stephen Groom
      Head of Marketing and Privacy Law
      Osborne
  40. Guidance for email marketing
      Clare O’Brien, IAB #dmacookies
  41. ePrivacy Directive and transparent user communication for the email industry
      working towards compliancy
  42. A guide for transparency
      Focusing on what data is collected, how it’s collected and why it’s collected
  43. Acknowledging consumer understanding
      “Testing of respondents’ knowledge of internet cookies confirmed their limited understanding: Only for one out of sixteen internet cookies related statements a majority of respondents knew the correct answer with other respondents either selecting the incorrect answer or indicating that they did not know the answer.”
      6%
      Research into consumer understanding and management of internet cookies and the potential impact of the EU Electronic Communications Framework, DCMS, April
  44. A resource for the email industry
      Towards achieving consistent consumer understanding of our businesses
      • DMA and IAB work together to ensure consistency of message across the industry
      • Underlines the brand benefits of clear communication
      • A flexible framework
      • Launches 9th May
  45. Building trust through communication
      Towards achieving consistent consumer understanding of our businesses
      • It’s a guide for marketers
      • It encourages clear communication
      • It addresses what consumers care about
      • It will be refined as good practice develops
      • It will contribute to widening consumer understanding and therefore implicit consent
  46. Thank you 020 7050
  47. Guidance for mobile marketing
      Mark Brill, Formation
      Jo Garcia, Traction #dmacookies
  49. Introducing ...
      Jo Garcia
      • Vice Chair, DMA Mobile Marketing Council
      • Business Development Director, Traction Platform
      • Implications of the regulations for mobile
      Mark Brill
      • Chair, DMA Mobile Marketing Council
      • CEO, Formation
      • Putting it into practice
  50. Confused by cookies?
  51. Public perceptions
      • 89% have heard of cookies
      • 60% know what they are
      • 72% believe mobile and desktop cookies are used in the same way
      July 2011: Toluna QuickSurveys
  52. Public perceptions
      • 57% are concerned about internet security
      • 2/3rds of mobile web users are concerned about security
  53. Public perceptions
      • 36% have opted out of website cookies
  54. What about mobile?
      It includes ...
      • Mobile websites
      • Apps
      • Web apps
      • Messaging
      • QR codes and NFC (in some circumstances)
  55. The ICO position
      • Review period until May 2012
      • PC, mobile or tablet? ‘The Regulations do not make a distinction. We consider the individual circumstances of any case when we are looking at the possibility of formal action.’
      • Mobile tech solutions? ‘The DCMS are aware of the need to consider this area (they’ve said it is on the agenda) but to date they have not had direct discussions with mobile specific developers.’
  56. Key Principles for Mobile: the most personal channel
      • Be Open and Transparent
      • Seek Permission – Opt-in Consent
      • Personal nature of the mobile device
      • Not a shared device
      • Consider future activities and opportunities
  57. Don’t Panic
      • Get opt-in consent
      • Be transparent
      • The ICO are sympathetic: ‘Our general approach is generally to seek compliance informally without first resorting to formal action. If we became aware of something very serious we do have the option to take formal action straight away but this would be unusual.’
  59. Mobile technology includes:
      • Messaging
      • Mobile websites
      • Apps
      • Web apps
      • QR/NFC/Bluetooth
  60. Messaging
      • SMS and MMS
      • Tracking not stored on terminal device
      • Take care with the destination (e.g. website or app)
  61. Mobile websites
      • Considered no different to desktop websites
        – Tablet sites as well
      • Be careful of HTML5 and its offline storage/database capability
        – You will need permission if using this to store anything pertaining to personal data, including tracking
  62. Mobile websites
      • Cookie management options are fewer
      • Don’t rely on technology solutions
  63. Some websites are doing it well … on desktop sites
  64. … but not on mobile
  65. Apps
      • Mobile apps can store a considerable amount of personal data
      • Cookies Policy can be made opt-in with first opening
      • Take care with legacy apps – may require an update
  66. Other channels
      • Bluetooth – not applicable, but take care with destination
      • QR – does not apply but take care with URL tracking
      • NFC – not fully implemented yet – currently does not appear to be relevant
  67. The compliance matrix
  68. At the end of the day
      • Mobile is a highly personal channel
      • Consumers have high expectations in both trust and user experience from brands
      • Understand these expectations and meet them
  69. We are the Mobile Marketing Council
      • Jo Garcia
      • Mark Brill
      THANK YOU!
  70. Google’s perspective
      Michael Todd, Google #dmacookies
  71. Q&A Session #dmacookies
  72. Upcoming events
      • Client email marketing survey
        Sponsored by Alchemy Worx
        Thursday 17 May 2012, The King’s Fund
      • The DMA summer lunch - with Alastair Campbell
        Sponsored by Mobile Marketing Group
        Thursday 12 July 2012
      • Email customer lifecycle: List growth
        Sponsored by Silverpop
        Tuesday 22 May 2012
      To see our full events listing please visit