B2B Marketing Conference 2011
Meeting the challenges of new ePrivacy laws
Stephen Groom
November 2011
osborneclarke.com
Agenda
• Quick context
• Cookie law update
• Impact on Online Behavioural Advertising (OBA)
• The UK's position (plus the latest from Europe)
• Practical steps
• Increased penalties and don't forget…..
• A quick look into the future
Quick context
• Data Protection Act 1998
• Privacy and Electronic Communications (EC Directive)
Regulations 2003
• Privacy and Electronic Communications (EC Directive)
(Amendment) Regulations 2011
• in force since 26 May 2011
Cookie confusion – Where are we, how did we get here and what on earth to do?
What are cookies?
• Text files, stored in the web browser on your computer and used by
websites to ‘recognise’ the computer
• Delivered when your web browser accesses an online service
• Each cookie is specific to both:
– a particular website that issues it; and
– a particular computer (or more specifically, the browser on a particular computer) that requests the content
• The same cookie is exchanged constantly as website content is
accessed, enabling the website to recognise a browser that has
previously visited the website
• See http://www.whatarecookies.com/ for more details
What is behavioural advertising?
Source: Federal Trade Commission Staff Report (February 2009):
"Self-Regulatory Principles For Online Behavioral Advertising"
"…online behavioral advertising means the
tracking of a consumer’s online activities over
time – including the searches the consumer has
conducted, the web pages visited, and the
content viewed – in order to deliver advertising
targeted to the individual consumer’s interests."
Common types of OBA
1. First party OBA (the Amazon approach)
• Publisher places cookies on its own website
• Collects behaviour information about interests and likes
• Uses information to target adverts on its own website only
2. Third party OBA (the AdSense approach)
• OBA provider tracks visitors to partnering websites
• Collects behaviour information about interests and likes
• Uses information to target adverts on other partnering websites
3. ISP traffic monitoring (the Phorm approach)
• OBA provider intercepts user data traffic passing through ISP
• Collects behaviour information about interests and likes
• Uses information to target adverts on partnering websites
[Figure: intrusiveness / risk spectrum, running from less intrusive and less risk to more intrusive and more risk]
OBA: What are the legal issues? - There's a lot more to think about than just the cookie laws
1. Consumer Protection from Unfair Trading Regulations 2008
• lack of disclosure could be an "unfair commercial practice"
• see OFT Market Study on Online Targeting of Advertising and Prices
2. Data Protection Act 1998
• does OBA data (e.g. IP addresses) qualify as "personal data"?
• if so, "fair and lawful processing" requirements apply e.g. enhanced notice
• if sensitive personal data is involved, explicit consent requirements
3. Privacy and Electronic Communications ("PEC") Regulations 2003 also regulate
• location data
• traffic data
• spam / SMS marketing
4. Which brings us to the saga of the EU's cookie rules…!
Cookie Law Development
• 2002: Directive on Privacy + Electronic Communications ("PEC") includes specific tracking technology provisions
• 2003: PEC Regulations confirm opt out obligation where technology used to store or access information on terminal equipment.
• Late 2009: EC surprisingly amends PEC Directive to require user consent to tracking technology. Deadline for member state implementation May 2011
• 2010: Article 29 Working Party opine that prior opt in consent a requirement before cookies used in OBA
• May 2011: UK implements PEC amendment Regulations requiring user to have given consent but allowing for browser settings to be used to do so.
• May 2012: UK deadline for compliance with new cookie law.
Cue furious lobbying by internet advertising industry
Snapshot: Who has implemented?
Snapshot: Opt in/out patchwork
Cookie highway code chaos - The UK position
Unless strictly necessary for service provision… placement of cookies on a device… requires user consent to have been obtained
• Any device and any technology - PCs, laptops, mobile devices, smart meters…
• Browser setting exception
• Active consent
• Timing
• PEC fines – £0.5m max
• ICO interpretation of strictly necessary likely to be narrower than commercial teams
The "Industry" Response
• Self regulatory initiative to try to ward off explicit opt in
• A broad coalition inc. IAB, EASA, DMA and ISBA. Signed by 90+ leading stakeholders
• All agree to adhere to a 6 Principle "Framework"
• Receivers of behaviourally targeted and retargeted ads alerted by a "uniform pictogram" or "icon"
• When clicked on it gives info re: what OBA is, how it works and how Your Online Choices site can be used to opt out
• Not yet expressly approved by ICO or EC
ICO's Position
• "We remain to be convinced that [the use of privacy i symbol] amounts to consent" – David Smith, Deputy IC 22/9/11
• Moratorium on enforcement until May 2012
• But only if you're seen to be considering your approach
"If ICO were to receive a complaint about a website, we would expect an organisation's response to set out how they have considered [the new rules] and that they have a realistic plan to achieve compliance"
"You cannot ignore these new rules"
So what should businesses be doing now?
• Audit use of cookies
• Cookies necessary for the provision of requested services
– Probably OK to continue but provide clear information e.g. why cookies essential for security in context of online banking services
• Useful but intrusive cookies
– e.g. third party behavioural cookies
– ICO: "the most challenging area". Browser settings will not provide a solution as yet
• Do everything you can to get right info to users and allow them to make informed choices
So what should businesses be doing now?
• Set up a cross-functional task force (IT/digital, Legal, Compliance, PR, Marketing) to devise an action plan and…
• Inform and educate internally
• Ensure customer facing staff know what to say in reply to customer queries
• Make easy and immediate changes e.g. add an update to your privacy policy such as:
"With regard to the new requirements on cookies after the revision of the e-Privacy Directive, we are working towards implementing the new requirements in line with official guidance"
More ICO suggestions as to what businesses should be doing now
• "Feature-led consent"
– Cookies used when the user chooses a particular feature, such as watching a video clip. If the user is taking action to agree to the functionality being "switched on", then, provided it is made clear that "certain things will happen" by choosing to take a particular action, this can be interpreted as consent.
• Functional/"first party" uses
– Analytical/behavioural cookies collecting info about how people access and use the site. Make disclosures about this more prominent, e.g. place highlighted text in the web page footer or header, or text which turns into scrolling text when you want to set a cookie. This could prompt the user to read further info, e.g. via the site privacy pages, and make available choices
New cookie laws - unanswered questions
• Marketing emails that drop cookies
Clearly caught by the new PEC Regs but no DCMS or
ICO Guidance currently deals
• International issues
Increased penalties and don't forget…
• In serious cases a fine of up to £500,000 for …
• A breach of any provision of the Privacy and Electronic Communications Regulations including:
– opt in rules for email and text marketing
– do not call telemarketing rules
– opt in rules for use of location data for marketing
– opt in rules for sending pre-recorded marketing messages by automated calling systems
• Don’t forget Reg 7 of the Ecommerce Regs 2002
In 12 Months Everything Will Look Different
• EC likely to announce revisions in Q1 2012
• Directive or Regulation?
• Possible changes
– Accountability
– Data Protection Officer requirement?
– Privacy by design
– Data breach notification (currently only: Fin Services + Telecoms plus random territories for specific classes of data)
– Data portability
– Right to be forgotten
– Data transfers made easier? Safe harbor approach
– Notifications and other bureaucracy to be scrapped?
New regulator powers?
"You know that ICO is not the Gestapo.
Yet I don't have statutory powers to carry out audits in
those sectors causing me the most concern.
Something is clearly wrong when the regulator has to
ask permission from the organisation causing us
concern before we can audit their data protection
practices"
Christopher Graham, Information Commissioner
October 2011, at a Privacy Law & Business conference
• Currently ICO only has audit powers over public sector organisations
• But it can suggest to a private company that an audit might be a good idea
– in lieu of immediate enforcement (e.g. Google)
Useful source materials
• www.marketinglaw.co.uk
• ICO's Personal Information Online Code of Conduct
• IAB Europe "European Self-Regulation for Online
Behavioural Advertising"
• DCMS paper "Implementing the revised EU Electronic
Communications Framework"
• ICO: "Changes to the rules on using cookies and
similar technologies for storing information"
Any questions?
Stephen Groom
Head of Marketing & Privacy Law
Osborne Clarke London
T +44 (0) 207 105 7078
M +44 (0) 207 105 7079
www.marketinglaw.co.uk