Post on 29-Nov-2014
Countdown to cookies
08.30am Registration & refreshments
09.00am Welcome from chair
Caroline Roberts, director of public affairs, DMA
09.05am DMA 10 step guidance
Simon McDougall, managing director, Promontory Financial Group
09.25am The Osborne Clarke perspective
Stephen Groom, head of marketing and privacy law, Osborne Clarke
09.45am Guidance for email marketing
Clare O’Brien, industry programmes consultant, IAB
09.55am Guidance for mobile marketing
Mark Brill, director, Formation
Jo Garcia, business development director, Traction Platform
10.05am Google’s perspective
Michael Todd, industry relations manager, Google
10.20am Q&A session
10.50am Closing comments from chair
#dmacookies
Welcome
Caroline Roberts, Head of Public Affairs, DMA
http://tolu.na/JVRREF
DMA 10 step guidance Simon McDougall, Promontory Financial Group
Countdown to cookies, 25 days to go!
Simon McDougall
Managing Director, Promontory
Introduction
25 days to go...
Covering
• A few key reminders
&
• A step-by-step guide
This is what the revised law requires
• a person shall not store or gain access to information
stored, in the terminal equipment of a subscriber or user
unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that
terminal equipment:
– (a) is provided with clear and comprehensive
information about the purposes of the storage of, or
access to, that information; and
– (b) has given his or her consent.
Those setting ‘cookies’ must
• tell people that the cookies are there,
• explain what the cookies are doing, and
• obtain their consent to store a cookie on their device.
Strictly necessary cookies are out of scope
• There is an exception to the requirement to provide
information about cookies and obtain consent where the
use of the cookie is:
– (a) for the sole purpose of carrying out the transmission of a
communication over an electronic communications network; or
– (b) where such storage or access is strictly necessary for the
provision of an information society service requested by the
subscriber or user.
• As are intranet sites purely targeted at your employees.
The ICO’s core advice remains consistent
“It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous
requirements in this area.”
1. Check what type of cookies and similar technologies you use and
how you use them.
2. Assess how intrusive your use of cookies is.
3. Decide what solution to obtain consent will be best in your
circumstances.
Step-by-step guide (to getting there)
1. Engage key stakeholders
2. Check what types of cookies you use
3. Assess the intrusiveness of your cookies
4. Decide how you will obtain consent
5. Develop and test your solution(s)
6. Update your Cookie policy and other relevant content
7. Communicate with third parties
8. Ensure relevant staff are fully aware
9. Define a maintenance / control process
10. Talk with and learn from others
1. Engage key stakeholders
• … and keep them informed throughout
• Key to implementing a compliant solution will be your IT
team / web managers
• But don’t forget other impacted teams:
– Legal & Compliance
– Help Desks
– Customer facing colleagues
– Marketing
– PR
• Allocate budget and resource
2. Check what type of cookies you use
• i.e. Audit your cookies (not forgetting about equivalent
technologies)
• Make sure you identify all your websites and other
places where cookies might be used (e.g. mobile apps)
• There are many third parties now providing cookie audit
services (as well as end-to-end solutions)
3. Assess the intrusiveness of the cookies
• Assess your cookies against an ‘intrusiveness scale’
(either your own or an industry standard such as the
ICC’s) and categorise each cookie e.g.:
– Strictly necessary
– Performance
– Functionality
– Targeting
• This is also a good opportunity to identify any cookies
that are no longer required
4. Decide how you will obtain consent
Language lessons!
• Pop-up boxes
• Splash pages
• Landing pages
• Homepage headers
• Banners
• Scrolling text
• Implied consent
• Tick boxes
• Terms & Conditions
(and I’m sure there are more!)
BT’s solution
• A One Time Message (OTM) is displayed the first time
you visit www.bt.com
• Acceptance to cookies is based on continuing to use the
website after this message has been displayed
Reddbridge Media
A reasonably similar approach at the beginning …
Reddbridge media
Slightly different in the mechanics …
5. Develop and test your solution(s)
• These requirements are new for everyone so make no
assumptions
• Before you launch be sure you test the end-to-end user
experience
• Don’t forget to include an assessment of the
‘understandability’ of the language you have used
• And after you go live keep alert for user feedback
6. Update your Cookie policy
…and other relevant content.
• Alongside your consent mechanism, you will need to provide access
to content which will explain:
– What cookies/ equivalent technologies are in use
– What they are doing
– How users can both provide and withdraw consent
• If appropriate use industry defined language / descriptions such as
the ICC’s
• Keep the profile of your site users in mind when updating your policy
e.g. do children use your site?
• If your changes are ‘work in progress’ then you might consider
updating your existing cookie policies to tell your customers that you
are getting ready.
BT’s solution
• The website uses an icon for each category of cookie
• And provides the functionality to set cookie preferences
by reference to the cookie categories
BT’s solution
• Hovering over each icon provides a brief overview of the
cookie category
• Clicking on Change cookie settings provides access to
more detailed information
• The site privacy policy contains an updated section on
cookies
7. Communicate with third parties
Think about your relevant third party relationships
– Are any third parties running websites on your behalf?
– Placing cookies on your behalf?
– Broadcasting emails on your behalf?
• What changes are they making in order to comply?
• Do you need additional contractual terms in place?
8. Ensure relevant staff are fully aware
• It’s essential that any staff who might be asked questions
about your solution are fully briefed and aware
• This could include, for example:
– Technical help desks,
– Public relations teams,
– Call centre staff
9. Define a maintenance / control process
• Remember the 26th May 2012 is the start not the end
date
• It is essential that you keep effective control of your
organisation’s use of cookies to ensure ongoing
compliance
10. Talk with and learn from others
• DMA
• ICO
• ICC
• Trade Associations
• Etc.
Thank you
Osborne Clarke perspective
Stephen Groom, Osborne Clarke
What has the Information
Commissioner's Office said so far?
Edited "highlights"
2 May 2012
Stephen Groom
Head of Marketing and Privacy Law
Osborne Clarke
marketinglaw.co.uk
osborneclarke.com
Sources
• "Guidance on the rules on use of cookies and similar
technologies" ICO Version 2 13 December 2011
• "The ICO's Dave Evans on EU cookie law compliance"
Graham Charlton, Econsultancy 24 April 2012
Consumer understanding and "implied consent"
• The level of consent required has to take into account the
degree of understanding and awareness of the person
being asked
• "Implied consent" must be based on a definite shared
understanding of what is going to happen
• At present general awareness of the functions and use of
cookies is simply not high enough for websites to look to
rely entirely in the first instance on implied consent
• If websites in medium to long term are transparent about
cookies and privacy, it will be easier to assume knowledge
Prior consent required?
• Setting cookies before users have had the opportunity to
look at the information provided and make a choice is
likely to lead to compliance problems
• Wherever possible the setting of cookies should be
delayed until users have had the opportunity to
understand what cookies are being used and choose
• Where this is not possible, websites should be able to
show they are doing as much as possible to reduce the
time before cookie info and options are provided
• Consider shortening cookie lifespan if users might make
a one off visit
The "strictly necessary" exception
• "Strictly necessary" means that the storage of or access to
information should be essential rather than reasonably
necessary or "important"
• Cookie must be essential to provide service requested
by the user, rather than what might be essential for any
other uses the service provider might want to make of the
data
• Cookies for analytics, first and third party advertising
or a tailored greeting on user's return to site are unlikely
to fall within the exception
Whose responsibility is it to comply?
• The Regulations do not define who is responsible
• The person setting the cookie is primarily responsible
for compliance
• Where third party cookies are set through a website,
both parties will be responsible
• Users are most likely to address complaints to the
company running the website
• Publishers, third party cookie providers, website
designers, email marketing service providers etc need to
allocate responsibility in their contracts and include
relevant warranties and indemnities
International issues
• An organisation based in UK likely to be subject to the
Regulations even if their website is technically hosted
overseas
• Organisations based outside Europe with websites
designed for the European market, or providing
products or services to customers in Europe….
• ..should consider that their users in the UK and Europe
will clearly expect information and choices about
cookies to be provided
Enforcement and penalties
• If someone says we're not doing anything about this,
then we may pay them more attention
• All our enforcement actions are likely to be in the form of
negotiations
• If people listen to our advice and are prepared to take
steps there shouldn't be a problem
• If we had an enforcement team dedicated to cookie law
abuse, people would rightly question our priorities
• Options: Information Notice, Undertaking, Enforcement
Notice, Monetary Penalty Notice <£500,000
Sum up
• ICO guidance on the cookie law to date has been criticised, but on the
whole..
• so far they have made a pretty good fist of a near impossible job.
• They can't be expected to provide instant solutions for all
scenarios and..
• although on some issues they have not been as clear as some would
like….
• you can be sure that their approach is clearer and more practical
and business-friendly than most other EU regulators!
• The December Guidance takes 30 minutes to read – check it out!
Any questions?
Stephen Groom
Head of Marketing & Privacy Law
T +44 (0) 207 105 7078
M +44 (0) 207 105 7078
stephen.groom@osborneclarke.com
www.marketinglaw.co.uk
Guidance for email marketing
Clare O’Brien, IAB
ePrivacy Directive and transparent
user communication for the email
industry
working towards compliance
A guide for transparency
Focusing on what data is collected,
how it’s collected and why it’s collected
Acknowledging consumer understanding
iabuk.net/contact
“Testing of respondents’ knowledge of internet
cookies confirmed their limited understanding:
Only for one out of sixteen internet cookies
related statements a majority of respondents
knew the correct answer with other
respondents either selecting the incorrect
answer or indicating that they did not know
the answer.”
Research into consumer understanding and management of
internet cookies and the potential impact of the EU Electronic
Communications Framework, DCMS, April 2011
6%
A resource for the email industry
Towards achieving consistent consumer
understanding of our businesses
•DMA and IAB work together to ensure
consistency of message across the industry
•Underlines the brand benefits of clear
communication
•A flexible framework
•Launches 9th May
Building trust through communication
Towards achieving consistent consumer
understanding of our businesses
•It’s a guide for marketers
•It encourages clear communication
•It addresses what consumers care about
•It will be refined as good practice develops
•It will contribute to widening consumer
understanding and therefore implicit consent
iabuk.net/contact
Thank you
clare@iabuk.net
020 7050 6963
Guidance for mobile marketing
Mark Brill, Formation
Jo Garcia, Traction
Breakfast Briefing: 2nd May 2012
MOBILE GUIDANCE ON PRIVACY AND
ELECTRONIC COMMUNICATIONS 2
Introducing ...
Jo Garcia
•Vice Chair, DMA Mobile Marketing Council
Business Development Director, Traction Platform
Implications of the regulations for mobile
Mark Brill
•Chair, DMA Mobile Marketing Council
CEO, Formation
•Putting it into practice
Confused by cookies?
60% know
what they
are
Public perceptions
89% have
heard of
cookies
72% believe mobile and
desktop cookies are
used in the same way
July 2011: Toluna QuickSurveys
Public perceptions
57% are
concerned
about internet
security
2/3rds of
mobile web
users are
concerned
about security
Public perceptions
36% have
opted out of
website
cookies
What about mobile?
It includes ...
•Mobile websites
•Apps
•Web apps
•Messaging
•QR codes and NFC
(in some circumstances)
The ICO position
• Review period until May 2012
• PC, mobile or tablet?
‘The Regulations do not make a distinction. We
consider the individual circumstances of any case
when we are looking at the possibility of formal
action.’
• Mobile tech solutions?
‘The DCMS are aware of the need to consider this
area (they’ve said it is on the agenda) but to date
they have not had direct discussions with mobile
specific developers.’
Key Principles for Mobile: the
most personal channel
• Be Open and Transparent
• Seek Permission – Opt-in Consent
• Personal nature of the mobile device
• Not a shared device
• Consider future activities and
opportunities
Don’t Panic
• Get opt-in consent
• Be transparent
• The ICO are sympathetic:
‘Our general approach is generally to seek
compliance informally without first resorting to
formal action. If we became aware of something
very serious we do have the option to take formal
action straight away but this would be unusual.’
COOKIES AND MOBILE
TECHNOLOGY CHANNELS
Mobile technology includes:
• Messaging
• Mobile websites
• Apps
• Web apps
• QR/NFC/Bluetooth
Messaging
• SMS and MMS
• Tracking not stored
on terminal device
• Take care with the
destination (e.g.
website or app)
Mobile websites
• Considered no different to desktop
websites
– Tablet sites as well
• Be careful of HTML5 and its offline
storage/database capability
– You will need permission if using this to
store anything pertaining to personal data,
including tracking
Mobile websites
• Cookies
management
options are fewer
• Don’t rely on
technology solutions
Some websites are doing it well …
on desktop sites
… but not on mobile
Apps
• Mobile apps can store
a considerable amount
of personal data
• Cookies Policy can be
made opt-in with first
opening
• Take care with legacy
apps – may require an
update
Other channels
• Bluetooth – not applicable, but take
care with destination
• QR – does not apply but take care with
URL tracking
• NFC – not fully implemented yet –
currently does not appear to be relevant
The compliance matrix
At the end of the day
• Mobile is a highly personal channel
• Consumers have high expectations in
both trust and user experience from
brands
• Understand these expectations and
meet them
We are the Mobile Marketing Council
• Jo Garcia
• Mark Brill
THANK YOU!
Google’s perspective
Michael Todd, Google
Q&A Session
Upcoming events
Client email marketing survey
Sponsored by Alchemy Worx
Thursday 17 May 2012, The King’s Fund
The DMA summer lunch- with Alastair Campbell
Sponsored by Mobile Marketing Group
Thursday 12 July 2012
Email customer lifecycle: List growth
Sponsored by Silverpop
Tuesday 22 May 2012
To see our full events listing please visit http://www.dma.org.uk/event-listing