Meeting the challenges of new Eprivacy laws


Transcript of Meeting the challenges of new Eprivacy laws

Page 1: Meeting the challenges of new Eprivacy laws

B2B Marketing Conference 2011

Meeting the challenges of new ePrivacy laws

Stephen Groom

November 2011

Page 2: Meeting the challenges of new Eprivacy laws

osborneclarke.com

1

Agenda

• Quick context

• Cookie law update

• Impact on Online Behavioural Advertising (OBA)

• The UK's position (plus the latest from Europe)

• Practical steps

• Increased penalties and don't forget…..

• A quick look into the future

Page 3: Meeting the challenges of new Eprivacy laws


Quick context

• Data Protection Act 1998

• Privacy and Electronic Communications (EC Directive) Regulations 2003

• Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011

• in force since 26 May 2011

Page 4: Meeting the challenges of new Eprivacy laws

Cookie confusion – Where are we, how did we get here and what on earth to do?

Page 5: Meeting the challenges of new Eprivacy laws


What are cookies?

• Text files, stored in the web browser on your computer and used by websites to ‘recognise’ the computer

• Delivered when your web browser accesses an online service

• Each cookie is specific to both:

  • a particular website that issues it; and

  • a particular computer (or more specifically, the browser on a particular computer) that requests the content

• The same cookie is exchanged constantly as website content is accessed, enabling the website to recognise a browser that has previously visited the website

• See http://www.whatarecookies.com/ for more details

Page 6: Meeting the challenges of new Eprivacy laws


What is behavioural advertising?

Source: Federal Trade Commission Staff Report (February 2009):

"Self-Regulatory Principles For Online Behavioral Advertising"

"…online behavioral advertising means the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests."

Page 7: Meeting the challenges of new Eprivacy laws


Common types of OBA

1. First party OBA (the Amazon approach)

  • Publisher places cookies on its own website

  • Collects behaviour information about interests and likes

  • Uses information to target adverts on its own website only

2. Third party OBA (the AdSense approach)

  • OBA provider tracks visitors to partnering websites

  • Collects behaviour information about interests and likes

  • Uses information to target adverts on other partnering websites

3. ISP traffic monitoring (the Phorm approach)

  • OBA provider intercepts user data traffic passing through the ISP

  • Collects behaviour information about interests and likes

  • Uses information to target adverts on partnering websites

[Diagram: intrusiveness / risk spectrum, running from less intrusive / less risk to more intrusive / more risk across the three types above]

Page 8: Meeting the challenges of new Eprivacy laws


OBA: What are the legal issues? - There's a lot more to think about than just the cookie laws

1. Consumer Protection from Unfair Trading Regulations 2008

  • lack of disclosure could be an "unfair commercial practice"

  • see OFT Market Study on Online Targeting of Advertising and Prices

2. Data Protection Act 1998

  • does OBA data (e.g. IP addresses) qualify as "personal data"?

  • if so, "fair and lawful processing" requirements apply, e.g. enhanced notice

  • if sensitive personal data is involved, explicit consent requirements

3. Privacy and Electronic Communications ("PEC") Regulations 2003 also regulate

  • location data

  • traffic data

  • spam / SMS marketing

4. Which brings us to the saga of the EU's cookie rules…!

Page 9: Meeting the challenges of new Eprivacy laws


Cookie Law Development

• 2002: Directive on Privacy + Electronic Communications ("PEC") includes specific tracking technology provisions

• 2003: PEC Regulations confirm opt out obligation where technology used to store or access information on terminal equipment

• Late 2009: EC surprisingly amends PEC Directive to require user consent to tracking technology. Deadline for member state implementation May 2011

• 2010: Article 29 Working Party opine that prior opt in consent a requirement before cookies used in OBA

• May 2011: UK implements PEC amendment Regulations requiring user to have given consent but allowing for browser settings to be used to do so

• May 2012: UK deadline for compliance with new cookie law

Cue furious lobbying by internet advertising industry

Page 10: Meeting the challenges of new Eprivacy laws


Snapshot: Who has implemented?

Page 11: Meeting the challenges of new Eprivacy laws


Snapshot: Opt in/out patchwork

Page 12: Meeting the challenges of new Eprivacy laws


Cookie highway code chaos - The UK position

Placement of cookies on a device requires user consent to have been obtained, unless strictly necessary for service provision.

• Any device and any technology - PCs, laptops, mobile devices, smart meters……

• Browser setting exception

• Active consent

• Timing

• PEC fines – £0.5m max

• ICO interpretation of strictly necessary likely to be narrower than commercial teams'

Page 13: Meeting the challenges of new Eprivacy laws


The "Industry Response"

• Self regulatory initiative to try to ward off explicit opt in

• A broad coalition inc. IAB, EASA, DMA and ISBA. Signed by 90+ leading stakeholders

• All agree to adhere to a 6 Principle "Framework"

• Receivers of behaviourally targeted and retargeted ads alerted by a "uniform pictogram" or "icon"

• When clicked on it gives info re: what OBA is, how it works and how Your Online Choices site can be used to opt out

• Not yet expressly approved by ICO or EC

Page 14: Meeting the challenges of new Eprivacy laws


ICO's Position

• "We remain to be convinced that [the use of privacy i symbol] amounts to consent" – David Smith, Deputy IC 22/9/11

• Moratorium on enforcement until May 2012

• But only if you're seen to be considering your approach

"If ICO were to receive a complaint about a website, we would expect an organisation's response to set out how they have considered [the new rules] and that they have a realistic plan to achieve compliance"

"You cannot ignore these new rules"

Page 15: Meeting the challenges of new Eprivacy laws


So what should businesses be doing now?

• Audit use of cookies

• Cookies necessary for the provision of requested services

  • Probably OK to continue but provide clear information, e.g. why cookies are essential for security in the context of online banking services

• Useful but intrusive cookies

  • e.g. third party behavioural cookies

  • ICO: "the most challenging area". Browser settings will not provide a solution as yet

• Do everything you can to get the right info to users and allow them to make informed choices
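A first pass at the cookie audit described above, as an added example that is not part of the talk: it takes Set-Cookie headers observed while a page loads and buckets each cookie into the two groups the slide distinguishes, strictly necessary (exempt) and everything else (requires consent), flagging third-party and persistent cookies along the way. The site domain, the allowlist and the sample headers are all constructed for the example.

```python
from dataclasses import dataclass
SITE_DOMAIN = "example.com"  # assumed first-party domain of the audited site
STRICTLY_NECESSARY = {"sessionid", "csrftoken"}  # constructed allowlist

# Constructed sample: (host that set the cookie, Set-Cookie header value)
OBSERVED = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "csrftoken=xyz; Path=/; Secure; SameSite=Strict"),
    ("www.example.com", "_ga=GA1.2.111; Max-Age=63072000; Path=/"),
    ("ads.adnetwork.example", "uid=9f8e; Max-Age=31536000; Path=/"),
    ("cdn.example.com", "prefs=dark; Max-Age=2592000; Path=/"),
]

@dataclass
class CookieFinding:
    name: str
    host: str
    third_party: bool  # set from a domain other than the site's own
    persistent: bool   # survives the browser session (Expires or Max-Age)
    category: str      # "strictly necessary" or "requires consent"

def _registrable(host):
    # Crude two-label comparison; ignores public-suffix cases such as co.uk
    return ".".join(host.lower().split(".")[-2:])

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    return name, attrs

def audit(observed, site_domain=SITE_DOMAIN, necessary=STRICTLY_NECESSARY):
    """Bucket each cookie; only first-party allowlisted cookies are exempt."""
    findings = []
    for host, header in observed:
        name, attrs = parse_set_cookie(header)
        third_party = _registrable(host) != _registrable(site_domain)
        persistent = "max-age" in attrs or "expires" in attrs
        exempt = name in necessary and not third_party
        category = "strictly necessary" if exempt else "requires consent"
        findings.append(CookieFinding(name, host, third_party, persistent, category))
    return findings

def needs_consent(findings):
    # Names of cookies that should not be set before the user has consented
    return [f.name for f in findings if f.category == "requires consent"]
```

In a real audit the observed list would come from a browser's network log rather than a hand-written table, and the allowlist would be agreed with the legal team before the script is trusted.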

Page 16: Meeting the challenges of new Eprivacy laws


So what should businesses be doing now?

• Set up a cross-functional task force (IT/digital, Legal, Compliance, PR, Marketing) to devise an action plan and….

• Inform and educate internally

• Ensure customer facing staff know what to say in reply to customer queries

• Make easy and immediate changes, e.g. add an update to your privacy policy such as:

"With regard to the new requirements on cookies after the revision of the e-Privacy Directive, we are working towards implementing the new requirements in line with official guidance"

Page 17: Meeting the challenges of new Eprivacy laws


More ICO suggestions as to what businesses should be doing now

• "Feature-led consent"

cookies used when the user chooses a particular feature such as watching a video clip. If the user is taking action to agree to the functionality being "switched on", provided it is made clear that "certain things will happen" by choosing to take a particular action, then this can be interpreted as consent.

• Functional/"first party" uses

analytical/behavioural cookie collecting info about how people access and use the site. Make disclosures about this more prominent, e.g. place highlighted text in the web page footer or header which turns into scrolling text when you want to set a cookie. This could prompt the user to read further info, e.g. via the site privacy pages, and make the available choices

Page 18: Meeting the challenges of new Eprivacy laws


New cookie laws - unanswered questions

• Marketing emails that drop cookies

Clearly caught by the new PEC Regs but no DCMS or ICO Guidance currently deals with them

• International issues

Page 19: Meeting the challenges of new Eprivacy laws


Increased penalties and don't forget…

• In serious cases a fine of up to £500,000 for …

• A breach of any provision of the Privacy and Electronic Communications Regulations including:

– opt in rules for email and text marketing

– do not call telemarketing rules

– opt in rules for use of location data for marketing

– opt in rules for sending pre-recorded marketing messages by automated calling systems

• Don’t forget Reg 7 of the Ecommerce Regs 2002

Page 20: Meeting the challenges of new Eprivacy laws


In 12 Months Everything Will Look Different

• EC likely to announce revisions in Q1 2012

• Directive or Regulation?

• Possible changes

• Accountability

• Data Protection Officer requirement?

• Privacy by design

• Data breach notification

• Currently only: Fin Services + Telecoms plus random territories for specific classes of data

• Data portability

• Right to be forgotten

• Data transfers made easier? Safe harbor approach

• Notifications and other bureaucracy to be scrapped?

Page 21: Meeting the challenges of new Eprivacy laws


New regulator powers?

"You know that ICO is not the Gestapo. Yet I don't have statutory powers to carry out audits in those sectors causing me the most concern. Something is clearly wrong when the regulator has to ask permission from the organisation causing us concern before we can audit their data protection practices"

Christopher Graham, Information Commissioner, October 2011, at a Privacy Law & Business conference

• Currently ICO only has audit powers over public sector organisations

• But it can suggest to a private company that an audit might be a good idea

  • in lieu of immediate enforcement (e.g. Google)

Page 22: Meeting the challenges of new Eprivacy laws


Useful source materials

• www.marketinglaw.co.uk

• ICO's Personal Information Online Code of Conduct

• IAB Europe "European Self-Regulation for Online Behavioural Advertising"

• DCMS paper "Implementing the revised EU Electronic Communications Framework"

• ICO: "Changes to the rules on using cookies and similar technologies for storing information"

Page 23: Meeting the challenges of new Eprivacy laws


Any questions?

Stephen Groom

Head of Marketing & Privacy Law

Osborne Clarke London

T +44 (0) 207 105 7078

M +44 (0) 207 105 7079

[email protected]

www.marketinglaw.co.uk