Upload: auexpo-conference

Posted 10 May 2015

Page 1: E-privacy Directive and Performance Marketing - Andrew Tibber

The e-Privacy Directive & Performance Marketing

Andrew Tibber

Senior Associate

http://www.linkedin.com/in/andrewtibber

@atibber

Page 2

About Burges Salmon

UK top 50 commercial law firm

Service national/international clients from Bristol/London

IP & Technology Team advise on:

- Affiliate advertising agreements

- Use of third-party trade marks (TMs) in paid-for search keywords/ads

- Use/abuse of social media

- Domain name dispute resolution

- Data protection/privacy

Page 3

The e-Privacy Directive

Ed Vaizey, UK Minister for Culture, Communications and Creative Industries (29 March 2011)

“… a good example of a well-meaning regulation that will be very difficult to make work in practice”

Page 4

Overview

How did we get here?

- Legal framework – e-Privacy Directive 2002

- How was it implemented in the UK?

What has changed?

- Informed (prior?) consent

Possible models for informed consent

- Online Behavioural Advertising

- Browser technology – Do Not Track

Compliance

- ICO guidance (UK) and suggested actions

- Other EU states

Page 5

Legal framework

Page 6

Legal framework

ECHR, Article 8:

“(1) Everyone has the right to respect for his private and family life, his home and his correspondence.”

Data Protection Directive 1995, Article 1(1)

“In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”

Page 7

Legal framework

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive 2002”)

Sets out to:

- protect the rights in the ECHR; and

- provide an equal level of protection to the Data Protection Directive for the personal data and privacy of users of publicly available electronic communications services

Part of overarching Framework Directive, setting out regulatory framework for electronic communications infrastructure and services

Page 8

Legal framework

e-Privacy Directive 2002, Recital 24

“The use of [spyware, web bugs, hidden identifiers etc] should be allowed only for legitimate purposes, with the knowledge of the users concerned.”

e-Privacy Directive 2002, Recital 25

“… ‘cookies’… can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions ... [such] use should be allowed on condition that users are provided with clear and precise information … about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment … The methods for giving information, offering a right to refuse or requesting consent should be made as user friendly as possible.”

Page 9

Legal framework

e-Privacy Directive 2002, Article 5(3)

“Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”

Page 10

Legal framework

Storage of, or access to, information on terminal equipment covers, for example:

- Spyware

- Adware

- Cookies

- Google Analytics

- Shopping cart

- Flash cookies (Local Shared Objects)

- Post-click (affiliate) cookies

- Post-impression (PI)/post-view (PV) cookies

Page 11

Legal framework: Summary

Legal obligations imposed by e-Privacy Directive on Member States to legislate in relation to storage of or access to cookies:

- clear and comprehensive information about purpose of cookies must be provided

- right to refuse must be offered

- UNLESS storage/access “strictly necessary” to provide service explicitly requested

Page 12

Previous implementation in the UK

Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)

Regulation 6 reproduces Art 5(3) of the e-Privacy Directive

Regulated by the Information Commissioner’s Office (ICO)

Page 13

Previous implementation in the UK

ICO guidance at the time – Information to be provided

“… sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so”

ICO guidance at the time – Right to refuse

“At the very least … the user or subscriber should be given a clear choice as to whether or not they wish to allow a service provider to continue to store information on the terminal in question …

Where the relevant information is included in a privacy policy … the policy should be clearly signposted at least on those pages where a user may enter a website.”

Page 14

What has changed?

Wide review of telecoms legislation led to revised EU Electronic Communications Framework (Directive 2009/136/EC, 25 November 2009)

Includes amendments to the e-Privacy Directive 2002:

- Duty on providers of electronic communications services to notify “personal data breaches” to competent national authority

- New prohibitions on and right to bring proceedings for spam

- Cookies

- Penalties

Page 15

What has changed?

New recital 66 of the Amending Directive

“… Where it is technically possible and effective … the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application...”

Page 16

What has changed?

Amended Article 5(3) of the e-Privacy Directive 2002

Page 17

What has changed?

Implemented in the UK by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)

In force: 26 May 2011

Amended reg 6 of the 2003 Regulations:

“(2) [Requirement that] the subscriber or user of that terminal equipment:

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent …

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”

Page 18

What has changed?

Part V and sections 55A-55E of Data Protection Act 1998 to apply

Gives ICO new powers to:

- issue enforcement/assessment/information notices (failure to comply = criminal offence)

- impose fines of up to £500,000 for serious breaches

(“serious” = potential for “substantial damage or distress”)

Continuing right for users to take civil action for damage

Page 19

What has changed? Summary

Continuing requirement to provide clear and comprehensive information

Requirement of consent instead of right of refusal, ie opt-in not opt-out

New enforcement powers for ICO

Informed consent

Page 20

Informed (prior?) consent

7 April 2009 - Rejected amendment to Art 5(3)

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her prior consent, which may be given by way of using the appropriate settings of a browser or another application, after having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.”

Page 21

Informed (prior?) consent

Joint Council Statement, 18 November 2009 (Austria, Belgium, Estonia, Finland, Germany, Ireland, Latvia, Malta, Poland, Romania, Slovakia, Spain, UK)

“the amended Article 5(3) is not intended to alter the existing requirement that such consent be exercised as a right to refuse the use of cookies or similar technologies used for legitimate purposes”

Page 22

Informed (prior?) consent

Article 29 Data Protection Working Party Opinion 2/2010 on online behavioural advertising (22 June 2010)

“i) consent must be obtained before the cookie is placed and/or the information stored in the user’s terminal equipment is collected, which is usually referred to as prior consent and ii) informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user.”

Page 23

Informed (prior?) consent

Alexander Alvaro, European Parliament Deputy, e-Privacy Directive Rapporteur (Privacy and Security Law Report, October 2010)

“the ‘prior consent’ formulation was considered and rejected in favor of a wording where the Parliament left more room for flexibility … Consent as defined and used in the Data Protection Directive does not have to be prior or explicit …”

Page 24

Informed (prior?) consent

ICO Guidance: “Changes to the rules on using cookies and similar technologies for storing information” (9 May 2011)

“You need to provide information about cookies and obtain consent before a cookie is set for the first time”

European Commission MEMO/11/320, Brussels, 23 May 2011

“… the new rules require Member States to ensure users have given their consent before such data is stored or accessed. Before being asked for their consent, the user must be given information about what the data collected about them is to be used for (e.g. targeted behavioural advertising).”

Page 25

Informed (prior?) consent

Ed Vaizey, UK Minister for Culture, Communications and Creative Industries, Open Letter, 24 May 2011

“… Article 5 of the revised e-Privacy Directive does not specify that the consent must be ‘prior consent’. The original text proposed by the European Parliament did do so but this was removed during negotiation ... it is possible that consent may be given after or during processing.

[But] in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken. This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing. It also supports any approach underpinned by industry’s attempts to inform users about the specific choices available and as a result allow users to make choices (ie give consent) based on that information.

Crucially, the requirement of the revised Directive is for informed consent.”

Page 26

Possible models for informed consent

Online Behavioural Advertising (OBA)

Internet Advertising Bureau (IAB) UK “Good Practice Principles” (4 March 2009)

North American “Self-Regulatory Principles for OBA” (July 2009)

IAB Europe self-regulation framework for OBA (14 April 2011)

- 3rd parties should give clear and comprehensible notice describing OBA collection and use practices

- Link to www.youronlinechoices.eu

- Icon in or around the ad

- Disclosure by web site operator of 3rd party arrangement

- No segmentation for under-12s

- Education (eg online videos)

Page 27

(Image-only slide; the only recoverable text is the numbering 1, 2, 3.)

Page 28

Possible models for informed consent

Do Not Track

- Response to the US Federal Trade Commission’s proposed framework for protecting consumer privacy

- An HTTP header that tells participating sites not to set tracking cookies

- Easy to use and understand

- Intended to cover 3rd party cookies and flash cookies (the header itself blocks nothing: it signals a preference that the site must choose to honour)

- Supported by Firefox (4, 4 Mobile and 5 Beta) & IE9

- Safari next

- BUT relies on universal buy-in

“Keep my Opt-Outs” Google Chrome extension – a “better ‘Do not Track’ mechanism”

Page 29

Possible models for informed consent

(Image-only slide; no further text recovered.)

Page 30

Possible models for informed consent

“… browsers today have not harmonized the range of cookie controls in such a way as to send one clear, standardized signal to businesses that can be used as a proxy to meet compliance and respect consumer demands … realistically it’s going to be months, if not longer, to achieve clarity at a technical level. Then there’s the question of getting users to adopt new versions of browsers with enhanced controls to further support user requirements and ease compliance efforts in this area.

It’s my view that site owners and third parties need to focus on improving privacy notices and statements that inform consumers of their cookie and tracking practices. In addition, any parties engaged in tracking consumers in the EU need to address compliance as if no new browser controls emerge.”

(Alex Fowler, Global Policy and Privacy Leader, Mozilla (Firefox), May 2011)

Page 31

Compliance: UK ICO Guidance

What cookies are “strictly necessary”?

- Exception construed narrowly

- Includes eg shopping cart

- Excludes eg remembering user preferences, analytics

- Post-click, PI/PV cookies will be caught

Browser settings cannot be used to indicate consent – for now

“You need to provide information about cookies and obtain consent before a cookie is set for the first time”
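The Do Not Track header (Page 28) and the ICO rule that no cookie outside the “strictly necessary” exception is set before consent (above) both come down to one decision point on the server: which Set-Cookie headers a response is allowed to carry. The Node.js snippet below is an added example and is not code from the presentation or from any organisation it cites; the cookie names, their categories, the cookie_consent cookie format and the choice to treat DNT: 1 as a refusal of tracking are all assumptions made for illustration.

```javascript
// Added example (not from the presentation): decide which cookies a response may set,
// given the request headers. Strictly necessary cookies are always set; every other
// category needs a recorded consent, and DNT: 1 is treated as a refusal of tracking.
// Cookie names, categories and the cookie_consent format are assumptions.

const COOKIE_POLICY = {
  sid:       "necessary",   // login session: strictly necessary for the service requested
  cart:      "necessary",   // shopping cart: the slide's example of an exempt cookie
  lang:      "preference",  // remembering preferences: not exempt, needs consent
  _ga:       "analytics",   // web analytics: not exempt, needs consent
  aff_click: "tracking",    // post-click affiliate cookie: caught by the rule
  aff_view:  "tracking",    // post-impression / post-view cookie: caught by the rule
};

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    let value;
    try { value = decodeURIComponent(raw); } catch { value = raw; } // malformed encoding: keep raw
    if (name) out[name] = value;
  }
  return out;
}

// Categories the user has consented to. Assumed format, written by the site's consent
// UI: cookie_consent=analytics,tracking (comma-separated category names).
function consentedCategories(cookies) {
  const raw = cookies.cookie_consent || "";
  return new Set(raw.split(",").map((s) => s.trim()).filter(Boolean));
}

// May cookie `name` be set for a request with these headers (lower-cased names, as Node delivers them)?
function cookieAllowed(name, headers) {
  const category = COOKIE_POLICY[name];
  if (!category) return false;                // not in the inventory: never set it, audit first
  if (category === "necessary") return true;  // Art 5(3) exemption: no consent needed
  if (category === "tracking" && headers.dnt === "1") return false; // DNT overrides stale consent
  return consentedCategories(parseCookieHeader(headers.cookie)).has(category);
}

// Build the Set-Cookie header values for the cookies a handler wants to set,
// dropping those the user has not consented to.
function buildSetCookie(headers, wanted) {
  const out = [];
  for (const [name, value] of Object.entries(wanted)) {
    if (!cookieAllowed(name, headers)) continue;
    out.push(`${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`);
  }
  return out;
}

// Constructed sample: a returning visitor who consented to analytics only and sends DNT: 1.
function demo() {
  const headers = { cookie: "cookie_consent=analytics; sid=abc", dnt: "1" };
  const wanted = { sid: "abc", cart: "item42", lang: "en", _ga: "GA1.2.1", aff_click: "pub7", promo: "x" };
  return buildSetCookie(headers, wanted).map((c) => c.split("=")[0]);
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(demo()); // prints [ 'sid', 'cart', '_ga' ]
}
```

In a real handler the second argument is simply `req.headers`, since Node lower-cases header names (`req.headers.dnt`, `req.headers.cookie`). The gate only enforces a decision already recorded in cookie_consent; collecting that consent (pop-up, settings page, or whatever model the deck discusses) is a separate piece of UI, and the unknown-cookie branch is deliberately fail-closed so that any cookie missing from the inventory shows up as a missing Set-Cookie rather than an unconsented one.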

Page 32

Compliance: UK ICO Guidance

What sort of information?

- Be upfront about how the website operates

- List of cookies and description of how they work

Obtaining consent

- Pop ups
  - Easy option but spoils user experience

- Terms and conditions
  - Make users aware of changes to Ts and Cs
  - Positive indication that users understand & agree to the changes

- Text in header/footer linked to further information

Page 33

(Image-only slide; no text recovered.)

Page 34

(Image-only slide; no text recovered.)

Page 35

Compliance: UK ICO Guidance

3rd party cookies

“everyone has a part to play in making sure that the user is aware of what is being collected and by whom”

“a number of initiatives that seek to ensure that users are given more and better information about how their information might be used. These will no doubt adapt to achieve compliance with the new rule but we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device”

In other words, the OBA initiative is not currently compliant

Page 36

Compliance: UK ICO Guidance

Phased approach to implementation of changes

- Lead-in period of 12 months ending in May 2012 to allow organisations to develop ways of meeting cookie-related requirements

- No enforcement action in this period against organisations working to address their use of cookies

- BUT organisations are expected to take action before May 2012

- Warnings can be issued in this period if no action taken

Page 37

Compliance: Suggested actions

Check what cookies you use and for what purpose

- Which cookies are strictly necessary

- Clean up unnecessary or superseded cookies

Assess how intrusive your use of cookies is

- The more intrusive, the greater the priority for change

- Tracking cookies are likely to fall into this category

Decide what the appropriate solutions to obtain consent are and have a realistic plan for compliance

Check the Ts and Cs of affiliate agreements – require compliance with the new privacy regulations and an indemnity for any loss suffered for breach
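The audit and prioritise steps above (find out which cookies are set and why, separate the strictly necessary ones, clean up superseded ones, and rank the rest by how intrusive they are) can be scripted from captured Set-Cookie headers. The block below is an added example in Node.js, not tooling from the firm or the ICO; the site host shop.example, the declared inventory, the captured headers and the scoring weights are constructed for illustration.

```javascript
// Added example (not from the presentation): audit observed Set-Cookie headers against
// a declared cookie inventory and rank them by intrusiveness, so the most intrusive
// get fixed first. Site host, inventory, captured headers and weights are constructed.

const SITE_HOST = "shop.example";

// Declared inventory: what each cookie is for. "necessary" is the only exempt category.
const INVENTORY = {
  sid:     { purpose: "login session", category: "necessary" },
  cart:    { purpose: "shopping cart", category: "necessary" },
  _ga:     { purpose: "web analytics", category: "analytics" },
  ab_test: { purpose: "retired A/B test variant", category: "preference" },
};

// Constructed sample of Set-Cookie headers seen in responses, with the host that sent each
// (in practice: export from an intercepting proxy or the browser's developer tools).
const OBSERVED = [
  { host: "shop.example", setCookie: "sid=9f3a; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "shop.example", setCookie: "cart=item42; Path=/; Max-Age=1209600" },
  { host: "shop.example", setCookie: "_ga=GA1.2.1; Domain=.shop.example; Max-Age=63072000" },
  { host: "shop.example", setCookie: "old_promo=1; Expires=Wed, 01 Jun 2011 00:00:00 GMT" },
  { host: "track.adnet.example", setCookie: "aff_view=pub7; Domain=.adnet.example; Max-Age=2592000" },
  { host: "track.adnet.example", setCookie: "aff_click=pub7; Domain=.adnet.example; Max-Age=2592000; Secure" },
];

// Weights: base score per category, +2 if set by or scoped to a third party, +1 if it outlives a week.
const BASE_SCORE = { necessary: 0, preference: 1, analytics: 2, tracking: 3, unknown: 3 };
const ONE_WEEK = 7 * 86400;

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";");
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    if (key) cookie.attrs[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Remaining lifetime in seconds at time `now` (ms): Max-Age wins over Expires; neither means session (0).
function lifetimeSeconds(attrs, now) {
  if (attrs["max-age"] !== undefined) return Math.max(0, parseInt(attrs["max-age"], 10) || 0);
  if (attrs.expires) {
    const t = Date.parse(attrs.expires);
    return Number.isNaN(t) ? 0 : Math.max(0, Math.round((t - now) / 1000));
  }
  return 0;
}

// Same site if the host is the site, one of its subdomains, or a parent domain the
// site sits under (Domain=example.com for shop.example.com is still first party).
function sameSite(host) {
  const h = host.replace(/^\./, "");
  return h === SITE_HOST || h.endsWith("." + SITE_HOST) || SITE_HOST.endsWith("." + h);
}

function isThirdParty(host, attrs) {
  return !(sameSite(host) && sameSite(attrs.domain || host));
}

function intrusiveness(category, thirdParty, lifetime) {
  if (category === "necessary") return 0;
  return (BASE_SCORE[category] ?? 3) + (thirdParty ? 2 : 0) + (lifetime > ONE_WEEK ? 1 : 0);
}

// Audit: one row per observed cookie (most intrusive first) plus declared cookies that
// are no longer observed, which are candidates for removal from the inventory.
function auditCookies(observed, inventory, now) {
  const seen = new Set();
  const rows = observed.map(({ host, setCookie }) => {
    const c = parseSetCookie(setCookie);
    seen.add(c.name);
    const declared = inventory[c.name];
    const category = declared ? declared.category : "unknown";
    const thirdParty = isThirdParty(host, c.attrs);
    const lifetime = lifetimeSeconds(c.attrs, now);
    const status = !declared ? "undeclared" : category === "necessary" ? "exempt" : "needs consent";
    return { name: c.name, host, category, thirdParty, lifetime, status,
             score: intrusiveness(category, thirdParty, lifetime) };
  });
  rows.sort((a, b) => b.score - a.score || (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
  const superseded = Object.keys(inventory).filter((n) => !seen.has(n));
  return { rows, superseded };
}

if (typeof module !== "undefined" && require.main === module) {
  // Audit as at 26 May 2011, the date the amended UK regulations came into force.
  const { rows, superseded } = auditCookies(OBSERVED, INVENTORY, Date.UTC(2011, 4, 26));
  for (const r of rows) {
    console.log(r.score, r.status.padEnd(13), r.name.padEnd(10), r.thirdParty ? "3rd party" : "1st party", r.lifetime + "s");
  }
  console.log("declared but not observed:", superseded);
}
```

The two affiliate cookies come out on top because they are both undeclared and set by a third-party host, which is exactly the combination the ICO’s third-party guidance and the deck’s affiliate-agreement point are aimed at; an undeclared cookie is scored as if it were tracking until someone documents a purpose for it. The weights are a starting point to argue over in the compliance plan, not a legal test.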

Page 38

Compliance: Across the EU

Germany

- Existing law already required prior notice and opt-in consent for tracking; enforcement now more active

Netherlands

- Draft bill allows for opt-out consent

France

- Draft ordinance requiring consent for any use of cookies: can be tacit or implied, eg through an easily accessible notice

- Web analytics considered exempt by the CNIL

Finland

- In line with the UK approach

Belgium, Ireland, Poland, Spain

- Legislation still in draft

Page 39

Conclusion

Early days for the new regime

Clarification of the consent requirement, harmonised across the EU, is urgently needed

Browser technology/OBA approach may hold the key

BUT they need to develop further

12-month grace period in the UK

In the meantime show you are taking steps to ensure you can comply by May 2012

- Audit

- Prioritise

- Plan for compliance – empower users to make informed choices

Page 40

This presentation gives general information only and is not intended to be an exhaustive statement of the law. Although we have taken care over the information, you should not rely on it as legal advice. We do not accept any liability to anyone who does rely on its content.