legal aspects of real time and trigger based marketing (privacy and cookies)
TRANSCRIPT
Sirius LegalReal-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Real Time Marketing!
Trigger Based
Marketing!
2016’s Marketing buzz…
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
2016’s Marketing buzz…
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
2016’s Marketing buzz…
“dynamic, personalized content delivered across channels.”
“dynamic personalization”
“commercial and communication activities based upon the measurement of relevant and identifiable changes in a customer's individual needs”
“trigger or event is defined as a detectable change in an Individual’s circumstances
Translated into Legal Speak
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Measuring and defining triggers requires data
Gathering data = privacy law and cookie law
Translated into legal speak: Data = Privacy & cookies…
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
EU Data Protection Directive 95/46/EC of 1995Upcoming EU General Data Protection Regulation of 2016
EU E-privacy Directive 2002/58 of 2002Upcoming EU E-privacy Directive
Belgian Privacy Law of 8 December 1992Telecom law of 2014 on use of cookies
Privacy law…
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Electronic processingPersonal dataUsually –but not always- for commercial purposesEU Data Protection Directive 95/46/ECE-privacy Directive 2002/58
Current Privacy Law
Based on EU Directive 95/46/ECTransferred –differently- into national law by each member stateSet of rules dates back to ninetiesBased on location of company and/or serverAt the time most elaborate and progressive set of rules in the world
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Current Privacy Law
Definition of personal data is very largeCfr B2B vs B2CECJ 2015: Even IP address – browser history –information on social media – payment history…
Impact on data collection for trigger based action is considerable
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Impact on Real Time ad Trigger Based Marketing
All real time or trigger based action is based on data and profiling
Data collection is core – Same discussion as “previous” hype Big data
Considerable impact of privacy lawAlmost all available data is ‘personal data’
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Impact on Real Time and Trigger Based Marketing
Almost all available data is ‘personal data’Classic data sources: “public data” – statistical data – private dataFact that data is publicly available or accessible does not in itself justify collection & treatmentCfr: data available online remains “personal” dataEven at first sight “statistical” info (cfr heatmapping) can be “personal” data
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Impact on Real Time and Trigger Based Marketing
Birthday – marriage – major life eventOrder history – content of basket – heatmapping on sitePayment historyBrowser historyDemographic dataInfo on hobbies, preferences, interests, …
if linked, even indirectly, to individual = Are all –protected- personal dataReal-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Current Privacy Law
Actually straight and simple:
Basic rule = prior “opt-in” for all processingOr implicite opt-in if “legitimate grounds” for processing“Free and informed” opt-inTransfer of data to third party = additionnal opt-in
Cfr. Analytics tools, apps, cookies, database enrichment through mailings and actions, …: always opt-inCfr. also social media contentReal-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Impact on Real Time ad Trigger Based Marketing
Prior opt-in is not always presentExisting client relationship vs. Prospects
“Legitimate grounds”Law does not define “legitimate grounds” (Privacy Commission: “cfr CRM”)Justification for profiling = compare interests of profiler and data subject
Information duty: client should know what data is being processed and why
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Current Privacy Law
Rights of data subjectsopposition – access – correction – information
Obligations of data processorInformation – opt-in – data security – (export)
Information duty: client should know what data is being processed and why
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Future Privacy Law
2016 – 2017
Regulation in stead of Directive – 1 law for 28 states
Work in progress since 2012Agreement reached in December 2015Signature to be expected in Spring 2016Into force end of 2017
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Future Privacy Law
Heavily influenced by consumer protection activists in EPResult:Consumer friendly, but serious restraints for direct marketing sector, e-commerce sector and especially real time and trigger based marketing and (big) data processing
Full trainings by BDMA and by Sirius Legal to follow this spring
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
For all services offered in EU (even free services)Personal data = also online identifiers, “pseudonymous data”Direct marketing can be a legitimate interestInformation obligation (icons)Right not to be submitted to profilingWarning obligations in case of data breachRight to be forgottenConsent for children“Data protection by design”“Data protection officer” Sanctions: up to 4% of yearly turnover or 20 million euroReal-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Future Privacy Law
Impact on Real Time ad Trigger Based Marketing
Right not to be submitted to profiling
“right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other significant effects concerning him or her.”
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Impact on Real Time ad Trigger Based Marketing
Right to object to further processing
“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Impact on Real Time ad Trigger Based Marketing
Consent for children
The regulation requires parental consent for individuals of less than 16 years.
Member States are allowed to foresee other limits between the age of 13 and 16.
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Prepare for the new Regulation
Follow up on discussion (eg through our website www.siriuslegal.be)Start review vendor contracts (in view of data security obligation) Start to prepare for full update of policies, contracts, business processesPut in place data breach notification procedureAppoint (temporary) data security officerPut in place impact assessment and/or risk analyses policyCreate compliance statements for annual business reportsTrain staffSit back and wait for final text of regulation for final details…
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Cookies
EU e-privacy directive 2002/58/ECBelgium: article 129 in Telecomwet since October 2012Already under review in upcoming e-privacy directive
Legal update in e-commerce Unizo Ondernemersforum 3 september 2015
Cookies
Basic principle:
Always obtain opt-in before use of any technique to place or extract data from user device (much broader than cookies)
Exception: strictly functional cookies
Legal update in e-commerce Unizo Ondernemersforum 3 september 2015
Cookies
Opt-in should beFree (i.e. also visit website without opt-in)Explicite (requires active consent fom website visitor)InformedPreceed any actual intervention (placing cookie, fingerprinting, heatmapping, ….) Revokable
Legal update in e-commerce Unizo Ondernemersforum 3 september 2015
Cookies
2015Netherlands softens lawFrance holds big “cookie sweep”Spain inflicts high finesBelgium…?
Legal update in e-commerce Unizo Ondernemersforum 3 september 2015
Cookies
Recommendation Privacycommissie 4 Feb 2015
• Implicite opt-in possible if visitor was informed
• Visitor van revoke consent• cookie-policy with info required• Advertizers contract with website owner
required if re-use of data + mention in cookie policy
• Analytics: no excemption, but limited privacy risk in the eye of Privacy Commission
Legal update in e-commerce Unizo Ondernemersforum 3 september 2015
Impact on Real Time ad Trigger Based Marketing
If cookies, markers, fingerprint, etc… used to collect data:
Mention on websiteDetailed mention in cookie policy or privacy policyNever without warning!Never without consent!Never after request to stop!
Real-time & trigger based direct marketingBDMA, Brussels Stanhope Hotel, 25 February 2016
Media & advertisement lawCopyright - trademarks - datebase - software - knowhowTravel & consumer protectionTax & tax planningIT, Internet & e-commercePrivacy & cookiesGambling & gaming
Sirius LegalMedia & advertisement lawIP lawInternet & e-commercePrivacy & cookiesGambling lawTravel & consumer protectionCommercial contractsCorporate / taks / labour / real estate
[email protected]@BartVdBrandeLinkedin.com/in/bartvdb