The e-Privacy Directive & Performance Marketing
Andrew Tibber
Senior Associate
http://www.linkedin.com/in/andrewtibber
@atibber
About Burges Salmon
UK top 50 commercial law firm
Service national/international clients from Bristol/London
IP & Technology Team advise on:
- Affiliate advertising agreements
- Use of 3rd party TMs in paid-for search keywords/ads
- Use/abuse of social media
- Domain name dispute resolution
- Data protection/privacy
The e-Privacy Directive
Ed Vaizey, UK Minister for Culture, Communications and Creative Industries (29 March 2011)
“… a good example of a well-meaning regulation that will be very difficult to make work in practice”
Overview
How did we get here?
- Legal framework – e-Privacy Directive 2002
- How was it implemented in the UK?
What has changed?
- Informed (prior?) consent
Possible models for informed consent
- Online Behavioural Advertising
- Browser technology – Do Not Track
Compliance
- ICO guidance (UK) and suggested actions
- Other EU states
Legal framework
Legal framework
ECHR, Article 8:
“(1) Everyone has the right to respect for his private and family life, his home and his correspondence.”
Data Protection Directive 1995, Article 1(1)
“In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”
Legal framework
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive 2002”)
Sets out to protect
- rights in ECHR; and
- provide equal level of protection to Data Protection Directive for personal data and privacy of users of publicly available electronic communications services
Part of overarching Framework Directive, setting out regulatory framework for electronic communications infrastructure and services
Legal framework
e-Privacy Directive 2002, Recital 24
“The use of [spyware, web bugs, hidden identifiers etc] should be allowed only for legitimate purposes, with the knowledge of the users concerned.”
e-Privacy Directive 2002, Recital 25
“… ‘cookies’… can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions ... [such] use should be allowed on condition that users are provided with clear and precise information … about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment … The methods for giving information, offering a right to refuse or requesting consent should be made as user friendly as possible.”
Legal framework
e-Privacy Directive 2002, Article 5(3)
“Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”
Legal framework
Storage of or access to:
- Spyware
- Adware
- Cookies
- Google analytics
- Shopping cart
- Flash cookies (Local Shared Objects)
- Post-click
- Post-impression (PI)/post-view (PV)
Legal framework: Summary
Legal obligations imposed by e-Privacy Directive on Member States to legislate in relation to storage of or access to cookies:
- clear and comprehensive information about purpose of cookies must be provided
- right to refuse must be offered
- UNLESS storage/access “strictly necessary” to provide service explicitly requested
Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
Regulation 6 reproduces Art 5(3) of e-Privacy Directive
Regulated by Information Commissioner’s Office (ICO)
Previous implementation in the UK
Previous implementation in the UK
ICO guidance at the time – Information to be provided
“… sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so”
ICO guidance at the time – Right to refuse
“At the very least … the user or subscriber should be given a clear choice as to whether or not they wish to allow a service provider to continue to store information on the terminal in question …
Where the relevant information is included in a privacy policy … the policy should be clearly signposted at least on those pages where a user may enter a website.”
What has changed?
Wide review of telecoms legislation led to revised EU Electronic Communications Framework (Directive 2009/136/EC, 25 November 2009)
Includes amendments to the e-Privacy Directive 2002:
- Duty on providers of electronic communications services to notify “personal data breaches” to competent national authority
- New prohibitions on and right to bring proceedings for spam
- Cookies
- Penalties
What has changed?
New recital 66 of the Amending Directive
“… Where it is technically possible and effective … the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application...”
What has changed?
Amended Article 5(3) of the e-Privacy Directive 2002
What has changed?
Implemented in the UK by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)
In force: 26 May 2011
Amended reg 6 of the 2003 Regulations:
“(2) [Requirement that] the subscriber or user of that terminal equipment:
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent …
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”
What has changed?
Part V and sections 55A-55E of Data Protection Act 1998 to apply
Gives ICO new powers to:
- issue enforcement/assessment/information notices (failure to comply = criminal offence)
- impose fines of up to £500,000 for serious breaches
(“serious” = potential for “substantial damage or distress”)
Continuing right for users to take civil action for damage
What has changed? Summary
Continuing requirement to provide clear and comprehensive information
Requirement of consent instead of right of refusal, ie opt-in not opt-out
New enforcement powers for ICO
Informed consent
Informed (prior?) consent
7 April 2009 - Rejected amendment to Art 5(3)
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her prior consent, which may be given by way of using the appropriate settings of a browser or another application, after having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.”
Joint Council Statement, 18 November 2009 (Austria, Belgium, Estonia, Finland, Germany, Ireland, Latvia, Malta, Poland, Romania, Slovakia, Spain, UK)
“the amended Article 5(3) is not intended to alter the existing requirement that such consent be exercised as a right to refuse the use of cookies or similar technologies used for legitimate purposes”
Informed (prior?) consent
Informed (prior?) consent
Article 29 Data Protection Working Party Opinion 2/2010 on online behavioural advertising (22 June 2010)
“i) consent must be obtained before the cookie is placed and/or the information stored in the user’s terminal equipment is collected, which is usually referred to as prior consent and ii) informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user.”
Informed (prior?) consent
Alexander Alvaro, European Parliament Deputy, e-Privacy Directive Rapporteur (Privacy and Security Law Report, October 2010)
“the ‘prior consent’ formulation was considered and rejected in favor of a wording where the Parliament left more room for flexibility … Consent as defined and used in the Data Protection Directive does not have to be prior or explicit …”
ICO Guidance: “Changes to the rules on using cookies and similar technologies for storing information” (9 May 2011)
“You need to provide information about cookies and obtain consent before a cookie is set for the first time”
European Commission MEMO/11/320, Brussels, 23 May 2011
“… the new rules require Member States to ensure users have given their consent before such data is stored or accessed. Before being asked for their consent, the user must be given information about what the data collected about them is to be used for (e.g. targeted behavioural advertising).”
Informed (prior?) consent
Informed (prior?) consent
Ed Vaizey, UK Minister for Culture, Communications and Creative Industries, Open Letter, 24 May 2011
“… Article 5 of the revised e-Privacy Directive does not specify that the consent must be ‘prior consent’. The original text proposed by the European Parliament did do so but this was removed during negotiation ... it is possible that consent may be given after or during processing.
[But] in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken. This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing. It also supports any approach underpinned by industry’s attempts to inform users about the specific choices available and as a result allow users to make choices (ie give consent) based on that information.
Crucially, the requirement of the revised Directive is for informed consent.”
Possible models for informed consent
Online Behavioural Advertising (OBA)
Internet Advertising Bureau (IAB) UK “Good Practice Principles” (4 March 2009)
North American “Self-regulatory principles for OBA” (July 2009)
IAB European Self-regulation for OBA (14 April 2011)
- 3rd parties should give clear and comprehensible notice describing OBA collection and use practices
- Link to www.youronlinechoices.eu
- Icon in or around the ad
- Disclosure by web site operator of 3rd party arrangement
- No segmentation for under-12s
- Education (eg online videos)
Do Not Track
- Response to US Federal Trade Commission proposed framework for protecting consumer privacy
- HTTP header notifies participants not to set tracking cookies
- Easy to use and understand
- Prevents 3rd party cookies and flash cookies
- Supported by Firefox (4, 4 Mobile and 5 Beta) & IE9
- Safari next
- BUT relies on universal buy-in
“Keep my Opt-Outs” Google Chrome extension – a “better ‘Do not Track’ mechanism”
Possible models for informed consent
Possible models for informed consent
“… browsers today have not harmonized the range of cookie controls in such a way as to send one clear, standardized signal to businesses that can be used as a proxy to meet compliance and respect consumer demands … realistically it’s going to be months, if not longer, to achieve clarity at a technical level. Then there’s the question of getting users to adopt new versions of browsers with enhanced controls to further support user requirements and ease compliance efforts in this area.
It’s my view that site owners and third parties need to focus on improving privacy notices and statements that inform consumers of their cookie and tracking practices. In addition, any parties engaged in tracking consumers in the EU need to address compliance as if no new browser controls emerge.”
(Alex Fowler, Global Policy and Privacy Leader, Mozilla (Firefox), May 2011)
Possible models for informed consent
What cookies are “strictly necessary”?
- Exception construed narrowly
- Includes eg shopping cart
- Excludes eg remembering user preferences, analytics
- Post-click, PI/PV cookies will be caught
Browser settings cannot be used to indicate consent – for now
“You need to provide information about cookies and obtain consent before a cookie is set for the first time”
Compliance: UK ICO Guidance
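An added illustration, not from the presentation or from Burges Salmon: a server-side gate in Python that applies the rules on this slide (the narrowly construed “strictly necessary” exception, and consent recorded before any other cookie is first set) and also honours the Do Not Track header from the earlier slide by never setting tracking cookies when it is present. The cookie names, categories and the name of the consent cookie are assumed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Mapping


class Category(Enum):
    # Exempt under Art 5(3): needed to deliver the service the user asked for.
    STRICTLY_NECESSARY = "strictly_necessary"
    # The ICO reads the exception narrowly: these categories all need consent.
    PREFERENCES = "preferences"
    ANALYTICS = "analytics"
    TRACKING = "tracking"  # post-click, post-impression/post-view, OBA


@dataclass(frozen=True)
class CookieSpec:
    name: str
    category: Category


# Assumed name of the first-party cookie that records the user's consent choice.
CONSENT_COOKIE = "cookie_consent"

# Constructed inventory of cookies a site might want to set (illustrative names).
SAMPLE_COOKIES = [
    CookieSpec("cart_id", Category.STRICTLY_NECESSARY),
    CookieSpec("site_lang", Category.PREFERENCES),
    CookieSpec("analytics_id", Category.ANALYTICS),
    CookieSpec("affiliate_click", Category.TRACKING),
]


def needs_consent(spec: CookieSpec) -> bool:
    """Audit step: everything outside the strictly-necessary exception needs consent."""
    return spec.category is not Category.STRICTLY_NECESSARY


def consent_recorded(request_cookies: Mapping[str, str]) -> bool:
    """Consent has to exist before the first non-essential cookie is set."""
    return request_cookies.get(CONSENT_COOKIE) == "yes"


def dnt_enabled(headers: Mapping[str, str]) -> bool:
    """'DNT: 1' asks participants not to set tracking cookies (header names are case-insensitive)."""
    return any(name.lower() == "dnt" and value.strip() == "1" for name, value in headers.items())


def allowed_cookies(headers: Mapping[str, str], request_cookies: Mapping[str, str],
                    wanted: Iterable[CookieSpec]) -> List[str]:
    """Names of the cookies this response may set for this request."""
    allowed = []
    for spec in wanted:
        if not needs_consent(spec):
            allowed.append(spec.name)  # exempt: may be set regardless of consent
        elif spec.category is Category.TRACKING and dnt_enabled(headers):
            continue  # honour DNT even where consent was recorded earlier
        elif consent_recorded(request_cookies):
            allowed.append(spec.name)  # consented, non-essential cookie
    return allowed
```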
What sort of information?
- Be upfront about how website operates
- List of cookies and description of how they work
Obtaining consent
- Pop ups
- Easy option but spoils user experience
- Terms and conditions
- Make users aware of changes to Ts and Cs
- Positive indication that users understand & agree to changes
- Text in header/footer linked to further information
Compliance: UK ICO Guidance
3rd party cookies
“everyone has a part to play in making sure that the user is aware of what is being collected and by whom”
“a number of initiatives that seek to ensure that users are given more and better information about how their information might be used. These will no doubt adapt to achieve compliance with the new rule but we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device”
In other words, OBA initiative not currently compliant
Compliance: UK ICO Guidance
Phased approach to implementation of changes
Lead-in period of 12 months ending in May 2012 to allow organisations to develop ways of meeting cookie-related requirements
No enforcement action in this period against organisations working to address their use of cookies
BUT organisations are expected to take action before May 2012
Warnings can be issued in this period if no action taken
Compliance: UK ICO Guidance
Check what cookies you use and for what purpose
- Which cookies are strictly necessary
- Clean-up unnecessary or superseded cookies
Assess how intrusive your use of cookies is
- The more intrusive, the greater the priority for change
- Tracking cookies likely to fall into this category
Decide what the appropriate solutions to obtain consent are and have a realistic plan for compliance
Check Ts and Cs of Affiliate Agreements – require compliance with new privacy regs and indemnity for any loss suffered for breach
Compliance: Suggested actions
Germany
- existing law already required prior notice and opt-in consent for tracking: enforcement now more active
Netherlands
- Draft bill allows for opt-out consent
France
- draft ordinance requiring consent for any use of cookies: can be tacit or implied, eg through easily accessible notice
- Web analytics considered exempt by CNIL
Finland
- In line with UK approach
Belgium, Ireland, Poland, Spain
- Legislation still in draft
Compliance: Across the EU
Conclusion
Early days for the new regime
Clarification urgently needed on consent requirement harmonised across the EU
Browser technology/OBA approach may hold the key
BUT they need to develop further
12-month grace period in the UK
In the meantime show you are taking steps to ensure you can comply by May 2012
- Audit
- Prioritise
- Plan for compliance – empower users to make informed choices
This presentation gives general information only and is not intended to be an exhaustive statement of the law. Although we have taken care over the information, you should not rely on it as legal advice. We do not accept any liability to anyone who does rely on its content.