Archive for December, 2012

Cookie consent enforcement – ICO’s latest

Posted on December 19th, 2012 by

The UK Information Commissioner’s Office has quietly published today a report detailing the concerns reported to them, the current picture and the action they are taking as of December 2012 in relation to the cookie consent requirement.

The highlights of the report are as follows:

*   Consumers are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site.

*   Consumers often complain about the fact that they have not been given enough information generally, and specifically not enough information about how to decline cookies or manage them later.

*   The ICO is continuing to write to websites they receive concerns about – This means that nobody is off the hook.

*   The ICO has also looked at the types of cookie in use – This means that the regulator has the means to investigate and find out about cookie practices on a per site basis.  If a site operator does not have this information, how is that going to look???

*   The provider must ensure that users can see clear and relevant information explaining what is likely to happen while they are accessing the site, and their choices as regards controlling what happens.

*   Failure to comply will result in formal action to ensure compliance, and the ICO may decide to name the site in order to make consumers aware of its use of cookies – In other words, the ICO is not going to sit still.  The prospect of facing enforcement action is there.

*   If an organisation refuses to take steps to comply, or has been involved in a particularly privacy-intrusive use of cookies without telling individuals or obtaining consent, the ICO will consider using formal regulatory powers in line with our criteria set out in the Data Protection Regulatory Action Policy and Guidance on the issue of monetary penalties – This is the clearest threat of enforcement action to date!


Technology issues that will shape privacy in 2013

Posted on December 13th, 2012 by

Making predictions as we approach a new year has become a bit of a tradition.  The degree of error is typically proportional to the level of boldness of those predictions, but as in the early days of weather forecasting, the accuracy expectations attached to big statements about what may or may not happen in today’s uncertain world are pretty low.  Having said that, it wouldn’t be particularly risky to assume that during 2013, the EU legislative bodies will be thinking hard about things like whether the current definition of personal data is wide enough, what kind of security breach should trigger a public disclosure, the right amount for monetary fines or the scope of the European Commission’s power to adopt ‘delegated acts’.  But whilst it is easy to get distracted by the fascinating data protection legislative developments currently taking place in the EU, next year’s key privacy developments will be significantly shaped by the equally fascinating technological revolution of our time.

A so far low profile issue from a regulatory perspective has been the ever growing mobile app phenomenon.  Like having a website in the late 90s, launching a mobile app has become a ‘must do’ for any self-respecting consumer-facing business.  However, even the simplest app is likely to be many times more sophisticated than the early websites and will collect much more useful and clever data about its users and their lifestyles.  That is a fact and, on the whole, apps are a very beneficial technological development for the 21st century homo-mobile.  The key issue is how this development can be reconciled with the current data protection rules dealing with information provision, grounds for processing and data proportionality.  Until now, technology has as usual led the way and the law is clumsily trying to follow, but in the next few months we are likely to witness much more legal activity on this front than what we have seen to date.

Mobile data collection via apps has been a focus of attention in theUSAfor a while but recent developments are a clue to what is about to happen.  The spark may well have been ignited by the California Attorney General who in the first ever legal action under the state’s online privacy law, is suing Delta Air Lines for distributing a mobile application without a privacy policy.  Delta had reportedly been operating its mobile app without a privacy policy since at least 2010 and did not manage to post one after being ordered by the authorities to do so.  On a similar although slightly more alarming note, children’s mobile game company Mobbles is being accused by the Center for Digital Democracy of violating COPPA, which establishes strict parental consent rules affecting the collection of children’s data.  These are unlikely to be isolated incidents given that app operators tend to collect more data than what is necessary to run the app.  In fact, these cases are almost certainly the start of a trend that will extend toEuropein 2013 and lead EU data protection authorities and mobile app developers to lock horns on how to achieve a decent degree of compliance in this environment.

Speaking of locking horns, next year (possibly quite early on) we will see the first instances of enforcement of the cookie consent requirement.  What is likely to be big about this is not so much the amount of the fines or the volume of enforcement actions, but the fact that we will see for real what the regulators’ compliance expectations actually are.  Will ‘implied consent’ become the norm or will websites suddenly rush to present their users with hard opt-in mechanisms before placing cookies on their devices?  Much would need to change for the latter to prevail but at the same time, the ‘wait and see’ attitude that has ruled to date will be over soon, as the bar will be set and the decision to comply or not will be based purely on risk – an unfortunate position to be in, caused by an ill-drafted law.  Let that be a lesson for the future.

The other big technological phenomenon that will impact on privacy and security practices – probably in a positive way – will be the cloud.  Much has been written on the data protection implications of cloud computing in the past months.  Regulators have given detailed advice.  Policy makers have made grand statements.  But the real action will be seen in 2013, when a number of leaders in the field start rolling out Binding Safe Processor Rules programmes and regulators are faced with the prospect of scrutinising global cloud vendors’ data protection offerings.  Let us hope that we can use this opportunity to listen to each other’s concerns, agree a commercially realistic set of standards and get the balance right.  That would be a massive achievement.


This article was first published in Data Protection Law & Policy in December 2012.

What will happen once the ASA starts to regulate Online Behavioural Advertising?

Posted on December 11th, 2012 by

Early next year, the UK Advertising Standards Authority (“ASA“) will start regulating Online Behavioural Advertising (“OBA“) in the UK – meaning that online advertisers who serve targeted ads to website visitors will have to worry not only about the risk of cookie consent enforcement by the ICO, but also the risk of investigation and public admonishment by the ASA.  A regulatory double-jeopardy, if you will.

This is a consequence of recent changes to the “UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing” (“CAP Code“) that will come into effect on 4 February 2013.  In effect, the CAP Code changes are designed to implement the earlier European Advertising Standards Alliance “Best Practice Recommendation on Online Behavioural Advertising” published in April 2011 – which, you may recall, the Article 29 Working Party wasn’t exactly excited about

Anyone who’s read the EASA recommendation won’t be surprised by the CAP Code’s proposals – that website visitors must be given notice and choice, with advertisers encouraged to display a small icon licensed by the European Interactive Digital Advertising Alliance (or eDAA) alongside the adverts they serve by way of achieving this goal.  Nor will they be surprised by the ‘gaps’ in the CAP Code, most notably that it doesn’t apply to first party tracking by a publisher across its own website domains.

But what are the real consequences of the ASA wading into the murky waters of OBA regulation?   Broadly speaking, they can be boiled down to the following:

1.  Cookie regulation is not going to go away.  The revised CAP Code is simply implementing recommendations already published at a European level by the European Advertising Standards Alliance.  When it published its recommendations, EASA set an ambitious – and, as it turned out, unrealistic – goal of ensuring “at least 70% of its EU SROs [national advertising self-regulatory organisations] have implemented the BPR [best practice recommendation] within a year (i.e. by the end of April 2012)“.  When the UK took the lead on implementing cookie consent rules and guidance, other EU member states quickly followed suit – so it seems a relatively safe bet here that a similar regulatory flurry will follow now among EU advertising regulators.  This means that the amount of national regulation governing online tracking will continue to grow, not decline – with all the disharmony that entails. 

2.  Confusion about what qualifies as lawful visitor tracking.   Being based on the EASA best practice recommendation, the CAP Code promotes a notice and opt-out approach.  That’s fine, but it’s not the law – which instead requires consent when serving tracking cookies.  The Article 29 Working Party have already been vocal in expressing their view that the EASA recommendation is not sufficient for obtaining consent, and CAP even acknowledges likewise – the new rules say that they “are not designed to provide compliance with the law and companies should seek their own legal advice when working to comply with privacy and data protection legislation.  The net result?  Yet more confusion about what standards, exactly, businesses are to apply when tracking online visitors.  It seems an inevitability that many businesses will (mistakenly) assume that compliance with the CAP Code is, in itself, sufficient to comply with legal cookie consent requirements – risking exposure under local data protection laws.

3.  Expansion in enforcement remit for the ASA:  The new rules regulating website tracking for targeted advertising are interesting for another reason:  they represent a significant expansion of the ASA’s enforcement remit beyond simply regulating the content of adverts into regulating the technology used to generate and deliver those advert.   The ASA’s remit already underwent a massive expansion in March 2011 when it grew beyond adverts in paid-for space to also include marketers’ own websites and communications on social networks, amid concerns over the ASA’s resourcing to effectively regulate these spaces.  That expanded remit could at least be characterised in terms of the ASA doing ‘more of the same’ online; this time around, however, its further expanded remit will require it to develop technological knowledge and skillsets it may not currently possess – raising questions over how consistent and effective its enforcement will be.

4.  Prepare for real enforcement.  Historically, the ASA has generally proven itself a better resourced and more active regulator than the ICO, having forced changes to or the withdrawal of some 4,591 ads in 2011 from a total of nearly 32,000 complaints.  While it doesn’t have the ability to fine, ASA investigations are costly, time-consuming and can result in embarrassing adjudications that are made publicly available and widely reported by the press.  The ASA is also a more familiar regulatory “brand” to many consumers who may more instinctively complain to the ASA than the ICO with concerns about targeted ads.  Long story short, there’s a good chance the ASA may well prove a more active regulator of targeted advertising than the ICO once the new rules come into effect.

So what does all this mean?  Ultimately, that online visitor tracking will remain high on the regulatory agenda for some time to come and, while it does so, the likelihood of some manner of regulatory enforcement grows all the time.  What form that enforcement will take – whether by a data protection authority, an advertising standards authority, or a consumer protection body, and whether in the UK, rest of Europe or even by a country outside the EU – remains to be seen. 

All that can be said with certainty is that businesses that aren’t already thinking about their visitor transparency, choice and education strategies for their website tracking need to get their act together and do so – now!

Article 29 Working Party pushes for Binding Safe Processor Rules

Posted on December 9th, 2012 by


The Article 29 Working Party has taken another crucial step towards the full recognition of BCR for processors or ‘Binding Safe Processor Rules’. Following the unqualified backing by the European Commission in the proposal for a Data Protection Regulation early in 2012 and the publication of the criteria for approval by the Working Party itself last summer, an agreement has now been reached by the European data protection authorities on the application and approval process.

The official announcement of a mutual recognition and cooperation procedure-type approach will take place in January 2013 and shortly after, the Working Party will issue the appropriate application form. This is the strongest indication to date that applications for BCR for processors will be dealt with in the same way as the traditional BCR, opening the door for hybrid BCRs for those organisations with global data protection programmes that apply to their dual role as controllers (in respect of their own data) and processors (in respect of their clients’ data, as in the case of cloud service providers).