Early next year, the UK Advertising Standards Authority (“ASA”) will start regulating Online Behavioural Advertising (“OBA”) in the UK – meaning that online advertisers who serve targeted ads to website visitors will have to worry not only about the risk of cookie consent enforcement by the ICO, but also the risk of investigation and public admonishment by the ASA. A regulatory double-jeopardy, if you will.
This is a consequence of recent changes to the “UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing” (“CAP Code”) that will come into effect on 4 February 2013. In effect, the CAP Code changes are designed to implement the earlier European Advertising Standards Alliance “Best Practice Recommendation on Online Behavioural Advertising” published in April 2011 – which, you may recall, the Article 29 Working Party wasn’t exactly excited about.
Anyone who’s read the EASA recommendation won’t be surprised by the CAP Code’s proposals – that website visitors must be given notice and choice, with advertisers encouraged to display a small icon licensed by the European Interactive Digital Advertising Alliance (or eDAA) alongside the adverts they serve by way of achieving this goal. Nor will they be surprised by the ‘gaps’ in the CAP Code, most notably that it doesn’t apply to first party tracking by a publisher across its own website domains.
But what are the real consequences of the ASA wading into the murky waters of OBA regulation? Broadly speaking, they can be boiled down to the following:
1. Cookie regulation is not going to go away. The revised CAP Code is simply implementing recommendations already published at a European level by the European Advertising Standards Alliance. When it published its recommendations, EASA set an ambitious – and, as it turned out, unrealistic – goal of ensuring “at least 70% of its EU SROs [national advertising self-regulatory organisations] have implemented the BPR [best practice recommendation] within a year (i.e. by the end of April 2012)”. When the UK took the lead on implementing cookie consent rules and guidance, other EU member states quickly followed suit – so it seems a relatively safe bet here that a similar regulatory flurry will follow now among EU advertising regulators. This means that the amount of national regulation governing online tracking will continue to grow, not decline – with all the disharmony that entails.
2. Confusion about what qualifies as lawful visitor tracking. Being based on the EASA best practice recommendation, the CAP Code promotes a notice and opt-out approach. That’s fine, but it’s not the law – which instead requires consent when serving tracking cookies. The Article 29 Working Party have already been vocal in expressing their view that the EASA recommendation is not sufficient for obtaining consent, and CAP even acknowledges likewise – the new rules say that they “are not designed to provide compliance with the law and companies should seek their own legal advice when working to comply with privacy and data protection legislation.” The net result? Yet more confusion about what standards, exactly, businesses are to apply when tracking online visitors. It seems an inevitability that many businesses will (mistakenly) assume that compliance with the CAP Code is, in itself, sufficient to comply with legal cookie consent requirements – risking exposure under local data protection laws.
3. Expansion in enforcement remit for the ASA. The new rules regulating website tracking for targeted advertising are interesting for another reason: they represent a significant expansion of the ASA’s enforcement remit beyond simply regulating the content of adverts into regulating the technology used to generate and deliver those adverts. The ASA’s remit already underwent a massive expansion in March 2011 when it grew beyond adverts in paid-for space to also include marketers’ own websites and communications on social networks, amid concerns over the ASA’s resourcing to effectively regulate these spaces. That expanded remit could at least be characterised in terms of the ASA doing ‘more of the same’ online; this time around, however, its further expanded remit will require it to develop technological knowledge and skillsets it may not currently possess – raising questions over how consistent and effective its enforcement will be.
4. Prepare for real enforcement. Historically, the ASA has generally proven itself a better resourced and more active regulator than the ICO, having forced changes to or the withdrawal of some 4,591 ads in 2011 from a total of nearly 32,000 complaints. While it doesn’t have the ability to fine, ASA investigations are costly, time-consuming and can result in embarrassing adjudications that are made publicly available and widely reported by the press. The ASA is also a more familiar regulatory “brand” to many consumers who may more instinctively complain to the ASA than the ICO with concerns about targeted ads. Long story short, there’s a good chance the ASA may well prove a more active regulator of targeted advertising than the ICO once the new rules come into effect.
So what does all this mean? Ultimately, that online visitor tracking will remain high on the regulatory agenda for some time to come and, while it does so, the likelihood of some manner of regulatory enforcement grows all the time. What form that enforcement will take – whether by a data protection authority, an advertising standards authority, or a consumer protection body, and whether in the UK, rest of Europe or even by a country outside the EU – remains to be seen.
All that can be said with certainty is that businesses that aren’t already thinking about their visitor transparency, choice and education strategies for their website tracking need to get their act together and do so – now!