Archive for the ‘Consent’ Category

How do EU and US privacy regimes compare?

Posted on March 5th, 2014 by



As an EU privacy professional working in the US, one of the things that regularly fascinates me is each continent’s misperception of the other’s privacy rules.  Far too often have I heard EU privacy professionals (who really should know better) mutter something like “The US doesn’t have a privacy law” in conversation; equally, I’ve heard US colleagues talk about the EU’s rules as being “nuts” without understanding the cultural sensitivities that drive European laws.

So I thought it would be worth dedicating a few lines to compare and contrast the different regimes, principally to highlight that, yes, they are indeed different, but, no, you cannot draw a conclusion from these differences that one regime is “better” (whatever that means) than the other.  You can think of what follows as a kind of brief 101 in EU/US privacy differences.

1.  Culturally, there is a stronger expectation of privacy in the EU.  It’s often said that there is a stronger cultural expectation of privacy in the EU than the US.  Indeed, that’s probably true.   Privacy in the EU is protected as a “fundamental right” under the European Union’s Charter of Fundamental Rights – essentially, it’s akin to a constitutional right for EU citizens.  Debates about privacy and data protection evoke as much emotion in the EU as do debates about gun control legislation in the US.

2.  Forget the myth: the US DOES have data protection laws.  It’s simply not true that the US doesn’t have data protection laws.  The difference is that, while the EU has an all-encompassing data protection framework (the Data Protection Directive) that applies across every Member State, across all sectors and across all types of data, the US has no directly analogous equivalent.  That’s not the same thing as saying the US has no privacy laws – it has an abundance of them!  From federal rules designed to deal with specific risk scenarios (for example, collection of child data online is regulated under the Children’s Online Privacy Protection Act), to sector-specific rules (Health Insurance Portability and Accountability Act for health-related information and the Gramm-Leach-Bliley Act for financial information), to state-driven rules (the California Online Privacy Protection Act in California, for example – California, incidentally, also protects individuals’ right to privacy under its constitution).  So the next time someone tells you that the US has no privacy law, don’t fall for it – comparing EU and US privacy rules is like comparing apples to a whole bunch of oranges.

3.  Class actions.  US businesses spend a lot of time worrying about class actions and, in the privacy realm, there have been multiple.  Countless times I’ve sat with US clients who agonise over their privacy policy drafting to ensure that the disclosures they make are sufficiently clear and transparent in order to avoid any accusation they may have misled consumers.  Successful class actions can run into the millions of $$$ and, with that much potential liability at stake, US businesses take this privacy compliance risk very seriously.  But when was the last time you heard of a successful class action in the EU?  For that matter, when was the last time you heard of ANY kind of award of meaningful damages to individuals for breaches of data protection law?

4.  Regulatory bark vs. bite.  So, in the absence of meaningful legal redress through the courts, what can EU citizens do to ensure their privacy rights are respected?  The short answer is complain to their national data protection authorities, and EU data protection authorities tend to be very interested and very vocal.  Bodies like the Article 29 Working Party, for example, pump out an enormous volume of regulatory guidance, as do certain national data protection authorities, like the UK Information Commissioner’s Office or the French CNIL. Over in the US, American consumers also have their own heavyweight regulatory champion in the form of Federal Trade Commission which, by using its powers to take enforcement against “unfair and deceptive practices” under the FTC Act, is getting ever more active in the realm of data protection enforcement.  And look at some of the settlements it has reached with high profile companies – settlements that, in some cases, have run in excess of US$20m and resulted in businesses having to subject themselves to 20 year compliance audits.  By contrast, however vocal EU DPAs are, their powers of enforcement are typically much more limited, with some even lacking the ability to fine.

So those are just some of the big picture differences, but there are so many more points of detail a well-informed privacy professional ought to know – like how the US notion of “personally identifiable information” contrasts with EU “personal data”, why the US model of relying on consent to legitimise data processing is less favoured in the EU, and what the similarities and differences are between US “fair information practice principles” and EU “data protection principles”.

That’s all for another time, but for now take away this:  while they may go about it in different ways, the EU and US each share a common goal of protecting individuals’ privacy rights.  Is either regime perfect?  No, but each could sure learn a lot from the other.

 

 

 

Legislative realism needed

Posted on November 25th, 2013 by



One thing that is clear in the context of the ongoing EU data protection reform is that speculation is rife. Everyone seems to have a view on what will happen. Most people seem to think that the chances of agreeing a new framework before the end of the current Parliament in April 2014 are pretty much nil. A few others are more hopeful and believe that the political will of those involved and the relentless enthusiasm of the European Commission may just be powerful enough to achieve a little miracle. At a more granular level, speculation about the future of Safe Harbor or BCR for processors, and about the outcome of the interlinked debates on the concept of personal data, consent, legitimate interests, profiling, one-stop-shop and a hundred other micro-issues is only creating more questions than answers.

So whilst we wait for the Council of the EU to make its move and give us a clearer idea of how big the gap may be between its own position and those of the Commission and the Parliament, it is perhaps time to take stock of where we are at the moment. The legislative process has progressed at a steady pace since the European Commission revealed its blueprint for a new framework in November 2010 – it seems like a decade ago in ‘Internet time’! But the reality is that the drafts we have on the table today still follow relatively closely the Commission’s vision of three years ago: an ambitious, harmonised regime with strong rights and tight data protection standards. Whether we like it or not, and in the absence of some really catchy radical thinking, the resulting legal framework – whenever it happens, in 5 months or 15 months – will most likely follow this pattern.

Since a radical new approach is unlikely to steal the show at this stage, here are some suggestions for some modest tweaks to the current drafts that might contribute to make the forthcoming regime a bit more realistic and workable:

Personal data – It is quite outrageous that we are still trying to figure out whether someone’s name is personal data, as the UK courts are currently doing. If we cannot nail that one down, how are we ever going to decide whether the knowledge derived from the fact that one can turn on a toaster with an iPhone is personal data? Let’s therefore define personal data by reference to the impact that information about someone may have on that individual.

Consent – There is no point in playing around with the definition. Irrespective of whether we leave the word ‘explicit’ in it or not, everybody is going to interpret it in whichever way they want. Let’s focus instead on accepting that the role of consent as the essence of privacy is massively overrated. We as individuals simply cannot control every possible use of our information. Therefore, consent should have a limited role as a ground for processing, and be reserved for uses of data where the level of intrusion is potentially high and we may actually have a meaningful degree of control. Very few cases indeed.

International data transfers – Until now, UK controllers have been priviledged enough to operate under a regime which effectively allows them to carry out a risk-based assessment of the appropriate measures to protect data internationally. Whilst this may have been possible under the Directive, no matter how hard the UK Government may try to preserve this approach, this is unlikely to continue to be an option under the Regulation – particularly in the current post-Snowden climate. A more palatable alternative across Member States would be to allow data flows on the basis of agreements between parties within and outside the EU but without the need for specific authorisation by national regulators. Hardly an earth shattering move, but one that would help minimise useless paperwork.

One-stop-shop – This is one of the most promising features of the forthcoming law and possibly the flagship of the Commission’s proposals for a harmonised regime. Unfortunately and due to unhelpful political rivalries, we seem to have got ourselves into a mess of shared competences between national regulators – both individually and collectively. Isn’t it time to be brave and accept the leadership of an exclusively competent regulator who will at the same time endeavour to cooperate with their European counterparts? If so, let’s make it happen and also apply this concept to cases where the data controllership is outside Europe.

Some will see these suggestions as idealistic and some will see them as biased. In fact, they are simply meant to be effective.

This article was first published in Data Protection Law & Policy in November 2013.

German Federal Court: “send-to-a-friend” emails are SPAM

Posted on November 7th, 2013 by



In a recent decision of 12 September 2013 (court ref. I ZR 208/12), the German Federal Court of Justice ruled that e-mails sent via “send-to-a-friend” functionality on websites must be considered illegal spam email unless the recipient expressly consented to receive the email. According to the court, responsibility to obtain consent rests with the website service provider, not the user. The court further held that it is irrelevant that the act of sending was initiated by a user, since the indirect promotional nature of ‘send-to-a-friend’ e-mails falls  within the scope of German direct marketing regulation under Sec. 7 German Unfair Competition Act.

“Send-to-a-friend” functionality allows users to send an e-mail from the website to a third-party recipient linking to interesting content on the website.   In this particular case, the e-mail was sent through the mail server of the website provider and in the name of the website provider. As a consequence, the Federal Court ruled that the “send-to-a-friend” functionality must be considered illegal under German law.

The court emphasised illegality where the website provider appears as the sender of the recommendation email, as it is virtually impossible for the provider to meet the requirements for express consent under Sec. 7 Unfair Competition Act.  However, chances are that its reasoning would not have been different had the user been identified as the sender since the court predominantly focussed on the promotional intention of the website provider  in its ruling.    Further, if the user had appeared  as the sender, this could give rise to other claims under unfair competition law on the basis concealing   the identity of the advertiser in a promotional e-mail.

Under German Unfair Competition Law, the sending of commercial e-mails is subject to a strict and express consent requirement, usually following the so-called “double-opt-in” mechanic , i.e. the advertiser must not only obtain consent at the time of collecting the e-mail address, but  also ensure that the user who provided the e-mail address is the owner of the account by sending a confirmation email with a link for the user to click on to confirm his or her consent. In practice, these requirements seem will be very challenging to obtain for “send-to-a-friend” functionality.

Recommendations for marketers

Nevertheless, “send-to-a-friend” marketing remains a popular and powerful tool for advertisers, and this latest ruling is unlikely to diminish its popularity in the short term.  Website providers who wish to continue using “send-to-a-friend” marketing in Germany can mitigate risk by:

1.  Clearly disclosing to the user that he or she should only use the feature if they have sufficient reason to assume that the recipient consents to receive the recommendation email

2.  Identifying the user as the sender of the e-mail, not the website.

3.  Not sending “send-to-a-friend” e-mails to individuals who have previously opted out of receiving marketing communications from the provider.  An opt-out link should also be included in every “send-to-a-friend” e-mail.

4.   Capping the number of messages a user is allowed to send and not incentivising sending by, for example, offering additional competition entries for each e-mail sent (currently common in many prize draw mechanics) .

However, while taking the above measures will limit enforcement risks on a practical level, from a purely legal point of view  it seems that exposure can only be fully avoided by removing “send-to-a-friend” features from websites.  Whether or not this spells the end of “send-to-a-friend” functionality in Germany in the longer term will depend on the level and significance of any enforcement activity by individuals, competitors and/or consumer protection associations  following the court’s ruling.

Getting cookie consent throughout the EU – latest Working Party guidance

Posted on October 19th, 2013 by



Thinking back to the early days when Europe’s controversial “cookie consent” law first passed, many in the privacy community complained about lack of guidance on obtaining consent.  The law required them to get consent, but didn’t say how.

In response to this, legislators and regulators – at both an EU and a national level – responded that consent solutions should be market-led.  The thinking went that the online industry was better placed to innovate creative and unobtrusive ways to get consent than lawyers, regulators and legislative draftsmen.

As it transpired, this is precisely what happened.  In the four years since Europe adopted cookie consent, online operators have now evolved and embraced implied consent models across the EU to obtain their visitors’ consent to cookies.  However, this is not where the story ends.

In an opinion last week, the Article 29 Working Party published further guidance on obtaining cookie consent (“Working Document 02/2013 providing guidance on obtaining consent for cookies” – available here).   This supplements several previous opinions that, directly or indirectly, also address cookie consent requirements (see here, and here, and here, and here, for example).

The rationale behind the latest opinion, on the face of it, is to address the question: “what [cookie consent] implementation would be legally compliant for a website that operates across all EU Member States?”  But in answering this question, the guidance veers towards a level of conservatism that all but ensures it will never see widespread – let alone pan-European – adoption.

It doesn’t start off well: in discussing how a user can signify choice over whether or not to receive cookies, the guidance at one point states: “it could include a handwritten signature affixed at the bottom of a paper form“.

It then goes on to say that “consent has to be given before the processing starts … As a result a website should deliver a consent solution in which no cookies are set to user’s device … before that user has signalled their wishes regarding such cookies.”  In other words, the guidance indicates the need for a pop-up or a barrier page for users to click through before cookies can be set, harking back to the worst fears of industry at the time the cookie consent law was originally proposed.

When we’re talking about a fundamental human right, like privacy, the attraction of prior consent is obvious.  Unfortunately, it’s practically and technically very challenging.  However easy it sounds in theory (and it does sound easy, doesn’t it?), the realities are much more problematic.  For example, do you really require website operators to build two versions of their websites: one with cookies, and one without?  What happens to ‘free’ content on the web whose cost is subsidised by targeted advertising currently – who wants to return to a subscription-funded Internet?  If you’re a third party service provider, how do you guarantee prior consent when it is your customer (the website operator) who has the relationship with its visitors?

More importantly, prior consent is not what the e-Privacy Directive requires.  The word ‘prior’ never appears in the revised Article 5(3) of the e-Privacy Directive (the Article that imposes the consent requirement).  In fact, the word ‘prior’ was originally proposed, but was later dropped during the course of legislative passage.  Contrast this with Article 6(3), for example, which deals with processing of communications metadata (think PRISM) and DOES call for ‘prior’ consent.  Article 13 on unsolicited communications also uses the word ‘prior’ next to its requirement for consent.

What conclusions should we draw from this?  That’s a debate that lawyers, like me, have been having for a long time.  But, frankly, it’s all pretty academic.  Let’s deal instead in realities: if we were to be faced with cookie pop-ups or barrier pages on entry to EVERY website on the Internet, how quickly would we would become fatigued and simply click away the notices just to get rid of them?  What would that say about the validity of any ‘prior’ consents we provide?

Industry evolved implied consent as a solution that struck a balance between protecting individuals’ rights, addressing legal compliance and enabling online business.  Over time, it has done wonders to improve online tracking transparency and choice – implied consent has now become so widespread in the EU that even companies for whom cookies are their lifeblood, like Google, have implemented cookie consent transparency and choice mechanisms.

Critically, when done right, implied consent models fully satisfy the legal requirement that users’ consent must be “freely given, specific and informed”.  So here’s my suggestion: if you are looking to implement a cookie consent solution across Europe, don’t automatically jump to the most conservative standard that will put you out of alignment with your competitors and that, in most cases, will go further than national legislation requires.

Consider, instead, implied consent – but, if you do, embrace it properly:  a slight revision to your privacy policy and a new link to a cookie policy in the footer of your website won’t suffice.  Your implied consent model needs to provide prominent, meaningful notice and choice to visitors.  And to see how to do that, see our earlier post here.

A Brave New World Demands Brave New Thinking

Posted on June 3rd, 2013 by



Much has been said in the past few weeks and months about Google Glass, Google’s latest innovation that will see it shortly launch Internet-connected glasses with a small computer display in the corner of one lens that is visible to, and voice-controlled by, the wearer. The proposed launch capabilities of the device itself are—in pure computing terms—actually relatively modest: the ability to search the web, bring up maps, take photographs and video and share to social media.

So far, so iPhone.

But, because users wear and interact with Google Glass wherever they go, they will have a depth of relationship with their device that far exceeds any previous relationship between man and computer. Then throw in the likely short- to mid-term evolution of the device—augmented reality, facial recognition—and it becomes easy to see why Google Glass is so widely heralded as The Next Big Thing.

Of course, with an always-on, always-worn and always-connected, photo-snapping, video-recording, social media-sharing device, the privacy issues are a-plenty, ranging from the potential for crowd-sourced law enforcement surveillance to the more mundane forgetting-to-remove-Google-Glass-when-visiting-the-men’s-room scenario. These concerns have seen a very heated debate play out across the press, on TV and, of course, on blogs and social media.

But to focus the privacy debate just on Google Glass really misses the point. Google Glass is the headline-grabber, but in reality it’s just the tip of the iceberg when it comes to the wearable computing products that will increasingly be hitting the market over the coming years. Pens, watches, glasses (Baidu is launching its own smart glasses too), shoes, whatever else you care to think of—will soon all be Internet-connected. And it doesn’t stop at wearable computing either; think about Internet-connected home appliances: We can already get Internet-connected TVs, game consoles, radios, alarm clocks, energy meters, coffee machines, home safety cameras, baby alarms and cars. Follow this trend and, pretty soon, every home appliance and personal accessory will be Internet-connected.

All of these connected devices—this “Internet of Things”—collect an enormous volume of information about us, and in general, as consumers we want them: They simplify, organize and enhance our lives. But, as a privacy community, our instinct is to recoil at the idea of a growing pool of networked devices that collect more and more information about us, even if their purpose is ultimately to provide services we want.

The consequence of this tends to be a knee-jerk insistence on ever-strengthened consent requirements and standards: Surely the only way we can justify such a vast collection of personal information, used to build incredibly intricate profiles of our interests, relationships and behaviors, is to predicate collection on our explicit consent. That has to be right, doesn’t it?

The short answer to this is “no”—though not, as you might think, for the traditionally given reasons that users don’t like consent pop-ups or that difficulties arise when users refuse, condition or withdraw their consents. 

Instead, it’s simply that explicit consent is lazy. Sure, in some circumstances it may be warranted, but to look to explicit consent as some kind of data collection panacea will drive poor compliance that delivers little real protection for individuals.

Why? 

Because when you build compliance around explicit consent notices, it’s inevitable that those notices will become longer, all-inclusive, heavily caveated and designed to guard against risk. Consent notices become seen as a legal issue, not a design issue, inhibiting the adoption of Privacy by Design development so that—rather than enhancing user transparency, they have the opposite effect. Instead, designers build products with little thought to privacy, safe in the knowledge that they can simply ‘bolt on’ a detailed consent notice as a ‘take it or leave it’ proposition on installation or first use, just like terms of service are now. And, as technology becomes ever more complicated, so it becomes ever more likely that consumers won’t really understand what it is they’re consenting to anyway, no matter how well it’s explained. It’s also a safe bet that users will simply ignore any notice that stands between them and the service they want to receive. If you don’t believe me, then look at cookie consent as a case in point.

Instead, it’s incumbent upon us as privacy professionals to think up a better solution. One that strikes a balance between the legitimate expectations of the individual with regard to his or her privacy and the legitimate interests of the business with regard to its need to collect and use data. One that enables the business to deliver innovative new products and services to consumers in a way that demonstrates respect for their data and engenders their trust and which does not result in lazy, consent-driven compliance. One that encourages controllers to build privacy functionality into their products from the very outset, not address it as an afterthought.

Maybe what we need is a concept of an online “personal space.”

In the physical world, whether through the rules of social etiquette, an individual’s body language or some other indicator, we implicitly understand that there is an invisible boundary we must respect when standing in close physical proximity to another person. A similar concept could be conceived for the online world—ironically, Big Data profiles could help here. Or maybe it’s as simple as promoting a concept of “surprise minimization” as proposed by the California attorney general in her guidance on mobile privacy—the concept that, through Privacy by Design methodologies, you avoid surprising individuals by collecting data from or about them that, in the given context, they would not expect or want.

Whatever the solution is, we’re entering a brave new world; it demands some brave new thinking.

This post first published on the IAPP Privacy Perspectives here.

Implied consent getting ever closer in the Netherlands

Posted on May 25th, 2013 by



On 20 May 2013, Dutch Minister Kamp (Minister for Economic Affairs) presented a bill to amend Article 11.7a of the Dutch Telecommunications Act (‘the cookie law’). Once it passes into law the bill will, among other things, allow website operators to rely on visitors’ implied consent to serve cookies and will also exempt analytics cookies from the consent requirement.

Why these changes are needed

In February this year the Dutch government concluded that the cookie law had overshot its intended objective. The current cookie law require website owners to obtain visitors’ opt-in consent to virtually all types of cookies, except those which are strictly necessary. This led to widespread adoption of opt-in consent barriers and pop-up screens which, the Government accepts, is undesirable from both a consumer and business standpoint.

The Government believes the problem with the current law is that it applies equally to all cookies, even those with little privacy impact. Because of this, it proposes that the scope of the consent exemptions should expand to include more types of cookies.

New exemptions: analytics cookies, affiliate cookies and a/b-testing cookies

Currently, a website operator does not have to obtain consent if cookies are strictly necessary to provide a visitor-requested service. Once the bill enters into effect, a further category of cookies will be exempted from the consent requirement – those which are “absolutely necessary […] to obtain information about the quality and effectiveness of an information society service provided  – provided that this has no or little consequences for the privacy of the user.

First-party and third-party analytics cookies, affiliate referral cookies and a/b testing cookies all seem likely to fall within the scope of this new exemption.  However, to ensure that these cookies qualify as having “no or little consequences for the privacy of the user”:

  • the data collected by these cookies must not be used to make a profile of the visitor (e.g. for targeting purposes); and
  • if the website operator shares cookie data with a third party (e.g. an analytics service provider), it must conclude an agreement with the third party that either requires the third party not to use the data for its own purposes or, alternatively, only for defined purposes that have no or little effect on visitors’ privacy.

Implied Consent

For other types of cookies (in particular, targeted advertising cookies), the consent requirements of the cookie law apply in full.  However, the explanatory memorandum to the bill discusses the interpretation of ‘consent’ in great detail and advocates the legal validity of implied consent solutions.

In particular, it advocates that implied consent may be legally derived from the behavior of the visitor of a website – for example, in the case where a visitor is presented with a clear notice about the website’s use of cookies and given options to control those cookies but continues to browse the website.  This is at odds with previous regulatory opinions of the ACM (formerly the OPTA, the relevant regulator for these purposes) which said that implied consent would not constitute valid consent.

Although Dutch recognition of implied consent has been anticipated for a while (see here), this is a critical development for online businesses in the Netherlands.  Once the bill enters into force, website operators will be able to replace their current explicit consent barriers and pop-ups with more user-friendly implied consent banners indicating that continued use of the website without changing cookie settings will constitute consent.

All in all, the bill is a major step towards a more pragmatic implementation of the cookie law. With these changes, Dutch law will better balance the privacy interests of website visitors with online businesses’ legitimate data collection activities.

When will the bill enter into force?

The bill is open for public consultation until 1 July 2013, and the Minister must also consult the Council of State and the Dutch Data Protection Authority. On the basis of the consultation responses, the minister may then decide to amend the bill or submit it to Parliament as currently drafted. Parliamentary discussion can be completed within a few months, but may potentially take up to a year. However, given the current momentum behind adopting a more pragmatic cookie regime in the Netherlands, it is anticipated that the overall process will be toward the shorter end of this timescale.

With thanks to our friends Nicole Wolters Ruckert and Maarten Goudsmit, Privacy Attorneys at Kennedy Van der Laan, for this update. 

 

Cookie consent update – implied consent now widespread

Posted on May 15th, 2013 by



Our latest EU cookie consent tracking table has just been published here.

Latest regional developments:

Our latest table reveals:

* ‘Implied consent’ is currently a valid solution for cookie compliance in nearly three-quarters of EEA Member States.

* Since our last update, cookie consent implementations have been introduced in Norway and Poland.

* Ongoing cookie regulatory developments in Denmark, the Netherlands, Slovenia and Spain.

Other notable developments

Aside from the regional developments shown in our table, other notable developments include:

* Growing recognition that cookie consent is every bit as relevant in mobile platforms as in desktop platforms – see, for example, the Working Party’s latest opinion on mobile apps (here).

* Major online players like Facebook and Google are adopting notice and choice solutions, likely driving wider industry compliance efforts (see here).

* Consumer protection and advertising regulatory bodies like the OFT and ASA are increasingly showing interest in online tracking and notice/choice issues (see here and here).

* Increasing co-operation between global DPAs on online privacy compliance issues (see here).

All in all, online privacy compliance continues to attract ever greater attention, both within data protection circles and from the wider regulatory environment.  As this issue continue to run and run, the picture emerging is that implied consent is the clear compliance front-runner – both from a regulatory and also from a market-adoption perspective.

Poland and cookies – what’s the story?

Posted on April 22nd, 2013 by



Last month Poland joined the club of EU Member States to implement Europe’s consent requirement for cookies set on users’  devices.  Rumoured to be one of the Member States contemplating strict opt-in, all eyes were watching to see how exactly it would implement the cookie consent rule.

Cookie rules

Poland’s cookie consent law entered into force only on 25 March 2013 and seemingly introduced an opt-in requirement before setting cookies - with potential fines of up to 3% of revenue for website operators in breach.

Specifically, the new law imposes an obligation to inform users in advance, in a clear, unambiguous and easily understandable manner about:

1)      The fact that cookies are being placed on their devices;

2)      The purposes for which cookies are used;

3)      The user’s right to access information about them; and

4)      The ability to accept or refuse the cookie.

Like most Member States, consent is not needed for strictly necessary cookies.

So does Poland really require opt-in?

During the legislative work on the amendment various approaches to valid consent form were proposed: implied, written and even signified through  a  simple “I accept” button. In the end, Article 173 (2) of the amended Telecommunication Law says that:

The subscriber or end user can express consent (…) by means of settings of a software installed on the telecommunication device they are using or through settings of the service

The two main regulator’s websites in Poland have both adopted an implied cookie consent banner approach and even the Polish Ministry of Administration and Digitization (Ministerstwo Administracji i Cyfracji)  has indicated it supports consent obtained through browser settings.  It is unclear whether this would extend to default browser settings.

What does this mean?

For businesses still building out their cookie consent strategy for the EU, this is good news: Poland was one of a couple of  ‘outlier’ states threatening to adopt strict opt-in consent for cookies.  Had it adopted strict opt-in as the standard for consent, businesses operating on a pan-EU basis would have had to implement a different consent solution for Poland than for other, more relaxed EU territories where they could instead rely on implied consent.

In the end, this hasn’t happened and the other key outlier territory, the Netherlands, also looks set to acknowledge the validity of implied consent in the very near future.  When the cookie consent rule first came into effect in Europe back in 2011, nobody knew what a robust but pragmatic cookie consent solution would look like; now, two years on, both business and regulators alike are increasingly settling on implied consent as the answer.

If Google cares about cookie consent, so should you.

Posted on April 16th, 2013 by



Over the weekend, Google made a subtle – but significant – modification to its online search service in the EU: nearly two years after Europe’s deadline for EU Member States to adopt national cookie consent laws, Google rolled out a cookie consent banner on its EU search sites.

If you’re a visitor from the US, you may have missed it: the banner shows only if you visit Google sites from within the EU. However, EU visitors will clearly see Google’s consent banner placed at the bottom of its main search page and at the top of subsequent search results. As well as informing visitors that “By using our services, you agree to our use of cookies“, the banner provides a “Learn more” link that visitors can click on to watch a video about Google’s cookie use and to see disclosures about the cookies it serves.

This development alone would be significant. But taken together with Facebook’s recent announcement it will deploy the AdChoices icon (another implied consent solution for targeted adverts) on ads served through its FBX exchange, the implications become huge for the following reasons:

* CPOs will find selling cookie consent adoption much easier now. Selling the need to implement cookie consent to the business has always been a challenge. The thinking among marketing, analytics and web operations teams has always been that cookie consent is expensive to implement, time consuming to maintain, and disruptive to the user experience and data collection practices. Other than the occasional penned letter by regulators there’s been no “real” enforcement to date and, with patchy market adoption of cookie consent, many businesses have performed a simple cost / benefit analysis and chosen inaction over compliance. But when two of the Internet’s most heavily scrutinised businesses actively engage with cookie consent, they clearly think it’s an issue worth caring about – and that means it’s an issue YOU need to care about too. The “Google does it” argument is a powerful tool to persuade the business it needs to re-think its strategy and adopt a cookie consent solution.

* Regulatory enforcement just got easier. Rightly or wrongly, a perceived challenge for regulators wanting to enforce non-compliance has been that, before taking measures against the general publisher and advertiser population, they need first to address the behaviours of the major Internet players. While never overtly acknowledged, the underlying concern has been that any business pursued for not adopting a cookie banner would cry “What about them?”, immediately presenting regulators with a challenge: do they continue to pursue that business and risk public criticism for overlooking the bigger fish, or do they pursue the bigger fish and risk getting drawn into expensive, resource-draining legal battles with them? The result to date has been regulatory stalemate, but these developments could unlock this perceived barrier. While it’s not the case that they will result in a sudden flurry of enforcement activity overnight, they are one of many factors that could start to tip the scales towards some form of meaningful enforcement in future.

* Implied consent IS the accepted market standard. When the cookie consent law was first proposed, there were huge concerns that we would be set upon by an avalanche of consent pop-up windows every time we logged online. Whizz forward a few years, and thankfully this hasn’t happened, whatever regulatory preferences may exist for cookie opt-ins. Instead, over time, we’ve seen Member States and – perhaps more importantly – the market grow more and more accepting of implied consent solutions. Adoption by major players like Facebook and Google lend significant credibility to implied consent and smaller businesses will undoubtedly turn to the approaches used by these major players when seeking their own compliance inspiration. Implied consent has become the de facto market standard and seems set to remain that way for the foreseeable future. Businesses delaying compliance adoption due to concerns about the evolution of consent requirements in the EU now have the certainty they need to act.

This post first appeared in the IAPP’s Privacy Perspectives blog, available here.

The familiar perils of the mobile ecosystem

Posted on March 18th, 2013 by



I had not heard the word ‘ecosystem’ since school biology lessons.  But all of a sudden, someone at a networking event dropped the ‘e’ word and these days, no discussion about mobile communications takes place without the word ‘ecosystem’ being uttered in almost every sentence.   An ecosystem is normally defined as a community of living things helping each other out (some more willingly than others) in a relatively contained environment.  The point of an ecosystem is that completely different organisms – each with different purposes and priorities – are able to co-exist in a more or less harmonious but eclectic way.  The parallel between that description and what is happening in the mobile space is evident.  Mobile communications have evolved around us to adopt a life of their own and separate from traditional desktop based computing and web browsing.  Through the interaction of very different players, our experience of communications on the go via smart devices has become an intrinsic part of our everyday lives. 

Mobile apps in particular have penetrated our devices and lifestyles in the most natural of ways.  Studies show that apparently an average smartphone user downloads 37 apps.  The fact that the term ‘app’ was listed as Word of the Year in 2010 by the American Dialect Society is quite telling.  Originally conceived to provide practical functions like calendars, calculators and ring tones, mobile apps bring us anything that can be digitised and has a role to play in our lives.  In other words, our use of technology has never been as close and personal.  Our mobile devices are an extension of ourselves and mobile apps are an accurate tool to record our every move (in some cases, literally!).  As a result, the way in which we use mobile devices tells a very accurate story of who we are, what we do and what we are about.  Conspiracy theories aside, it is a fact that smartphones are the perfect surveillance device and most of us don’t even know it!

Policy makers and regulators throughout the world are quickly becoming very sensitive to the privacy risks of mobile apps.  Enforcement is the loudest mechanism to show that nervousness but the proliferation of guidance around compliance with the law in relation to the development, provision and operation of apps has been a clear sign of the level of concern.  Regulators in Canada, the USA and more recently in Europe have voiced sombre concerns about such risks.  The close and intimate relationship between the (almost always on) devices and their users is widely seen as an aggravating factor of the potential for snooping, data collection and profiling.  Canadian regulators are particularly concerned about the seeming lightning speed of the app development cycle and the ability to reach hundreds of thousands of users within a very short period of time.  Another generally shared concern is the fragmentation between the many players in the mobile ecosystem – telcos, handset manufacturers, operating system providers, app stores, app developers, app operators and of course anybody else who wants a piece of the rich mobile cake – and the complexity that this adds to it.

All of that appears to compromise undisputed traditional principles of privacy and data protection: transparency, individuals’ control over their data and purpose limitation.  It is easy to see why that is the case.  How can we even attempt to understand – let alone control – all of the ways in which the information generated by our non-stop use of apps may potentially be used when all such uses are not yet known, the communication device is undersized and our eagerness to start using the app acts as a blindfold?  No matter how well intended the regulators’ guidance may be, it is always going to be a tall order to follow, particularly when the expectations of those regulators in terms of the quality of the notice and consent are understandably high.  In addition, the bulk of the guidance has been targeted at app developers, a key but in many cases insignificant player in the whole ecosystem.  Why is the enthusiastic but humble app developer the focus of the compliance guidelines when some of the other parties – led by the operator of the app, which is probably the most visible party to the user – play a much greater role in determining which data will be used and by whom?

Thanks to their ubiquity, physical proximity to the user and personal nature, mobile communications and apps pose a massive regulatory challenge to those who make and interpret privacy rules, and an even harder compliance conundrum to those who have to observe them.  That is obviously not a reason to give up and efforts must be made by anyone who plays a part to contribute to the solution.  People are entitled to use mobile technology in a private, productive and safe way.  But we must acknowledge that this new ecosystem is so complex that granting people full control of the data generated by such use is unlikely to be viable.  As with any other rapidly evolving technology, the privacy perils are genuine but attention must be given to all players and, more importantly, to any mechanisms that allow us to distinguish between legitimate and inappropriate uses of data.  Compliance with data protection in relation to apps should be about giving people what they want whilst avoiding what they would not want.

This article was first published in Data Protection Law & Policy in March 2013.