Archive for the ‘Targeted advertising’ Category

Cookie consent update – implied consent now widespread

Posted on May 15th, 2013 by Phil Lee

Our latest EU cookie consent tracking table has just been published here.

Latest regional developments:

Our latest table reveals:

* ‘Implied consent’ is currently a valid solution for cookie compliance in nearly three-quarters of EEA Member States.

* Since our last update, cookie consent implementations have been introduced in Norway and Poland.

* Ongoing cookie regulatory developments in Denmark, the Netherlands, Slovenia and Spain.

Other notable developments

Aside from the regional developments shown in our table, other notable developments include:

* Growing recognition that cookie consent is every bit as relevant in mobile platforms as in desktop platforms – see, for example, the Working Party’s latest opinion on mobile apps (here).

* Major online players like Facebook and Google are adopting notice and choice solutions, likely driving wider industry compliance efforts (see here).

* Consumer protection and advertising regulatory bodies like the OFT and ASA are increasingly showing interest in online tracking and notice/choice issues (see here and here).

* Increasing co-operation between global DPAs on online privacy compliance issues (see here).

All in all, online privacy compliance continues to attract ever greater attention, both within data protection circles and from the wider regulatory environment. As this issue continues to run and run, the picture emerging is that implied consent is the clear compliance front-runner – both from a regulatory and also from a market-adoption perspective.

If Google cares about cookie consent, so should you.

Posted on April 16th, 2013 by Phil Lee

Over the weekend, Google made a subtle – but significant – modification to its online search service in the EU: nearly two years after Europe’s deadline for EU Member States to adopt national cookie consent laws, Google rolled out a cookie consent banner on its EU search sites.

If you’re a visitor from the US, you may have missed it: the banner shows only if you visit Google sites from within the EU. However, EU visitors will clearly see Google’s consent banner placed at the bottom of its main search page and at the top of subsequent search results. As well as informing visitors that “By using our services, you agree to our use of cookies”, the banner provides a “Learn more” link that visitors can click on to watch a video about Google’s cookie use and to see disclosures about the cookies it serves.

This development alone would be significant. But taken together with Facebook’s recent announcement that it will deploy the AdChoices icon (another implied consent solution for targeted adverts) on ads served through its FBX exchange, the implications become huge for the following reasons:

* CPOs will find selling cookie consent adoption much easier now. Selling the need to implement cookie consent to the business has always been a challenge. The thinking among marketing, analytics and web operations teams has always been that cookie consent is expensive to implement, time consuming to maintain, and disruptive to the user experience and data collection practices. Other than the occasional penned letter by regulators there’s been no “real” enforcement to date and, with patchy market adoption of cookie consent, many businesses have performed a simple cost / benefit analysis and chosen inaction over compliance. But when two of the Internet’s most heavily scrutinised businesses actively engage with cookie consent, they clearly think it’s an issue worth caring about – and that means it’s an issue YOU need to care about too. The “Google does it” argument is a powerful tool to persuade the business it needs to re-think its strategy and adopt a cookie consent solution.

* Regulatory enforcement just got easier. Rightly or wrongly, a perceived challenge for regulators wanting to enforce against non-compliance has been that, before taking measures against the general publisher and advertiser population, they need first to address the behaviours of the major Internet players. While never overtly acknowledged, the underlying concern has been that any business pursued for not adopting a cookie banner would cry “What about them?”, immediately presenting regulators with a challenge: do they continue to pursue that business and risk public criticism for overlooking the bigger fish, or do they pursue the bigger fish and risk getting drawn into expensive, resource-draining legal battles with them? The result to date has been regulatory stalemate, but these developments could unlock this perceived barrier. While it’s not the case that they will result in a sudden flurry of enforcement activity overnight, they are one of many factors that could start to tip the scales towards some form of meaningful enforcement in future.

* Implied consent IS the accepted market standard. When the cookie consent law was first proposed, there were huge concerns that we would be set upon by an avalanche of consent pop-up windows every time we logged online. Whizz forward a few years, and thankfully this hasn’t happened, whatever regulatory preferences may exist for cookie opt-ins. Instead, over time, we’ve seen Member States and – perhaps more importantly – the market grow more and more accepting of implied consent solutions. Adoption by major players like Facebook and Google lends significant credibility to implied consent, and smaller businesses will undoubtedly turn to the approaches used by these major players when seeking their own compliance inspiration. Implied consent has become the de facto market standard and seems set to remain that way for the foreseeable future. Businesses delaying compliance adoption due to concerns about the evolution of consent requirements in the EU now have the certainty they need to act.

This post first appeared in the IAPP’s Privacy Perspectives blog, available here.

Europe continues to embrace cookie consent

Posted on February 5th, 2013 by Phil Lee

We’ve just published an updated table of European cookie consent requirements (available here), which makes clear that Member State adoption of local cookie consent laws continues to spread.

Our latest update reveals that:

* 24 out of 30 EEA Member States have now adopted national cookie consent rules.

* Since our last update, Poland, Portugal and Slovenia have adopted new local laws governing cookie consent.

* There are ongoing regulatory developments with regard to cookie consent guidance and enforcement in Denmark, Italy, Ireland and the UK.

With cookie consent rules now adopted across nearly all European territories, online businesses operating without a notice and consent strategy face real exposure that they need to address and resolve promptly. And given the recent news of the first ever group privacy claim in the UK relating to cookies, non-compliance risk is rising from “simmering” to “boiling”!

Big Data at risk

Posted on February 1st, 2013 by Eduardo Ustaran

“The amount of data in our world has been exploding, and analysing large data sets — so-called Big Data — will become a key basis of competition, underpinning new waves of productivity growth, innovation and consumer surplus”.  Not my words, but those of the McKinsey Global Institute (the business and economics research arm of McKinsey) in a report that evidences like no other the value of data for future economic growth.  However, that value will be seriously at risk if the European Parliament accepts the proposal for a pan-European Regulation currently on the table.

Following the publication by the European Commission last year of a proposal for a General Data Protection Regulation aimed at replacing the current national data protection laws across the EU, Jan Philipp Albrecht (Rapporteur for the LIBE Committee, which is leading the European Parliament’s position on this matter) published his proposed revised draft Regulation at the beginning of 2013.

Albrecht’s proposal introduces a wide definition of ‘profiling’, which was covered by the Commission’s proposal but not defined. Profiling is defined in Albrecht’s proposal as “any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour”.

Neither the Commission’s original proposal nor Albrecht’s proposal define “automated processing”.  However, the case law of the European Court of Justice suggests that processing of personal data by automated means (or automated processing) should be understood by contrast with manual processing.   In other words, automated processing is processing carried out by using computers whilst manual processing is processing carried out manually or on paper.  Therefore, the logical conclusion is that the collection of information via the Internet or from transactional records and the placing of that information onto a database — which is the essence of Big Data — will constitute automated processing for the purposes of the definition of profiling in Albrecht’s proposal.

If we add to that the fact that, in a commercial context, all that data will typically be used first to analyse people’s technological comings and goings, and then to make decisions based on perceived preferences and expected behaviours, it is obvious that most activities involving Big Data will fall within the definition of profiling.

The legal threat is therefore very clear given that, under Albrecht’s proposal, any data processing activities that qualify as ‘profiling’ will be unlawful by default unless those activities are:

* necessary for entering into or performing a contract at the request of the individual – bearing in mind that “contractual necessity” is very strictly interpreted by the EU data protection authorities, to the point that if the processing is not strictly necessary from the point of view of the individuals themselves, it will not be regarded as necessary;

* expressly authorised by EU or Member State law – which means that a statutory provision has to specifically allow such activities; or

* carried out with the individual’s consent – which must be specific, informed, explicit and freely given, taking into account that under Albrecht’s proposal, consent is not valid where the data controller is in a dominant market position or where the provision of a service is made conditional on the permission to use someone’s data.

In addition, there is a blanket prohibition on profiling activities involving sensitive personal data, discriminatory activities or children’s data.

So the outlook is simple: either the European Parliament figures out how to regulate profiling activities in a more balanced way or Big Data will become No Data.


What will happen once the ASA starts to regulate Online Behavioural Advertising?

Posted on December 11th, 2012 by Phil Lee

Early next year, the UK Advertising Standards Authority (“ASA”) will start regulating Online Behavioural Advertising (“OBA”) in the UK – meaning that online advertisers who serve targeted ads to website visitors will have to worry not only about the risk of cookie consent enforcement by the ICO, but also the risk of investigation and public admonishment by the ASA. A regulatory double-jeopardy, if you will.

This is a consequence of recent changes to the “UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing” (“CAP Code”) that will come into effect on 4 February 2013. In effect, the CAP Code changes are designed to implement the earlier European Advertising Standards Alliance “Best Practice Recommendation on Online Behavioural Advertising” published in April 2011 – which, you may recall, the Article 29 Working Party wasn’t exactly excited about.

Anyone who’s read the EASA recommendation won’t be surprised by the CAP Code’s proposals – that website visitors must be given notice and choice, with advertisers encouraged to display a small icon licensed by the European Interactive Digital Advertising Alliance (or eDAA) alongside the adverts they serve by way of achieving this goal.  Nor will they be surprised by the ‘gaps’ in the CAP Code, most notably that it doesn’t apply to first party tracking by a publisher across its own website domains.

But what are the real consequences of the ASA wading into the murky waters of OBA regulation?   Broadly speaking, they can be boiled down to the following:

1. Cookie regulation is not going to go away. The revised CAP Code is simply implementing recommendations already published at a European level by the European Advertising Standards Alliance. When it published its recommendations, EASA set an ambitious – and, as it turned out, unrealistic – goal of ensuring “at least 70% of its EU SROs [national advertising self-regulatory organisations] have implemented the BPR [best practice recommendation] within a year (i.e. by the end of April 2012)”. When the UK took the lead on implementing cookie consent rules and guidance, other EU member states quickly followed suit – so it seems a relatively safe bet here that a similar regulatory flurry will follow now among EU advertising regulators. This means that the amount of national regulation governing online tracking will continue to grow, not decline – with all the disharmony that entails.

2. Confusion about what qualifies as lawful visitor tracking. Being based on the EASA best practice recommendation, the CAP Code promotes a notice and opt-out approach. That’s fine, but it’s not the law – which instead requires consent when serving tracking cookies. The Article 29 Working Party have already been vocal in expressing their view that the EASA recommendation is not sufficient for obtaining consent, and CAP even acknowledges likewise – the new rules say that they “are not designed to provide compliance with the law and companies should seek their own legal advice when working to comply with privacy and data protection legislation”. The net result? Yet more confusion about what standards, exactly, businesses are to apply when tracking online visitors. It seems an inevitability that many businesses will (mistakenly) assume that compliance with the CAP Code is, in itself, sufficient to comply with legal cookie consent requirements – risking exposure under local data protection laws.

3. Expansion in enforcement remit for the ASA. The new rules regulating website tracking for targeted advertising are interesting for another reason: they represent a significant expansion of the ASA’s enforcement remit beyond simply regulating the content of adverts into regulating the technology used to generate and deliver those adverts. The ASA’s remit already underwent a massive expansion in March 2011 when it grew beyond adverts in paid-for space to also include marketers’ own websites and communications on social networks, amid concerns over the ASA’s resourcing to effectively regulate these spaces. That expanded remit could at least be characterised in terms of the ASA doing ‘more of the same’ online; this time around, however, its further expanded remit will require it to develop technological knowledge and skillsets it may not currently possess – raising questions over how consistent and effective its enforcement will be.

4. Prepare for real enforcement. Historically, the ASA has generally proven itself a better resourced and more active regulator than the ICO, having forced changes to or the withdrawal of some 4,591 ads in 2011 from a total of nearly 32,000 complaints. While it doesn’t have the ability to fine, ASA investigations are costly, time-consuming and can result in embarrassing adjudications that are made publicly available and widely reported by the press. The ASA is also a more familiar regulatory “brand” to many consumers who may more instinctively complain to the ASA than the ICO with concerns about targeted ads. Long story short, there’s a good chance the ASA may well prove a more active regulator of targeted advertising than the ICO once the new rules come into effect.

So what does all this mean?  Ultimately, that online visitor tracking will remain high on the regulatory agenda for some time to come and, while it does so, the likelihood of some manner of regulatory enforcement grows all the time.  What form that enforcement will take – whether by a data protection authority, an advertising standards authority, or a consumer protection body, and whether in the UK, rest of Europe or even by a country outside the EU – remains to be seen. 

All that can be said with certainty is that businesses that aren’t already thinking about their visitor transparency, choice and education strategies for their website tracking need to get their act together and do so – now!

Consent revisited

Posted on October 4th, 2012 by Eduardo Ustaran

If there was a prize for the most controversial provision in the draft EU Data Protection Regulation, it would probably be won by the article dealing with consent. From Member States’ governments to European Parliament’s committees, everyone seems to have a very strong opinion about that article. A number of European governments have already used their representation on the Council of the EU to criticise the legal uncertainty created by the draft provision. The level of disagreement with the Commission’s proposal is perhaps not surprising given the elevated and rather emotional role that consent has in privacy matters and the potentially catastrophic consequences of setting the bar for valid consent either too low or too high. But the point is that once again, the issue of individuals’ consent is proving to be an uneasy one, to say the least.

This controversy is not driven by a purely academic interest about what may or may not happen in a few years’ time when the Regulation is adopted. Consent is a legal basis for collecting and exploiting personal information today, and in some cases there is little or no option other than to get people’s permission to use their data. Without a doubt, the most vibrant and present legal dilemma regarding what qualifies as consent is taking place in the context of cookies and anything else that amounts to storing or accessing information stored on someone’s device. If it wasn’t for the innate human difficulty in establishing what kind of conduct may amount to consent, it would be odd to think that after more than 3 years of heated debate about the cookie consent rule, we are still nowhere near finding a solution that everyone is happy with.

Some attempts to find a middle ground between a rock-solid, unflappably demonstrable opt-in consent and the mere assumption that anything goes when people surf the net have been made in recent times, but many of the approaches adopted by European websites fall short of the necessary standards. So how can consent be obtained on the Internet other than by ticking a box? Is the concept of implied consent – so commonly used and relied upon in our ordinary comings and goings in the offline world – a workable way forward online? There isn’t a reason why it shouldn’t be, but to achieve a reasonable degree of legal certainty, some minimum conditions ought to be met; otherwise, we will be back to the assumption that unless someone makes a big deal of it, anything goes when you go online.

One could probably write a long academic article about this, but at a practical level it is possible to distil the conditions for valid implied consent into four ‘must have’ elements:

* Deploying a visible and prominent cookie notice – For someone to be in a position to have a say on anything, they really need to know what’s going on. So in the context of websites, that means that visitors must be presented with some kind of sufficiently clear and ‘in your face’ notice, so that it is obvious to the average user what is happening. That way, a visitor’s indication of wishes is impliedly given when they see the cookie notice, understand its meaning and rely on the functionality available to make their cookie choices.

* Identifying the specific conduct that amounts to consent – Whether it is closing a box, opening a page, clicking on a link or continuing to use the site, the notice must spell out what specific action or conduct undertaken by a visitor will amount to consent to cookies being set or accessed. Otherwise, the website operator will never truly know whether the visitor accepts the use of cookies on their device. At the very least, if an assumption is being made that the visitor is happy to receive cookies, say so!

* Providing a mechanism for control and decision making – The flipside of agreeing to something is having the ability to object to it. Otherwise, there is no real choice. With cookies, a ‘take it or leave it’ approach is still a choice, but not a genuine one. Therefore, as part of the process of obtaining consent, website visitors should be able to make their choices freely and refuse the use of cookies (other than those that fall under the strictly necessary exemption) at any time and through simple means, even if it means that the site’s functionality is limited for the user as a result. In an ideal world, these controls need to be sufficiently granular to allow visitors to accept the types of cookies they are happy to receive and to refuse those they are not.

* Spelling out what cookies are for – Finally, clear and comprehensive information about the use of cookies through the site must be continuously and readily available to satisfy the transparency requirements under European data protection law. The law is not prescriptive about the way that this information should be provided, but it should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing cookies in their devices.
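The four elements above are a specification that a website’s cookie handling can be checked against. The following consent manager is an added example written for this page; it is not code from the article or from any vendor. It is plain JavaScript with no DOM dependency, so the same module can sit behind a banner in the browser or run under Node for testing. The cookie catalogue, category names and the two recognised consent actions (“clicked_accept” and “continued_browsing”) are constructed for the example.

```javascript
// Added example (not from the article): a minimal consent manager that
// enforces the four 'must have' elements of implied consent.
//  1. No non-essential cookie may be set before the notice has been shown.
//  2. Only an act the notice actually described can count as consent, and
//     the act is logged.
//  3. Choices are per category and can be withdrawn at any time.
//  4. Every cookie is declared with a purpose, so the "learn more" page can
//     list what each one is for; undeclared cookies are refused outright.

// Hypothetical cookie catalogue (constructed for the example).
const COOKIE_CATALOGUE = {
  session_id: { category: "necessary",   purpose: "Keeps you logged in during a visit" },
  _ga_like:   { category: "analytics",   purpose: "Aggregate page-view statistics" },
  ad_uid:     { category: "advertising", purpose: "Targets adverts across partner sites" },
};

const CATEGORIES = ["necessary", "analytics", "advertising"];

// Acts that a (hypothetical) notice tells the visitor will count as consent.
const RECOGNISED_ACTIONS = ["clicked_accept", "continued_browsing"];

class ConsentManager {
  constructor(catalogue = COOKIE_CATALOGUE) {
    this.catalogue = catalogue;
    this.noticeShown = false;
    // Strictly necessary cookies are exempt from consent; everything else
    // defaults to "not allowed" until the visitor decides.
    this.choices = { necessary: true };
    this.log = []; // audit trail of notice, consent and withdrawal events
  }

  // Element 1: the notice must be shown before consent can be implied.
  showNotice() {
    this.noticeShown = true;
    this.log.push({ event: "notice_shown" });
  }

  // Element 2: record the specific conduct that amounts to consent.
  // `granted` is a map of category -> boolean for the non-essential categories.
  recordConsent(action, granted) {
    if (!this.noticeShown) {
      throw new Error("consent cannot be implied before the notice is shown");
    }
    if (!RECOGNISED_ACTIONS.includes(action)) {
      throw new Error(`'${action}' is not an act the notice described`);
    }
    for (const cat of CATEGORIES) {
      if (cat === "necessary") continue;
      this.choices[cat] = Boolean(granted[cat]);
    }
    this.log.push({ event: "consent", action, choices: { ...this.choices } });
  }

  // Element 3: withdrawal, per category, at any time.
  withdraw(category) {
    if (category === "necessary") {
      throw new Error("strictly necessary cookies are not subject to consent");
    }
    this.choices[category] = false;
    this.log.push({ event: "withdraw", category });
  }

  // Gate every cookie write through the catalogue and the visitor's choices.
  canSetCookie(name) {
    const entry = this.catalogue[name];
    if (!entry) return false; // undeclared cookie: refuse rather than guess
    return this.choices[entry.category] === true;
  }

  // Element 4: the information a "learn more" page presents.
  describeCookies() {
    return Object.entries(this.catalogue).map(([name, e]) => ({
      name, category: e.category, purpose: e.purpose, allowed: this.canSetCookie(name),
    }));
  }
}

// Walk-through: a visitor accepts analytics but not advertising, then
// later withdraws analytics. Returns the gate decisions at each stage.
function demo() {
  const cm = new ConsentManager();
  const before = cm.canSetCookie("_ga_like");          // false: no notice yet
  cm.showNotice();
  cm.recordConsent("clicked_accept", { analytics: true, advertising: false });
  const afterAnalytics = cm.canSetCookie("_ga_like");  // true
  const afterAds = cm.canSetCookie("ad_uid");          // false
  cm.withdraw("analytics");
  const afterWithdraw = cm.canSetCookie("_ga_like");   // false
  const session = cm.canSetCookie("session_id");       // true: exempt
  return { before, afterAnalytics, afterAds, afterWithdraw, session, log: cm.log };
}
```

In a real deployment the banner code calls `showNotice()` when it renders, `recordConsent()` from the handler for whichever act the banner text names, and every piece of code that writes a cookie asks `canSetCookie()` first. The audit log is what lets the operator show, after the fact, which act the visitor performed and what the notice said at the time.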

The debate about whether consent should be a requirement to collect and use people’s information will no doubt continue and intensify as that information becomes more and more valuable. Whether we will ever have a definitive answer is yet to be seen, but in the meantime, let’s try to look at technology as an enabler for individual choice. We may be surprised at what is possible.


This article was first published in Data Protection Law & Policy in September 2012.

Why the Big Buzz about Big Data?

Posted on June 29th, 2012 by Phil Lee

Another year, another buzz word, and this time around it’s “Big Data” that’s getting everyone’s attention. But what exactly is Big Data, and why is everyone – commercial organisations, regulators and lawyers – so excited about it?

Put simply, the term Big Data refers to datasets that are very, very large – so large that, traditionally, supercomputers would ordinarily have been required to process them. But, with the irrepressible evolution of technology, falling computing costs, and scalable, distributed data processing models (think cloud computing) Big Data processing is increasingly within the capability of most commercial and research organisations.

In its oft-quoted article “The Data Deluge”, the Economist reports that “Everywhere you look, the quantity of information in the world is soaring. According to one estimate, mankind created 150 exabytes (billion gigabytes) of data in 2005. [In 2010], it will create 1,200 exabytes.” Let’s put that in perspective – 1,200 exabytes is 1,200,000,000,000 gigabytes of data. A typical Blu-Ray disc can hold 25 gigabytes – so 1,200 exabytes is about the equivalent of 48 billion Blu-Ray discs. Estimating your typical Blu-Ray movie at about 2 hours long (excluding special features and the like), then there’s at least 96 billion hours of viewing time there, or about 146,000 human lifetimes. OK, this is a slightly fatuous example, but you get my point – and bear in mind that global data is growing year-on-year at an exponential rate so these figures are already well out of date.

Much of this Big Data will be highly personal to us: think about the value of the data we all put “out there” when we shop online or post status updates, photos and other content through our various social networking accounts (I have at least 5). And don’t forget the search terms we post when we use our favourite search engines, or the data we generate when using mobile – particularly location-enabled – services. Imagine how organisations, if they had access to all this information, could use it to better advertise their products and services, roadmap product development to take account of shifting consumer patterns, spot and respond to potentially-brand damaging viral complaints – ultimately, keep their customers happier and improve their revenues.

The potential benefits of Big Data are vast and, as yet, still largely unrealised. It goes against the grain of any privacy professional to admit that there are societal advantages to data maximisation, but it would be disingenuous to deny this. Peter Fleischer, Google’s Privacy Counsel, expressed it very eloquently on his blog when he wrote “I’m sure that more and more data will be shared and published, sometimes openly to the Web, and sometimes privately to a community of friends or family. But the trend is clear. Most of the sharing will be utterly boring: nope, I don’t care what you had for breakfast today. But what is boring individually can be fascinating in crowd-sourcing terms, as big data analysis discovers ever more insights into human nature, health, and economics from mountains of seemingly banal data bits. We already know that some data sets hold vast information, but we’ve barely begun to know how to read them yet, like genomes. Data holds massive knowledge and value, even, perhaps especially, when we do not yet know how to read it. Maybe it’s a mistake to try to minimize data generation and retention. Maybe the privacy community’s shibboleth of data deletion is a crime against science, in ways that we don’t even understand yet.” (You can access Peter’s blog “Privacy…?” here.)

This quote raises the interesting question of whether the compilation and analysis of Big Data sets should really be considered personal data processing. Of course, many of the individual records within commercial Big Data sets will be personal – but the true value of Big Data processing is often (though not always) in the aggregate trends and patterns they reveal – less about predicting any one individual’s behaviours, reactions and preferences, and more about understanding the global picture. Perhaps it’s time that we stop thinking of privacy in terms of merely collecting data, and look more to the intrusiveness (or otherwise) of the purposes to which our data are put?

This is perhaps something for a wider, philosophical debate about the pros and cons of Big Data, and I wouldn’t claim to have the answers. What I can say, though, is that Big Data faces some big issues under data protection law as it stands today, not least in terms of data protection principles that mandate user notice and choice, purpose limitation, data minimisation, data retention and – of course – data exports. These are not issues that will go away under the new General Data Protection Regulation which, as if to gear itself up for a fight with Big Data proponents, further bolsters transparency, consent and data minimisation principles, while also proposing a new, highly controversial ‘right to be forgotten’.

So what can and should Big Data collectors do for now? Fundamentally, accountability for the data you collect and process will be key. Your data subjects need to understand how their data will be used, both at the individual and the Big Data level, to feel in control of this and to be comforted that their data won’t be used in ways that sit outside their reasonable expectations of privacy. This is not just a matter of external facing privacy policies, but also a matter of carefully-constructed internal policies that impose sensible checks and balances on the organisation’s use of data. It’s also about adopting Privacy Impact Assessments as a matter of organisational culture to identify and address risks whenever using Big Data analysis for new or exciting reasons.

Big Data is, and should be, the future of data processing, and our laws should not prevent this. But, equally, organisations need to be careful that they do not see the Big Data age as a free for all hunting season on user data that invades personal privacy and control. Big issues for Big Data indeed.

Mobile privacy – is there an app for that?

Posted on April 20th, 2012 by Phil Lee

Next week I’ll be chairing a session at the IAPP’s Data Protection Intensive in London on mobile privacy. In advance of my session (and without giving too much away – I highly recommend attending the event!), I thought I’d set out a few key thoughts on the issues mobile operators and developers need to consider when launching mobile apps:

  • Why does m-privacy matter? It’s simple: if you’re anything like me, your mobile device has become your closest, most trusted friend. No one knows more about you: your phone knows where you go, who you know, and the passwords to your banking, shopping and social networking accounts. It looks after your diary and has access to all your most treasured and personal photos. This is all very sensitive information – and your phone holds an awful lot of it.
  • Why is m-privacy hard (practically)? Because the actors, devices and consumer expectations are so many and so varied. In the course of downloading, installing and running an app, a consumer will share data with or through its device platform, the relevant app marketplace, the application developer, and various ad networks, analytics providers, payment processors and mobile carriers. Consumers can access apps through smartphones, tablets, netbooks or other mobile devices – each with different platforms having their own data access permissions, device-unique data types, and screen sizes and resolutions, thereby making efforts to design a simple ‘one size fits all’ privacy notice a real challenge. Adopting a privacy by design approach is not a nice to have in the mobile environment – it’s a necessity.
  • Why is m-privacy hard (legally)? From a privacy perspective, data protection, e-privacy, communications interception and data retention laws – both in the EU and beyond – can all apply to data collected from mobile devices. Widen the picture out into general consumer law, and issues arise around applicable law, mandatory consumer terms, liability and enforceability of terms (to name but a few). As a few press reports have highlighted recently, just because you CAN access data, doesn’t mean you should – the recent furore surrounding the Girls Around Me app being a very good case in point (see here). And to make matters more complicated, the data protection laws we have can often apply in surprising and unexpected ways – remember, many of them date back to before any of us even had a mobile. Should device ID data really be considered ‘personal data’? Why do ‘cookie consent’ rules apply to mobile apps? Do SoLoMo applications REALLY need to get opt-in consent to location data use?

If you’re attending the IAPP Intensive next week, then do come along and join my session to answer all of these questions – and more!

The extra-territorial application of the new EU law

Posted on February 15th, 2012 by Eduardo Ustaran

One of the most anticipated changes likely to be introduced by the new EU Data Protection Regulation proposed by the European Commission is the criteria to determine the applicability of EU law – quite an important issue. To recap briefly, under the current Data Protection Directive, the rules are essentially as follows:

*   If the controller is based in an EU Member State (e.g. Acme (UK) Limited based in the UK), that controller will be subject to the law of that Member State (e.g. the UK Data Protection Act) and to the scrutiny of the regulator of that country (e.g. the UK Information Commissioner).

*   If the controller is based outside the EU (e.g. Acme Inc.) but uses equipment (e.g. servers or people’s computers) to collect information, that controller will be subject to the laws of every single Member State and to the scrutiny of each and every regulator.

However, the rule that determines the applicability of the law to non-EU controllers produces bizarre situations, such as the potential application of EU law to organisations that have no presence, employees or customers in the EU but happen to engage an EU-based service provider (with equipment in Europe), or the non-application of EU law to organisations that may be dealing with millions of Europeans over the Internet but have no real processing equipment in the EU.

Therefore, under the proposed Data Protection Regulation, the rules would be as follows:

*   If the controller is based in an EU Member State and it has one main establishment (e.g. Acme (UK) Limited based in the UK), then it will still be subject to the Regulation but it will only be subject to the scrutiny of one regulator (e.g. the UK Information Commissioner).

*   If the controller is based outside the EU (e.g. Acme Inc.) and offers products or services to EU residents or monitors the behaviour of EU residents, it will be subject to the Regulation and to the scrutiny of each and every regulator.

For non-EU organisations, the million-dollar question is what the Regulation means by “offering products or services” or, more intriguingly, “monitoring the behaviour”.  The answer to this question will undoubtedly become clear as the legislative process progresses, but in the meantime it is helpful to consider the explanations given in the recitals to the Regulation.

First of all, the whole point of the extra-territorial reach of the law (both under the Directive and even more under the Regulation) is to protect people who live in Europe even where their data is used elsewhere.  The “offering products or services” side of the equation is also clearly aimed at capturing visible commercial relationships where, typically via the Internet, an organisation is making its goods or services available to EU residents.

The meaning of “monitoring the behaviour” is slightly trickier because the recitals only refer to one very specific form of monitoring: Internet tracking and profiling.  So the commonplace practice of building an Internet user’s picture through the use of cookies with a view to targeting that individual with tailored advertising will definitely be caught – not a very “technologically neutral” provision, it must be said.  The question that we will need to address over the coming months is what is the intended scope of the phrase “monitoring the behaviour” beyond Internet tracking and more precisely, how granular or detailed that monitoring must be to trigger the application of the law.  The debate is wide open.

How to run a successful cookie audit

Posted on February 1st, 2012 by Phil Lee

Cookie audits sound so simple in theory, don’t they?  I mean, how hard can it be to identify what cookies you have, assess their intrusiveness, and decide on your strategy for obtaining consent?

Having now worked with a number of clients to conduct cookie audits, I can report that they are in fact fraught with legal, commercial and technical difficulties that only website operators with the most minimal online presence could hope to escape.  For operators with more substantial web portfolios, cookie audits can prove very complex and time-consuming.

As a case in point, we recently helped a client audit its web portfolio of some 60+ Internet domains, serving around 3,000 cookies.  Fully identifying all the cookies they served, let alone what they do and how intrusive they are, was a substantial task in itself.  Another client has set up a large internal stakeholder group to address cookie consent requirements, comprising representatives from legal, IT, marketing and data analytics teams, all of whom have different needs and face different demands when deciding how to use the humble cookie.  Some of our clients are technology service providers, many non-EU based, who want to pursue risk-based consent strategies that are at odds with those of the website operators they serve, and reaching common ground can therefore be a challenge.

So, for enterprises struggling to figure out a way to deal with their cookie consent compliance demands, here are the top tips I have gleaned from our experience running cookie audit projects to date:

1.  Outsource your technical cookie audit.  While it may be manageable for a website operator with just one (or maybe just a few) Internet domain(s) to rely on their IT staff to audit their cookie use, this approach just doesn’t scale for large enterprises.  Sophisticated websites will often drop 10, 20 or more cookies through a page and, when scaled up across hundreds of pages and tens of different domains, this quickly becomes an insurmountable task for any internal IT function, which will often have little knowledge of how third party service providers deploy their cookies.  A number of third party vendors now offer comprehensive cookie audit services, and engaging one of these vendors to help you in your task is a must.  A good example is Evidon, which offers a comprehensive technical audit service that scales easily across large web portfolios and provides detailed cookie reporting in a well-structured, readily-accessible format.

2.  KYC – Know your cookies!  Lawyers need to know and understand what cookies do in general and, more precisely, they need to know what each specific cookie served through the website(s) does.  Without this, there’s simply no way that they can meaningfully assess their intrusiveness or advise on an appropriate strategy for obtaining cookie consent.  If relying on an in-house legal function to perform this role, take time to ensure your in-house lawyers are fully educated by your IT, analytics and marketing teams, all of whom will use different cookies for different purposes.  It’s important that your lawyers can ‘speak the language’ of your IT, analytics and marketing teams in order to turn their technical descriptions of the cookies they use into meaningful, legal disclosures that meet e-privacy transparency requirements.  A careful choice of vendor for your technical cookie audit will simplify this task enormously – Evidon, for example, maintains a lookup database of third party tracking cookies that describes the purposes these cookies fulfil and the technical basis on which they collect data, significantly simplifying legal investigation into cookie intrusiveness.

3.  Disclosures by type, not by identity.  For large scale cookie deployment, listing in a privacy policy every single cookie that your website serves and what it does is a laborious, back-breaking task that helps no one.  The purpose of the e-Privacy cookie rules is to better inform users about what cookies do and to put them in control of cookie data collection.  A cookie-by-cookie list of tens, hundreds or thousands of cookies does not achieve this.  It’s far better to group cookies by type (‘advertising cookies’, ‘analytics cookies’, ‘content sharing cookies’ etc.) and disclose these categories of cookies, explaining what they do and allowing consumers to choose whether or not they want to receive those types of cookies.  This is not only easier to understand, it also makes ongoing maintenance of your cookie disclosures much, much simpler.

4.  One size does not fit all.  Don’t take a sledgehammer to crack a nut – a single consent strategy across the entire cookie environment cannot hope to obtain meaningful consumer consent and can impair legitimate data collection practices.  Enterprises need to understand the different consent strategies available to them – from cookies that are exempt from the consent requirement, to cookies where implied consent strategies are an acceptable solution (with or without enhanced contextual notices, depending on the intrusiveness of the cookies in question), to cookies where more express forms of consent may be appropriate.  Adopting a tiered consent strategy allows for better, clearer disclosures to consumers, more granular control and better levels of data collection.
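As an added illustration of the audit workflow in tips 2 to 4 (not the blog’s code, nor Evidon’s or any other vendor’s), the script below takes crawl observations of Set-Cookie headers, deduplicates cookies across pages, classifies them by type against a lookup table, groups the result for a disclosure-by-type, assigns each type a consent tier, and sets aside anything the table cannot explain for manual investigation. The lookup table and crawl data are constructed samples, the two-label domain comparison is a simplification, and the type-to-tier mapping is an assumed illustrative policy, not one the post prescribes.

```python
from collections import defaultdict
# Constructed stand-in for a vendor lookup database of known cookies:
# (registrable domain of the setting host, cookie name) -> purpose type.
KNOWN_COOKIES = {("acme.example", "JSESSIONID"): "strictly necessary",
                 ("acme.example", "_ga"): "analytics",
                 ("adnet.example", "uid"): "advertising"}
# Assumed illustrative policy: purpose type -> consent tier from tip 4.
CONSENT_TIER = {"strictly necessary": "exempt", "analytics": "implied consent",
                "advertising": "express consent"}
# Constructed crawl observations: (page host, host setting the cookie, Set-Cookie value).
SAMPLE_CRAWL = [
    ("www.acme.example", "www.acme.example", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("www.acme.example", "www.acme.example", "_ga=GA1.2.1; Expires=Wed, 01 Jan 2014 00:00:00 GMT"),
    ("shop.acme.example", "www.acme.example", "_ga=GA1.2.1; Max-Age=63072000; Path=/"),
    ("www.acme.example", "track.adnet.example", "uid=9f8e; Max-Age=31536000; Domain=.adnet.example"),
    ("www.acme.example", "cdn.unknownvendor.example", "optout=0; Max-Age=86400"),
]

def parse_set_cookie(header):
    """Return (cookie name, is_persistent) from a raw Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    # Session cookies carry neither Expires nor Max-Age.
    return parts[0].split("=", 1)[0], bool(attrs & {"expires", "max-age"})

def site(host):
    # Simplification: the last two labels stand in for the registrable domain.
    return ".".join(host.split(".")[-2:])

def classify(setting_host, name):
    # None means the cookie is not in the table and needs manual investigation (tip 2).
    return KNOWN_COOKIES.get((site(setting_host), name))

def audit(observations):
    """Deduplicate by (setting host, name), group by type with its tier, and flag unknowns."""
    seen, by_type, unknown = set(), defaultdict(list), []
    for page_host, setting_host, header in observations:
        name, persistent = parse_set_cookie(header)
        if (setting_host, name) in seen:  # same cookie already seen on another page
            continue
        seen.add((setting_host, name))
        entry = {"host": setting_host, "name": name, "persistent": persistent,
                 "third_party": site(setting_host) != site(page_host)}
        purpose = classify(setting_host, name)
        (unknown if purpose is None else by_type[purpose]).append(entry)
    report = {t: {"tier": CONSENT_TIER[t], "count": len(c), "cookies": c}
              for t, c in by_type.items()}
    return report, unknown
```

Running `audit(SAMPLE_CRAWL)` groups the four known cookies under three types with their tiers and returns the unexplained `optout` cookie separately, which is the list a lawyer would take back to the IT and marketing teams.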