Respect for personal data and the means to ensure that it is not misused is very important to advertisers. It is also high on the political agenda in the UK, EU and in most countries.
The maturing of digital media, into mainstream communications, means that access to data is swifter and of growing political and public concern. Some advertisers seek to target their communications to consumers with a known preference to receive them. If the targeting is in the form of Interest Based Advertising (or Online Behavioural Advertising), knowing what you have looked at previously, using information from cookies placed on a consumers equipment then the E-Commerce Directive applies. The UK implemented the directive from 25 May 2011. Full implementation for advertisers is necessary by May 2012.
ISBA and the UK ICC are helping to define exactly what informed or explicit consent to the placing of cookies means. In the mean time the ICO has offered some general guidance and acknowledged that a stream of pop ups is not desirable, but that prior opt in is the safe option. The extent of the actions needed may yet depend on the intrusiveness of the data collection. DCMS is in consultation with browser providers about how users can more easily access and understand the options.
Three significant amendments to the EU e-Privacy Directive came into force in December 2009, one of which requires consent to be sought if accessing or placing information, via cookies on a user’s machine.
The Self-Regulatory Framework for Online Behavioural Advertising gives users the option to easily opt out of receiving cookies used for behavioural targeting, although the Directive covers all types of cookies, from those deemed ‘strictly necessary’ to operate the site to those used to improve the performance and functionality of the site.
The Framework was drafted prior to amendments to the EU ePrivacy Directive being made, being incorporated into the European Advertising Standards Alliance’s Best Practice Recommendation (BPR) on OBA in April 2011, when it was adopted in the UK by the Department for Culture, Media and Sport (DCMS).
Strict implementation of the Directive will treat information stored in cookies as personal data, leading to an ‘opt-in’ approach across all digital platforms, threatening to close down many commercial uses of the online economy. Advertisers would be denied the opportunity to track customers’ online behaviour.
The Directive offers users notice and control over their privacy and personal data, aiming to ensure that business can’t abuse the trust of users by mis-using their data.
Last year the Department for Culture, Media and Sport (DCMS) adopted the framework, which is a consumer-led approach for increased transparency and control on-line.
In May 2011 the Information Commissioner’s Office gave UK businesses a 12 month ‘period of grace’ to comply with the Directive, dubbed the ‘Cookies Law.’ Organisers now need to comply with the Cookies Law by 26 May 2012.
ISBA has been working closely with the Internet Advertising Bureau (IAB) in the UK and the World Federation of Advertising (WFA) in Europe over the last couple of years to prepare a self-regulatory framework for Online Behavioural Advertising (OBA). The framework allows users, via an icon (see www.youronlinechoices.com) to easily opt out of behavioural targeting.
The obligation is on the third party, i.e. the ad networks, who have been signing up to the standard.
However, the Directive covers all types of cookies, not just those used for OBA, and the ICO has been keen to encourage organisations to adopt an ‘ecology of solutions.’
Other initiatives are being developed, including enhancing browser settings to meet the wider requirements of the Directive, thereby allowing users to make a choice about a variety of cookies.
The Commission has proposed a EU wide Regulation with no national reinterpretation. It has tighter definitions and practices. Through the WFA ISBA is making representations. More details for members can be found here.
On 25 January the European Commission published its proposals for a comprehensive reform of the EU's 1995 data protection rules, with their intention being to ‘strengthen online privacy rights and boost Europe's digital economy’, aiming to create a consistent data protection regime.
The main proposals are as follows:
- Personal data: The definition is extended to “any information relating to a data subject”, explicitly applying to digital forms of data, including an anonymous identifier such as a cookie, a full name or an IP address.
- A reinforced ‘right to be forgotten’: able to delete data if there are no legitimate reasons for retaining it.
- Increased burdens for those processing personal data: companies must notify serious data breaches to individuals as soon as possible (as a rule, within 24 hours).
- Businesses will be required to have a data protection officer if they are “large” or where the “core activities of the controller consist of processing operations which require regular monitoring.”
- People will be able to refer cases where rules on data protection have been violated to the data protection authority in their country, even when their data is processed outside the EU.
- Independent national data protection authorities will be strengthened to better enforce the EU rules, being empowered to fine companies that violate EU data protection rules (2% of global annual turnover).
- A child is defined as anyone under 18. “Verifiable” parental consent is required collecting data from children under 13.
- Automated profiling will be prohibited unless acquired with user consent.