Although the General Data Protection Regulation (GDPR) continues to dominate most of the headlines, the impending EU regulation on ePrivacy (ePR) deserves just as much attention given the impact it will have on the industry.
Replacing an earlier directive (implemented in 2002), the Regulation aims to:
- Ensure privacy across all electronic communications platforms
- Introduce simpler rules on cookies
- Increase transparency on direct marketing.
ISBA is actively working with the World Federation of Advertisers (WFA) ePrivacy Task Force to ensure that the industry is fully briefed and aligned with the position we have outlined with the WFA, one that works to protect advertisers’ rights online, including the collection of browsing data used for targeting online advertising.
Key issues for advertisers:
EXPERTISE AND USER TESTING ARE NEEDED TO ENSURE THAT CONSENT ISN’T JUST A BOX-TICKING EXERCISES
Over the last five years ISBA has been working with the ICO and our members on events and guidance to ensure compliance with the GDPR, due to be implemented in May 2018. ISBA believes that user testing is required to define how, where and when consent should be gathered to give consumers transparency, choice and control over their personal data.
Acknowledging the need for the Regulation to develop principles on consent, the new laws need to incorporate new technology and be future-proofed to ensure that they are relevant in a few years’ time. The best methods to ask for consent will vary depending on the context – prescriptive regulation can’t allow for this. ePR is currently too prescriptive, as it mandates:
- How consent should be gathered - via software settings
- When consent should be gathered - during installation
Currently, there is no robust evidence available to confirm that this is an effective way of informing users about their privacy and enabling them to make an objective decision. Research from KPMG shows that only 26% of UK users read the privacy policy when entering a website.
ISBA believes that advertisers are best placed to determine the most effective methods to gain consent from users, within the rules confirmed by GDPR. There are a number of ways to achieve this, including:
- Working with experts in user experience (UX), web design, e-commerce analysis and online behaviour
- Methods for gathering consent must be tested on users in real-life situations to avoid consent becoming a ‘tick-box’ exercise, with users having little or no understanding of what they are actually consenting to.
Action:
ISBA is requesting that these prescriptive requirements should be removed on browsers and other types of software to obtain consent during installation.
ISBA wants to replace language which determines how, where and when consent should be obtained with a principle-based approach.
EXCEPTIONS FOR WEB AUDIENCE MEASURING SHOULDN’T BE LIMITED TO FIRST PARTIES
Website analytics provide basic tools for website owners to understand whether or not their websites are performing effectively. Such information is needed to both ensure the website functions properly and enable owners to improve and enhance features for users.
Companies may outsource the technical elements of this analysis and tracking to third party companies with technical expertise. For ISBA members, this often means agencies or other third party companies. The current wording of the ePR could prohibit website owners from engaging agencies and other third parties to undertake this work on their behalf.
Action:
ISBA will work with the WFA to press for the ePR to allow website owners to employ agencies and other third parties to carry out necessary analysis to ensure their sites run efficiently.
CONSISTENCY WITH GDPR IS CRUCIAL FOR LEGAL CERTAINTY
ISBA members, and the industry at large, have invested heavily to ensure compliance with the GDPR. Specifically, members are currently reviewing all of their data processing activities to determine which legal bases to apply in different situations. GDPR offers six legal bases for data processing, some of which require a detailed legal and risk-based analysis in order to determine which ones can be used.
This is an ongoing work-stream, which in many cases involves employing internal and external resources to assess internal data management structures. However, the draft proposal of the ePR only makes one of these legal bases available to companies: consent. Therefore companies may need to restart the process of assessing and applying the relevant legal bases to their data processing activities once an agreement is reached in the final ePR text. This could put the work being undertaken by ISBA members to prepare for GDPR at risk. Members could be left with only a couple of months to re-assess their data processing activities in order to ensure compliance.
Action:
ePR must be consistent with GDPR. ISBA recommends maintaining the same legal bases which appear within GDPR in ePR.
A TECH-NEUTRAL, RISK-BASED APPROACH IS NECESSARY TO AVOID UNINTENTIONAL RESTRICTIONS
Although discussions regarding cookies being used for internet based advertising have dominated issues within ePR, our members are concerned that this could have unintentional consequences on other types of tracking which allow their websites to operate effectively and provide the kind of experience users’ demand.
Action:
ePR should incorporate a broad spectrum of applicable cases for tracking, which may present different levels of risk to users’ fundamental rights. This risk-based approach is a basic component of GDPR and therefore needs to be applied to ePR.
USERS SHOULD BE EMPOWERED TO MAKE INFORMED CHOICES ABOUT HOW THEIR DATA IS USED
ISBA supports the objective of enabling users to have transparency, choice and control over how information about them is used. ISBA believes that the notion of ‘value exchange’ goes with the definition of consent in GDPR - ‘freely given, specific, informed and unambiguous’. The majority of people would prefer to use free services in exchange for seeing ads. Users should be made aware of this value exchange.
Action:
ISBA would like to maintain the choice-based approach of the European Commission’s proposal. We believe that users should be able to make an active, informed choice about the collection of information stored on their devices.
ISBA rejects moves to remove the need for users to make active decisions about the collection of their information.
Next Steps:
ISBA’s work in this area is being led by our Data Action Group. Our next meeting, taking place on 27 July will feature Catherine Armitage, Senior Manager, Public Affairs and Digital Governance Exchange at the WFA. Catherine leads their lobbying in Brussels and will provide an update for members on the latest developments and insights on the ePrivacy Regulation.
If you are interested in becoming a member of this group and contributing to our thinking in this important area, please contact me.
It is anticipated that the ePR might become law by 25 May 2018, when the GDPR will also become law. Find out more about the ePR here.
DPN LEGITIMATE INTERESTS GUIDANCE – GDPR
You may also be interested to know that guidance has been published on how and when marketers can engage with audiences using Legitimate Interest as a basis under the GDPR. The guidance has been produced by the Data Protection Network with the support of ISBA and our members and is available here.