Archive for the ‘Targeted advertising’ Category

The legal and practical realities of “personal data”

Posted on September 3rd, 2014 by



Are IP addresses personal data?  It’s a question I’m so frequently asked that I thought I’d pause for a moment to reflect on how the scope of “personal data” has changed since the EU Data Protection Directive’s adoption in 1995.

The Directive itself defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity“.

That’s not the beginning and the end of the story though.  Over the years, various regulatory guidance has been published that has further shaped what we understand by the term “personal data”.  This guidance has taken the form of papers published by the Article 29 Working Party (most notably Opinion 4/2007 on the Concept of Personal Data) and by national regulators like the UK’s Information Commissioner’s Office (see here).  Then throw in various case law that has touched on this issue, like the Durant case in the UK and the European Court of Justice rulings in Bodil Lindqvist (Case C-101/01) and the Google Right to Be Forgotten case (C-131/12), and it’s apparent that an awful lot of time has been spent thinking about this issue by an awful lot of very clever people.

The danger, though, is that the debate over what is and isn’t personal data can often get so weighted down in academic posturing, that the practical realities of managing data often get overlooked.  When I’m asked whether or not data is personal, it’s typically a loaded question: the enquirer wants to know whether the data in question can be retained indefinitely, or whether it can be withheld from disclosures made in response to a subject access request, or whether it can be transferred internationally without restriction.  If the data’s not personal, then the answer is: yes, yes and yes.  If it is personal, then the enquirer needs to start thinking about how to put in place appropriate compliance measures for managing that data.

There are, of course, data types that are so obviously personal that it would be churlish to pretend otherwise: no one could claim that a name, address or telephone number isn’t personal.  But what should you do when confronted with something like an IP address, a global user ID, or a cookie string?  Are these data types “personal”?  If you’re a business trying to operationalise a privacy compliance program, an answer of “maybe” just doesn’t cut it.  Nor does an answer of “err on the side of caution and treat it as personal anyway”, as this can lead to substantial engineering and compliance costs in pursuit of a vague – and possibly even unwarranted – benefit.

So what should you do?  Legal purists might start exploring whether these data types “relate” to an “identified or identifiable person”, as per the Directive.  They might note that the Directive mentions “direct or indirect” identification, including by means of an “identification number” (an obvious hook for arguing an IP address is personal data).  They might explore the content, purpose or result of the data processing, as proposed by the Article 29 Working Party, or point out that these data types “enable data subjects to be ‘singled out’, even if their real names are not known.”  Or they might even argue the (by now slightly fatigued) argument that these data types relate to a device, not to a person – an argument that may once have worked in a world where a single computer was shared by a family of four, but that now looks increasingly weak in a world where your average consumer owns multiple devices, each with multiple unique IDs.

There is an alternative, simpler test though: ask yourself why this data is processed in the first place and what the underlying individuals would therefore expect as a consequence.  For example: Is it collected just to prevent online fraud or is it instead being put to use for targeting purposes? Depending on your answer, would individuals therefore expect to receive a bunch of cookie strings in response to a subject access request?  How would they feel about you retaining their IP address indefinitely if it was held separately from other personal identifiers?

The answers to these questions will of course vary depending on the nature of the business you run – it’s difficult to imagine a Not For Profit realistically being expected to disclose IP addresses contained in web server logs in response to a subject access request, but perhaps not a huge stretch, say, for a targeted ad platform.   The point is simply that trying to apply black and white boundaries to what is, and isn’t, personal will, in most cases, prove an unhelpful exercise and be wholly devoid of context.  That’s why Privacy Impact Assessment are so important as a tool to assess these issues and proposed measured, proportionate responses to them.

The debate over the scope of personal data is far from over, particularly as new technologies come online and regulators and courts continue to publish decisions about what they consider to be personal.  But, faced with practical compliance challenges about how to handle data in a day-to-day context, it’s worth stepping back from legal and regulatory guidance alone.  Of course, I wouldn’t for a second advocate making serious compliance decisions in the absence of legal advice; it’s simply that decisions based on legal merit alone risk not giving due consideration to data subject trust.

And what is data protection about, if not about trust?

 

EU cookie issues alive and well

Posted on June 16th, 2014 by



It’s hard to believe that it has been a few years since the updated cookie “consent” rules came into effect across Europe. At that time, it was pretty much the hot topic in the data privacy world as we all grappled with the rules’ implications and how to implement appropriate compliance mechanisms. However in recent times, one would be forgiven for almost forgetting those days. The early forecasts of intense DPA cookie enforcement activity didn’t quite happen and we’ve also had the minor issue of the new draft Regulation and the Snowden affair (not to mention the on-going daily challenges presented by data security, data processing contracts, BYOD, cloud computing issues etc) to keep us all occupied.

Therefore, it’s nice to hear that there have been enough recent cookie developments in various EU member states to remind us that it is still an important compliance issue for any organisation that uses cookies and related tracking technologies. Here’s a run-down of what’s been happening in Europe:

Italy

The Italian Data Protection Authority (Garante) has published guidance on complying with the cookie requirements in Italy in order to obtain the express consent of the user. The main points are as follows:

  • Website operators are required to implement a web banner on the landing page outlining cookies used, the right to refuse cookies and a link to a separate notice setting out full details of the cookies used and the means by which a user can turn them on or off.
  • The requirement to notify the Garante where profiling cookies and related technologies are used.
  • Penalties under Italian data protection law can range from €6,000 to €120,000 (for example for serving cookies without obtaining the appropriate consent and failing to notify the Garante of such processing activities).
  • Operators shall benefit from a one-year grace period (expiring on 3rd June 2015) to implement the relevant measures.

Spain

After being the first EU member state to issue fines for infringement of its cookie rules (see here) the law regulating the use of cookies has been amended. We highlight the following changes. It has been clarified that it is an infringement to serve cookies without the individual’s consent. Due to a legislative error this was previously not the case and the Spanish DPA could not undertake enforcement action on this issue. Infringements may be ‘low’ or ‘serious’. The latter category will apply if the organisation infringes the cookie rules on several occasions within a period of three years. The enforcement powers available to the Spanish DPA have also changed so that it is able to issue warnings for failure to comply with the cookie rules, or decide that it will apply the lowest category of fines for serious infringements under certain circumstances. Advertising networks will also now be liable for their failure to comply with the cookie rules.

Netherlands

Following the Dutch DPA’s first investigation into an organisation’s use of cookies, the online advertising agency ‘YD Display Advertising Benelux’ (YD) was found to have infringed the Dutch cookie rules by placing tracking cookies on users’ web browsers in order to provide personalised advertising without the user’s consent. The cookies enabled YD and its network of advertisers to track the behaviour of visitors through multiple websites. The DPA found that the ability of users to opt-out of receiving personalised advertising was not sufficient to construe unambiguous consent and the information provided by YD to its users on the use of use of such cookies did not satisfy the notice requirements.

The Dutch DPA noted that such violations would still exist even if the proposed amendments to the current Dutch cookie rules (currently going through the Dutch Parliament) were applied because such tracking cookies would still require user consent. This investigation follows the Dutch DPA’s earlier announcement that one of its priorities for 2014 is to focus on the profiling, tracking and tracing of internet users.

France

This year has, and will continue to be, a busy year for the French Data Protection Authority (CNIL) (see here).  A new consumer rights law came into force on 17 March, which amends the Data Protection Act and grants the CNIL new powers to conduct online inspections (in addition to the existing on-site inspections). This provision gives the CNIL the right, via an electronic communication service to the public, “to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party’s action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations.” This new provision opens up the CNIL’s enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the online activities of companies. The CNIL says that this law will allow it to verify online security breaches, privacy policies and consent mechanisms in the field of direct marketing. One can expect the use of cookies to also fall under this remit.

Belgium

Finally, the Belgian DPA has recently launched a public consultation on its draft cookie guidance (see our previous blog), stating that implied user consent may be an acceptable model for the use of cookies.

What this means now

Whilst the adoption of the draft Regulation may currently be grabbing all the headlines, regulating the use of cookies has not been completely forgotten by Europe’s national regulators. This presents challenges to organisations operating on an EU-wide basis as they attempt to understand and comply with the various developments and requirements in specific EU member states. Therefore the message is clear for businesses operating in Europe:

  • Audit your cookie use and find out what you’ve got
  • Assess the intrusiveness of those cookies
  • Adopt a notice and consent strategy
  • Implement forward-facing cookie management mechanisms

Belgian DPA launches public consultation on its draft cookie guidance

Posted on May 22nd, 2014 by



When looking at the action undertaken in other European countries, you might argue that cookies have not been a real priority for the Belgian regulators in the past. Not in the least because it took the European Commission to initiate infringement proceedings before the Belgian legislator decided to transpose the EU cookie consent rules. But also because of the fact that compliance with the cookie consent rules was not high on the agenda of neither the Belgian data protection authority nor the Telco regulator.

In the absence of any guidance or enforcement action, many website operators did not implement any measures, whereas the more compliance driven ones had to look abroad for inspiration on how to tackle this issue.

It seems this is now about to change. Last month, the Belgian Data Protection Authority published a draft recommendation with regard to the use of cookies and launched a public consultation about it.

Starting off with a short recap of (i) the evolution of cookie use throughout history and (ii) the different types of cookies that exist, the draft recommendation examines in detail the legal framework and the different purposes for which cookies can be used as well as the different actors and their particular role (e.g. the internet user, the owner of a website, the website administrator, etc.).

As for the consent requirement, the draft recommendation repeats the position adopted by the Working Party 29, indicating that a user must give his or her specific, informed, unambiguous and freely given consent before the processing of personal data commences.

One of the questions that are often raised is whether it is possible to rely on implied consent. In the draft recommendation, the Belgian DPA expressly confirms that implied consent may be acceptable provided it is unambiguous. We welcome the fact that the Belgian DPA expressly confirms that an implied consent mechanism may be compliant with the cookie consent rules; However, it should be noted that the Belgian DPA continues to say that it will be difficult to qualify the total inactivity of the user as an implied consent.

It is indeed clear that many websites currently don’t pass the test of unambiguously given implied consent. As we have pointed out in the past, a proper implied consent mechanism should give the user a real choice rather than simply informing him or her about the fact that the website uses cookies

The draft recommendation also contains a helpful list of cookies that are exempt from prior consent (session cookies, cookies with regard to the change of user interface, cookies focused on user security, etc.).

Other points that are covered in the draft recommendation relate to:

  • that users have the opportunity to accept certain cookies and refuse others and that they should be able to change their choices in a later stage;
  • that the refusal of cookies should not have negative consequences for the user (e.g. completely impossible for the user to access a website);
  • that each website should provide information relating to the identity of the data controller, details of the different categories of cookies and which information is stored, retention period, to whom users can address their rights to, how to delete cookies, the applicable formalities to withdraw consent, etc.

Finally, the draft recommendation also provides examples of cookie policies.

As mentioned, this is not yet the final position of the the Belgian DPA and it has invited all stakeholders to communicate their feedback and suggestions to the text. All opinions, comments or other suggestions should be addressed to the Belgian DPA by mail (Drukpersstraat 35, 1000 Brussel/Rue de la Presse 35, 1000 Bruxelles) or by e-mail (commission@privcaycommission.be).

This public consultation shall be closed on 31 July 2014, after which the Belgian DPA will evaluate all statements and publish a final recommendation.

Tim Van Canneyt and Aagje De Graeve

Getting cookie consent throughout the EU – latest Working Party guidance

Posted on October 19th, 2013 by



Thinking back to the early days when Europe’s controversial “cookie consent” law first passed, many in the privacy community complained about lack of guidance on obtaining consent.  The law required them to get consent, but didn’t say how.

In response to this, legislators and regulators – at both an EU and a national level – responded that consent solutions should be market-led.  The thinking went that the online industry was better placed to innovate creative and unobtrusive ways to get consent than lawyers, regulators and legislative draftsmen.

As it transpired, this is precisely what happened.  In the four years since Europe adopted cookie consent, online operators have now evolved and embraced implied consent models across the EU to obtain their visitors’ consent to cookies.  However, this is not where the story ends.

In an opinion last week, the Article 29 Working Party published further guidance on obtaining cookie consent (“Working Document 02/2013 providing guidance on obtaining consent for cookies” – available here).   This supplements several previous opinions that, directly or indirectly, also address cookie consent requirements (see here, and here, and here, and here, for example).

The rationale behind the latest opinion, on the face of it, is to address the question: “what [cookie consent] implementation would be legally compliant for a website that operates across all EU Member States?”  But in answering this question, the guidance veers towards a level of conservatism that all but ensures it will never see widespread – let alone pan-European – adoption.

It doesn’t start off well: in discussing how a user can signify choice over whether or not to receive cookies, the guidance at one point states: “it could include a handwritten signature affixed at the bottom of a paper form“.

It then goes on to say that “consent has to be given before the processing starts … As a result a website should deliver a consent solution in which no cookies are set to user’s device … before that user has signalled their wishes regarding such cookies.”  In other words, the guidance indicates the need for a pop-up or a barrier page for users to click through before cookies can be set, harking back to the worst fears of industry at the time the cookie consent law was originally proposed.

When we’re talking about a fundamental human right, like privacy, the attraction of prior consent is obvious.  Unfortunately, it’s practically and technically very challenging.  However easy it sounds in theory (and it does sound easy, doesn’t it?), the realities are much more problematic.  For example, do you really require website operators to build two versions of their websites: one with cookies, and one without?  What happens to ‘free’ content on the web whose cost is subsidised by targeted advertising currently – who wants to return to a subscription-funded Internet?  If you’re a third party service provider, how do you guarantee prior consent when it is your customer (the website operator) who has the relationship with its visitors?

More importantly, prior consent is not what the e-Privacy Directive requires.  The word ‘prior’ never appears in the revised Article 5(3) of the e-Privacy Directive (the Article that imposes the consent requirement).  In fact, the word ‘prior’ was originally proposed, but was later dropped during the course of legislative passage.  Contrast this with Article 6(3), for example, which deals with processing of communications metadata (think PRISM) and DOES call for ‘prior’ consent.  Article 13 on unsolicited communications also uses the word ‘prior’ next to its requirement for consent.

What conclusions should we draw from this?  That’s a debate that lawyers, like me, have been having for a long time.  But, frankly, it’s all pretty academic.  Let’s deal instead in realities: if we were to be faced with cookie pop-ups or barrier pages on entry to EVERY website on the Internet, how quickly would we would become fatigued and simply click away the notices just to get rid of them?  What would that say about the validity of any ‘prior’ consents we provide?

Industry evolved implied consent as a solution that struck a balance between protecting individuals’ rights, addressing legal compliance and enabling online business.  Over time, it has done wonders to improve online tracking transparency and choice – implied consent has now become so widespread in the EU that even companies for whom cookies are their lifeblood, like Google, have implemented cookie consent transparency and choice mechanisms.

Critically, when done right, implied consent models fully satisfy the legal requirement that users’ consent must be “freely given, specific and informed”.  So here’s my suggestion: if you are looking to implement a cookie consent solution across Europe, don’t automatically jump to the most conservative standard that will put you out of alignment with your competitors and that, in most cases, will go further than national legislation requires.

Consider, instead, implied consent – but, if you do, embrace it properly:  a slight revision to your privacy policy and a new link to a cookie policy in the footer of your website won’t suffice.  Your implied consent model needs to provide prominent, meaningful notice and choice to visitors.  And to see how to do that, see our earlier post here.

Implied consent getting ever closer in the Netherlands

Posted on May 25th, 2013 by



On 20 May 2013, Dutch Minister Kamp (Minister for Economic Affairs) presented a bill to amend Article 11.7a of the Dutch Telecommunications Act (‘the cookie law’). Once it passes into law the bill will, among other things, allow website operators to rely on visitors’ implied consent to serve cookies and will also exempt analytics cookies from the consent requirement.

Why these changes are needed

In February this year the Dutch government concluded that the cookie law had overshot its intended objective. The current cookie law require website owners to obtain visitors’ opt-in consent to virtually all types of cookies, except those which are strictly necessary. This led to widespread adoption of opt-in consent barriers and pop-up screens which, the Government accepts, is undesirable from both a consumer and business standpoint.

The Government believes the problem with the current law is that it applies equally to all cookies, even those with little privacy impact. Because of this, it proposes that the scope of the consent exemptions should expand to include more types of cookies.

New exemptions: analytics cookies, affiliate cookies and a/b-testing cookies

Currently, a website operator does not have to obtain consent if cookies are strictly necessary to provide a visitor-requested service. Once the bill enters into effect, a further category of cookies will be exempted from the consent requirement – those which are “absolutely necessary […] to obtain information about the quality and effectiveness of an information society service provided  – provided that this has no or little consequences for the privacy of the user.

First-party and third-party analytics cookies, affiliate referral cookies and a/b testing cookies all seem likely to fall within the scope of this new exemption.  However, to ensure that these cookies qualify as having “no or little consequences for the privacy of the user”:

  • the data collected by these cookies must not be used to make a profile of the visitor (e.g. for targeting purposes); and
  • if the website operator shares cookie data with a third party (e.g. an analytics service provider), it must conclude an agreement with the third party that either requires the third party not to use the data for its own purposes or, alternatively, only for defined purposes that have no or little effect on visitors’ privacy.

Implied Consent

For other types of cookies (in particular, targeted advertising cookies), the consent requirements of the cookie law apply in full.  However, the explanatory memorandum to the bill discusses the interpretation of ‘consent’ in great detail and advocates the legal validity of implied consent solutions.

In particular, it advocates that implied consent may be legally derived from the behavior of the visitor of a website – for example, in the case where a visitor is presented with a clear notice about the website’s use of cookies and given options to control those cookies but continues to browse the website.  This is at odds with previous regulatory opinions of the ACM (formerly the OPTA, the relevant regulator for these purposes) which said that implied consent would not constitute valid consent.

Although Dutch recognition of implied consent has been anticipated for a while (see here), this is a critical development for online businesses in the Netherlands.  Once the bill enters into force, website operators will be able to replace their current explicit consent barriers and pop-ups with more user-friendly implied consent banners indicating that continued use of the website without changing cookie settings will constitute consent.

All in all, the bill is a major step towards a more pragmatic implementation of the cookie law. With these changes, Dutch law will better balance the privacy interests of website visitors with online businesses’ legitimate data collection activities.

When will the bill enter into force?

The bill is open for public consultation until 1 July 2013, and the Minister must also consult the Council of State and the Dutch Data Protection Authority. On the basis of the consultation responses, the minister may then decide to amend the bill or submit it to Parliament as currently drafted. Parliamentary discussion can be completed within a few months, but may potentially take up to a year. However, given the current momentum behind adopting a more pragmatic cookie regime in the Netherlands, it is anticipated that the overall process will be toward the shorter end of this timescale.

With thanks to our friends Nicole Wolters Ruckert and Maarten Goudsmit, Privacy Attorneys at Kennedy Van der Laan, for this update. 

 

Cookie consent update – implied consent now widespread

Posted on May 15th, 2013 by



Our latest EU cookie consent tracking table has just been published here.

Latest regional developments:

Our latest table reveals:

* ‘Implied consent’ is currently a valid solution for cookie compliance in nearly three-quarters of EEA Member States.

* Since our last update, cookie consent implementations have been introduced in Norway and Poland.

* Ongoing cookie regulatory developments in Denmark, the Netherlands, Slovenia and Spain.

Other notable developments

Aside from the regional developments shown in our table, other notable developments include:

* Growing recognition that cookie consent is every bit as relevant in mobile platforms as in desktop platforms – see, for example, the Working Party’s latest opinion on mobile apps (here).

* Major online players like Facebook and Google are adopting notice and choice solutions, likely driving wider industry compliance efforts (see here).

* Consumer protection and advertising regulatory bodies like the OFT and ASA are increasingly showing interest in online tracking and notice/choice issues (see here and here).

* Increasing co-operation between global DPAs on online privacy compliance issues (see here).

All in all, online privacy compliance continues to attract ever greater attention, both within data protection circles and from the wider regulatory environment.  As this issue continue to run and run, the picture emerging is that implied consent is the clear compliance front-runner – both from a regulatory and also from a market-adoption perspective.

If Google cares about cookie consent, so should you.

Posted on April 16th, 2013 by



Over the weekend, Google made a subtle – but significant – modification to its online search service in the EU: nearly two years after Europe’s deadline for EU Member States to adopt national cookie consent laws, Google rolled out a cookie consent banner on its EU search sites.

If you’re a visitor from the US, you may have missed it: the banner shows only if you visit Google sites from within the EU. However, EU visitors will clearly see Google’s consent banner placed at the bottom of its main search page and at the top of subsequent search results. As well as informing visitors that “By using our services, you agree to our use of cookies“, the banner provides a “Learn more” link that visitors can click on to watch a video about Google’s cookie use and to see disclosures about the cookies it serves.

This development alone would be significant. But taken together with Facebook’s recent announcement it will deploy the AdChoices icon (another implied consent solution for targeted adverts) on ads served through its FBX exchange, the implications become huge for the following reasons:

* CPOs will find selling cookie consent adoption much easier now. Selling the need to implement cookie consent to the business has always been a challenge. The thinking among marketing, analytics and web operations teams has always been that cookie consent is expensive to implement, time consuming to maintain, and disruptive to the user experience and data collection practices. Other than the occasional penned letter by regulators there’s been no “real” enforcement to date and, with patchy market adoption of cookie consent, many businesses have performed a simple cost / benefit analysis and chosen inaction over compliance. But when two of the Internet’s most heavily scrutinised businesses actively engage with cookie consent, they clearly think it’s an issue worth caring about – and that means it’s an issue YOU need to care about too. The “Google does it” argument is a powerful tool to persuade the business it needs to re-think its strategy and adopt a cookie consent solution.

* Regulatory enforcement just got easier. Rightly or wrongly, a perceived challenge for regulators wanting to enforce non-compliance has been that, before taking measures against the general publisher and advertiser population, they need first to address the behaviours of the major Internet players. While never overtly acknowledged, the underlying concern has been that any business pursued for not adopting a cookie banner would cry “What about them?”, immediately presenting regulators with a challenge: do they continue to pursue that business and risk public criticism for overlooking the bigger fish, or do they pursue the bigger fish and risk getting drawn into expensive, resource-draining legal battles with them? The result to date has been regulatory stalemate, but these developments could unlock this perceived barrier. While it’s not the case that they will result in a sudden flurry of enforcement activity overnight, they are one of many factors that could start to tip the scales towards some form of meaningful enforcement in future.

* Implied consent IS the accepted market standard. When the cookie consent law was first proposed, there were huge concerns that we would be set upon by an avalanche of consent pop-up windows every time we logged online. Whizz forward a few years, and thankfully this hasn’t happened, whatever regulatory preferences may exist for cookie opt-ins. Instead, over time, we’ve seen Member States and – perhaps more importantly – the market grow more and more accepting of implied consent solutions. Adoption by major players like Facebook and Google lend significant credibility to implied consent and smaller businesses will undoubtedly turn to the approaches used by these major players when seeking their own compliance inspiration. Implied consent has become the de facto market standard and seems set to remain that way for the foreseeable future. Businesses delaying compliance adoption due to concerns about the evolution of consent requirements in the EU now have the certainty they need to act.

This post first appeared in the IAPP’s Privacy Perspectives blog, available here.

Europe continues to embrace cookie consent

Posted on February 5th, 2013 by



We’ve just published an updated table of European cookie consent requirements (available here), which makes clear that Member State adoption of local cookie consent laws continues to spread.

Our latest update reveals that:

*  24 out of 30 EEA Member States have now adopted national cookie consent rules.

*  Since our last update, Poland, Portugal and Slovenia have adopted new local laws governing cookie consent.

*  There are ongoing regulatory developments with regard to cookie consent guidance and enforcement in Denmark, Italy, Ireland and the UK.

With cookie consent rules have now been adopted across nearly all European territories, online businesses operating without a notice and consent strategy face real exposure that they need to address and resolve promptly.  And given the recent news of the first ever group privacy claim in the UK relating to cookies, non-compliance risk is rising from “simmering” to “boiling”!

Big Data at risk

Posted on February 1st, 2013 by



“The amount of data in our world has been exploding, and analysing large data sets — so-called Big Data — will become a key basis of competition, underpinning new waves of productivity growth, innovation and consumer surplus”.  Not my words, but those of the McKinsey Global Institute (the business and economics research arm of McKinsey) in a report that evidences like no other the value of data for future economic growth.  However, that value will be seriously at risk if the European Parliament accepts the proposal for a pan-European Regulation currently on the table.

Following the publication by the European Commission last year of a proposal for a General Data Protection Regulation aimed at replacing the current national data protection laws across the EU, at the beginning of 2013, Jan Philipp Albrecht (Rapporteur for the LIBE Committee, which is leading the European Parliament’s position on this matter) published his proposed revised draft Regulation.  

Albrecht’s proposal introduces a wide definition of ‘profiling’, which was covered by the Commission’s proposal but not defined.  Profiling is defined in Albrecht’s proposal as “any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour“. 

Neither the Commission’s original proposal nor Albrecht’s proposal define “automated processing”.  However, the case law of the European Court of Justice suggests that processing of personal data by automated means (or automated processing) should be understood by contrast with manual processing.   In other words, automated processing is processing carried out by using computers whilst manual processing is processing carried out manually or on paper.  Therefore, the logical conclusion is that the collection of information via the Internet or from transactional records and the placing of that information onto a database — which is the essence of Big Data — will constitute automated processing for the purposes of the definition of profiling in Albrecht’s proposal.

If we link to that the fact that, in a commercial context, all that data will typically be used first to analyse people’s technological comings and goings, and then to make decisions based on perceived preferences and expected behaviours, it is obvious that most activities involving Big Data will fall within the definition of profiling.

The legal threat is therefore very clear given that, under Albrecht’s proposal, any data processing activities that qualify as ‘profiling’ will be unlawful by default unless those are activities are:

*      necessary for entering into or performing a contract at the request of the individual – bearing in mind that “contractual necessity” is very strictly interpreted by the EU data protection authorities to the point that if the processing is not strictly necessary from the point of view of the individuals themselves, it will not be regarded as necessary;

*      expressly authorised by EU or Member State law – which means that a statutory provision has to specifically allow such activities; or

*      with the individual’s consent – which must be specific, informed, explicit and freely given, taking into account that under Albrecht’s proposal, consent is not valid where the data controller is in a dominant market position or where the provision of a service is made conditional on the permission to use someone’s data.

In addition, there is a blanket prohibition on profiling activities involving sensitive personal data, discriminatory activities or children data.

So the outlook is simple: either the European Parliament figures out how to regulate profiling activities in a more balanced way or Big Data will become No Data.

 

What will happen once the ASA starts to regulate Online Behavioural Advertising?

Posted on December 11th, 2012 by



Early next year, the UK Advertising Standards Authority (“ASA“) will start regulating Online Behavioural Advertising (“OBA“) in the UK – meaning that online advertisers who serve targeted ads to website visitors will have to worry not only about the risk of cookie consent enforcement by the ICO, but also the risk of investigation and public admonishment by the ASA.  A regulatory double-jeopardy, if you will.

This is a consequence of recent changes to the “UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing” (“CAP Code“) that will come into effect on 4 February 2013.  In effect, the CAP Code changes are designed to implement the earlier European Advertising Standards Alliance “Best Practice Recommendation on Online Behavioural Advertising” published in April 2011 – which, you may recall, the Article 29 Working Party wasn’t exactly excited about

Anyone who’s read the EASA recommendation won’t be surprised by the CAP Code’s proposals – that website visitors must be given notice and choice, with advertisers encouraged to display a small icon licensed by the European Interactive Digital Advertising Alliance (or eDAA) alongside the adverts they serve by way of achieving this goal.  Nor will they be surprised by the ‘gaps’ in the CAP Code, most notably that it doesn’t apply to first party tracking by a publisher across its own website domains.

But what are the real consequences of the ASA wading into the murky waters of OBA regulation?   Broadly speaking, they can be boiled down to the following:

1.  Cookie regulation is not going to go away.  The revised CAP Code is simply implementing recommendations already published at a European level by the European Advertising Standards Alliance.  When it published its recommendations, EASA set an ambitious – and, as it turned out, unrealistic – goal of ensuring “at least 70% of its EU SROs [national advertising self-regulatory organisations] have implemented the BPR [best practice recommendation] within a year (i.e. by the end of April 2012)“.  When the UK took the lead on implementing cookie consent rules and guidance, other EU member states quickly followed suit – so it seems a relatively safe bet here that a similar regulatory flurry will follow now among EU advertising regulators.  This means that the amount of national regulation governing online tracking will continue to grow, not decline – with all the disharmony that entails. 

2.  Confusion about what qualifies as lawful visitor tracking.   Being based on the EASA best practice recommendation, the CAP Code promotes a notice and opt-out approach.  That’s fine, but it’s not the law – which instead requires consent when serving tracking cookies.  The Article 29 Working Party have already been vocal in expressing their view that the EASA recommendation is not sufficient for obtaining consent, and CAP even acknowledges likewise – the new rules say that they “are not designed to provide compliance with the law and companies should seek their own legal advice when working to comply with privacy and data protection legislation.  The net result?  Yet more confusion about what standards, exactly, businesses are to apply when tracking online visitors.  It seems an inevitability that many businesses will (mistakenly) assume that compliance with the CAP Code is, in itself, sufficient to comply with legal cookie consent requirements – risking exposure under local data protection laws.

3.  Expansion in enforcement remit for the ASA:  The new rules regulating website tracking for targeted advertising are interesting for another reason:  they represent a significant expansion of the ASA’s enforcement remit beyond simply regulating the content of adverts into regulating the technology used to generate and deliver those advert.   The ASA’s remit already underwent a massive expansion in March 2011 when it grew beyond adverts in paid-for space to also include marketers’ own websites and communications on social networks, amid concerns over the ASA’s resourcing to effectively regulate these spaces.  That expanded remit could at least be characterised in terms of the ASA doing ‘more of the same’ online; this time around, however, its further expanded remit will require it to develop technological knowledge and skillsets it may not currently possess – raising questions over how consistent and effective its enforcement will be.

4.  Prepare for real enforcement.  Historically, the ASA has generally proven itself a better resourced and more active regulator than the ICO, having forced changes to or the withdrawal of some 4,591 ads in 2011 from a total of nearly 32,000 complaints.  While it doesn’t have the ability to fine, ASA investigations are costly, time-consuming and can result in embarrassing adjudications that are made publicly available and widely reported by the press.  The ASA is also a more familiar regulatory “brand” to many consumers who may more instinctively complain to the ASA than the ICO with concerns about targeted ads.  Long story short, there’s a good chance the ASA may well prove a more active regulator of targeted advertising than the ICO once the new rules come into effect.

So what does all this mean?  Ultimately, that online visitor tracking will remain high on the regulatory agenda for some time to come and, while it does so, the likelihood of some manner of regulatory enforcement grows all the time.  What form that enforcement will take – whether by a data protection authority, an advertising standards authority, or a consumer protection body, and whether in the UK, rest of Europe or even by a country outside the EU – remains to be seen. 

All that can be said with certainty is that businesses that aren’t already thinking about their visitor transparency, choice and education strategies for their website tracking need to get their act together and do so – now!