Updated EU legislation surrounding the use of tracking technologies (in particular cookies) and its relationship to consumer privacy is going to have significant implications for marketers and publishers. Amid all the discussion and speculation on how the new law will be implemented and enforced, online advertisers and marketers need to gain an understanding of the technologies involved and how the privacy landscape will affect the way they do business. Without a deep understanding of how websites and third parties collect data -- with the latter often doing so surreptitiously -- legal counsel will more than likely miss the mark when auditing standard terms and conditions.
The updated EU legislation came into force on 26 May 2011 in the form of the Privacy and Electronic Communications (EC Directive). In a similar vein, the FTC in the USA is talking of a possible Do Not Track Bill. Given the widespread use of tracking technologies by marketers for both operational and promotional purposes, how should the industry prepare itself in order to comply with the new regulations?
Engagement is up for criticism
The fundamental issue boils down to engagement. Not engagement as a simple campaign or social media driver, but rather how relationships are built and maintained with customers, prospective customers and potential employees through tracking technologies.
It is fair to say that in the name of getting the digital marketing acquisition and retention job done, the sector is widely at fault for overusing technologies like cookies to achieve its goals -- often at the expense of the relationships it is trying to forge with stakeholders. Therefore, it was only a matter of time before the industry had the spotlight put on it.
The Privacy and Electronic Communications Directive (EC Directive)
To better understand the legislation, let's look at the current state of play. Within the European Union a survey (or directive) was conducted on the implementation of the new rules on cookies through the EU Telecoms Reform Directive 2009/136/EC (TRD). This directive was passed on 25th November 2009 and requires member states to achieve a particular result, without dictating the means of achieving that result. It differs from a regulation in the sense that regulations are self-executing and do not require implementation measures, and local interpretation is allowed.
Directives, on the other hand, leave member states with a certain amount of leeway regarding exact rules to be adopted. They can be adopted by means of a variety of legislative procedures depending on their subject matter.
After this, an Amends Directive 2002/58/EC was passed, concerning the processing of personal data and the protection of privacy in the electronic communications sector (as implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003). The changes, although subtle, are significant.
The difference between the two is that the former directive assumes consent has been given to advertisers to track via cookies, that web users can opt out at their convenience, and that compliance can be achieved by doing this. The new wording demands that companies explicitly ask web visitors for consent to track online behaviour, with visitors actively opting in to participation.
Enforcing, implementing and regulating the directive
Leadership and guidance come from four channels. In the first instance, the EU is guiding and enforcing the TRD; second, the UK Department for Culture, Media and Sport will implement the legislation by putting a system in place for businesses to follow; third, the Information Commissioner's Office (ICO) will regulate the directive; and fourth, the Internet Advertising Bureau (IAB) has created an Online Behavioural Advertising (OBA) certificate of compliance that businesses can sign up to.
What advertisers can do immediately
To become compliant, advertisers need to get a handle on the data they are collecting, by whom (in-house or via agencies), and establish how they are using it. As a first step, businesses need to audit their sites' data sets: without knowing what they are tracking they cannot manage their data. When auditing, advertisers also need to take into account the intended use of tracking technologies and cookies, as opposed to not knowing at all what they are used for.
Another way to think about an audit is like this: if organisations got their customers into a room and told them about the technologies used to run their business, how would customers react? If they're not happy, organisations should evaluate their stance.
Advertisers need to ask themselves: if our brand was truly engaged in relationship-building with customers and prospects, if customer data management was at the core of what we do, and if we had the internal tools and best practice methodologies -- would we really need to use the number of technologies that we do?
Cameron Hulett, senior VP, Acceleration