The countdown begins

The EU privacy directive is gathering speed. Here's what you need to know to stay on the right side of the law

If you were following the EU ePrivacy directive, last year ended with a bang. In London, Evidon and Field Fisher Waterhouse hosted Evidon Empower Europe where a cross section of regulators, European Commission representative attorneys and executives from across the online advertising ecosystem met to discuss expectations and practical solutions. The advisory body to the commission, which includes regulators from each member state, adopted an opinion on 8 December 2011 that was critical of the self-regulatory programme for behavioural advertising in Europe. A week later, the UK ICO (the regulator for online advertising) released its half-term report on cookie compliance, combined with a significant update to its guidance to companies seeking to comply with the directive.

When it comes to tracking policy in Europe, perspective is critical. When you have multiple voices that differ on critical points, each needs to be understood in context. The advisory board's recommendations have no binding authority over the law, though its opinions hold significant weight. The ICO has binding authority, but only in the UK. So where does this leave us?

The directive is not going anywhere

Leaving aside the content for a moment, the fact that regulators have been so active over the last month is a clear indication that this law is being taken seriously and that regulators intend to see it enforced in 2012. The regulators in the UK and France are making it clear that this is your problem, not theirs. UK information commissioner Christopher Graham dealt with this head on:

"If you have decided that this is all too difficult, that you don't want to give your users choices about how your web pages might collect information about them ... then be assured that if we get complaints or have concerns then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance."

When regulators are this committed, inaction is clearly not an option.

Prior consent

Although the Article 29 Working Party's theoretical position requiring "prior consent" remains unchanged, the UK ICO understands the role of pragmatic solutions. The ICO continues to push for cookie audits and is open to a range of innovative ways to bring the discussion about tracking to the consumer. The ICO guidance also included several good examples of how first parties can acquire consent, including basic improvements that fall well short of the radical steps that some have suggested. Most importantly: elevate the dialogue and give users options, and you will be at the front of the pack.

Implied consent is alive and kicking 

After two years of discussion, no one has found a practical way to create a prior consent system without producing a terrible user experience or forcing the industry to make extreme and disproportionate sacrifices. There clearly is no consensus in the legal community that the law requires prior consent. Again, Christopher Graham: "We recognised that compliance could not be achieved overnight, that we could not simply switch off the internet and start again." He added that a company might have confidence that it is compliant if users "know that some things are more likely than not going to happen when they arrive at your site and that if they want to make choices about those things they know where to go and what to do." Eduardo Ustaran at Field Fisher Waterhouse has an excellent post on this point.

Of course, for implied consent to work, it must be substantially more robust than the status quo. In particular, companies will need to demonstrate that consent is 'freely given,' 'specific,' and 'informed'.  

Here's what you need to know: 

1. 'Freely given' can be addressed by ensuring that the user suffers no penalty for opting out.

2. 'Specific' requires that the notice includes a complete inventory of the companies behind a particular web page or ad, and that the list be tailored to the event, rather than generic.

3. 'Informed' is perhaps the most challenging. Notice must be made available in a ubiquitous fashion, wherever non-essential tracking activity is taking place, on every page and every ad. To qualify as notice, companies may need to be inventive about text labelling. While we continue to believe that the self-regulatory program can be leveraged as part of a compliance strategy, including the advertising option icon, companies may need to expand on the 'AdChoices' text label, especially before users understand its meaning. For the notice to provide consent, it must also include a switch that allows a user to withdraw consent. Wrapping these enhancements into a practical, cohesive offering will require companies to approach the consumer in a new manner. Look for Evidon to expand its tools in early 2012 to help clients lead the charge.

Practical steps for compliance:

As we prepare for the ramp-up towards compliance over the first half of 2012, consensus is emerging around a core set of practical steps:

1. Understand all of the tracking on your own site. Set up a system to regularly monitor and audit all the code on your sites. This is more than just a "cookie audit". Much of the tracking covered by the directive doesn’t use cookies at all. You need to know the actual scripts that run on your pages. If you haven't obtained a full tracking audit recently, be sure this is your first step. You'll be surprised by the results. Once complete, you'll need to categorise each tracker as essential or non-essential, and then rank them on a scale of relative intrusiveness.

2. If you engage in any online behavioural advertising, be sure to join the IAB's self-regulatory program. The program is taking its hits right now, but it still leverages an icon with significant and growing global mindshare, and many regulators, including the ICO, believe it has a role to play.

3. Build out your implied consent model. Details here will vary based on your business model, but you'll need to make sure that you meet the criteria above, and that the model applies to wherever you are touching the consumer, including on your own site, in online ads, and on mobile devices.
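
As an illustration of the tracking audit in step 1 (an added example, not part of the original article and not Evidon's tooling), the sketch below inventories third-party scripts, pixels and iframes in a page's HTML and labels each host as essential, non-essential or unclassified. The sample page, the hostnames and the classification table are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; every hostname below is made up for illustration.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.payments.example/checkout.js"></script>
<script src="//ads.tracker.example/tag.js"></script>
</head><body>
<img src="https://pixel.metrics.example/p.gif?uid=123" width="1" height="1">
<iframe src="https://widgets.social.example/like"></iframe>
</body></html>
"""

# Assumed operator-maintained table: the outcome of reviewing each tracker.
CLASSIFICATION = {
    "cdn.payments.example": "essential",
    "ads.tracker.example": "non-essential",
    "pixel.metrics.example": "non-essential",
}

class ResourceCollector(HTMLParser):
    """Collect (tag, host) for elements that load a resource, cookie or not."""
    TAGS = {"script", "img", "iframe"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in self.TAGS and src:
            self.found.append((tag, urlparse(src).hostname))

def audit(html, site_host, classification):
    """Return {third_party_host: (category, sorted tags)} for one page."""
    collector = ResourceCollector()
    collector.feed(html)
    report = {}
    for tag, host in collector.found:
        if host is None or host == site_host:  # relative URL or first party
            continue
        category = classification.get(host, "unclassified")
        report.setdefault(host, (category, set()))[1].add(tag)
    return {h: (c, sorted(t)) for h, (c, t) in report.items()}

if __name__ == "__main__":
    result = audit(SAMPLE_HTML, "www.shop.example", CLASSIFICATION)
    for host, (category, tags) in sorted(result.items()):
        print(f"{host:26} {category:14} via {', '.join(tags)}")
```

Static HTML only shows resources referenced in the markup; tags that scripts inject at runtime need to be captured from a real browser session, so treat any "unclassified" host here as a starting point for review.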

These steps help you manage your data strategy much more closely, and help you bridge the information gap with your users. Just as important, they are practical steps that do not create massive disruption, and they help you achieve compliance with the law. I won't say it's easy, but with the 25 May 2012 deadline approaching in the UK, the stakes are too high to sit on the sidelines.

Scott Meyer is the CEO of Evidon.
 
