EU Privacy and Electronic Communications Regulations

INTRODUCTION

Ever since the furore over the UK phone hacking scandal in 2011 engulfed the owners of News International as well as politicians of all political parties, the Government and law enforcement officers, the issue of privacy and electronic communications has become a national obsession.

The public revulsion that followed the disclosure of the hacking of private phone messages of murder and terrorist victims and war widows didn’t just rip apart the UK’s biggest selling Sunday newspaper the News of the World but also raised serious questions about the legal safeguards in place to protect an individual’s right to privacy whilst at the same time protecting freedom of speech within the law.

And in December 2012, the Director of Public Prosecutions, Keir Starmer QC, was forced to issue interim guidelines in the wake of unguarded comments made about Lord McAlpine on Twitter.

With full guidelines expected in early 2013, the Crown Prosecution Service (CPS) has indicated there’s a world of difference between the situation where someone makes unguarded and grossly offensive comments on Twitter or Facebook and one where individuals feel victimised by being on the receiving end of credible threats of violence, harassment or stalking, or where the nature of the communication is so toxic as to be grossly offensive, indecent, obscene or false.

In such cases, the prosecution needs to show that the perpetrator intended or was aware that the message was grossly offensive, indecent or menacing, which can be inferred from the terms of the message or from the defendant’s knowledge of the likely recipient. The offence is committed by sending the message and there’s no requirement that any person sees the message or be offended by it.

In order to determine whether tweets and social media comments could lead to prosecution, a balance needs to be struck by the police and the CPS between the evidence of wrongdoing, the likelihood of a criminal conviction being achieved and whether proceedings can be seen to be in the public interest.

But it’s not just the behaviour of individuals that’s been under the spotlight: increasingly, companies and organisations are expected to comply with the highest standards of ethical behaviour or face the opprobrium of public anger as well as the full weight of the law.

From a marketing perspective, brand owners have come to realise just how fast they must respond to practices that can cast a dark cloud over the whole organisation and ultimately affect their bottom line.

London Evening Standard City Editor Anthony Hilton commented: “The greatest risk in business today is not of production failure or accounting fraud or even terrorist attack. The thing that keeps company bosses awake at night is reputational risk – the fear that the behaviour of even just one rogue employee in a vast organisation will destroy the reputation of the whole business and make it so toxic that even its most loyal customers, suppliers and employees want nothing more to do with it, lest they too become tainted by association in the public mind.”

The reality is that people have more power as consumers than they have as voters, and this hasn’t escaped the attention of the Government, the European Parliament, industry regulators and a judiciary that’s under increasing pressure to be seen to be in touch with public opinion rather than removed from it.

On 26 May 2011, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations (the 2011 Regulations) came into force in the UK, providing marketers with a 12-month window in which to comply by May 2012 or risk legal action by the Information Commissioner.

These regulations affect direct electronic marketing on laptops, desktops, digital and mobile devices and the security and confidentiality of such communications. The 2011 Regulations amend the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The main practical change is in relation to cookies – small text files that are stored on a user’s device when visiting a web site. The cookie assists the web or mobile site in recognising the user’s device and delivering a more tailored and user-friendly experience.

Previously, the 2003 Regulations required that web site users be given clear information on what cookies are, how they are used and be given an opportunity to refuse to accept them being placed on their computer. Web site owners accommodated this requirement by including the necessary information and the opportunity to ‘opt-out’ in a prominent privacy policy on their web site, either included in or linked to from the web site terms of use.

The 2011 Regulations now change the ‘opt-out’ requirement to an ‘opt-in’ requirement.

What this means is that web users must clearly indicate that they’ve consented to cookies being installed on their device before the web site owner can use them.

There are very few exceptions to this requirement, such as where the cookie is ‘strictly necessary’ for a service – for example, in an online check-out context (see below).

The law change has led to redrafting of privacy policies as well as changing the operability of web sites, both of which present practical problems and severe inconvenience for web site owners.

Many web site owners are still in breach of the 2011 Regulations, having been slow to adopt these new requirements.

Over the next few years, adoption of the new requirements is likely to increase as the Information Commissioner uses enhanced powers of investigation and enforcement to impose penalties for breach of the 2011 Regulations, which carry a theoretical maximum penalty of up to £500,000.

In 2012, Jon Woods, general manager at Coca-Cola for UK and Ireland said that the 2011 Regulations around behavioural targeting presented one of the biggest regulatory challenges for the business in the future.

“We need to be transparent about what data is being taken and what cookies are being used so that consumers feel confident using our brands. The issue is that the agencies we rely on to manage digital are experts but this might mean that what they learnt yesterday and what they’re telling us today may be out of date because technology changes in this area are moving so fast,” he said.

In 2012 Coca-Cola updated its Responsible Marketing Code in response to the challenges that the new 2011 Regulations present.

“With digital marketing being one of the fastest-moving areas, it remains a key pillar within our Responsible Marketing Code. As we increase our marketing in the digital area, our priority is to set the standard across the industry and drive best practice going forward allowing Coca-Cola Great Britain to continue to deliver creative, cutting-edge and responsible campaigns.

“We have a Responsible Marketing Policy that covers all our beverages, and we do not market any products directly to children under 12. One example which is integral to our approach is our Traffic Light System. This is applied across all our brands to ensure that our online campaigns are targeting the right audience and age profile. The system allows us to evaluate the content of a site that we are integrating into our digital activity and provides an outline of the audience of any given website. Given that content can be easily shared and passed on in the digital environment, the age targeting buffer allows us as a business to gain an understanding into the suitability of any given website at any time and adapt our plans accordingly”, explained Laura Misselbrook, communications manager at Coca-Cola.

IMPLEMENTATION OF THE ‘COOKIE DIRECTIVE’ IN THE UK

Marketers increasingly need to use electronic means to market directly to customers and clients. Direct marketing consists of any advertising or marketing communication – whether trying to sell products/services or promote a company or brand – that’s directed to particular individuals or customer segments.

The rules covering this apply to any message consisting of text, voice, sounds or images and so cover e-mails, text, picture and video messages, and answerphone and voicemail messages. It’s not clear whether the rules cover ‘push’ marketing techniques delivered by Bluetooth and near field communication (NFC) devices, although a user’s setting the device to ‘on’ mode would seem to indicate that consent to receive such packets of data has been given.

There are restrictions on how companies collect data about customers, and how they send marketing information that hasn’t been requested by a customer, known as unsolicited marketing.

If marketers don’t comply with these rules then they run the risk of incurring significant fines as the Tetrus Telecoms case illustrates.

The directors of the Manchester-based company had been using unregistered pay-as-you-go SIM cards to send out as many as 840,000 illegal text messages to mobile users, which netted them an income of around £8,000 a day.

Examples of these text messages included ‘CLAIM TODAY you may be entitled to £3500 for the accident you had. To claim free, reply CLAIM to this message. To opt out text STOP. Thank you.’

As a result of action taken by the Information Commissioner’s Office, fines in excess of £400,000 were imposed on both directors of the company and the company was put out of business.

In order to comply with the law in this area, marketers must remember to provide the following information to the web site or mobile user at the point of collection of personal data:

  • name of the organisation on whose behalf the marketer or agency is making contact;
  • explanation of the use of the information, particularly uses that aren’t obvious, for example, if third parties or group companies will use the data or if the marketer intends to send marketing out under different trading names;
  • if there’s other information that the marketer might hold or collect at a later date, how it will collect this, for example, via marketing surveys and the reasons why that data is being collected; and
  • if the web site owner intends to use cookies, there needs to be an explanation as to what they are and the purposes for which they are being used (see below). Marketers will only be able to use cookies that are strictly necessary for the provision of a service requested by the customer without the customer’s consent.

Guidance on reliance on ‘implied consent’ has been given by the Information Commissioner. The word ‘implied’ doesn’t mean that web site owners can skip obtaining ‘informed’ consent, and so the standards expected from web site owners are no less rigorous:

  • If you’re relying on implied consent, you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you don’t have their informed consent;
  • you shouldn’t rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand; and
  • in some circumstances, for example where you’re collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate in the circumstances.

2011 Regulations

Under the 2011 Regulations, cookies can only be placed on laptops, desktops, digital and mobile devices where the user or subscriber has given its consent.

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment-

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information–

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

There are two exceptions to the ‘opt in’ cookie rule

The first is where the marketer places a cookie for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

The second exception to the ‘opt-in’ rule is if what the marketer is doing is ‘strictly necessary’ for the provision of an information society service requested by the subscriber or user.

This exception is a narrow one but might apply, for example, to a cookie a marketer uses to ensure that when a user of its web site has chosen the goods it wishes to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, the web site ‘remembers’ what the user chose on a previous page.

This exception needs to be interpreted quite narrowly because the use of the phrase ‘strictly necessary’ means its application has to be limited to a small range of activities and because the use of the cookie must be related to the service explicitly requested by the web site user.

For example, the exception won’t apply just because the marketer decided that the web site is more attractive if it remembers users’ preferences, or because the marketer was keen to harvest behavioural analytics in order to improve the user experience of the site.

Audit of cookies used on the web site

Depending on the nature of the business, a marketer may decide to carry out a comprehensive audit or simply check what data files are placed on web site users’ devices and why.

Marketers should identify which cookies are strictly necessary and might not need consent. This could also present an opportunity to ‘clean up’ web pages and to cease using any cookies that are unnecessary or which have been superseded as the site has evolved.

The 2011 Regulations are intended to add to the level of protection afforded to the privacy of web site users and therefore the more intrusive the use of cookies, the more priority a marketer will need to give to gaining informed consent for the use of such cookies.

Some of the things done on a web site won’t have any impact on the privacy of a web site user and could even be helpful in keeping information safe. Other technologies will simply allow the marketer to improve the web site based on information such as which links are most frequently used or which pages get the lowest number of unique views. However, some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. In such a case, it’s clear that this is intrusive and requires consent.

It might be useful to think of the requirement of obtaining consent as a continuum where at one end of the scale are neutral cookies and at the other end of the scale is the intrusive use of technologies such as online behavioural advertising techniques. Compliance with the 2011 Regulations is therefore far from straightforward.
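A cookie audit and consent gate of the kind the audit section and the two Regulation 6(4) exceptions above describe, added here as an illustration (it is not code from the article or from any site the article mentions): the cookie inventory, purposes and the `adnet.example` domain are constructed sample data, and `auditInventory` and `ConsentGate` are assumed names.

```javascript
// Added example, not from the article: audit a constructed cookie inventory
// against Regulation 6 of the 2011 Regulations and gate cookie-setting on
// consent. All cookie names, purposes and domains below are constructed.

// Regulation 6(4): storage/access for the sole purpose of carrying out the
// transmission of a communication, or strictly necessary for a service the
// user requested, does not need consent. Everything else does.
const EXEMPT_PURPOSES = new Set(["transmission", "strictly-necessary"]);

// Position on the article's consent continuum: 0 = neutral, 3 = most intrusive.
const INTRUSIVENESS = {
  "transmission": 0,
  "strictly-necessary": 0,
  "preference": 1,               // e.g. remembered language or text size
  "analytics": 2,                // background usage statistics
  "behavioural-advertising": 3,  // cross-site profiling for targeted ads
};

// Constructed inventory of the kind a site audit would produce.
const COOKIE_INVENTORY = [
  { name: "basket_id", purpose: "strictly-necessary", firstParty: true,
    detail: "keeps chosen goods across 'add to basket' and checkout pages" },
  { name: "site_lang", purpose: "preference", firstParty: true,
    detail: "remembers the language version the user picked" },
  { name: "stats_uid", purpose: "analytics", firstParty: true,
    detail: "counts page views and most-used links" },
  { name: "adnet_uid", purpose: "behavioural-advertising", firstParty: false,
    detail: "set by adnet.example (constructed) to profile browsing across sites" },
];

// Does Regulation 6(2) consent have to be obtained before this cookie is set?
function consentRequired(cookie) {
  return !EXEMPT_PURPOSES.has(cookie.purpose);
}

// Produce the audit table, most intrusive first, so the cookies needing the
// most prominent consent mechanism are reviewed first. Unknown purposes are
// treated as most intrusive rather than silently exempted.
function auditInventory(inventory) {
  return inventory
    .map((c) => ({
      name: c.name,
      purpose: c.purpose,
      thirdParty: !c.firstParty,
      consentRequired: consentRequired(c),
      intrusiveness: INTRUSIVENESS[c.purpose] !== undefined ? INTRUSIVENESS[c.purpose] : 3,
    }))
    .sort((a, b) => b.intrusiveness - a.intrusiveness);
}

// Consent gate in front of cookie-setting. The jar stands in for
// document.cookie so the example runs outside a browser; grant() would be
// called from the user's positive action (tick box, feature switched on).
class ConsentGate {
  constructor(inventory) {
    this.inventory = new Map(inventory.map((c) => [c.name, c]));
    this.consented = new Set();   // purposes the user has agreed to
    this.jar = new Map();         // cookies actually set
    this.blocked = [];            // audit trail of refused attempts
  }

  grant(purpose) {
    this.consented.add(purpose);
  }

  // Returns true only when the cookie is set. Cookies missing from the audited
  // inventory are refused: an unaudited cookie has no recorded purpose, so
  // neither exemption nor consent can be claimed for it.
  trySet(name, value) {
    const cookie = this.inventory.get(name);
    if (!cookie) {
      this.blocked.push({ name, reason: "not in audited inventory" });
      return false;
    }
    if (consentRequired(cookie) && !this.consented.has(cookie.purpose)) {
      this.blocked.push({ name, reason: `no consent for purpose '${cookie.purpose}'` });
      return false;
    }
    this.jar.set(name, value);
    return true;
  }
}

// Walk-through: before any consent only the basket cookie is set; after the
// user ticks "remember my language" the preference cookie is allowed too.
function demo() {
  const gate = new ConsentGate(COOKIE_INVENTORY);
  const before = COOKIE_INVENTORY.map((c) => gate.trySet(c.name, "v1"));
  gate.grant("preference");
  const after = COOKIE_INVENTORY.map((c) => gate.trySet(c.name, "v2"));
  return { before, after, blocked: gate.blocked.length, set: [...gate.jar.keys()] };
}
```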

Reliance on the web site user’s own browser settings to help comply with the ‘opt-in’ regime

The regulators recognised that compliance with the new regime would raise all sorts of practical problems. One suggestion was to get the user to pre-determine which cookies they would allow and which cookies they would not and the consent mechanism would be built into the internet browser used by the user to visit the web site.

At present, most browser settings aren’t sophisticated enough for a marketer to assume that the web site user has given its consent to allow the web site to set a cookie, and whether this will change in the immediate term remains to be seen.

The other issue is that not every web site user will use a browser to access the site. For example, a user may access the site through an application on a mobile phone. So for the time being, consent to accept a cookie needs to be achieved through other means (see below).

Pop ups and similar techniques

Pop-ups or interstitials could be used as an opt-in device on the web site. On the surface, this may appear to be an attractive option but it’s also one which might well spoil the experience of using a website if the site uses several cookies.

Many websites routinely and regularly use pop ups or ‘splash pages’ to make web site users aware of changes to the site or to ask for user feedback. Similar techniques could, if designed well enough, be a useful way of informing users of the techniques that are being used and the choices they have. It’s important to remember though that gaining consent in this potentially frustrating way isn’t the only option.

Web site terms and conditions

There are already lots of examples of gaining consent online using the terms of use or terms and conditions to which the web site user agrees when they first register or sign up.

Where a user opens an online account or signs in to use the services on offer, it will be providing consent to allow the marketer to operate the account and offer the service. However, it’s important to note that changing the terms of use alone to include consent for cookies wouldn’t be sufficient to comply with the 2011 Regulations, even if the web site user had previously consented to the overarching terms.

Marketers need to make web site users aware of the changes and specifically that the changes refer to the use of cookies. Marketers will then need to gain a positive indication that users understand and agree to the changes. This is most commonly obtained by asking the user to tick a box to indicate that it consents to the new terms. The key point is the need to be transparent with web site users about how the website operates. Consent can only be gained by giving the web site user specific information about what it is agreeing to and providing it with a way to show its acceptance.

Any attempt to gain consent that relies on a user’s ignorance about what it’s agreeing to is unlikely to comply with the 2011 Regulations.

User-driven settings for the web site

Some cookies are deployed when a web site user makes a choice about how the site works for it.

In such circumstances, the consent could be gained as part of the process by which the user confirms what it wants to do or how it wants the site to work. For example, some web sites ‘remember’ which version a user wants to access, such as the version of a site in a particular language.

If this feature is enabled by the storage of a cookie, then the web site owner could explain this to the user, which could remove the need to ask the user each time it visits the site: by allowing the site to remember its choice, the user is in effect giving consent to set the cookie.

This would apply to any feature where the marketer tells the user that it can remember certain settings the user has chosen. For example, it may be the size of the text it wants to have displayed, the colour scheme on the site or even the ‘personalised greeting’ it sees each time it visits the site.

Feature-led consent on the web site

Some objects are stored when a user chooses to use a particular feature of the site, such as watching a video clip, or when the site remembers what the user has done on previous visits in order to personalise the content the user is served and thereby enhance the user experience.

In these cases, presuming that the user is taking some action to tell the web page what it wants to happen – either opening a link, clicking a button or agreeing to the functionality being ‘switched on’ – then the marketer can ask for the user’s consent to set a cookie at this point.

Provided the marketer makes it clear to the user that by choosing to take a particular action certain things will happen, the marketer may interpret this as the user’s consent.

The more complex or intrusive the activity the more information the marketer will be expected to provide. In practice, it’s likely that a web site of even a minimum level of sophistication will need to employ one or more of the above means to obtain consent to use each type of cookie.

Where the feature is provided by a third party, the marketer will need to make web site users aware of this and point them to information on how the third party might use cookies and similar technologies so that the user is able to make an informed choice as to whether to consent or not.

Functional uses

Marketers will often collect information about how users access and use the web site and this data is often collected in the background and not at the request of the user.

An analytics cookie might not appear to be as intrusive as others that might track a user across multiple sites, but the marketer still needs the consent of the user.

The marketer should consider how it currently explains its policies to users and make that information more prominent, particularly in the wake of the changes created by the 2011 Regulations. The marketer should also consider providing users more details about what it does do – perhaps a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.

One possible solution might be to place some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when the marketer wants to set a cookie on the user’s device. This could prompt the user to read further information (perhaps served via the privacy pages of the site) and make any appropriate choices that are available to it.

If the information collected about website use is passed to a third party the marketer should make this absolutely clear to the user. The marketer should review what this third party does with the information about web site users.

The marketer may be able to alter the settings of the user’s account to limit the sharing of visitor information. Similarly, any options the user has should be prominently displayed and not hidden away.

Third party cookies

Some websites allow third parties to set cookies on a user’s device. If the marketer’s website displays content from a third party, for example, from an advertising network or a streaming video service, then this third party may read and write its own cookies or similar technologies onto the marketer’s users’ devices.

The process involved in gaining consent for these cookies set by third parties is more complex. There are a number of initiatives that seek to ensure that users are given more and better information about how their information might be used. These will no doubt adapt to achieve compliance with the 2011 Regulations as marketers and the industry become more familiar with these rules.

The Information Commissioner’s Office (ICO) advises anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.

This may be the most challenging area in which to achieve compliance under the 2011 Regulations and it’s likely to require an industry wide response involving other European data protection authorities. The ICO has undertaken to issue guidance in future as possible technical solutions are evaluated and developed.

MODIFICATION TO THE LAW OF PRIVACY AS A RESULT OF THE 2011 REGULATIONS

Outside of the changes introduced with respect to the use of cookies on web sites, the 2011 Regulations make a number of important changes to the 2003 Regulations with respect to the safeguarding of data, spam emails and third party information notices.

Spam

Regulation 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 regarding anonymous emails for the purpose of direct marketing has been amended to incorporate two new subsections regarding compliance with Regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002.

Regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002 provides that commercial communications by service providers shall be clearly identifiable as such and shall further clearly identify the person behind the communication. In addition, the service provider must give full details of any promotional offers and related conditions within that email in clear and unambiguous language.

Regulation 23 additionally states that emails must not contain any encouragement to recipients to visit web sites that contravene Regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002.

Security of Services

Regulation 5 of the 2003 Regulations already stated that a provider of a public electronic communications service, such as Microsoft and BT, had to take appropriate measures to safeguard the security of their service. The Regulation has been amended by the insertion of a new paragraph (1A) that specifies the minimum efforts expected of providers in relation to fulfilling this duty with respect to security of services.

An example of these particular efforts includes the obligation to implement a security policy with respect to the processing of personal data and ensuring that personal data can only be accessed by authorized persons for legally authorized purposes.

Personal data

Under Regulation 3(b) of the 2011 Regulations “personal data breach” now has a new definition:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

New Regulation 5A then puts an obligation on public electronic communications service providers to notify the Information Commissioner of the occurrence of a personal data breach and, where the breach is likely to adversely affect the personal data or privacy of the web site user or subscriber, also places a duty on the service provider to notify the breach to the user or subscriber concerned. Service providers won’t have to notify users if they can demonstrate that the relevant data accessed was in a form unintelligible to persons not authorised to view it. Service providers must also keep an inventory of all personal data breaches, so that the Information Commissioner may verify compliance with the notification obligations.

Regulations 5B and 5C provide that the Information Commissioner may audit service providers’ compliance with Regulation 5A, and may issue a fixed monetary penalty of £1,000 if it finds the provider to be in breach of any of the notification obligations. Service providers should exercise particular care when handling personal data and also comply with these notification obligations.

Third Party Notices

Under Regulation 31A, the Information Commissioner can serve notices on communications providers requesting that they provide information about other people’s use of an electronic communications network or service, where that person’s compliance with the 2003 Regulations is in question. It’s thought that the rationale behind this provision is to make it easier for the Information Commissioner to serve notices on those who engage in cold calling or sending spam emails in breach of the 2011 Regulations.

ON-LINE ADVERTISING AND MARKETING

Since the enactment of the 2011 Regulations, many advertising and marketing agencies have been scratching their heads over what they need to do to comply with what many regard as one of the most annoying marketing laws of the decade!

In 2011, members of the Internet Advertising Bureau (IAB) Europe and the European Advertising Standards Alliance (EASA) attempted to navigate through the requirements of the 2011 Regulations by drawing up their own code of Online Behavioural Advertising (OBA) only to discover that this wasn’t compliant with the conditions contained in the 2011 Regulations.

For example, an icon that gave a web site user a one-click option to access further information about behavioural adverts, as well as to manage preferences and opt out of receiving OBA, was deemed a “highly intrusive practice” by the European Data Protection Supervisor and fell short of the 2011 Regulations’ requirements.

In this situation, cookies are being collected to enable marketers to send advertisements for products and services to web site users in the hope that they may be interested in these based on their online activity.

The main objection voiced against the proposed joint practice adopted by the IAB and EASA, which enabled web site users to object to being tracked for the purposes of serving behavioural advertising, was that it didn’t meet the requirement to obtain informed consent, as the tracking and serving of adverts takes place unless people object. For consent to be valid, it must be freely given, specific and informed. Absence of action can’t indicate consent.

Despite a few web sites featuring a cookie notice on every page and a tick box requesting opt-in consent, these are still in the minority, with the vast majority of marketers choosing to ignore these new conditions. For example, few, if any, web sites will block access to other parts of the site that serve cookies when the user doesn’t actually tick the box. There’s been a universal allergic reaction from marketers to defacing every landing page with a notice drawing attention to the use of cookies and asking for consent to their use before the web site user goes any further into the site.

The solution, as highlighted in the checklist (below), is to ensure that the web site only uses cookies that are absolutely necessary for the delivery of the service, and it could signal the rapid decline of behavioural advertising techniques unless express consent to these highly effective but deeply intrusive techniques has been obtained.

On current industry estimates, only 10 per cent of web site users consent to such techniques so the continuing practice by marketers in 2013 and beyond is likely to lead to several high profile enforcement actions by the ICO.

CHECKLIST

  • Web site operators should review and list the various cookies used on their web site, such as flash cookies, browser cookies and third party cookies to assess which ones are strictly necessary to provide users with web-based services and those which aren’t and remove those in the latter category. As a general rule of thumb, the less intrusive the cookie, the lower the risk and the need for obtaining specific and active consent.
  • Remember that the aim of the 2011 Regulations is to improve internet users’ privacy, so the more intrusive the use of cookies, the higher the priority that must be given to considering how to change that use.
  • Any attempt to gain consent that relies on web site users’ ignorance about what they are agreeing to is unlikely to be compliant.
  • Consider how intrusive the use of cookies is and discuss this with third party cookie providers to agree a suitable approach to obtaining users’ consent.
  • Remember that the more intrusive the activity, the more priority a marketer must give to obtaining meaningful consent from the web site user. For example, using a cookie to create detailed profiles of an individual’s browsing activity would be considered very intrusive and would therefore require meaningful consent.
  • Web site operators should decide what solution to adopt to obtain consent in the circumstances. Information about cookies needs to be provided to all users before placing a cookie for the first time. Once consent is gained at that point, there’s no requirement to gain consent each time the same person uses the same cookie for the same purpose in the future.
  • Requesting consent could be achieved through a variety of mechanisms, such as the use of standard terms and conditions, pop-up check boxes or general browser settings. There’s no one simple solution: the user experience and the type of cookies involved will dictate the form of consent used.
  • Begin to create and implement appropriate and tailored solutions to gain web site users’ consent.
  • The ICO is likely to be taking enforcement action against web site owners in early 2013, so marketers need to review their cookie practices and to have implemented a practical and effective strategy to obtain users’ consent as soon as possible.
