UK law on behavioural advertising is due to change next month. Phil James, senior associate at law firm Lewis Silkin, advises marketers on the implications of the new ePrivacy Directive
The UK law on privacy and behavioural advertising is due to change at the end of May 2011, as a result of revisions made at European Union level to a Directive on ePrivacy. So what does this new legislation mean for B2B marketers? This article will explain what level of consent is required to operate behavioural targeting under the proposed new law.
The essential tool employed in behavioural targeting technology is the cookie. Therefore, if you want to continue to use cookies for behavioural targeting when the new law kicks in, here are some of the key issues you should consider.
The law – then and now
Current law is embodied in the UK under the Data Protection Act 1998 and Privacy and Electronic Communications Regulations 2003 (PECR). PECR is due to be amended as a result of revisions to an EU Directive passed at the end of 2009 (the ePrivacy Directive). The changes are due to be in force by the end of May 2011.
Current UK law regulating cookies is Regulation 6 of PECR. It says that to place information on a person’s PC, you must (subject to certain exemptions that are essential to access the net):
- Provide clear and comprehensive information about its purpose (‘fair processing notice’);
- Allow people an opportunity to refuse.
The commonly accepted approach to date has been to operate an ‘opt-out’ mechanism, which is generally regarded as complying with PECR.
However, the revised Regulation 6 will instead require you to:
- Ensure that a person has given consent, having been provided with a fair processing notice.
Significantly, the ‘opportunity to refuse’ requirement has been removed. This indicates that an opt-out mechanism may no longer be sufficient. However, when the ePrivacy Directive was being debated, the word ‘prior’ (before ‘consent’) was deleted, so the jury is still out on whether an opt-in mechanism should now be mandatory.
Consent to cookies
In June 2010, the Article 29 Working Party (the EU body made up of the Information Commissioners, i.e. the people responsible in each territory for enforcing data privacy laws, from leading EU member states) issued a significant opinion on behavioural targeting. This said that those operating behavioural advertising networks will need to obtain prior opt-in consent before placing cookies on a user’s computer. Once consent has been obtained, that consent will last, unless withdrawn, for a year, when it will need to be renewed.
The opinion is aimed at behavioural advertising across multiple sites (i.e. third-party behavioural targeting using third-party cookies), so does not require publishers placing first-party cookies (e.g. recommendations based on past purchases within that same site) to obtain opt-in consent.
However, where a social network (such as Facebook) is placing third-party ads served on a user’s profile, it will need to share responsibility and obtain opt-in consent (a social network is akin to a behavioural ad network).
EU versus UK attitudes
Significantly, the consultation paper reveals that the UK proposes to take a more liberal view than the opt-in consent requirement advised by Article 29.
The UK plans to incorporate the wording from the ePrivacy Directive but to rely instead on Recital 66 in the Directive, which suggests that consent may be obtained by means of appropriate browser settings or some other application (rather than opt-in). This is likely to create further conflict between the EU and the UK’s more liberal attitude towards implementation of privacy law.
What should marketers do?
While there are some sanctions (albeit not particularly hefty as yet, excluding breaches of the Regulation of Investigatory Powers Act) for breaching PECR, any failure to comply is likely to result in adverse PR. Brand loyalty is built on trust and transparency. Behavioural targeting, done surreptitiously, flies in the face of such trust. Here are my top tips:
1. Keep a watching brief. If I had to call it, I would say the UK is likely to favour the US Digital Advertising Alliance’s (DAA) self-regulatory opt-out, practical solution. Take some time to review its self-regulatory principles for online behavioural advertising. You can find out more information about this at www.aboutads.info.
2. Set up a steering group. If you have not already done so, set up a steering group to develop a similar strategy to the DAA’s that fits your organisation’s current online activities.
3. Don’t delay. Start thinking about your own ePrivacy strategy sooner rather than later so that you can develop and incorporate technical and organisational means to achieve compliance when the new law comes into effect.
4. Avoid Flash cookies. Avoid using Flash cookies as these types of cookies make it intrinsically difficult for users to opt out of behavioural targeting (as Flash cookies re-spawn even where a user has deleted them from their computer’s ‘cookie jar’). As such, I think they are more likely to breach the requirements of the ePrivacy Directive. This is because it will be difficult to claim valid consent has been obtained where a Flash cookie re-spawns despite a user’s attempt to delete it and reject behavioural targeting.