Privacy: The Regulatory Crescendo in Europe

OPS Markets in London on February 9 is the place to get involved in the discussion. Right now there’s no hotter topic in the operations community than Privacy and the impending hammer coming down attached to the ePrivacy Directive.

OPS Markets London at Grange Tower Hill will feature a panel with some of the leaders and forward thinkers on the subject including a representative from Evidon, the world’s largest dedicated provider of privacy and compliance solutions for digital media. Check out their latest blog posting thoroughly examining the Directive below and then review the agenda for OPS Markets and register today!

 

The Regulatory Crescendo in Europe

By Colin O’Malley

For anyone following the ePrivacy Directive in Europe, 2011 is ending with a bang. In London, we at Evidon and our friends at Field Fisher Waterhouse hosted Evidon Empower Europe, where a cross section of Regulators, European Commission representatives, attorneys and executives from across the online advertising ecosystem met to discuss expectations and practical solutions. The Article 29 Working Party, an advisory body to the commission with regulators from each member state, adopted an opinion on 12/8 that was critical of the self-regulatory program for behavioral advertising in Europe. A week later, the UK’s ICO (the regulator for online advertising) released a ‘Half Term Report on Cookie Compliance,’ combined with a significant update to its guidance to companies seeking to comply with the Directive.

When it comes to tracking policy in Europe, perspective is critical. When you have multiple voices that differ on critical points, each needs to be understood in context. The Article 29 Working Party has no binding authority over the law, though its opinions hold significant weight. The ICO has binding authority, but only in the UK. So where does this leave us?

1. The Directive is not going anywhere: Leaving aside the content for a moment, the fact that regulators have been so active over the last 30 days is a clear indication that this law is being taken seriously, and that regulators intend to see it enforced in 2012. The Regulators in the UK and France are making it clear that this is your problem, not theirs. UK Information Commissioner Christopher Graham dealt with this head on: “…if you have decided that this is all too difficult, that you don’t want to give your users choices about how your web pages might collect information about them … then be assured that if we get complaints or have concerns then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance.” When regulators are this committed, inaction is clearly not an option.

 

2. Despite theoretical positions requiring “prior consent” remaining unchanged from the Article 29 Working Party, the UK ICO understands the role of pragmatic solutions. The ICO continues to push for cookie audits and is open to a range of innovative ways to bring the discussion about tracking to the consumer. The ICO guidance also included several good examples for how 1st parties can acquire consent, including basic improvements that fall well short of the radical steps that some have suggested. Most importantly: elevate the dialogue and give users options, and you will be at the front of the pack.

 

3. Implied consent lives: After two years of discussion, no one has found a practical way to create a prior consent system without producing a terrible user experience or forcing the industry to make extreme and disproportionate sacrifices. There clearly is no consensus in the legal community that the law requires prior consent. Again, Christopher Graham: “We recognised that compliance could not be achieved overnight, that we could not simply switch off the internet and start again.” He added that a company might have confidence that they are compliant if users “know that some things are more likely than not going to happen when they arrive at your site and that if they want to make choices about those things they know where to go and what to do.” Eduardo Ustaran at Field Fisher Waterhouse has an excellent post on this point.

 

Of course, for implied consent to work, it must be substantially more robust than the status quo. In particular, companies will need to demonstrate that consent is ‘freely given,’ ‘specific,’ and ‘informed.’

 

1. ‘Freely given’ can be addressed by ensuring that the user suffers no penalty for opting out.

 

2. ‘Specific’ requires that the notice include a complete inventory of the companies behind a particular web page or ad, and that the list be tailored to the event, rather than generic.

 

3. ‘Informed’ is perhaps the most challenging. Notice must be made available in a ubiquitous fashion, wherever non-essential tracking activity is taking place, on every page and every ad. To qualify as notice, companies may need to be inventive about text labeling. While we continue to believe that the self-regulatory program can be leveraged as part of a compliance strategy, including the advertising option icon, companies may need to expand on the ‘AdChoices’ text label, especially before users understand its meaning. For the notice to provide consent, it must also include a switch that allows a user to withdraw consent. Wrapping these enhancements into a practical, cohesive offering will require companies to approach the consumer in a new manner. Look for Evidon to expand its tools in early 2012 to help clients lead the charge.

 

Practical steps for compliance:

 

As we prepare for the ramp-up towards compliance over the first half of 2012, consensus is emerging around a core set of practical steps:

 

1. Understand all of the tracking on your own site. Set up a system to regularly monitor and audit all the code on your sites. This is more than just a “cookie audit.” Much of the tracking covered by the Directive doesn’t use cookies at all. You need to know the actual scripts that run on your pages. If you haven’t obtained a full tracking audit recently, be sure this is your first step. You’ll be surprised by the results. Once complete, you’ll need to categorize each tracker as essential or non-essential, and then rank them on a scale of relative intrusiveness.

 

2. If you engage in any online behavioral advertising, be sure to join the IAB’s self-regulatory program. The program is taking its hits right now, but it still leverages an icon with significant and growing global mindshare, and many regulators, including the ICO, believe it has a role to play.

 

3. Build out your implied consent model. Details here will vary based on your business model, but you’ll need to make sure that you meet the criteria above, and that the model applies to wherever you are touching the consumer, including on your own site, in online ads, and on mobile devices.

 

These steps help you manage your data strategy much more closely, and help you bridge the information gap with your users. Just as important, they are practical steps that do not create massive disruption, and they help you achieve compliance with the law. I won’t say it’s easy, but with the May 25th deadline approaching in the UK, the stakes are too high to sit on the sidelines.

 


Evidon’s Chief Strategy Officer and head of policy, Colin spearheaded the Design Partner Program, which included agency holding companies, advertisers, networks and associations. An expert in privacy matters, he was the Vice President of Strategic Partnerships & Programs at TRUSTe from 2003 to 2009, where he developed and launched self-regulatory programs for email (Bonded Sender Program, Email Privacy Seal) and software (Trusted Download Program). Execution across these programs drove the transition of TRUSTe to for-profit status and an A-Round from Accel Partners.

 

Earlier he was the Manager of Product Development at NetCreations from 1999 to 2002. Colin is a published author and has a BS in Economics and Human and Organizational Development from Vanderbilt University.