December 15, 2011
Previously published in December 2011
In 2011 all 27 European Union Member States were required to implement into national law the changes made by the revised E-Privacy Directive relating to online behavioural advertising and tracking technologies. In this Client Advisory, we look ahead to what 2012 will bring for organisations subject to European law that wish to continue tracking user behaviour, and outline practical guidance that we recommend be considered as enforcement action against non-compliant profiling becomes increasingly likely.
Online behavioural advertising is the term used to describe targeted advertising over internet and mobile platforms. This is made possible by utilising data relating to the underlying interests or behaviour of a user collected from that user over time and/or across multiple domains. Online behavioural advertising and associated user tracking has, for understandable reasons, controversial privacy implications and there has been an increasing focus on how user information is collected.
The Data Protection Directive and the E-Privacy Directive both govern the use of tracking technologies in the European Union. The Data Protection Directive was published in 1995 and provides protection to individuals with regard to the processing of their personal data and the free movement of such data. The E-Privacy Directive was published in 2002 and is concerned with the protection of privacy in electronic communications; it was revised in 2009 as part of the EU Citizens' Rights Directive.
In the European Union, the new laws stemming from the revised E-Privacy Directive were required to be implemented by Member States by 25 May 2011. They included specific changes relating to the ability of businesses to store, or gain access to, information held on a user's computer or device, for example through cookies. The most controversial reform is the requirement that consent be obtained when tracking is undertaken. By December 2011 a number of Member States had still not implemented the revisions, and notably those Member States that have implemented them have adopted different interpretations.
The Existing Regulatory Regime
The Data Protection Directive covers all forms of online behavioural advertising that involves the processing of the personal data of individual users. The E-Privacy Directive covers a subset of online behavioural advertising where an organisation stores information in the terminal equipment of a user and/or accesses any information from that location. The scope of the E-Privacy Directive is subtly broader than the Data Protection Directive in that it covers the storage of, or access to, any information and not simply personal information. The concept of transparency and consent runs through both the Directives insofar as they apply to online behavioural advertising.
The Data Protection Directive requires that data be processed fairly and lawfully and the E-Privacy Directive links back to the definition in the Data Protection Directive. This requirement has traditionally been satisfied by including clear and comprehensive information in website terms and conditions and/or privacy policies relating to the type of online behavioural analysis undertaken, and how that information is processed or disclosed.
The revised E-Privacy Directive introduced the requirement for consent to be obtained in respect of the storage of, or access to, any user information. This was a change to the previous requirement providing that the user must be given an opportunity to refuse such processing. The new requirement has been controversial in that it has introduced confusion around the nature of the consent required and the point at which it should be given.
The Article 29 Working Party, the independent European Union Advisory Body on data protection and privacy, is of the opinion that a strict interpretation is necessary. They insist that consent ought to be interpreted as 'prior' consent and therefore all information must be provided to the user and consent obtained before any information is sent or collected from a user’s device.
If this interpretation is adopted, this will lead to disruption of the user's internet experience by numerous and prohibitive pop-ups or similar notifications, particularly where there are other third party advertising networks involved. It is worth noting that whilst the Article 29 Working Party have the ability to shape data protection law and policy in the European Union, their opinion is only an opinion and should not be seen as a definitive interpretation of the law.
The Road Ahead for 2012
2012 promises to be a pivotal year for privacy compliance in the European Union. In the United Kingdom, the Information Commissioner's Office will begin enforcement action for non-compliance with the United Kingdom's implementation of the revised E-Privacy Directive in May 2012, this being the expiry of its one year 'lead in' period. We are also expecting a broader 'General Data Protection Regulation' to be published by the European Commission in January 2012 in an effort to promote greater harmonisation.
Whilst this will be published in 2012, we expect it to take a number of years to come into effect. It will eventually repeal the existing Data Protection Directive and replace it with a new regulation that will be directly applicable in Member States without the need for national implementation. A key part of the new regulation will be to clarify what 'consent' for online behavioural advertising means in practice. These changes will require businesses to undertake further compliance work, particularly since it is anticipated that the regulation will introduce penalties of up to 5% of worldwide turnover for the most serious data protection breaches.
In the meantime, businesses undertaking user tracking may seek to cooperate with self-regulatory bodies to monitor, contribute to and develop industry-led solutions. The Interactive Advertising Bureau Europe and the European Advertising Standards Alliance have sought to develop a pragmatic solution providing a means of opting-out from tracking.
In December 2011, it was announced that the European Digital Advertising Alliance will be launched to administer an innovative and revolutionary self-regulatory system for online behavioural advertising. The self-regulatory system aims to provide users with transparency and control over behavioural advertising. However, the Article 29 Working Party has been extremely critical of these solutions in the past, which has undermined confidence in whether they comply with law. This therefore remains an area to watch.
Whilst businesses continue to grapple with the fast-moving regulatory background, it is important for them and their advertising partners to continue to seek to be as transparent as possible and take a responsible approach to privacy compliance, particularly in respect of the processing of sensitive personal data, to mitigate the risk of enforcement action arising. Practical steps that may be taken include:
Audit - We recommend that businesses involved in online behavioural advertising undertake audits of their data collection and user profiling techniques. This includes whether they profile users themselves or allow third party advertisers or networks to profile users on their platforms. As part of this audit, we recommend that businesses seek to determine how intrusive their user profiling techniques are.
Localised analysis - We recommend that businesses targeting users located in numerous Member States seek to understand the regulatory stance of the regulators located in each of those Member States. There is currently an inconsistent implementation of the revised E-Privacy Directive and, as a result, localised solutions may be required to ensure maximum compliance.
Updating privacy policies - We recommend that businesses update their privacy policies to provide clear and comprehensive information about the type of tracking technologies used, what type of data is collected, how that data is processed and whether any data is shared with third parties. This is a fundamental compliance requirement and businesses failing to meet the transparency requirements are at a greater risk of regulatory enforcement action.
Solutions for obtaining consent - The current options for obtaining consent are varied and include:
- Pop ups and similar techniques providing enhanced notice
- Default browser consent
- Active browser consent
- Settings-led consent (e.g. through user settings on the platform, such as choice of language etc.)
- Feature-led consent (e.g. through settings on a particular feature, such as a video streaming function etc.)
Until the regulatory authorities provide clear guidance on which solution will comply with applicable law, we are currently at an impasse in respect of the nature of consent required. In the meantime, we recommend that businesses seek to prioritise their analysis of existing consent mechanisms to ensure that the more intrusive user profiling techniques are dealt with first.
Advertising agreements - We recommend that businesses review their agreements in place with third party advertisers and network providers so that any regulatory risk is allocated and that uniform policies and procedures on online behavioural advertising are complied with.
ISP agreements - We recommend that businesses also review their ISP agreements to ensure that ISPs are not undertaking behavioural analysis without consent. This has been a particularly controversial area and it is once again important that the risks are appropriately understood and allocated.