The new ePrivacy Directive – what UK businesses need to know and do

dectective In May 2011, the UK became the first EU Member State to pass the amended ePrivacy Directive. Currently 10 countries have passed the law, including the UK, France, Ireland, Sweden and Finland. The ICO gave the industry a 12 month enforcement extension which expires on the 26th of May 2012. This means that time is running out for many advertisers, publishers, and media buyers to get to grips with how this impacts their business. And most importantly, understanding the influence it will have on how they use cookies and online data to deliver highly targeted advertising.

Cookies are essential for today’s marketers, allowing them to gather anonymous information on user’s web viewing behaviour, to drive highly personalised and relevant advertising.

However, concerns over privacy issues resulted in the European Commission introducing the revised Directive which is designed to create a transparent environment for consumers and states users must be “…provided with clear and comprehensive information about the purposes of, the storage of, or access to, that information;” and “has given his or her consent”.

Key items to note from the new Directive:

    • The UK Government has stipulated that ‘consent’ means ‘informed consent’ and not ‘prior consent’. This means there will be an opt-out approach rather than an opt-in regime.
    • While a period of grace has been given to allow businesses adequate time to understand the law and prepare for its enforcement this is set to expire soon.
    • The ICO understand that compliance is difficult to ‘technically’ achieve at the moment, so are looking to companies to demonstrate that they are making progress towards compliance.
    • The Government supports the approach the industry has developed to address the new law.

How has the industry responded?

Recognising that Industry self-regulation is the most preferential way to address key parts of the law and protect the £4bn online advertising industry, The IAB Europe introduced a self regulation framework for online behavioural advertising (OBA). Designed to address the legislation, the OBA now has over 100 company signatories across Europe. The Framework introduces seven Principles:

1. Notice

2. User Choice

3. Data Security

4. Sensitive Segmentation

5. Education

6. Compliance and Enforcement

7. Review

The Framework sees the introduction of the Enhanced Notice Icon which will need to be shown on or near any online advert that has used behavioural targeting or when third parties are collecting data on a website. By clicking on it, users will be able to see a clear notice describing data collection and usage, and also link to the new site, www.youronlinechoices.eu to manage their privacy preferences.

The industry has agreed that 80% of behaviourally targeted online ads in the UK and Europe will carry the icon by June 2012.

How can UK business comply with the regulations?

    • Be transparent and promote user choice
      Be transparent about how you collect, use and store data. Many consumer concerns stem from a lack of understanding and knowledge. Provide your consumers with user friendly information on how to delete, control or limit cookies and include a link to www.youronlinechoises.eu.
    • Understand your site
      The ICO expects every website to know what cookies are present when a user visits their property. It is favourable therefore to look at carrying out a site cookie audit to understand what is on your site and what control, if any, you have over these cookies.
    • Use your data responsibly
      Ensure you are using your data responsibly and have appropriate safeguards in place for the collection, control and storage of data for targeting. Be aware of all cookies used within your website and recognise that the regulation has obligations for both publishers and third parties engaged in OBA.
    • Be aware of sensitive segments
      You should not build segments that target children (aged 12 or under) and segments built on sensitive data (e.g. health related) will require the user’s explicit (given) consent.
    • Comply and use the Enhanced Notice Icon
      Users of behavioural targeting should sign up to the self-regulatory programme. One measure of the success of self-regulation to the EU Commission will be around the use and recognition of the icon. The sooner companies across the industry use it the better.

You can find out more by reading the IAB’s new pan-European website www.youronlinechoices.eu.

How non-compliance will affect your business

IAB Europe plans to introduce a system to independently monitor third party compliance across Europe. This will potentially be backed up by a new trading seal, designed to provide the market with confidence in who they are working with. Sanctions could also be introduced by the Advertising Standards Authority to deal with complaints and non-compliance.

Self-regulation is an important stage in our industry’s development and will enhance the way we deliver behavioural advertising, how we collect and store data and most importantly will encourage consumer confidence. The aim of the Directive is right for our time – to enhance transparency, user control and protect consumer privacy by putting them in control. As an industry we should see this as an opportunity to redefine the industry’s relationship with the public. Through education, transparency, diligence and commitment, we can develop a new dimension in targeted advertising.

Work in Digital Marketing?

Get weekly emails with the latest news, advice and more. No spam guaranteed.

By Stuart Colman