Moving Forward Together at Evidon Empower EU II
“Frankly, I don’t want to be here.” As he led off Evidon Empower in London on Tuesday with those words, Information Commissioner Christopher Graham wasn’t implying that he was unhappy to be addressing the standing-room-only crowd of business leaders, regulators, attorneys and more. He meant that earlier action by the advertising industry on consumer privacy, based on an understanding of the imperative—and the business benefit—of giving consumers real control over their data, might have precluded his talking about enforcing a law now. But he was equally adamant that there’s a way forward, and that convincing businesses to comply with the ePrivacy Directive shouldn’t really be that hard.
Christopher Graham (click to enlarge)
While he stated that the ICO has been seeing multiple examples of websites that are getting it right—giving consumers more information and choices around how their data is used online—he made it plain that there are hurdles the market needs to cross. The first is overcoming what he called “the three myths” around the perception that compliance with the law wasn’t happening the way it should: 1) that the ICO has changed the rules; 2) no one is paying attention to the law and 3) that the law is unenforceable.
Laying blame to one entity is, of course, silly. And while guidance has often been less than perfectly clear, Commissioner Graham makes an important point: there is no “one size fits all” for this; different solutions will work for different companies.
The Commissioner’s point on enforcement was an important one. More than defending the ICO by saying that a number of companies have been contacted, he shifted the conversation: “the real enforcement mechanism will be consumers not trusting businesses.” As we’ve found in our own research—a new study was covered by Marketing Week on Wednesday—people feel better about brands that prove they care about consumer privacy, with 48% even saying directly that they’re more likely to purchase from transparent brands.
For some good examples of how proactive businesses are using Evidon to comply, click here and here.
Always one to instigate a good debate, Exchangwire’s Ciaran O’Kane moderated the day’s first panel on the law and how to comply. The sell-side on the panel concurred that it really shouldn’t be so hard.
Erich Wasserman and Ciaran O’Kane
“Why are we doing this?” asked Stuart Colman of AudienceScience. “Consumers fundamentally have a right to know what is going on. It’s not an on/off, but rather how are consumers informed. There isn’t a one size fits all. Is there enough information for my Granny to have the information she needs to basically understand, and to take some action?” Erich Wasserman from Mediamath followed “we tell our clients there’s simply no downside to giving consumers more information.”
Ciaran pointed out that fragmented approaches to compliance across different regions could cause problems, asking, for example, how someone in the Netherlands, where an explicit consent model is likely, would navigate a UK site. Michael Bond of ICC UK stated that the idea of global standards is “a pipe dream,” but that the UK should work to try to create level playing field.Stuart put it logically: “just make it easy for a consumer to make a decision.”
There was fairly firm consensus on Microsoft’s recent decision to default “do not track” to the “on” position in the new MS10 browser: don’t take the choice out of the consumer’s hands.
Philip Milton of DCMS made it plain: “Get an audit, find out what cookies you use, and depending on what comes out, decide which are intrusive, then what you need to do to inform consumers.” Michael rightly pointed out that, for companies to do this right, they should be prepared to make an effort: “Don’t try to just scrape across the finish line; embrace where this is going, work together and educate.”
Do we now know the answer to Ciaran’s question “how do we reach compliance nirvana?” Not exactly. But the conversation certainly helped get us closer.
Things certainly didn’t get any less complex as Field Fisher Waterhouse’s Eduardo Ustaran spoke with regulators and legal experts on their expectations of businesses in light of the Directive. Thomas Kranig, President of the Bavarian State Office for Data Protection, demonstrated that complexity from the start, stating that, with 18 different data protection authorities across Germany, who could all interpret consent in their own way, the answer to “what is consent” isn’t easy!
CNIL’s Alain Pannetrat spurred discussion with a key point: if a consumer lands on a web page and simply navigates away, they haven’t given their consent to be tracked. Are they cookied anyway? The answer is that it depends on which consent solution a website is using. Evidon’s solution can be integrated into a site to prevent tracking if the user leaves before providing consent. To find out more about how it works, contact us.
Hester de Vries of law firm Kennedy Van der Laan remarked on what she’s been hearing from Dutch companies, including the fact that many feel that they will be at a competitive disadvantage with other European businesses once enforcement begins on the Dutch explicit consent requirement.
Pointing to a frustrating lack of adoption in his own country, Alain closed by exclaiming “In France, if all companies would follow even the ICO’s guidelines, we’d be happy!” That key theme emerged yet again: taking some action to inform consumers and give them control over their data, despite confusion over exact requirements, can only be a good thing.
The day closed with a discussion amongst some of the biggest brands in the world—Nestlé and BP—and how they’re looking at compliance. Nestlé’s Nathan Howe made the point that, with extreme and often unknown tracker proliferation across a web presence as large as theirs, they need to make sure they’re employing an auditing solution that can find everything and continually assess their sites.
“Then we have to take the information we get from the audit and present it to our business,” he said. With multiple stakeholders, from the marketers employing trackers to capitalize on data, to the engineers making sure those trackers don’t hinder their website, to the privacy leads making sure they’re respecting the consumer, strong internal communications is key.
BP's Ellis Parry noted that compliance can be “Easier for less complicated sites that are not built for a heavy consumer audience.” Following on BP’s example, other business to business brands might find that compliance can arranged with lower overhead and a more modest approach to consent, as the trackers used are often smaller in number and less intrusive.
Ultimately, Nathan brought things full circle, making the same point about the value of a strong compliance strategy that Commissioner Graham made at the start. “In the end, anything that happens with our website impacts our brand,” he said.
Master of Ceremonies Eduardo Ustaran closed the day with a challenge to the market. “We’ve crossed the line,” he said. “We see examples of leader companies doing it now; from now on, it’s a matter of what everyone else does.” With every uncertainty still not figured out, businesses still owe it to consumers—and to themselves—to take action now and implement a robust consent solution.
For a look at Evidon and Field Fisher Waterhouse’s compliance solutions, please join us for a webinar next week. Check back here for the precise date shortly. To read more coverage of the Evidon Empower EU II, check out the V3.co.uk article here.
Christopher Graham (click to enlarge)
Erich Wasserman and Ciaran O’Kane
Philip Milton of DCMS made it plain: “Get an audit, find out what cookies you use, and depending on what comes out, decide which are intrusive, then what you need to do to inform consumers.” Michael rightly pointed out that, for companies to do this right, they should be prepared to make an effort: “Don’t try to just scrape across the finish line; embrace where this is going, work together and educate.”
Do we now know the answer to Ciaran’s question “how do we reach compliance nirvana?” Not exactly. But the conversation certainly helped get us closer.
Things certainly didn’t get any less complex as Field Fisher Waterhouse’s Eduardo Ustaran spoke with regulators and legal experts on their expectations of businesses in light of the Directive. Thomas Kranig, President of the Bavarian State Office for Data Protection, demonstrated that complexity from the start, stating that, with 18 different data protection authorities across Germany, who could all interpret consent in their own way, the answer to “what is consent” isn’t easy!
CNIL’s Alain Pannetrat spurred discussion with a key point: if a consumer lands on a web page and simply navigates away, they haven’t given their consent to be tracked. Are they cookied anyway? The answer is that it depends on which consent solution a website is using. Evidon’s solution can be integrated into a site to prevent tracking if the user leaves before providing consent. To find out more about how it works, contact us.
Hester de Vries of law firm Kennedy Van der Laan remarked on what she’s been hearing from Dutch companies, including the fact that many feel that they will be at a competitive disadvantage with other European businesses once enforcement begins on the Dutch explicit consent requirement.
Pointing to a frustrating lack of adoption in his own country, Alain closed by exclaiming “In France, if all companies would follow even the ICO’s guidelines, we’d be happy!” That key theme emerged yet again: taking some action to inform consumers and give them control over their data, despite confusion over exact requirements, can only be a good thing.
The day closed with a discussion amongst some of the biggest brands in the world—Nestlé and BP—and how they’re looking at compliance. Nestlé’s Nathan Howe made the point that, with extreme and often unknown tracker proliferation across a web presence as large as theirs, they need to make sure they’re employing an auditing solution that can find everything and continually assess their sites.
“Then we have to take the information we get from the audit and present it to our business,” he said. With multiple stakeholders, from the marketers employing trackers to capitalize on data, to the engineers making sure those trackers don’t hinder their website, to the privacy leads making sure they’re respecting the consumer, strong internal communications is key.
BP's Ellis Parry noted that compliance can be “Easier for less complicated sites that are not built for a heavy consumer audience.” Following on BP’s example, other business to business brands might find that compliance can arranged with lower overhead and a more modest approach to consent, as the trackers used are often smaller in number and less intrusive.
Ultimately, Nathan brought things full circle, making the same point about the value of a strong compliance strategy that Commissioner Graham made at the start. “In the end, anything that happens with our website impacts our brand,” he said.
Master of Ceremonies Eduardo Ustaran closed the day with a challenge to the market. “We’ve crossed the line,” he said. “We see examples of leader companies doing it now; from now on, it’s a matter of what everyone else does.” With every uncertainty still not figured out, businesses still owe it to consumers—and to themselves—to take action now and implement a robust consent solution.
For a look at Evidon and Field Fisher Waterhouse’s compliance solutions, please join us for a webinar next week. Check back here for the precise date shortly. To read more coverage of the Evidon Empower EU II, check out the V3.co.uk article here.