For anyone following the ePrivacy Directive in Europe, 2011 is ending with a bang. In London, we at Evidon and our friends at Field Fisher Waterhouse hosted Evidon Empower Europe, where a cross section of Regulators, European Commission representatives, attorneys and executives from across the online advertising ecosystem met to discuss expectations and practical solutions. The Article 29 Working Party, an advisory body to the commission with regulators from each member state, adopted an opinion on 12/8 that was critical of the self-regulatory program for behavioral advertising in Europe. A week later, the UK’s ICO (the regulator for online advertising) released a 'Half Term Report on Cookie Compliance,' combined with a significant update to its guidance to companies seeking to comply with the Directive. When it comes to tracking policy in Europe, perspective is critical. When you have multiple voices that differ on critical points, each needs to be understood in context. The Article 29 Working Party has no binding authority over the law, though it's opinions hold significant weight. The ICO has binding authority, but only in the UK. So where does this leave us?
- The Directive is not going anywhere: Leaving aside the content for a moment, the fact that regulators have been so active over the last 30 days is a clear indication that this law is being taken seriously, and that regulators intend to see it enforced in 2012. The Regulators in the UK and France are making it clear that this is your problem, not theirs. UK Information Commissioner Christopher Graham dealt with this head on: “…if you have decided that this is all too difficult, that you don’t want to give your users choices about how your web pages might collect information about them ... then be assured that if we get complaints or have concerns then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance.” When regulators are this committed, inaction is clearly not an option.
- Despite theoretical positions requiring “prior consent” remaining unchanged from the Article 29 Working Party, the UK ICO understands the role of pragmatic solutions. The ICO continues to push for cookie audits and is open to a range of innovative ways to bring the discussion about tracking to the consumer. The ICO guidance also included several good examples for how 1st parties can acquire consent, including basic improvements that fall well short of the radical steps that some have suggested. Most importantly: elevate the dialogue and give users options, and you will be at the front of the pack.
- Implied consent lives: After two years of discussion, no one has found a practical way to create a prior consent system without producing a terrible user experience or forcing the industry to make extreme and disproportionate sacrifices. There clearly is no consensus in the legal community that the law requires prior consent. Again, Christopher Graham: "We recognised that compliance could not be achieved overnight, that we could not simply switch off the internet and start again." And that a company might have confidence that they are compliant if users "know that some things are more likely than not going to happen when they arrive at your site and that if they want to make choices about those things they know where to go and what to do." Eduardo Ustaran at Field Fisher Waterhouse has an excellent post on this point.
- 'Freely given' can be addressed by ensuring that the user suffers no penalty for opting out.
- 'Specific' requires that the notice include a complete inventory of the companies behind a particular web page or ad, and that the list be tailored to the event, rather than generic.
- 'Informed' is perhaps the most challenging. Notice must be made available in a ubiquitous fashion, wherever non-essential tracking activity is taking place, on every page and every ad. To qualify as notice, companies may need to be inventive about text labeling. While we continue to believe that the self-regulatory program can be leveraged as part of a compliance strategy, including the advertising option icon, companies may need to expand on the 'AdChoices' text label, especially before users understand its meaning. For the notice to provide consent, it must also include a switch that allows a user to withdraw consent. Wrapping these enhancements into a practical, cohesive offering will require companies to approach the consumer in a new manner. Look for Evidon to expand it's tools in early 2012 to help clients lead the charge.
- If you engage in any online behavioral advertising, be sure to join the IAB’s self-regulatory program. The program is taking its hits right now, but it still leverages an icon with significant and growing global mindshare, and many regulators, including the ICO, believe it has a role to play.
- Build out your implied consent model. Details here will vary based on your business model, but you'll need to make sure that you meet the criteria above, and that the model applies to wherever you are touching the consumer, including on your own site, in online ads, and on mobile devices.