Everything changes in May when the new “cookies law” is introduced. Delegates at the DMA Data Protection Conference heard about the arguments and solutions ahead, as David Reed reports.
“Get ready, get real.” That was the message sent out to organisations publishing web sites by the Information Commissioner, Christopher Graham, about the new law on cookies. Due to come into force on 25th May, it is potentially one of the biggest changes presented to online data management in a decade. The data industry needs to ready itself for a new way of working, rather than continuing to discuss the options. As Graham put it firmly, “the time for lobbying was five years ago. The time for compliance is now.”
His warning was given at the DMA Data Protection Conference in mid-March where questions about the changing nature of the regulatory environment hung heavily in the air. Rules that data practitioners have been familiar with for years are either about to change or being closely looked at by legislators. At the same time, another issue is informing everything that industry and regulators do - how to maintain consumer trust.
Concerns about data security are voiced by 96 per cent of consumers, according to research carried out by the ICO. That puts it in the same bracket as terrorism and crime. Causes of those concerns vary - 80 per cent worry about privacy, 60 per cent believe they have lost control of the way their data is processed and 40 per cent of people with wi-fi at home do not understand how to change the security settings.
Such fears spur regulators to act. Google Street Map’s accidental capture of personal data streams from home wi-fi triggered a flurry of enforcement action in Germany and the UK last year. Graham pointed out that 16 per cent of consumers are unsure or unaware that they are using unsecure home networks, thereby putting their personal information at risk.
And it was the uninformed way in which cookies were used some years ago that ultimately led to the revision of the e-Privacy law coming into force. When BT allowed Phorm to run a test of its behavioural targeting system, privacy campaigners were outraged. That led to the opinion published last year by the Article 29 Working Party that current practice around cookies did not constitute “informed consent”.
“The ICO is on the side of realism and proportionality,” Graham told the conference, “but we are allies of the working party’s shopping list. It is about balancing the free flow of data with effective protection of citizens’ rights.”
The new amendment to the Privacy in Electronic Communications Regulations is aimed at getting informed consent for information to be stored on the consumer’s computer and accessed by website publishers (and advertisers). Until 25th May, this is covered by browser pop-ups telling the user this is happening and offering the chance to decline. The majority of browsers are shipped with the default setting to accept all cookies.
That will have to change - but nobody is sure what will replace it. UK legislators have yet to publish their version of the new law (at the time of going to press). Graham acknowledged that, “roll out will be a challenge, but there are benefits to people from having more control on when data is stored and controlled on their own computer.”
He read to delegates a letter received on the morning of the event from Ed Vaizey MP, Minister at the Department of Culture, Sports and Media, which is leading the implementation of the change to Article 5 (3) of the e-Privacy Directive. Vaizey wrote that, “the UK does not see a ‘one-size fits all’ solution. We look to a UK ecology of solutions.”
Some of those solutions were discussed in other sessions at the conference, such as the MyDex volunteered personal information concept currently under test. Talk in the tea room was all about the uncertainty faced by commercial organisations in the absence both of the detail of the law in the UK and any obvious new approach.
Web site publishers are caught between the desire to be compliant and the need to carry on with business as usual. Most recognise that it will be unrealistic to send a pop-up every time a site wants to place a cookie onto the user’s computer. A typical site may have a dozen such cookies - the user experience would be destroyed as a result. The efficiency of the browser default setting will be looked back on as a lost treasure, even though many believe it could be several years before the new law is finally enforced. (Not a view shared by Graham, who was clear about the “wake up call” data managers need to hear.)
“The independence of the Information Commissioner is one of the reassurances one can give to the citizen,” pointed out the Rt Hon Lord McNally, Minister of State, Ministry of Justice, who opened the conference and is responsible for the Data Protection Act among other things. “An Information Commissioner too obviously under the thumb or a tool of the Government of the day would be no reassurance at all.”
Lord McNally pointed out that the speed and reach of technology is one of the main drivers of revisions to data laws. The origins of most existing legislation are thirty years in the past when the immediacy and global reach of the Internet was not foreseen.
His Ministry conducted a consultation exercise on data protection laws last year, which attracted 160 responses. A key question being asked was whether the principles-based approach was still effective or whether technology change should force more prescriptive laws. Notification of data breaches emerged as a key area to be addressed.
“It is a big issue. We need to establish the right threshold to trigger notification in order to avoid the notification fatigue we are seeing in the United States,” he said. “Being consistent and informing consumers through privacy notices is important to both organisations and customers. We are encouraged by the efforts of data controllers, but we did also get examples of bad experiences.”
The UK is behind many of the proposals being made for changes to the Data Protection Directive while seeking to maintain the balance between the needs of business and the rights of the individual. By coincidence, Viviane Reding, vice-president of the European Commission and EU Justice Commissioner was speaking in Brussels about those proposed changes on the very same day as the conference.
“People’s rights need to be built on four pillars: The first is the ‘right to be forgotten’ - a comprehensive set of existing and new rules to better cope with privacy risks online,” she said. “When modernising the legislation, I want to explicitly clarify that people shall have the right – and not only the ‘possibility’ – to withdraw their consent to data processing. The burden of proof should be on data controllers – those who process your personal data. They must prove that they need to keep the data rather than individuals having to prove that collecting their data is not necessary.”
Lord McNally noted that, “there is a need for data protection, but the danger is this - Commissioner Reding sees it as her mission to protect the consumer. We see it as our mission to protect them, and also to create the environment that allows legitimate industry to flourish and prosper.”
A struggle between these views seems likely as the revisions make their way through the legislative process. An outline of proposals that may or may not get into the revised directive was provided by Bridget Treacy, managing partner at Hunton & Williams. A key point of argument may be around the notion of accountability.
In North America, accountability means, “companies are required to comply with legal standards and demonstrate to the regulator that they are complying, when asked to do so. To incentivise that, they are given things like safe harbours.” This concept may be adopted in the revised directive.
But Treacy underlined why new legislation can be so hard to get right. “Accountability does not translate to other parts of Europe. In some languages, there is not even the right word - in French, it is more akin to ‘self-regulation’, which is not the same,” she noted.
While the regulators and lawyers worry about the best way to protect the consumer, marketers have another focus - how to maintain consumer engagement with their brands in an era when data is critical, yet ever harder to get. As Gregory Roekens, chief technology officer at Wundermans, put it: “The way data is used is not currently trusted by consumers. We need to introduce a new trust framework.”
He noted that technology was changing the way consumers expect to interact, from the iPad to the X-Box Kinect, and that the range and scope of personal information involved means, “very soon, we are all going to have a virtual PA.”
For marketers, the implications are becoming clear. “Personalisation is a real benefit to the consumer, but data is at the core. We need to get data for them to get personalisation. That drives issues around data protection,” said Roekens. The trade-off is that total personalisation would demand total transparency. While consumers are becoming aware that their data has a value, the new value exchange is not yet completely clear.
Data’s value might seem significant now, when it is both abundant, yet precious. But it is really only the starting point for a transformation process that moves from data to information, onto knowledge and wisdom and perhaps, ultimately, to vision. Roekens noted that if data is worth 1p, information 10p and knowledge £1, then wisdom is worth £10 and vision £100.
Achieving that value will only be possible if the base materials remain available. He warned: “The main challenge to the industry is to challenge the paranoia around data. That is why we have got to establish a trust framework.”
That was a suggestion everybody at the conference could agree with. What is not clear is how trust will be built and whether the forthcoming changes to data protection laws - from new ways of gaining consent to cookies to a possible “right to be forgotten” - will lead to that outcome, assuming they can be put into practice. For now, just thinking about what could replace cookies might drive data managers crackers.