I am now convinced that a new Directive allows Member States to introduce consent/opt-out requirements for ALL forms of electronic marketing including behavioural marketing. The only unanswered question is whether Member States offer this option to their citizens when they implement the required legislative changes by next May.
However, the Directive also allows a continuation of a minimum privacy protection policy with respect to the use of electronic marketing by organisations. For example, the current position in the UK is the bare minimum; the Directive allows that minimum to continue.
The requirement for consent (or an opt-out) of behavioural advertising from users or subscribers can be seen from a published analysis of the Directive (see references below). Although other provisions include the requirement to report a data loss and consent for cookies (“opt-in” rather than “opt-out”), it is the electronic marketing provisions that could have a significant and wider impact.
The argument depends on reading between the lines of the Directive. For example, “electronic mail” is a defined term in the Directive; so when it is NOT used in some of the marketing provisions (in Article 13 of the Directive), one can infer that the provision is intended to apply to other forms of marketing that extend beyond “electronic mail” (e.g. behavioural marketing). The assumption is that if the text wanted to say “electronic mail” it would have done so.
Similarly, in Article 13 there is a conspicuous absence of the use of “personal data” in its provisions although obviously personal data are subject to these rules (e.g. an email address is often personal data – [email protected]). So where the term “personal data” is NOT used, the provisions are clearly intended to apply in circumstances where other data (i.e. beyond the narrow confines of personal data) are processed for a marketing purpose. Behavioural marketing involves such “not personal data” (according to Google and other behavioural marketers).
The text uses the term “direct marketing” which is not defined. So if one assumes a definition of “direct marketing” similar to that in Section 11 of the Data Protection Act (“direct marketing” means “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”), then one can see that behavioural marketing is captured. For example, if a marketing message depends on an individual’s browsing habits, then any individual who exhibits a required browsing behaviour receives a particular advert directed to them.
Finally, Article 9 uses an interesting undefined term: “geographical position”. It is not clear whether a “geographical position” means “in the UK”, or “in London”, or “in Covent Garden”, or “postcode E5 6PT”, or whether it needs precise GPS co-ordinates. Note that the less precise the meaning of “geographical position”, the more impact this provision could have, especially if marketing activities are linked to the use of “location data”. An example is certain types of behavioural marketing targeted at users or subscribers whose address can be ascertained from the location data.
As the changes to Directive 2002/58/EC have to be implemented by the end of May 2011, it will be an early test of the privacy credentials of the next Government in the UK.
References: To download the analysis (“Privacy and electronic communications: comments on the modifications to Directive 2002/58/EC introduced by Directive 2009/136/EC”), just follow the link at the end of this paragraph. For arguments that show that an IP address can be transformed unambiguously into personal data, see “Reclaiming Privacy on the Internet – 2009”. Both documents are downloadable from http://www.amberhawk.com/policydoc.asp.
A new twist today in the tale of the implementation of this law change, with an ICO press release and BBC website headliner about cookies.
Do my eyes deceive me or has the BBC got it wrong - I don't think the Directive requires explicit consent for cookies?
I sense a nice tension between ICO and the Government!
More importantly for anyone who's trying to run a reasonably cost-effective and practical compliance system, surely the real story is wider and deeper. Many organisations' websites are either brochureware or informational and probably don't use cookies much. Beyond the website, the story is about how critical sales pipelining, profiling and CRM (donor and stakeholder management, lead generation, business development) are becoming for organisations in all sectors. There are plenty of organisations (not just businesses) who find data protection a real minefield when applied to those activities, and they either don't realise that DP applies, or haven't achieved compliance with the current law. It's a shame that the headline news coverage kicks off with erroneous hype and a guilt trip rather than practical case studies and encouragement.
Posted by: David Hall | 08/03/2011 at 05:21 PM