Most likely to be turned into new legislation in the short term is the opinion published by a highly influential working party within the EC. Representatives of every EU data protection agency have decided that the way cookies are currently used for behavioural targeting is not in compliance with the demands of the ePrivacy Directive.
At the moment, advertising networks put cookies onto a user’s browser to track them across the sites those networks serve ads to. Based on where that cookie has been spotted, contextual and behavioural targeting is used to decide which ads get seen.
What has vexed the Article 29 Working Party is the notion that this is informed consent. As it points out, three of the four leading web browsers come with a default setting to accept all cookies. Few consumers ever change that, even if some routinely delete the cookies in their cache.
So the opinion is that networks – and software vendors – need to come up with a mechanism to allow for actual informed consent to be captured. It must also be quick and easy for consumers to change their mind and withdraw that consent.
Any suggestions as to how this can be done should be directed to Brussels. Given the influence this group has, expect regulation to emerge fairly swiftly. And it will be the digital marketing industry that is expected to work out how to comply – the EC will not be offering any help, just changing the rules.
Just to make last Thursday even more memorable, the European Commissioner for Justice decided that the UK has not given the Information Commissioner all the powers he should have under the Data Protection Directive. At issue here is that British courts have the final say over deletion or alteration of personal data, not the ICO.
As part of an escalation of its dispute with the UK, the EC has gone to stage two of its process and given the British Government two months to respond with a plan. It will be interesting to watch Kenneth Clarke chew that one over. Prior to the election, the Conservatives were talking up the ICO as one of the great agencies of the state, which may indicate a willingness to give way.
It will be some years down the line before anything much happens, especially if the UK undertakes appeals and other delaying tactics. Eventually it will have to comply, making the ICO probably the most powerful regulator in the country.
Data processors have readily accepted the enhanced fines the ICO now wields, even if some large organisations will still arbitrage the penalties of breaching the Data Protection Act against the commercial gains they might make in doing so. When disputes about personal data get settled by the ICO rather than courts of law, however, it might give many companies a real pause for thought.
It has been obvious for some time that the mood within Europe has been to tighten up data regulations considerably. Few of us expected that, like Belgian trams, two such game-changing actions would come at the same time.
By David Reed, editor, Data Strategy