Lots of interesting discussion was sparked by my last post on the new EU privacy law, so I thought it worthwhile to follow up and clarify a few points that were raised:
- The new EU law came into effect on 25th May and is applicable to all EU member countries – right now
- It's up to the individual member states to enforce the law in their countries
- As a website owner, you need to obey the law in the country/countries you operate from. So if you have an office in the UK and France, you need to comply with both UK and FR law – hopefully these will be very similar. Hosting your website in Barbados does not change this…
- The law is applicable to all websites – commercial and non-commercial.
- The reality is that no one (the regulatory bodies for each EU country) is ready yet, so more thought and discussion is going on – people are not going to be prosecuted just yet.
- The UK have announced a 12 month grace period to allow site owners to sort themselves out. That means time for you to understand the new privacy law, audit your website for tracking capabilities (such as cookie collection), and adjust your site accordingly. That means changing what information is collected, how it is collected, and how the practice is communicated to the visitor.
- The law is there to protect visitor privacy – that means no 3rd party techniques (sharing information with other organisations) and no personal information such as name, email address etc. being collected, UNLESS the explicit consent of the individual is given.
- The wording of the law is *not* technology specific. That is, although we discuss this in terms of cookies, as all the major web analytics vendors use these for visitor tracking, this law still applies should an alternative technology be developed.
As you read the above list, you realise the difficulty for the authorities, such as the UK’s ICO, who are trying to word this in a legal or even guideline document. Behavioural targeting and the abuse of private information is what this law is about – and I am happy that it's here. The people that work at the ICO and other authorities are smart people that work in the digital world as much as we do. Benign, anonymous, aggregate reports – such as those provided by GA – are not the target of this law.
What you should do as a website owner
Don’t panic. Follow point 6 now and get a full understanding of what information you are collecting. Ensure your privacy statement is up to date and accurate – keep it simple, not full of legal jargon. There is an example privacy statement in my book, Chapter 3. Funnily enough, this was the ICO’s original privacy statement (they have been using GA since 2006).
If you wish to perform behavioural targeting or collect personal information, then get explicit consent from your visitors. If your audit reveals you are benignly tracking visitors anonymously and in aggregate (as per Google Analytics), then you are going to be fine*.
*You must complete an audit in order to show this – that's the ICO guidance and I agree. Simply saying “we use GA so we are fine” is not good enough. I just worked with a Google Analytics client today and discovered they were inadvertently collecting visitor email addresses (it came from the confirmation link sent out for an opt-in subscription).
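As an added illustration of the kind of audit described above (this is example code written for this page, not part of the original post and not an ICO or Google tool): a small Python check that scans recorded page URLs for the pattern in the footnote, an email address or other personal data riding along in query parameters, and a redaction step that strips those parameters before the URL is handed to an analytics tag. The sample URLs and the list of parameter names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Loose email pattern; good enough to flag addresses that leak into URLs.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Parameter names that commonly carry personal data (constructed list;
# extend it with whatever your own forms and mailers actually use).
PII_KEYS = {"email", "e-mail", "mail", "name", "firstname", "lastname", "phone", "tel"}

# Constructed sample of page paths as a web analytics tool would record them.
# The second entry mirrors the footnote: an opt-in confirmation link that
# carries the subscriber's address in the query string.
SAMPLE_PAGEVIEWS = [
    "/products/widget?utm_source=newsletter&utm_medium=email",
    "/subscribe/confirm?email=jane.doe%40example.com&token=abc123",
    "/account?name=Jane+Doe&ref=footer",
    "/search?q=privacy+law",
]


def _is_pii(key, value):
    """A parameter is personal data if its name is known or its value is an email."""
    return key.lower() in PII_KEYS or bool(EMAIL_RE.search(value))


def find_pii(path):
    """Return the (param, decoded value) pairs in a URL that look like personal data."""
    parts = urlsplit(path)
    # parse_qsl percent-decodes, so %40 becomes @ and the regex can match.
    return [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if _is_pii(k, v)]


def audit(pageviews):
    """Map each offending URL to the parameters that leak personal data."""
    report = {}
    for path in pageviews:
        hits = find_pii(path)
        if hits:
            report[path] = hits
    return report


def redact(path):
    """Drop PII-bearing parameters so only benign, aggregate data reaches analytics."""
    parts = urlsplit(path)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if not _is_pii(k, v)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


if __name__ == "__main__":
    for url, hits in audit(SAMPLE_PAGEVIEWS).items():
        print(f"{url}\n  leaks {hits}\n  send instead: {redact(url)}")
```

Run it over an export of the page paths your analytics tool has recorded; any non-empty audit result is exactly the evidence the ICO guidance expects you to find (and fix) yourself rather than assume away.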
As always, please add your thoughts with a comment.
Can we just clarify your point 6 ..
“The law is there to protect visitor privacy – that means no 3rd party techniques (sharing information with other organisations) and no personal information such as name, email address etc. being collected, UNLESS the explicit consent of the individual is given.”
Notwithstanding the fact that the ‘spirit’ of the legal changes to Directive 2002/58/EC Article 5(3) were ‘designed’ to limit cross domain tracking, OBA etc, the Directive has been enacted with far more stringent requirements. This means that EU Member states will enact law with far more stringent requirements. Specifically, there is no scope limitation in the current EU Directive and UK law to ..
2. ‘3rd party techniques’; I strongly suspect that this is how the law will be ‘watered down’ but as it stands ALL information is included, 1st and 3rd party. Don’t assume that your OWN tracking/analytics will be acceptable without informed consent.
Watch out too for nomenclature – express, implied, explicit are all adjectives attached to the requirement for consent. The current law requires INFORMED consent, the determination of what constitutes valid consent is given in the data protection directive i.e. consent should fulfill the requirements of Article 2(h) of the Data Protection Directive, namely it should be a “freely given, specific and informed indication of his wishes” by which the user signifies his agreement to information being stored or accessed on his terminal.
I concur with your advice to ‘not panic’! A simple three step plan would be to ..
2. ‘blue sky’ what would happen if this technology were turned off i.e. the user/visitor does not consent and what impact on revenues this might have. You will need this for risk assessment and building a business case for compliance.
3. Use the time we have between now and May 2012 (end of grace period) to pilot/test methodologies for NEGOTIATING consent with your web visitors. Learn from the likes of the ICO and Swedish DPA, both of whom saw dramatic drop-offs in visitors consenting to Google Analytics cookies.
Hope this helps.
@Brian. I would love to believe that what you say is correct: “The people that work at the ICO and other authorities are smart people that work in the digital world as much as we do. Benign, anonymous, aggregate reports – such as that provided by GA is not the target of this law.”
But having read again their advice, it says of the exception to the rules:
“The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.”
Does that not mean that we still have to get visitors’ permission to collect GA data, even although it is anonymous and aggregate?
@JohnWedderburn Sadly the cookie killer banner on the Swedish government’s website bit.ly/n7EdeE is almost identical to the UK’s approach at ico.gov.uk
The clock is still ticking. And according to this survey, very few UK government sites seem to be doing much in the way of compliance yet:
Thanks for the clear explanations. I guess this opens a new business opportunity for analytics auditing!
Brian – That’s the rub – all debate has focused on cookies and their use rather than the actual framework that could and should be in place around the use of data.
It’s a far bigger task but the focus of the current conversations is wrong in my view. They need to take a big step back and address the underlying causes, not the methods used.
Steve: You are right, the external debate has focused on cookies, as that is what we all use and are familiar with. However, the ICO discussion is about privacy and is technology agnostic.
Steve: please see point #8 – that is, the law is not cookie specific, though the debate is centered around it at present because that's the method of the moment. Not being technology specific is actually one of the main difficulties the law makers in each country are having.
It’s good to know the ICO is actively consulting with those in the industry and that they realise the real focus of this well intentioned law should not be analytics platforms like GA.
I can’t help but feel though that the law misses the point. There are numerous ways that PII and visitor preferences can be captured and shared which don’t involve the now feared ‘cookies.’ The fabric of the web will change with the law as it stands – I can’t fathom why they targeted cookies rather than develop a regulatory framework which targeted egregious users of data (cookie related or not).
It’s similar to the varying frameworks around email/SPAM like CAN-SPAM and the EU privacy directive itself. I suspect that something similar will happen in that the law won’t drive change but other bodies will appear (if they haven’t already) who will regulate on a user’s or company’s behalf (like spamhaus and spamcop do for email).
There’s got to be a better way and the 12 month grace period in the UK shows that.
Rob: the privacy law affects *all* EU member countries as of 25th May. It's not something that can be “accepted” as such i.e. it was drafted by the EU for the EU. What member states now have to do is incorporate the EU law within their own country law. This is where the delay (and confusion) is at present.
Doug: The ICO are fully aware of the difficulty in wording their guidance (which will be the foundation for the UK law) for this – hence it's not a battle. They are on our side i.e. the side of people who benignly need to track website activity in order to stay competitive. So the next 12 months are about them finding a way to word this. BTW, the ICO are actively consulting with many in the industry so they are certainly not in any ivory tower…
I’m keen to understand how you see this ‘battle’ (?) panning out over the next 12 months. What likelihood is there of clarification of the law to cater for anonymous and benign data collection for web analytics usage?
Is it really ‘in effect’ in all countries? Wouldn’t the member states have had to notify the EU?
As far as I know it is only Estonia, Denmark & Sweden who accepted fully and the UK, France, Slovenia, Luxembourg, Latvia & Lithuania who accepted partially. So in these countries the local regulators will enforce over time.
That leaves 18 other states who, I thought, are now liable to ‘infringement procedures’, ie. it is the non-conforming states, not the businesses within them, which are under scrutiny.
How does that chime with what you know?