"ComplianceSpeak"

"It’s not about compliance with legislation, it’s about building a business case around compliance"

iCompli launches new website and blog goes with it!

Another business exoskeleton is shed! Onwards and Upwards ..

'ComplianceSpeak' moves in-house on our new website platform.

To keep up-to-date head on over to the new home of ComplianceSpeak

See you there.

Duncan

February 17, 2012 | Permalink | Comments (0) | TrackBack (0)

More 'consent' nomenclature

Further to my posting in October about the variation we see in the use of the 'adverbs of consent', here's some more discombobulation (love that word!).

The Privacy Commissioner in Canada has recently issued guidelines for online behavioural advertising in which there is reference to the Canadian law PIPEDA:

"PIPEDA does recognize that the form of consent can vary: for example, express consent (opt-in) when dealing with sensitive information, and implied consent (opt-out) when the information is less sensitive"

I think that whilst this is superficially confusing, it gets very close to the heart of understanding consent and the interaction between the basic principle of 'Fair obtaining' and any subsequent explicit consent to process data for a particular purpose.

This guidance also makes interesting reading in light of how we might interpret the Article 5(3) requirements for cookie consent in the UK. Note that the Canadian Privacy Commissioner has taken a much 'softer' approach than that advocated by the Article 29 Working Party.

More blog posting on this Guidance to follow!

Canadian 'Privacy and Online Behavioural Advertising Guidelines'

December 09, 2011 in Compliance and Policy Management, Cookies, Marketing and data protection

ASA gives '1 Star!' for misleading customer reviews

This week the ASA has upheld a complaint about Ebuyer (UK) Ltd and their manipulation of user generated content (UGC) on a website.

Ebuyer helpfully informed customers that the "Foehn & Hirsch Portable WiFi Internet Radio (Black)" had a 'four and a half star' review rating out of 17 customer reviews.

The web marketing team must have skipped maths class the day they did Averages, as they failed to take account of other less favourable reviews. The Ebuyer team 'selected' the most helpful reviews (those with the highest 'star ratings') and failed to make customers aware of the poorly rated reviews.

The ASA was not impressed and upheld the view that the consumer had been 'misled .. by omitting material information .. by hiding material information or presenting it in an unclear, unintelligible, ambiguous or untimely manner.'

Does 'pinning' a favourable message to the top of a Facebook 'message wall' amount to the same thing?

The ASA Adjudication can be found here.

December 08, 2011 in Information Law & Privacy, Marketing and data protection

New Child Pornography EC Directive

A 'new' EU Directive focused on child pornography raises challenging compliance questions for HR policy makers and IT Administrators.

Our compliance service portfolio includes scanning corporate networks for illicit and illegal images, so we have first-hand experience of this problem and statistics to show that the discovery of illegal child pornography is thankfully a rare occurrence on (UK) corporate networks. There is still, however, an awful lot of 'other' pornography that has the potential to create enormous brand and reputation damage if it exits the company on corporate emails.

Articles 12 and 13 (liability of legal persons) have 'caught our attention' as they throw a powerful spotlight on the role of corporate policy makers and enforcers. Just how will they present a 'defensible position' w.r.t. 'lack of supervision and control', and whether an employee's actions were ultra vires? A failure to show adequate supervision and control could lead to severe penalties for corporate officers.

The inclusion of 'realistic images' in recital 9 raises concerns for our categorisation team, as we frequently see 'Anime' images that must (?) now be considered.

We'll be watching this one closely to see what new compliance incentives it brings once on the UK statute books. In the meantime, if you'd like to get prepared, our confidential scanning process could be just the defence you require to demonstrate adequate supervision and control.

PE-CONS 51/11 which focuses on combating the sexual abuse and sexual exploitation of children and child pornography can be downloaded as a pdf.

November 29, 2011 in Compliance and Policy Management, Illicit Image Abuse

Cookie smokescreen!

Is all the talk of COOKIE management just a smokescreen designed to take our attention away from the really difficult bits of complying with informed (prior) consent to access or store INFORMATION?

Why is hardly anyone talking about all the other ways INFORMATION is 'accessed/stored' on end user terminal equipment?

How is setting your browser to accept/reject COOKIES going to help if I have JAVASCRIPT set to run when you access my website to pull var trk_ref = escape(document.referrer)?

How will setting DoNotTrack to 'on' help if I utilise your IP address and other browser finger printing to identify and serve content?

For those who run the NoScript add-on for Firefox, you will appreciate the complexity of user settings required. A simplified version of NoScript surely has to be 'merged' into browser settings if this is the preferred way to gain consent to access and store INFORMATION on end user terminal equipment.

Another $0.02 from me!

November 04, 2011 in Cookies, Information Law & Privacy

House Files, 'From lines', Data Owners et al.

Is it just me, or is this all a bit confusing?

ICO Help Desk, Law and Best Practice all in apparent disarray!

Try this scenario with the ICO:

I'm a data owner, I rent an opt-in 'House list' to data users, the data users create branded email messages and our subcontractor (data processor) sends them to individuals on the house list (data subjects).

What the data subject receives is email marketing clearly identifiable as 'from a Brand'. If they don't want it, they can exercise their right to opt-out from the brand via a robust, simple un-subscribe mechanism. The data subject remains on the house list, available for other data users to rent. If the data subject requires the data user to 'cease to use their personal data for direct marketing', they can reverse their opt-in to opt-out with a simple phone call or email to the data owner, this will remove them from the house list. This information was made readily available on the data owner's privacy policy at the time of obtaining.

The ICO Help Desk thinks this a perfectly reasonable scenario.

How does this 'square' with the DMA Email Marketing Council: Best Practice Guidelines 2007? The guidelines state:

Section 2.4 Renting Lists – ‘Host Mailing’: the Data Owner’s name must appear in the ‘From’ box of the email as the sender of the email

.. and then further on

Section 3.3.2 Other Key Issues, From Header and Subject Line – Transparency: states the Data User (or Data Processor in the case of a hosted mailing) must ensure that their identity is clearly stated to the individual in the ‘From Header’

I agree with section 3.3.2 (unless of course it should have read data owner and not data processor), and not section 2.4.

My view would appear to agree with the law too ..

  1. The Electronic Commerce (EC Directive) Regulations 2002, where 'A service provider shall ensure that any commercial communication provided by him and which constitutes or forms part of an information society service shall .. clearly identify the person on whose behalf the commercial communication is made', and
  2. The Privacy and Electronic Communications Regulations 2003, where 'A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail where the identity of the person on whose behalf the communication has been sent has been disguised or concealed'.

To think I once wanted to be a pilot :-)

November 02, 2011 in Compliance and Policy Management, Data Protection Act, Information Law & Privacy, Marketing and data protection

"Strictly come .. necessary"

PECR 2003 Regulation 6 (4)(b)

Paragraph (1) shall not apply to the technical storage of, or access to, information—

(a) for the SOLE PURPOSE of carrying out or facilitating the transmission of a communication over an electronic communications network; or

(b) where such storage or access is STRICTLY NECESSARY for the provision of an information society service requested by the subscriber or user.

This is going to present some interesting legal challenges as web teams tackle the requirement to gain consent or NOT.

JUDGE: Did you, or did you not, gain informed consent to access the information on the subscriber or user's equipment?

DEFENDANT: We did not your honour, it was just an ASP.NET SessionId which is only used for facilitating the transmission of a communication.

JUDGE: I see. And what (pray tell) is the purpose of the 'null cookie' I see you placed on the subscribers equipment without consent?

DEFENDANT: ah .. When you abandon a session your Honour, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance. At the same time, if the user opens another application within the same DNS domain, the user will not lose their session state after the Abandon method is called from one application. Sometimes, we may not want to reuse the session ID. When we do, and there are ramifications of not reusing the session ID, we use the following code to abandon a session and to clear the session ID cookie.

Session.Abandon(); Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

JUDGE: I see. And the IP Address I see you obtaining. What (pray tell) is the purpose of that?

DEFENDANT: {sigh} TCP/IP ...

It's going to be fun, isn't it!!

Particularly challenging is the re-use of information AFTER it has been used for a specific network purpose. IP Address is one of those 'REQUIRED' 'SHALL' parts of W3C Standards, so one assumes it is exempt from the consent requirement. But what if we then analyze the IP addresses visiting our website to gain insight into potential customers? What about the document.referrer 'value', should we use it?

It's what Google Analytics does best, and it's what the ICO no longer has access to.

There has to be some middle ground, and we have to find it now!

November 01, 2011 in Cookies, Data Protection Act, Information Law & Privacy, Marketing and data protection

Express, implied, explicit .. whatever!

It’s all about consent; we haven’t got it right yet and judging by the latest EC Directive we’re not about to get it right any day soon.

We have struggled for decades with legal nomenclature and clarity of meaning. For over ten years now (yes, the Data Protection Act 1998 is that old) I have been teaching marketers to think clearly and understand what makes consent different from explicit consent (Data Protection Act 1998 Schedule 3). And no, it’s not a signature or a tick box!

I see it happening again with the Article 5(3) amendments to the PEC Directive (2002/58/EC) and now the new Consumer Rights Directive (2001/xx/EC). The headlines scream ‘EU bans pre-ticked website boxes’, "With the new directive, pre-ticked boxes will be banned across the European Union,".

I feel sorry for pre-ticked boxes.

What the new Directive (and soon law?) says is ..

Article 22: Additional payments

Before the consumer is bound by the contract or offer, the trader shall seek the express consent of the consumer to any extra payment in addition to the remuneration agreed upon for the trader's main contractual obligation. If the trader has not obtained the consumer's express consent but has inferred it by using default options which the consumer is required to reject in order to avoid the additional payment, the consumer shall be entitled to reimbursement of this payment.

Soo, ‘express’ doesn’t mean fast then! What was wrong with ‘explicit’? As synonyms I suppose we could use either. Explicit a.k.a. express, as I have taught it since year dot, is ‘Fully and clearly expressed; leaving nothing implied and without ambiguity’.

I propose “using default options which the consumer is required to reject in order to avoid the additional payment” could meet consensual requirements, i.e. ‘Fully and clearly expressed; leaving nothing implied and without ambiguity’. It’s how the information is presented.

I predict there will be much debate over the word ‘but’ as it appears in the Article 22 sentence ..

‘If the trader has not obtained the consumer's express consent but has inferred it by using default options which the consumer is required to reject in order to avoid the additional payment’.

If I can demonstrate that a consumer has indicated they have read and agree to terms and conditions which set out what they are contracting to/for fully and clearly expressed; leaving nothing implied and without ambiguity, then have I not met my Article 22 obligations, pre-ticked boxes or not?

And what does this mean for the current cookie consent debate?!!

Just a thought!

October 18, 2011 in Data Protection Act, Information Law & Privacy, Marketing and data protection

It's the 'T' in DNT that matters

As Facebook refutes its own cookie tracking activities, their defensive comment reveals one of the major compliance issues organisations have, as they struggle with new regulatory and legislative requirements.

If the balance of power swings from the 'aggressive, factually correct, prior informed consent' view of the Article 29 Working Party, to the more business-centric, 'did we really say opt-in?' view of Ed Vaizey and UK Gov, we may well see organisations adopting the browser-based mechanism for acquiring consent to drop/read cookies i.e. we will honour the Do Not Track (DNT) bit you have set in your browser. (Yes, it should default install to do NOT track!).

Now comes the tricky bit [no pun intended], what does the 'T' stand for in DNT (Track, I know). What will you do when a browser visits your site with DNT set ON?

Facebook said .. "it does use cookies to personalise some content on the site, but that this information is not used to serve users with targeted ads, is not sold on and is either deleted or anonymised within three months".

I can just hear the laughter round the table at the Article 29 Working Party lunch; 'They don't use cookies to serve ads .. whateeever!'

The technology neutral stance of the amended PEC Regs now works against us, as we clearly have to consider all information stored/accessed on the users terminal equipment, not just cookies for ad serving!

For an interesting US view on the issue and a possible solution, take a look at Chris Soghoian's blog

He recommends that we stick with HTTP Headers (Domain privacy issues mean Opt Out cookies are not well placed solutions) but expand the options to give individuals more choice, namely don't track and don't target ad serve ..

X-Behavioral-Ad-Opt-Out: 1
X-Do-Not-Track: 1

Interestingly this is converging on the EASA best practices guidelines which differentiates between 1st and 3rd party use of data stored on terminal equipment. 

Good idea, but .. as I 'spin round the web' I will have vastly differing relationships with the sites I visit, some I trust, some I don't (I will be blogging on this soon, but for in-depth analysis Soren Preibusch's article is empirically informative). That means I have to constantly swap my DNT bits! Not convenient, so I end up leaving DNT set on, to the detriment of marketing revenue streams.

So here's an idea I came up with whilst chatting with the IAB 'Lead Generation' team (drum roll) ..

Let's resurrect the dead, and deploy Zombie/Ever cookies for GOOD things! What if an 'evercookie' were deployed which identified my particular site preference? The great thing about evercookies is that they keep remembering, so they can keep remembering important stuff like whether a site should i) honour my DNT bits or ii) over-ride them.

Sites could drop a DNT evercookie which the user controls through a UI and then honour the settings recorded in the evercookie. If no evercookie is present, honour the browser setting.

Might even satisfy the A29WP!



September 29, 2011 in Information Law & Privacy, Marketing and data protection

So, it’s Do Not Track (DNT) then!

Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda: 'Online privacy – reinforcing trust and confidence', Online Tracking Protection & Browsers Workshop, Brussels, 22 June 2011. Her speech here..

Neelie Kroes comments at the Online Tracking Protection & Browsers Workshop in Brussels, 22 June 2011 seem to confirm that Industry and Regulators are settling on a consensual ‘half-way house’

What began as ‘PRIOR informed consent’ was then re-drafted as ‘informed consent [whenever you can get it, notwithstanding that this normally means before the event]’ has now become ‘unless you tell me you don’t want it’. Mmmm.

Ms Kroes said;

“it is encouraging to see that the advertising associations EASA and IAB Europe recently adopted a Best Practice Recommendation and Framework on behavioural advertising. Their approach consists of an icon on each targeted ad, coupled with an information website that allows the user to switch off behaviourally targeted display ads from any participating company. This currently works by setting opt-out cookies and is backed by an enforcement mechanism.”


Forgive me, but shouldn’t the user be switching behaviourally targeted display ads ON, not OFF?

Is the ‘regulator’ suggesting that it is alright for the ‘cookie setter’ to ASSUME CONSENT ON THE BASIS OF NON-RESPONSE?

95/46/EC defines 'the data subject's consent' as meaning ‘any freely given specific and informed INDICATION of his wishes by which the data subject SIGNIFIES his agreement to personal data relating to him being processed’.

Should I fail to see the icon telling me that I am being tracked (I’m easily distracted), at what point do I INDICATE to the ‘cookie setter’ that I consent to their processing of my personal data? I don’t!

As Ms Kroes points out;

‘The point, therefore, is that users should be able to know, and control, when and to whom they give their information and how it will be used. Hence we need, once again, transparency, fairness and user control’

 .. but not informed consent.

Guess that 'eighteen wheeler' is getting closer :-)

June 24, 2011
