Data protection: Latitude

Melanie Hatton

In 2002 the EU passed a directive governing data protection and privacy online. Widely known as the e-privacy directive but correctly entitled Directive 2002/58 on Privacy and Electronic Communications, this set out a range of provisions requiring service providers to safeguard the security of internet and mobile telephone communication.

Among the provisions was a section governing the use of cookies. In internet terms, cookies are pieces of text stored by a web browser. They are used to identify a user – for example, by storing passwords – and can also track what you do online to determine the sort of thing you are interested in.

It is this aspect of the directive that concerns Melanie Hatton, general counsel for online marketing agency Latitude Digital Marketing. Latitude’s business is all about targeting online marketing to users. Therefore, the future of the legislation will be crucial for the company and how it operates.

The directive requires subscribers to be “provided with clear and comprehensive information” about the use of cookies. They also have to be provided with the right to refuse the processing of information gained through cookies.

In the UK the directive was transposed into law through the Privacy and Electronic Communications Regulations 2003, using the same language as the original EU law. In guidance published in 2006, the Information Commissioner’s Office (ICO) said an uncomplicated, easily understandable approach was important.

Cookie selection

But the current regulations are set to change later this year. In May EU member states are required to implement changes to the e-privacy directive contained in a directive commonly known as the ‘telecoms reform package’. Instead of giving people the chance to opt out of the use of cookies, the revisions could force internet users to opt in.

Under the changes, article 5(3) reads: “Member states shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.”

“As ever, the devil is in the detail, or in this case the lack of it,” says Hatton. “The directive is open to interpretation, in particular in relation to the issue of website operators serving cookies to its visitors to track users’ behaviour.”

In June last year a European Commission working party issued guidance on the changes. Although Hatton welcomes the fact that the revisions’ recitals allow for web browsers to be used to gain consent and also state that the right to refuse should be “as user-friendly as possible”, she notes that the working party interpreted the requirement quite strictly.

“The new law provides regulators with an opportunity to explore how consumers’ privacy is protected at a time when it is already in the spotlight,” she says. “Behavioural advertising and customised pricing practices have been the subject of recent OFT investigations, and there is steadily becoming more publicity about the online ‘trade’ in personal data and behavioural patterns in exchange for information. Behavioural advertising is an important tool used by some advertisers in the competitive online world, and some see this new law as a threat to the way they can carry out that advertising.”

Quite what the changes will mean for Latitude is still to be determined. Hatton reveals that the directive initially caused consternation among online advertisers.

“The steps which might have had to be taken by a website operator to ensure compliance were quite startling for advertisers; pop-ups, pop-ups referring the visitor to the website’s cookie policy, pop-ups which contain comprehensive information on the nature and purpose of all cookies operating on a particular website,” says Hatton. “This is a webmaster’s nightmare as it’s just not conducive to a streamlined user experience.”

Hatton points to recent developments by Firefox and Google to deal with compliance issues through web browsers as an example of how the industry has responded to the problems.

Hatton says Latitude expects the ICO to issue flexible guidance for the new law. “That guidance will, of course, affect the way website operators organise their sites, and the extent to which they have the ability to track users’ behaviour – the availability of that data will of course affect the way in which advertisers can run their campaigns and target potential customers online,” Hatton explains. “It would be a shame if the ability to track behaviour was cut short. That data helps website operators provide users with a helpful and targeted online experience.”

Latitude has been proactive about dealing with the potential issues. Last year the company carried out research with Lancaster University students, to analyse the way they reacted to behavioural advertising.

“We found that the younger generation are much more willing to trade that online profile for relevant and targeted information and also advertisements,” Hatton says.

In order to comply with the new e-privacy directive Latitude will have to juggle the requirements of the law, the way it will ultimately be applied by regulators, and the ever-changing environment of the internet.

Implementation is unlikely to be straightforward, but the legislation will affect not only lawyers but also everyone who uses the internet.