What the DCMS consultation means for marketing, privacy and electronic communications.

The Department for Digital, Culture, Media and Sport (DCMS) consultation to revamp the UK’s data protection landscape is underway and, whilst the government says the “consultation is the first step in the process of reforming the UK’s regime for the protection of personal data”, there is concern that the new governmental proposals will create a level of uncertainty around data protection and privacy, and as such, will lead to an increased burden on organisations.

Our latest UK Data Protection Index survey, produced in conjunction with Data Protection World Forum, has found that privacy experts believe UK companies want to do the right thing when it comes to privacy and data protection, but that the new proposals within the DCMS consultation could encourage smaller businesses in the UK to disregard data protection rules and regulations.

When asked ‘To what degree do you think the proposals within the DCMS consultation will affect the way SMEs will implement data protection compliance?’, privacy specialists tipped more towards believing that the consultation will encourage small businesses to disregard privacy and data protection compliance if the new rules are brought into effect. They gave a score of 6 out 10, with 1 being encouraged to comply with data protection rules and 10 being encouraged to disregard them.

At The DPO Centre, we believe that the current accountability framework is already sufficiently flexible to meet business needs, especially as many organisations already take a risk-based approach when it comes to compliance. However, for marketing and data professionals, there are a number of proposed changes in the DCMS consultation that they should consider, largely around the UK’s Privacy and Electronic Communication Regulation (PECR) that governs the use of cookies and electronic marketing communications.

Cookies

Analytics cookie reform

One of the DCMS proposals that has received the most attention is the proposed removal of the consent requirement for analytics cookies and other similar technologies covered by Regulation 6 of PECR.

When looking at what types of data are collected and processed by cookies that come under the banner of ‘analytics cookies’, we believe that provided the analytics information collected is limited to non-identifiable data (e.g. information that is used in an aggregated form to understand how visitors interact with and use an organisation’s products and services and how a site performs following proposed changes (A/B Tests)), removing the need for prior consent seems sensible.

In addition, at The DPO Centre we suggest that this should also include metrics that allow businesses to measure the effectiveness of their online advertising, such as cookies that report on how visitors access the site (e.g. links from other services such as Facebook) provided that it is collected and assessed in the aggregate and not at an individual level.

Using the data collected from analytics cookies in the above ways has a very minimal impact on individuals’ privacy but is extremely useful to businesses trying to understand how their services are used, the effectiveness of their campaigns and return on online advertising spend, and the impact of changes that they make to their online services.

Furthermore, we see a key element of cookie fatigue as being the volume of choices that individuals must be given to meet the requirements of the legislation as written. We therefore believe that focusing user choice on the types of cookies that have a greater privacy impact (such as those used to build advertising profiles) would have a greater beneficial impact on individuals’ privacy and their attitude towards cookies.

Other cookie consent

Aside from analytics cookies, the consultation also considers the possibility of prior consent being removed in a wider range of circumstances. In this respect, we believe more discussion within the industry is needed. The circumstances in which the Government envisions this applying are those in which the data controller can demonstrate a legitimate interest for processing the data, such as for the purposes of detecting technical faults or enabling the use of video or other enhanced functionality on websites.

Whilst the removal of the consent requirement for functional cookies as highlighted above seems sensible, largely due to the fact that they have a minimal privacy impact on individuals and could in fact be utilised without collecting any personal data, questions remain over whether these instances should be framed as acting in a company’s “legitimate interest”, as this leaves room for interpretation and consequent abuse of the rules.

Instead, our suggestion would be to prescribe that cookies that do not collect personal data or cookies that are not used at an individual level (e.g. to provide a personalised service) are exempt from the consent requirements. In this event, anonymisation could play a vital role. For example, if the information the cookie collects is completely anonymous and cannot be attributed to an individual, it may be placed without consent.

In Section 202 of the consultation document, the DCMS does acknowledge that consent requirements must remain in place where cookies are used in privacy-intrusive ways, recognising that this is important to service users.

In this regard, we strongly believe that organisations should give their users choice over whether their data is used either to provide a personalised or targeted services, or used in any way to market goods or services to them. Many users want choice as to whether companies can process their data in this way.

At The DPO Centre, we believe that by limiting the requirement for consent to only cookies that collect data for targeting purposes, consent can be gathered along with other marketing consents and so be far more transparent for individuals, whilst also helping to combat cookie fatigue by limiting the number of requests for consent to those which really matter.

Consumer preferences

When considering cookie consent, a proposal that will likely have a big impact on organisations is the possible move to users being able to set their preferences at a browser/device settings level rather than on each individual website/application. When looking at the benefits and risks of this approach, we see a clear benefit to organisations if they are able to rely on browser, application or software settings. This is because it will remove the need for cookie banners on every individual website.

In addition, this approach would benefit individuals by giving them the ability to control their preferences in one central location, providing a general opt out that is analogous to that provided by the Telephone Preference Service.

This could also be combined with “just in time” notifications to individuals if they attempt to interact with a cookie-based feature. Such notifications would inform them of the need for a cookie and how the information will be used, giving users the opportunity to consent to cookies on an as-needed basis. This process is already in use on mobile applications for access to location information – many phone operating systems require that app developers gather express permission to enable specific functionality.

Further regulatory guidance

Regardless of the outcome of the consultation and to what degree the different proposals are implemented, the government is looking at producing further regulatory guidance setting out the circumstances in which information can be accessed on, or saved to, a user’s terminal equipment and the various consent requirements. We think that further guidance in this area would be welcomed as this is a challenging area of compliance for many organisations, especially given that there is a clear competitive disadvantage for organisations that follow the regulations.

Electronic marketing communications

Soft opt-in expansion

Under PECR, businesses can generally only contact individuals with marketing materials who have previously been in touch during a sale or transaction, and have not refused or opted out of receiving marketing communications about similar products. This is known as the ‘soft opt-in’ exception to gaining actual consent.

Traditionally, this exception has only applied to commercial organisations, meaning that non-commercial organisations such as charities and political parties have not been able to benefit from it. The government consultation, however, asks if the soft opt-in should be extended to apply to all organisations, commercial or otherwise. At The DPO Centre, we believe that there is a good justification for extending soft opt-in requirements to non-commercial organisations such as charities, provided that the same protections are in place as currently apply to their commercial counterparts (data given voluntarily in the course of a relationship, requirement to offer an opt out at the point of data collection and in all subsequent communications, and only similar products/services are promoted). This will assist charities in reaching individuals who have previously donated to them without the need for full consent, with the soft opt-in protections meaning that there would be minimal impact on individuals.

ICO’s power

With regard to the Information Commissioner’s Office’s (ICO) monitoring and enforcement of the rules laid out in PECR, the consultation reveals plans for updating the ICO’s powers around the sanctioning of organisations making unsolicited marketing calls. The proposals include increased powers allowing the ICO to take action against organisations for the number of unsolicited direct marketing calls ‘sent’. Currently, the ICO can only take action against calls which are ‘received’ and connected. This means that if the ICO receives intelligence about companies making tens of thousands of unsolicited marketing calls, it can only base enforcement action upon the number of calls that actually connected. The ICO is not permitted to take account of the potential risk of harm posed by the number of calls actually ‘sent’ with the intention of connecting when determining the most appropriate form of enforcement action.

We believe that there is a good case for extending the ICO’s power in this area because the ICO should be able to take into account the “intention” of the organisation because regardless of whether calls were connected, the organisation making the calls clearly has the intention to contact individuals without a lawful basis.

Whatever your views on the latest government consultation on data protection in the UK, it is clear that marketing and data professionals will be facing changes in the near future that their organisations will need to be ready for.