Alastair Tempest reports on how regulators are bowling with leg-break action at online behavioural advertising. 

As I write this, the summer has come and it’s all downhill to the beaches and blue seas (in theory!).

It’s also the time of year when Brussels’ regulators traditionally toss out a couple of googlies (I choose that word carefully; the definition, for those who have not played cricket, is ‘an off-break ball bowled with leg-break action’). 

So far, one googly has appeared aimed at Google and the other online behavioural advertising (OBA) ad networks. 

This is a non-binding opinion from the national data protection authorities on OBA and it is a pretty merciless googly, which basically says all cookies should be used only after prior, informed consent has been given. 

In its 24 or so pages, the opinion doesn’t express much praise for industry attempts to self-regulate OBA here in Europe, or elsewhere. The data protection authorities say they don’t see many opt in forms online for OBA and they expect to; however, the paper does praise the idea of an icon to provide information on cookies to the user. 

One of the main challenges when imposing prior, informed consent (opt in) on cookies is how this could be achieved technically without completely disrupting the smooth running of the Internet. Open any website and you will encounter on average two to five cookies, so having to do anything active and specific (like tick a tick box) would be extremely disruptive. People would get furious and (quite rightly) politicians would be blamed! In the USA, the National Advertising Initiative, allows anyone to opt out of marketing cookies placed by any of the NAI members. An American OBA code, agreed back in July 2009 by a wide alliance, including the US DMA, the IAB, the advertisers, agencies and printed press, will use an icon behind which will be an opt–out for cookies. This will be supported by the Better Business Bureaux, which is a self-regulatory body. However, almost a year onwards, the US initiative is still being tested. Until it is up and running, it cannot be used on this side of the Atlantic. 

Time is running out, and I feel the writing is on the wall, and the storm clouds have gathered!

Rewrite or revise

A second EU initiative of great importance will be a ‘hearing’ around the time of going to press. At this, we expect to be told the European Commission plans to review and revise the general data protection directive, which dates back to 1995. It is not a state secret that the commission plans to put forward new proposals by the end of this year. We are not quite clear how these will be presented (ie, do they intend to tear up the old 1995 directive and re-write it completely or just revise bits?).

The European Commission has 60 questions for the hearing, which gives a good picture of the issues they might like to include in a new data protection directive. These include strict rules on children’s data – a child defined as under 18; financial data would become sensitive (only used if consent was given – a requirement in the USA); giving the national data protection authorities more powers to enforce the law, including criminal sanctions; banning profiling – and a whole range of other issues.

An area which has been attracting a lot of notice recently is profiling. Regulators note ‘with alarm’ that online behaviour advertising uses profiling techniques to identify potential targets for advertising. Somehow, it is felt, this is either very intrusive, or discriminatory in some way (why do they target me and not them, or vice versa). The Council of Europe, which is responsible for human rights in Europe (and not related to the European Commission!) has been busily working on a recommendation on profiling which is likely to influence strongly the European Commission’s work. Briefly, the recommendation does not favour profiling.

Meanwhile, on the other side of the Atlantic, Congressman Rick Boucher (Democrat, Virginia) plans to present a Bill which is pretty radical even by EU standards (personal data is defined as both individuals and also machines; opt-in required for each and every reuse of data by a third party, etc).

We have a restrictive ‘Bill on the Hill’ in Washington (OK, like many proposals, US draft laws are often designed to be cut down to size during the debates); a threatening recommendation about to be adopted by the Council of Europe on profiling. The European Commission has promised it wants to revise the 1995 general directive on data protection and is looking at a whole list of new issues to be included.

This means that, over the next months FEDMA will be preparing for a serious amount of work . . . and we welcome all and any help! 

Especially, we are looking for research on relevant topics – like how consumers value their privacy; or what is the take-up of opt-in compared to the drop-out of opt-out? We are searching for other resources too. Do look at our website (www.fedma.org). We will be surveying our members on what they feel are the most important issues. To take part in this survey, email me: atempest@fedma.org (you have my consent!).

I will use this column to let you all know the main developments over the next 18-24 crucial months.

Alastair Tempest is director general, FEDMA (Federation of European Direct and Interactive Marketing).