Techblogger quoted in article on new cookies law

I am quoted in an article on the new cookies regulations in this month’s edition of B2B Marketing magazine.

B2B Marketing is a magazine for business marketers, and the article looks at some of the practical issues around implementing the changes required to comply with the new regulations.

As I note in my comments, even at this late stage there is a lack of clarity on exactly what the Information Commissioner’s Office (ICO) is expecting organisations to do to achieve compliance. Interestingly, the ICO now appears to be briefing against its official guidance in media interviews, commenting that enforcement is not a priority and that things frowned upon under the guidance are unlikely to lead to enforcement action. It’s a shame that this informal briefing hasn’t been reflected in clarifications to the formal guidance.

Email campaign tracking
One last point.

I see that one of the other interviewees in the B2B Marketing article states that the new rules don’t apply to web beacons used for tracking the success of email campaigns. Whilst the ICO may not have focussed on this issue in its guidance, I don’t think that you can definitively conclude this from either the original directive or the UK regulations.

As I have noted previously, whilst the law is often referred to as the “cookies law”, the law makes no specific reference to cookies. Instead, the regulations simply talk about “information stored [on the user’s] terminal equipment.”

In practice, this means any software or code on a user’s device that can be used to track or identify that user, regardless of whether that is through a web browser or an email client. This will include mobile apps and could include open tracking in emails, depending on how the tracking is carried out.

The DMA is, understandably, lobbying the ICO to issue guidance that the new regulations do not apply to email tracking. However, the DMA is at the same time also advocating that, as a matter of good practice, marketers are up front with their users about the use of email tracking.

This is consistent with data protection principles generally, and the reasons that the European Commission introduced changes to the previous cookie law. Organisations may therefore wish to think carefully before deciding not to review how they inform users about their use of email tracking.

2 Responses to “Techblogger quoted in article on new cookies law”

  1. 1 escrivo May 15, 2012 at 9:19 am

    A good point is raised here. The general case with the new legislation is that if data is stored on the user’s equipment then it falls within the legislation – so IF web beacon images are served with an http cookie, then one assumes that the cookie would be stored on the user’s equipment and hence fall within the scope of the legislation. However, if no cookie is served with the beacon then no data is stored on the user’s equipment, and (one assumes again) that the legislation would not apply?

    Email marketers also commonly send emails which contain unique personalised links that also enable tracking of clickthru and open rates. There may be a privacy-related disclosure matter here, but is there actually a suggestion that the “cookie legislation” applies even though no data has been stored on the user’s equipment?

    There is a similar distinction between “web analytics” packages (which commonly use cookies for tracking user activity in detail) and so-called “web stats” packages (which depend on analysis of server logs rather than cookies to provide similar reports). The former stores data on the user’s equipment, but the latter does not.

    • 2 martinsloan May 15, 2012 at 11:51 am

      You are correct – the “cookies law” (both in its current form and previous incarnation) only applies where something is stored on the user’s device. IP address tracking, profiling, and device fingerprinting et cetera are not covered by the new regulations.

      However, the cookies law is just one part of the wider laws regulating privacy and data protection. Such profiling or tracking may still be caught by those wider data protection laws under the Data Protection Act and the specific rules on electronic marketing under the 2003 regulations.

      The ICO’s view is that depending on the device/use in question an IP address may form part of the user’s personal data. For example, it is likely that an IP address assigned to a mobile device will be part of the device owner’s personal data, as that device is unlikely to be shared with another user.

      It is therefore good practice under general data protection laws to be transparent and inform the user at the point of data collection of any other techniques used to track that user’s response to an email campaign or its use of a website. This is even more important where that tracking or profiling is specifically tied to other information held on that user.

      This is not new law, and is something that organisations should already be doing.

      It’s worth reading the ICO’s guidance on this (although you may struggle to do so today as the ICO’s website currently appears to be the subject of a DDOS attack!).
