This document provides information about an upcoming DMA North Legal Update event, including the agenda, speakers, and contact details. The event will cover topics like the new EU cookie law, data protection regulation, postal affairs, and industry issues. Speakers will discuss how to comply with the cookie law by the May 26th deadline, the proposed EU data protection regulation, and its potential impacts. The agenda also includes sessions on hot legal topics, a coffee break, and a panel debate.
2. Connect with the DMA…
• The #tag for this event is: #dmalegal
• LinkedIn: DMA: Direct Marketing Association (UK)
Limited
• Twitter: @DMA_UK/ @DMANorth
• DMA Website: http://www.dma.org.uk
• Email: dma@dma.org.uk or events@dma.org.uk
• Phone: 020 7291 3300 or 0161 918 6722
3. Today’s agenda
• 13.30 – 13.50 Registration and Coffee
• 13.50 – 13.55 Event Introduction
• 13.55 – 14.25 Cookies – Are you ready?
• 14.25 – 15.00 Data Protection
• 15.00 – 15.30 Hot Industry Issues
• 15.30 – 15.50 Coffee Break
• 15.50 – 16.50 Postal Affairs
• 16.50 – 17.00 Panel Debate and Close
4. DMA North
Legal Update
Tuesday 17th April 2012
Caroline Roberts
Director of Public Affairs
Janine Paterson
DMA Solicitor
5. Cookies – Are You Ready?
DMA North Legal Update
17th April 2012
6. Covering
• 26th May?
• What does the law require?
• What's the ICO saying?
• What steps should you have been taking?
• What steps have some already taken?
• What impact are these changes likely to have?
• OBA
7. 26th May
• Information Commissioner recognised the
inevitable upheaval for the online industry
• Granted a grace period until 26th May 2012
• ICO wanted companies to:
– Audit what cookies they use
– Plan for how they are going to obtain consent
8. What does the law require?
• The EU's revised privacy and communications directive
came into force on 26 May 2011
• For clarity the EU laws have been in place since 2003
and always required anyone using cookies to provide
clear information about them.
• The changes in May dramatically tightened the rules:
now, anyone depositing cookies is required not just to
provide clear information about them but also to obtain
consent from users to store a cookie on their device.
• Technically all firms must comply with the law but in the
UK we have until end May 2012 to ensure we are
compliant
9. The law doesn’t just cover cookies
• The law isn’t actually about cookies, but because it affects
them so much people have started calling it the ‘Cookie Law’
• The law covers all technologies which store information in
the “terminal equipment” of a user, and that includes so-called
Flash cookies (Locally Stored Objects), HTML5 Local
Storage, web beacons or bugs…and more
• This applies to email and mobile marketing too!
10. This is what the law requires:
• A person shall not store or gain access to information
stored, in the terminal equipment of a subscriber or
user unless the requirements of paragraph (2) are met.
• (2) The requirements are that the subscriber or user of that
terminal equipment-
• is provided with clear and comprehensive information
about the purposes of the storage of, or access to, that
information; and
• has given his or her consent.
• There is an exception to the requirement to provide
information about cookies and obtain consent where the use
of the cookie is:
• for the sole purpose of carrying out the transmission of a
communication over an electronic communications
network; or
• where such storage or access is strictly necessary for the
provision of an information society service requested by
the subscriber or user.
11. In practice
Those setting cookies must:
• tell people that the cookies are there,
• explain what the cookies are doing,
and
• obtain their consent to store a cookie
on their device.
12. Two exemptions from consent
requirement
• 1. “use of cookie is for the sole purpose of
carrying out the transmission of a
communication over an electronic
communications network”
• 2. “cookies that are strictly necessary for the
provision of a service”
– e.g. internet banking, online shopping
carts, website log-ins
13. What’s the ICO saying?
• On 13 Dec 2011 the ICO issued his half-term report
on how things are going.
• His verdict, he wrote,
"can be summed up by the schoolteacher's favourite
clichés: 'could do better' and 'must try harder'. A
report that listed the URLs of sites that were perfectly
compliant from day one would be very short indeed.
This is not a surprise to anyone who recognises that
redeveloping and redesigning is no easy task.”
14. The ICO’s core advice remains the
same
“It is not enough simply to continue to comply with the
2003 requirement to tell users about cookies and allow
them to opt out. The law has changed and whatever
solution an organisation implements has to do more
than comply with the previous requirements in this
area.”
1. Check what type of cookies and similar technologies you
use and how you use them.
2. Assess how intrusive your use of cookies is.
3. Decide what solution to obtain consent will be best in your
circumstances.
15. Take some comfort …
• “The guidance we’ve issued today builds on the advice
we’ve already set out, and now includes specific
practical examples of what compliance might look like.
We’re half way through the lead-in to formal
enforcement of the rules. But, come 26 May next
year, when our 12 month grace period ends, there will
not be a wave of knee-jerk formal enforcement
actions taken against those who are not yet compliant
but are trying to get there.”
16. What steps should you have been
taking?
Follow the ICO’s guidelines:
1. Check what type of cookies and similar technologies
you use and how you use them.
2. Assess how intrusive your use of cookies is.
3. Decide what solution to obtain consent will be best
in your circumstances.
17. Check what type of cookies you use
• This might have to be a comprehensive audit of your
website or it could be as simple as checking what data
files are placed on user terminals and why.
• You should analyse which cookies are strictly
necessary and might not need consent.
• You might also use this as an opportunity to ‘clean up’
your webpages and stop using any cookies that are
unnecessary or which have been superseded as your
site has evolved
• And also check that you have identified ALL your
websites.
18. Assess how intrusive your use of
cookies is
• ….It might be useful to think of this in terms of a
sliding scale, with privacy neutral cookies at one end
of the scale and more intrusive uses of the technology
at the other.
• You can then focus your efforts on achieving
compliance appropriately providing more information
and offering more detailed choices at the intrusive end
of the scale.
19. Decide how to obtain consent
• Once you know what you do, how you do it and for
what purpose, you need to think about the best
method for gaining consent.
• The more privacy intrusive your activity, the more you
will need to do to get meaningful consent….
– Pop-up box
– Splash page
– Landing page
– Webpage header, banner or scrolling text
– Through T&Cs for registered website users
– Cannot currently rely on users’ browser settings!
20. What visible (and other) steps have
some taken?
• Google awareness campaign – Good to know
• Redbridge Media
• BBC
• DCMS
23. What impact will all this have?
• A large number of services may only be offered – free
of charge – because their providers finance them by
means of advertising and behavioural targeting has
proved to be the most efficient method of advertising
on the Internet.
• In other words, many services that are available on
the Internet could not be offered at all or at least not
free of charge, if they were not financed by
advertising.
24. What impact will all this have?
• Conservative estimates are that over 92% of websites
in the EU use cookies at the moment
• They’ll either have to stop using cookies, or start
gaining consent
• And the burning issue is … how to gain consent
• A business coalition has created a website to illustrate
how the Dutch transposition of the European E-Privacy
Directive would impact the web surfing experience …
26. Impact?
• There are other sites that demonstrate the potential
impact in a humorous way including David Naylor’s
site …
31. Online Behavioural Advertising
rules on cookies will affect OBA
[Diagram: a consumer’s journey over a week (Fashion, Music, News, Car insurance); a profile is built up; retargeting of a relevant message (e.g. fashion)]
32. Online Behavioural Advertising
• European industry working group developing pan-
European framework, working with Commission
• EASA Best Practice Recommendation on OBA adopted
• Possible use of icon as indication to consumer, to give
greater transparency and control over OBA, thereby
complying with requirements of PECR.
• Self-regulation on complaints – by ASA & counterparts
in EU Member States – UK industry working through
Advertising Association on a recommendation to CAP
33. Education Education Education
• PwC research commissioned by DCMS in February 2011
found that…
• 41% of those surveyed were unaware of any of the different
types of cookies (first party, third party, Flash/Local
Storage). Only 50% were aware of first party cookies.
• Only 13% indicated that they fully understood how cookies
work, 37% had heard of internet cookies but did not
understand how they worked and 2% of people had never
heard of internet cookies.
• 37% said they did not know how to manage cookies on their
computer
34. In conclusion
• Issues surrounding implementation of regulation for email
and mobile marketing still a grey area. ICO guidance?
• ICC Guide on cookies issued this month.
• Getting it wrong could result in adverse commercial impact –
and regulatory intervention?
• The rules of engagement online WILL change – How is up to
you.
36. Draft EU Data Protection Regulation
• Where are we now
• Background to the proposal
• Key points in the proposed Regulation
• DMA lobbying
37. Where are we now?
• European Commission published draft Data Protection
Regulation 25th January 2012
• Consultation process since May 2009
• Ministry of Justice Call for Evidence Jan-Feb 2012
• Jan 2012 – 2014?? – European legislative process
• ?? 2016 – New Regulation in force
38. Why revise the framework now?
1995 European Directive (implemented into UK by 1998
Data Protection Act) showing its age due to:
1) Law doesn’t take account of new technologies – and
more complex information networks: interconnected
data rather than held in databases
2) Lack of common European law and differences in
national implementation
3) Consumer concern over privacy – high profile data
security breaches, etc.
39. Key points in the draft Regulation
Opt-in and opt–out - obtaining consent
• General rule for direct marketing – “explicit consent by
clear statement or affirmative action” . Much more
prescriptive.
• Possible legitimate interests exemption?
• Legacy databases – what about data collected under
current law?
• At worst, if consent cannot be proved, whole
databases could be scrapped.
• At odds with existing rules on voice calls, email and
SMS marketing
• Would almost certainly lead to requirements for
increased opt-in mechanisms
Increased burdens on business
Decrease in functionality of many consumer-
friendly services
40. Key points in the draft Regulation
IP addresses and cookies
• Definition of personal data extended so could cover
some IP addresses and cookies
• But IP addresses identify a device not an individual +
some IPs are general, e.g. in a library or internet cafe
• Huge implications for digital marketers
• Web analytics & profiling made much more difficult, if
not impossible
• Interaction with new cookie rules
41. Key points in the draft Regulation
The right to be forgotten
• Right for individuals to request organisations to delete any
information held on them
• Drafted with social media in mind – but goes beyond this
• For dm, there is an obligation to suppress, rather than
delete, i.e. “need to keep to remember to forget”.
• Also problem of information which has already been passed
on to third parties
• Possibility of misleading consumers by raising unrealistic
expectations
• Need to strike more reasonable balance between consumer
expectations and limiting use of data for legitimate business
purposes.
• A possibility that dm might be OK - but this needs to be
clarified
42. Key points in the draft Regulation
Data Breach notification
• Every organisation that suffers a data security breach
would have to notify Information Commissioner’s
Office and the individuals concerned within 24 hours
• Not always obvious if there has been a breach or how
extensive it is
• Problem of notification fatigue, so individuals could fail
to take action when it is necessary to do so.
• No threshold level specified.
43. Key points in the draft Regulation
Subject Access Requests
• Data subjects to be able to request full
information on data held on them free of any
charge
• Currently can levy a £10 fee – doesn’t cover
cost but deters time-wasters, frivolous or
vexatious requests.
• Costs organisations £50 million p.a. now to
meet SARs
• Proposal that can provide data in electronic
form if data subject agrees to this
44. Key points in the draft Regulation
- Marketing to Children
• General rule – parental consent required for
under 18’s
• Exception for online marketing to children
under age of 13
• No flexibility – a risk-based approach would
be better.
45. Key points in the draft Regulation
Compliance obligations
• Data protection obligations now shared between
agencies and clients, for example if holding client’s
database
• Appointment of designated Data Protection Officer for
organisations with 250+ staff
• Accountability/Privacy by Design/Privacy by Default
• Increase in fines/sanctions – in stages, of up to 2% of
global turnover or 1 million euros
• International transfers of data outside EEA – law
would apply to any processing of data of EU citizens.
Not always possible to tell.
46. EU Draft Data Protection Regulation
• A major concern is that much of the detail of
the Regulation will be implemented through
additional delegated legislation – some 45
Delegated Acts are mentioned.
• Details of this secondary legislation will not be
clear until Regulation passed
• These areas of secondary legislation will
include:
• powers to specify further procedures
• technical standards for Privacy by Design/Default
• specification of lawful processing condition
• additional responsibilities for national data protection
authorities; etc.
• European Commission will be taking
significant powers to itself away from the
national authorities - raises serious issues of
subsidiarity and accountability
47. EU Draft Data Protection Regulation
- DMA View
• DMA welcomes the Commission’s aim to
reduce red tape and simplify bureaucracy –
but proposals do not achieve that: overly strict,
bureaucratic and unworkable
• Hard to say how Commission’s estimate of 2.3
billion euros saving to businesses was
calculated
• Needs to be a fair balance between privacy
and legitimate business interests
• Current proposals will stifle innovation, add
considerably to business costs and place an
unnecessary obstacle to e-commerce jobs
growth
• Will be particularly harmful to SMEs
48. What the DMA is doing
• DMA working on this since European Commission began review
in 2009; responding to European Commission consultations and
participating in stakeholder sessions.
• Federation of European Direct and Interactive Marketing
Associations (FEDMA) in Brussels leading collective EU dm
effort – UK DMA chairs Legal Affairs Committee
• Lobbied Commission intensively after unofficial draft leaked in
Dec 2011 – with some success
• Responded to Ministry of Justice’s Calls For Evidence in 2010
and 2012, with input from DMA members.
• Now lobbying UK Government and European institutions as the
proposal goes through the European legislative process
• Leading UK Data Industry Group response to the proposed
legislation & participating in CBI Group on Data
• Key research on consumer attitudes to privacy and on the
economic value of the dm industry
49. Other legislative areas
• London 2012 Olympic Games
• Consumer Rights legislation
• Marketing to children
• Telemarketing
• Financial services
• Alcohol marketing
• Environment
50. London 2012 Olympic and
Paralympic Games
• Begins 27th July 2012 and ends on 12 Aug 2012.
• Legal restrictions on marketing and advertising around
Games to protect sponsors’ investment and prevent
ambush marketing
• Covers all media - print, direct, outdoor, TV, radio,
video, cinema, ambient, & online advertising (inc.
Google Adwords)
51. Rights protection
• Honouring commitments to the IOC & IPC
• Preserving the long term reputation and value of the
Olympic and Paralympics brands
• Protecting commercial partners’ investment in the
Games - protecting the Olympic brand is central to
funding the Games
53. Do’s and don’ts
• Do respect the investment made by sponsors
to gain an exclusive right of association to the
Games
• Don’t suggest an association between your
product or services and the Games or London
2012 – this includes:
• Using protected symbols, motto, words, etc. so as
to be likely to create in the public mind an
association
• Marketing materials and sales promotions
• Internal corporate marketing
• Employee engagement activities
• See www.london2012.com
54. Consequences of infringement
• Priority is to ensure infringing promotion
is stopped via cease and desist
requests
• LOCOG (and the BOA/BPA) are entitled
to seek:
• damages
• an account of profits
• an injunction
• orders for delivery up of goods etc.
55. Consumer Landscape
MOJ/BIS – A Common Sales Law for the EU – call for evidence
• European Commission have long talked of a European sales
law as the solution to the challenges of differing national laws
across the EU. A common sales law to kick-start the economy
in the single market
• EC issued consultation on 11th October 2011
• Call for evidence issued on 28th February running to 21st May
• UK Government are not convinced that the benefits will be as
significant as the EC believes and they feel that there may be
costs to business that have not been considered.
• Government needs views to form policy and help their
negotiations in Europe
56. Consumer Landscape
BIS Enhancing Consumer Confidence through Effective
Enforcement
• Powers of enforcement bodies are spread across around 60
pieces of legislation causing confusion for both businesses
and enforcers. Consulting on proposals in 5 areas:
– Consolidating and simplifying consumer law powers into a
generic set;
– Improving cross boundary cooperation and authorisation;
– Encouraging proportionate enforcement by removing
barriers to the use of civil enforcement;
– More flexible qualification and competency requirements;
– Enabling competition in the calibration of measurement
standards market
57. Marketing to children
• General political concern about over-
commercialisation
• Bailey Review on Commercialisation and
Sexualisation of Childhood – “Letting Children
Be Children” - report published 6th June 2011
• Says role and practice of advertising in broadly
good shape – praises industry initiatives, e.g.
CHECK
• 5 key recommendations:
• Sexual imagery on billboards, magazine covers,
• No under-16 brand ambassadors & peer to peer
techniques
• Harmonisation of the age of a child at 16
• Website for parents to complain
• Improving industry and regulatory understanding of
parental concerns
58. Marketing to children – industry
response
• Children’s Panel set up to monitor advertising to
children and take forward issues of concern
• Parent Port – gateway portal for parents for information,
advice, complaints, etc.
• Research - Credos, Advertising Association think tank
• UK Brand Ambassador and Peer-to-Peer Marketing
Pledge:
• Agreed principle that
“ Young people under the age of 16 should not be
employed directly or indirectly paid or paid-in-kind to
actively promote brands, products, goods, services,
causes or ideas to their peers, associates or friends”
• 30+ national company signatories + 13 trade
associations, including DMA
• Industry awareness campaigns
59. Telemarketing
• OFCOM issued consultation 4th April on
Simplifying Non-geographic Numbers - Detailed
proposals on the unbundled tariff and Freephone
http://stakeholders.ofcom.org.uk/consultations/simpli
• Non-geographic numbers include 03, 080,
0845, 0870, 083/4, 0871/2/3, 09 and 118
numbers. These numbers are used to call
businesses and Government agencies, to get
information, make payments for services and
vote on TV shows. Nearly every consumer and
every company in the country uses these
numbers in some way.
60. Telemarketing
The system does not work for consumers – issues include:
– Confusion about the price:
People are confused about what these numbers
mean and how much calls cost. As a result, they
lack confidence and trust in these services.
– Even freephone is not clear cut:
It is not free on most mobile services and this is
leading to consumers having doubts about the cost
on landlines (where it is normally free)
– Concerns about revenue sharing:
A lack of transparency and high charges by some
phone companies means many customers have
suspicions that they are deliberately being exploited
by companies, being held on the line unnecessarily
for example. This is unduly causing consumers to
restrict calls to these numbers - reducing the benefit
to companies of using them.
61. Telemarketing
• Main proposals:
– Freephone: (080 and 116 numbers) to be free
from all telephones, landline and mobile;
– 03: to become the only non-geographic number
range linked to the price of a call to a geographic
number (i.e. the 01/02 number ranges);
– Revenue sharing ranges: (084, 087, 09 and
118 numbers – where a portion of the retail charge
is passed back to the receiver of the call) are to
have a common simplified structure.
• Consultation closes 27th June 2012
62. Financial Services
• EU Gender Directive
– In force 21st December 2012
– ECJ ruled 1st March 2011 that gender sensitive pricing
is contrary to the principle of equal treatment in EU
law
– Therefore gender neutral pricing will become the norm
– Unisex premiums would see the lower-risk gender
paying more to subsidise the high-risk gender
63. Financial Services – consumer credit
• Consumer Credit in limbo?
– Investigations into payday loans and payment
protection insurance have raised the issue of
standards in the consumer credit market
– BIS Committee of MPs has called for tighter
controls on debt management companies and
payday lenders
• Outline timetable within 6 months to decide
whether control of consumer credit will go to
Financial Conduct Authority
• Charge higher licensing fees for higher risk
credit businesses
• Put in place a fast track procedure to suspend
credit licences
• Give the regulator the power to ban harmful
products
64. Alcohol
• Government issued its Alcohol strategy on 23rd March
• Focus on pricing issues
• Positive comments on the work of self-regulation
• Following this, the Commons Health Committee has
announced it will hold an inquiry into the Government’s
proposals
• The inquiry will look at:
– The effects of marketing on alcohol consumption, in
particular in relation to children and young people.
– International evidence of the most effective
interventions for reducing consumption of alcohol and
evidence of any successful programmes to reduce
harmful drinking, such as:
– Public health interventions such as education and
information;
– Reducing the strength of alcoholic beverages;
– Raising the legal drinking age; and
– Plain packaging and marketing bans.
65. Environment
• The DMA and Defra signed a Responsibility Deal in 2011.
• Part of this was the introduction of a new website where
householders can opt-out of receiving all types of advertising
mail.
• Aim to reduce the amount of unwanted advertising mail put
through the letterbox
• Doorstop Preference Service is ready to launch – awaiting
final Defra input
66. Any Questions?
caroline.roberts@dma.org.uk
020 7291 3346
janine.paterson@dma.org.uk
020 7291 3356
DMA members can contact DMA Legal
Department for free advice:
by email: legaladvice@dma.org.uk
or call: 020 7291 3300
69. Background
• Postal Services Act 2000
– Set up Postcomm, Postwatch
– “universal service”
– Removal of monopoly
• Postal Services Act 2011
– Prepare for private ownership
• State Aid – pensions, loans
• Postcomm → Ofcom
• “Commercial return” on Universal
Service
70. OFCOM
• “Light touch” regulation
– Commercial freedom
– Ex ante → Ex post
– Protect the Universal Service
• Consultations
– Securing the Universal Postal
Service
– Review of Regulatory conditions
– Decisions published 27th March
71. What is changing?
Price control
• Postcomm formula
– Too complex
– Ineffective
• OFCOM decision
– No price control
– Except for 2nd class letters, some
packets
72. What is changing?
Price Control - implications
• Royal Mail have commercial freedom
– “opportunity pricing” not cost related
– More scope for individual contracts, sales
etc
– Ability to negotiate?
• VAT
– HMRC rules state only exempt if
– Part of Universal Service
– Or subject to price control
73. What is changing?
Terms and conditions

| Products | Before 2nd April | From 2nd April |
|---|---|---|
| Universal service products, e.g. stamped and metered mail | 3 months’ notice of price changes | 1 month’s notice of price changes |
| | 3 months’ notice of changes to terms and conditions | 1 month’s notice of price changes |
| | Regulatory approval of “non beneficial” changes | “Fair and reasonable” terms and conditions for universal services |
| Royal Mail “retail”, e.g. products bought directly from Royal Mail including all bulk mail products | 3 months’ notice of price changes | None |
| | 3 months’ notice of changes to terms and conditions | None |
| | Regulatory approval of “non beneficial” changes | No requirement |
74. What is changing?
Terms and conditions - implications
• Pricing changes could be more frequent
• Product specifications changed at short
notice – “beneficial and non-beneficial”
• No formal appeals process
75. What is changing?
Return to sender
• Currently in product specs but no
requirement
• Chargeable option in future?
Quality of Service
• No obligation to do this for services
outside Universal service
• Will RM continue?
• Will they make public?
• Research and private monitoring?
76. VAT
• Historically post VAT exempt
• TNT challenge
– ECJ ruling
• “Services for the public good”
• Individually negotiated prices
– HMRC interpretation
• USO exempt
• Services subject to price control
• DSA “Agency agreements”
77. VAT
• Some services already subject to
VAT
• RM “Retail” services outside USO
subject to VAT from 27/3/2012
– All bulk mail
– Standard account mail
• RM “Wholesale” subject to some
“price control”
– 2nd class letters and large letters VAT
exempt
78. VAT
| | Royal Mail Retail | Royal Mail Wholesale |
|---|---|---|
| Subject to VAT | All bulk mail. All standard account mail. Business mail. Packets through account, Packetpost, Packetsort. Response services. International contract services to EU countries. | All services except “standard” 2nd class letters and large letters |
| VAT Exempt | 1st and 2nd class stamped mail. Metered mail through single piece account. Special delivery not through account. | “standard”, i.e. 2nd class letters and large letters |
79. VAT mitigation
• RM “single piece” account
• DSA competitors – but only 2nd
class letters/large letters
• Beware of “single source”!
– Used with VAT exempt print
– What is an “ancillary” service?
– Supply of “goods” or “service”
– Risk of severe penalties!
80. Summary
• Postal Market very different after
April
– Scale and pace of change
• More complex but opportunities for
postal users
• Help and advice available
81. We hope you enjoyed today’s session
Presentations will be emailed to you
tomorrow.
A final thank you to all of today’s
speakers:
Janine Paterson, DMA
Caroline Roberts, DMA
Alex Walsh, DMA
Please return your completed evaluation forms and badges to
the registration desk. We look forward to seeing you again!