Digital Forecast: A Data-Protection Storm Is Brewing In Europe
As regulators debate the new cookie law for Europe, columnist Rob Rasko explains who wins and who loses and how the expected outcome will affect some U.S. companies.
If you are like me and keep a close eye on all things related to the future of digital media, then you may remember a conversation from the late spring of 2012 when the Dutch government enacted a law that strictly defined the use of digital cookies.
At the time, there were fears that this law would be spread and adopted all over Europe with effects reaching the U.S. (For some more background, this story does a great job of defining the law enacted in 2012.)
You also may have heard about the great “Do Not Track” debates in the U.S. in 2013 — which then got quieter, and folks rallied around the Digital Advertising Alliance (DAA) and the opt-out system. (More information can be found at Your AdChoices.)
However, apparently in Europe the conversation has carried on much longer without a definitive conclusion. But one is coming…
In the European Union, regulators have spent the last three years “educating” themselves about the issue, and recently decided that they’ve learned enough and now is the time to legislate. This month in Brussels, the major leaders heading the Internet security debate will get together to hold a final negotiation, or “trilogues,” which will lay the groundwork for what will become the new cookie law for Europe.
This regulation is set to be finalized by the end of the year and enacted as law by the spring of 2016. All member states will have two years to interpret and adopt the law for their own markets. However, that “interpretation” process will allow for very little wiggle room.
Get Up To Speed On The Terms And Issues
Some key terms and issues digital media professionals should be aware of:
Implicit Consent: In order for a company to obtain implicit consent, it would have to get a user to opt in or agree in advance to terms regarding data usage before a cookie is ever used.
Article 7 of EU Directive 95/46/EC – The Data Protection Directive: If you haven’t already, take a look at the language for the pending legislation currently under review by Parliament. Section II, covering how data processing will be made legitimate, reads that personal data may be processed only if “the data subject has unambiguously given his consent.”
Basically, this means individuals will have to give permission in advance to see targeted digital advertising. Additionally, third-party ad servers will need to prove that consent was in fact given.
Data Type Blindness: Here is a question: Do you think there is a difference between your health care data, such as medical records, and data that is used to help make Internet devices function properly? Yeah, me too — although the legislation currently in the works doesn’t seem to reflect this sentiment.
The law is shaping up to treat all data the same, regardless of what it represents, giving a blanket solution to a complex issue with many nuances that require individualized consideration.
Who Wins And Who Loses?
Who are the biggest losers in this conversation?
In my opinion, it will be the companies that run the technology systems or have any third-party advertising businesses. Those two groups will have the hardest time collecting implicit consent from each and every user they come in contact with, making them the most vulnerable to the effects of this pending legislation.
Basically, it will be illegal to do retargeting or use any type of machine cookie to help run the systems without this implicit consent. Without naming names, it’s not too hard to draw your own conclusions on what companies I am talking about.
During a recent panel discussion, I saw a deputy to one of the ministers of the EU countries speak on this issue. He outlined the timeline of this legislation’s expected progression, stating quite clearly that we will have a law by early 2016, following the past three years during which regulators have spent considering the problem.
If you ask me, these regulators are still confused about the ramifications of this blanketed “solution” and have not yet come to understand that there are various types of data in this discussion which require different levels of privacy considerations. To treat cookies which are used for retargeting in the same manner as personal health care data doesn’t make any sense.
As an industry, we have some teaching to do, and hopefully we can make an impression.