brussels_eprivacy_v3

The ePrivacy Directive Review was held in the European parliament in Brussels yesterday. In attendance were hundreds of industry colleagues from around Europe including DHL, Nielsen, The DMA, Amazon, P&G, and of course – Digitonic.

The review of the ePrivacy Directive concerns the processing of personal data and the protection of privacy in the electronic communications sector. It will affect every digital business – some more than others – but often with far reaching consequences for existing business models.

The objective is to rebalance the landscape between consumers and industry, without over protection, over regulation, or crossing between other regulations (such as GDPR); a “challenging directive” which will be “difficult to get right”, admitted Claire Bury, Deputy Director General of DG Connect at the European Commission. However, the ePrivacy Directive will become aligned in both scope and principles with the existing GDPR.

It is clearer than ever that data is now essential for business, and with rising knowledge from consumers regarding the scale of data sharing practices from big businesses, the move to make GDPR specific for this sector via ePrivacy should be welcomed by the European end-user.

However, this move to “support innovation” via an evolution of current legislation requires businesses to make certain guarantees to the end user regarding use of their data. Simultaneously, the ePrivacy Directive evolves into a Regulation. Perhaps unsurprisingly, the enhancements look set to be resisted by industry during these consultative stages.

That said, it is hard to argue against the key principles being outlined – that privacy must be guaranteed on content and metadata, as well as the confidentiality of the device. To put this into perspective, the Commission noted research that highlighted 92% of consumers expect this level of privacy even as things stand today.

If we look at the direction of travel on this topic, we are heading for a space where consumers will be asked to make an informed choice as to how their information is used. However, this choice can only be made once businesses become more transparent about how they use consumer data.

But choice cannot be uniform – for example, relying on browsers to “accept all” or “reject all” parameters is not a solution that respects the needs of neither business nor consumer. However, with flexibility comes risk; risk that publishers will make access to online content be cookie-dependent. Even with transparency into how that cookie data is then used, the owner of this “choice” is not neutral.

The Commission also said that transparency cannot be confused with a verbose recital of terms. For those in the direct marketing space post-GDPR, this is not new. To quantify this the Commission presented findings that many of us will be able to relate to. They say that the combined Terms and Conditions on all the apps on the average consumer’s mobile device will take 31 hours to read. Today’s Terms and Conditions then, are considered anti-consumer.

So where does this leave us? It is clear there are many laps left towards a legislative text that has considered all the usability nuances of real world implementation. It is my hope that further industry consultation takes place quickly.

Whilst pseudonymisation provides some flexibility regarding data processing, it is not in itself a new data category – merely a technique towards better data protection during processing (Pseudonymised data is still personal data, claims Axel Voss, MEP).

Most of the thinking and discussion on ePrivacy has so far focused on cookies. But, it is important to remember this regulation will also cover IoT and machine-to-machine communication.

Digitonic still believes that a user’s MAC address is personally identifiable information, and it would be wise to understand consumer attitudes to privacy before processing this type of information without an end user’s consent.

Consider recent research in the Netherlands and presented by the Dutch DMA, (research which was based around the UK DMA’s own papers on this subject in 2012 and 2015) in which consumers – perhaps surprisingly – categorise their IP address amongst their most sensitive personal information (alongside for example, financial or medical information). Dutch consumers believe an IP address is more sensitive by far than Name, Postcode or E-mail address. Is MAC address really that much different to IP address, in practice?

The future is promising for consent-based marketing, provided marketers and organisations understand and respect consumer attitudes to privacy. At Digitonic, we will always study any regulation that affects how we handle data on behalf of our clients, or within our products. Our Entr on-location analytics product is designed specifically to only work with fully permissioned end user data, including the MAC address, and we are confident this compliance-focused approach provides mutual benefit to the end user and location operator alike.

We are pleased to return from Brussels with a clear view on where our industry’s regulatory landscape is heading, and are confident Digitonic remains ahead of the curve when it comes to organisational attitude to implementing legislative change.

We view compliance on the basis of requiring continual improvement, and so it seems fitting to end this piece with an anecdote provided by Axel Voss MEP which perhaps sums up the entire discussion: If you always do what you have always done, then you will always get what you have always got.