Cookies, Tracking, current laws and the future
Earlier this week I wrote about how organisations should start gearing up for the challenges and opportunities of the forthcoming Data Protection Regulation by looking at how well they are complying with current principles, and in particular what they can learn from the mistakes of others as set out in the Annual Reports of the Data Protection Commissioner (if in Ireland) or the relevant Data Protection Authorities (e.g. the ICO in the UK).
This should be approached as a “quality systems” problem – with an emphasis on continuous improvement and making incremental changes over time rather than trying to push for a “big bang” fix. The latter approach won’t work.
In parallel with that line of thinking, I’ve been in deep strategy mode in relation to Castlebridge Associates and how our approach to marketing and communicating might need to evolve to meet the challenges of today and the opportunities of tomorrow. This was in part trigged by my involvement in a number of audits, green field projects, and reviews of the Data Protection Regulation over the past few months. In particular questions that have arisen about the scope and extent of some of the provisions ofthe Regulation had me assessing emarketing in the context of SI336 (which enacts the ePrivacy Directive in Ireland).
Email issues and the ePrivacy Directive
The ePrivacy Directive is often referred to as the Cookies Directive. Of course, the requirement for consent to be obtained when writing cookies to the devices of customers unless that cookie is essential to the service the customer is seeking to avail of is a well known aspect of that legislation. However the rules don’t apply to just web sites. Tracking of email marketing using cookies, web beacons or similar techniques is covered by the regulations. So too would be the use of Google Analytics or other analytics tools to track the actions of people after they’ve opened your email.
But these metrics are very important for the evaluation of email marketing. They help marketers refine their offerings and messages to reduce the “irritation factor”. But they require the processing of personal data, they require the systematic monitoring of identifiable people, and they often use technologies and techniques that require consent now.
It could be argued that anyone getting email marketing in this day and age should expect that there would be some level of tracking. However, the use of cookies would probably require consent (it’s not essential to the person getting or reading the email, rather it is of interest to the sender) so the “everyone should expect it” excuse won’t fly. Also any analytics use over and above what might be “reasonably expected” (such as tracking how a recipient interacts with your website) would probably require some up front disclosure to ensure you don’t fall foul of the “Fair Obtaining/Fair Processing” requirements under the Data Protection Acts and Directive 95/46/EC
So… what is a marketer to do?
Balance
The key here is to adopt a balanced approach and to
- Recognise the technology for what it is. I’m an advocate of defining things by the outcome not the mechanism. This means that you can be very technology agnostic. It stems from words of wisdom an old mentor had: “Define things as if the only technology you have is post-it notes, then you can move it into Lotus Notes or anything else a lot more effectively”. The technology here is writing data to a device or tracking personal data relating to an interaction with your organisation.
- Provide information. Sharing information with your customers when they sign upto the mailing list about tracking and how it works will make the processing fairer. It also means you have to take 30 seconds to think about how you might track their activties in order to generate a benefit for your organisation. Tell them, and let them make up their own minds.
- Provide an alternative mechanism. Web beacons and cookies are used with HTML emails for open tracking and other tracking. Plain text emails can’t be tracked in the same way. Even click through tracking in plain text requires (in most cases) the links to be routed through your mailing service provider. So… people will know that they are being tracked when they click a link and can choose not to (consent in the moment by a positive action). In this context it might be worth having a “non-tracked” link as well as the “tracked link” in your email.
Ultimately email tracking is an imperfect technology, even with cookies and web beacons. But a little bit of thought may help you make it more effective and more compliant.
Email Marketing and the Data Protection Regulation
The recently published Data Protection Regulation introduces a number of requirements for Data Controllers and Data Processors where they are engaged in “systematic monitoring” of data subjects. Among the requirements is the need to have a Data Protection Officer. Of course, “systematic monitoring” is not defined in the Regulation. However, open tracking, click through tracking, and further analytics is potentially within the scope of this concept.
Therefore, it may be that each organisation engaging in electronic marketing using tracking will need to have a Data Protection Officer, or it may be that service providers providing the platforms for that processing and tracking will require a DPO. Castlebridge Associates recommends that, regardless of the legislation, someone needs to be in charge of keeping the organisation honest.
However, the answer to the question has potential implications for the resourcing and management of Data Protection functions in organisations that use electronic marketing. The thing is… that answer isn’t available yet. And the need to comply with the Regulation has not yet manifested, regardless of the answer. But it would be intelligent at this stage for an organisation to nominate someone to be the consience of the organisation and develop skills in Data Protection Governance and start applying them to the organisation.
Just in case.
So.. what does this all mean?
Well, in pragmatic terms it means that organisations who are using electronic marketing should balance their efforts between getting their house in order for the requirements of today (which we’ve had here since July 2011) and putting in place structures and governance models to meet the challenges of tomorrow (the Data Protection Regulation).
Yes, the new Regulation has some significant changes proposed. But the key word is proposed. The focus of change in organisations at this point should be on the broad brush strokes of the Regulation. The fine detail that needs to be dealt with today is contained in the Data Protection Acts, (i.e. the current Data Protection Directive), and the ePrivacy Regulations.
Facing into these challenges with an eye to the broad scope of the Regulation will put organisations in a stronger position to make incremental changes as needed to meet the requirements of the final Data Protection Regulation when it is agreed, signed off, and in implementation. This will allow organisation to evolve their approach rather than having to jump in a crisis.