×

Evidon UK MD Damian Scragg Discusses the ePrivacy Directive

Damian Scragg, Managing Director for Evidon UK discusses the ePrivacy Directive, what impact the European initiative will have on the APAC region and what's in store for mobile privacy.

Evidon’s ad and site notice is now available in 40 countries and 39 local languages. What has been key to this growth? What is differentiating Evidon in all these markets? Or is a lot of this driven by global deals?

Enhanced notice on websites is becoming the commercial standard globally. This was first driven by our global clients, who wanted to comply with self-regulatory standards in the US and the ePrivacy Directive here in Europe. However, increasingly, web publishers and brands are beginning to see this as a clear best practice everywhere, including in markets where the standard has not become a requirement.

Working with the largest publishers and brands has certainly helped us to engage in these conversations on a global level, but we’ve also invested heavily in local markets to help us understand, and where possible, help shape what is required. There is no single solution that works across markets, even within Europe, as we’ve seen vividly this year.

What is the relationship between the icon and the Directive, and do companies need to be thinking about both?

The AdChoices icon and the Directive are really quite separate, and I know this has been confusing to many. In short: yes. You need to be thinking about both, as a solution for one does not usually satisfy the other.

The icon in an ad indicates that a company is compliant with the Self-Regulatory Programme for Online Behavioural Advertising that is endorsed by the associations and managed by the EDAA. If you are a 3rd party engaged in ad targeting, or an advertiser that buys targeted inventory like retargeting campaigns, you need to be sure that the icon is running on all of your ads where ad targeting is taking place or where related data collection is taking place. In most cases, this will mean licensing the icon from the EDAA and using technology to deploy the icon properly on ads.

The ePrivacy Directive has become law in the UK, and most of the other major markets in Europe, and applies to every page and ad on the commercial Internet. It requires consent, a higher standard than the icon, and it applies to virtually all data collection, rather than just data for ad targeting.
To comply, you need to obtain a tracking audit and implement consent tools on your site. Incorporating the icon on your ads is an additional step that you will need to take if you are involved in ad targeting.

What is the state of compliance in the UK, and is the ICO content? What about other markets in Europe?
We have made a remarkable amount of progress here in the UK, particularly over the summer, with many of the largest sites including Reuters, Nectar, BBC and BT elevating discussions about online data use to a completely new level of prominence.

Companies in the UK have taken compliance more seriously than in any other market across Europe. If you are based in the UK and you have not yet done anything, you are now beginning to stand apart from the crowd and are vulnerable to formal action from the ICO.

The questions now are really a) how literal the ICO will take the ‘consent’ standard piece of the law; and b) how other countries will approach their own versions of the law.

The ICO has so far been very tolerant of enhanced notice systems that fall well short of even an ‘implied consent’ standard. Strictly speaking, this wouldn’t meet a lawyer’s read of the law. Does the ICO mean for this to be acceptable, or are we in an interim phase, where additional pressure will force true compliance? We should know by early next year.

Across the Channel, all eyes are on The Netherlands, where a much stricter version of the law that requires ‘explicit, prior consent,’ i.e., a user’s proactive decision to allow tracking before navigating a site, will be enforced by perhaps the most vocal regulator in Europe beginning in January. How many pan-EU companies will develop systems to respond to this requirement, and will their compliance efforts bleed over into other markets? If the Dutch regulators are successful, will this put pressure on other regulators, including the French, Spanish, or even the ICO?

Over the summer, everyone was ordering tracking audits ('cookie audits'). What are companies doing with that information?

We’ve performed tracking audits for dozens of companies in the UK, initially in response to ICO instructions, and the audits have contributed to a new corporate awareness of the performance toll and other commercial implications of modern tracking activity, some of which is unauthorised. We’re now seeing a clear pattern where organisations end up holding cross-functional discussions, including privacy, marketing and IT, to better understand exactly who is collecting data, to remediate any issues, and then to implement an intentional data strategy. We’ve developed a sophisticated system that utilises our unique Ghostery data to show companies how trackers get on their sites, and alerting systems to give companies clear and actionable information. Increasingly, the true client of the tracking audit is now IT, rather than privacy.

What do you see on the horizon for the UK and Europe for the next 6-12 months in terms of privacy and transparency online?

The ePrivacy Directive will continue to unfold across Europe, this time with a focus on corporate compliance in markets outside of the UK, with potential ripple effects back and forth across markets. I don’t think anyone knows exactly how this will play out, but Evidon will be there to be sure that companies can do whatever is required and that implementation and management are as easy as possible.
The revised Data Protection Directive will continue to be debated, with important implications like an explicit consent requirement for cookies across Europe and centralised enforcement; but expect these debates to have little impact on the ground until 2014 or beyond.

Do Not Track will continue to be hotly debated, though increasingly the standard appears to be tightly knotted around intractable policy questions and rival political factions. It’s not yet clear that DNT will be meaningfully adopted.

Finally, look for notice and choice to come to mobile in a big way in 2013. The groundwork is being laid now.

Is APAC being affected by this in the same way?

Asia in particular is an area where we have not yet seen the same standards for notice and choice set by trade associations or governments. However, we are beginning to see global brands taking these systems to some of the largest markets, like Japan. This is partially because they have come to believe that consumers now have an expectation for notice and choice, and also because they see this as an opportunity to be proactive. Demonstrating that industry can credibly resolve privacy issues in advance of regulatory pressure can help them avoid what happened here in Europe.

How is mobile being targeted by the privacy advocates? What solutions do Evidon have regarding mobile?
Consumer expectations on mobile are no different than anywhere else. They expect notice when their data is being used and a means to opt-out if they don’t like it. To date, it has just been a lot harder for the market to deliver the goods on mobile privacy. Some of this has to do with the small size of the device and some of this is related to the insufficiency of cookie-based opt-out systems, which are far more effective on the desktop internet.

All of this is beginning to change. The DAA in the US is in the midst of drafting mobile principles, so you can expect formal guidelines to emerge requiring notice and choice in the next six months. Evidon is now live with mobile-optimised notice and choice systems using the industry’s icon with several of the largest ad networks in mobile, including Tapad and JumpTap. We’re approaching a tipping point, and we expect mobile privacy systems to feel mainstream in 2013.