Association of online publishers Helping media owners build better digital business

Preparing for the EU Privacy Directive

Ghostery
Evidon helps businesses and customers understand and control data online, and operates the Ghostery browser extension, as well as serving ‘ad choices’ notices on online ads across the US and across Europe. This is the second in a series of articles by Evidon for us, read the first - what’s on the slate for 2012. Evidon will be speaking at our online privacy event on 18 April - book your place.

Colin O'Malley
By Colin O'Malley, Chief Strategy Officer, Evidon While much remains uncertain, the Commission and several regulators, including Data Protection Agencies (DPAs) in the UK and the Netherlands, have made it very clear that companies must take concrete action and that this law will be enforced shortly.  Fortunately, there are practical steps that companies can take now to prepare: A. Understand all tracking technologies on your own site The ICO and CNIL (the French DPA) have both listed a comprehensive tracking audit as your first step, even before you worry about consent.  Having this process in place will also buy you some time should a regulator come knocking.  Set up a system to regularly monitor and audit all the code on your sites.  This should be more than just a “cookie audit”.  In fact, the term "cookie audit", while increasingly commonplace, is misleading: much of the tracking covered by the Directive doesn’t use cookies at all.  You need to know the actual scripts that run on your pages.  For this reason, you should be wary of auditing solutions that audit cookie-based tracking, but ignore other forms of targeting.  The same is also true for analytics and targeting solutions that claim to be compliant because they are “cookie free”, but which track individuals through other means (e.g. digital fingerprinting, LSOs or similar methods).  The message is simple: If a company is tracking on your website, you must disclose this and obtain consent, cookies or no cookies.  If you haven’t obtained a full tracking audit recently, be sure this is your first step.  You’ll be surprised by the results.  Once complete, you’ll need to categorise each tracker as essential or non-essential, and then rank them on a scale of relative intrusiveness. B. If you engage in any online behavioural advertising, be sure to join the IAB’s self-regulatory programme The programme is taking its hits right now, but it still leverages an icon with significant and growing global mindshare, and many regulators, including the ICO, believe it has a role to play. C. Build out your consent model Details here will vary based on your business model, your vision of the ideal consumer experience, and the patience your organisation has to manage varying consent standards in an effort to preserve implied consent for the markets where this will be the accepted standard.  Of course, if you are domiciled in the EU, at least you can focus on the likely standard in one particular territory.  The most important take home is that you need to start planning your consent strategy now, gathering buy-in from marketing and privacy teams, and preparing a rollout plan.  You’ll need to make sure that your consent model applies whenever there is a touch point with the consumer, including on your own site, in online ads, and on mobile devices. These steps help you manage your data strategy much more closely, and help you bridge the information gap with your users.  Most importantly, with enforcement coming soon, they are clear action items that will prepare your company for the changes to come.

More on our EU Directive event here.

Join the AOP group on LinkedIn - open for all Members to join
Subscribe to AOP's e-newsletter.

Leave your comments