
    Feature

    Comment: New EU e-Privacy Legislation – Why You Should Act Now

    10 November 2011
    George Thompson, KPMG

    George Thompson of KPMG IT Advisory explains why companies should act now in response to new e-privacy legislation, and the organizational and technical steps to consider

    Advertising models have changed dramatically in recent years, moving away from traditional methods such as direct mail toward highly targeted online approaches. This has led to an increase in tracking online consumer behavior to improve the effectiveness of advertising and marketing spend. In return, consumers should benefit from a more relevant online experience.

    Tracking online shopping and browsing habits is big business. It also requires the collection of large amounts of personal data, which has led to increasing scrutiny and now regulation. In May 2011, the UK implemented the amended EU e-Privacy Directive, which covers cookies and similar technologies used to track consumers online, through changes to the Privacy and Electronic Communications Regulations.

    It sounds dramatic, but the EU regards storing information on a user's device, or reading information back from it, without prior consent as a violation of the user's right to privacy. The exceptions are narrow: information needed solely to carry a communication over the network, and information “strictly necessary” for a service the user has explicitly requested. In all other cases consent is needed to collect, store and process this information, even when it is sent back to other servers – for example, in advertising tracking applications.

    Digital inclusion is a priority for the UK government. National access to the internet is seen as vital to future economic success and competitiveness. As a result, people need to be adequately protected from any abuse of their data.

    The e-Privacy Directive has considerable implications for any organization looking to use cookies online. As such, the Information Commissioner has given companies until May 2012 to comply with the regulations. Yet, there remains an air of mystery around what this really means for UK PLC.

    The Information Commissioner is taking a “light touch” approach to enforcement. By no means does this give companies a license to rest on their laurels. On the contrary, they should use this time to identify and implement the organizational and technical changes needed to comply with the regulations. They need to be ready when the Information Commissioner comes knocking.

    In order to achieve this, they must keep track of any announcements from the Information Commissioner's Office (ICO) such as the recent amalgamation of its guidance. They must also review their processes and prioritize any remedial actions. Following are some steps to consider.

    Compiling an Inventory

    Companies need to understand their risk exposure. This will determine the likely level of action required, and show the ICO in good faith that the company is taking the new law seriously. While this may sound like a weak argument for investment, the ICO is likely only to investigate cases of negligence or bad faith, and it might yet come under pressure from the EU to take a stricter line.

    Companies can do this by compiling an inventory of all of the cookies across their websites, including those set by third-party scripts and embedded content loaded on those pages, since the rules cover anything stored on the user's device rather than only cookies the company's own servers set. The cookies are then classified so that marketing and advertising cookies can be segregated from strictly necessary ones. This is also a good opportunity to retire any dormant websites and ensure that all others are adequately patched and maintained.

    Identifying Consent

    There are various mechanisms available for gaining permission to use cookies. However, they do not all comply with the new law.

    Organizations need to identify the methods they use to gain and record consent for all cookies and determine where their practices fall short. This will enable them to build a remediation strategy based on different levels of priority.

    Gaining Explicit Consent

    Companies now need to build mechanisms that give users a choice about whether or not to allow cookies on their first and future visits to a website. This implies that it is not sufficient to rely on the small print in a website’s terms and conditions, read by only the most diligent users.

    For many organizations, this is made more complex by the use of third-party web service providers. Organizations must take reasonable steps to ensure that the third parties comply with the e-Privacy Directive. They must also keep track of new browser features and developments in web server software.
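    The two technical steps above, building the cookie inventory and gating non-essential cookies on recorded consent, can be prototyped in a few dozen lines. The following is an added example written for this page; it is not code from the article or from KPMG. It parses Set-Cookie headers captured while browsing the site into an inventory that flags third-party and persistent cookies, and then filters a response's Set-Cookie headers so that only strictly necessary cookies are set until the visitor's consent covers the rest. The cookie names, the purpose table, the `cookie_consent` cookie format and the sample captures are all constructed assumptions for illustration.

```python
"""Cookie inventory and consent gate (added example, not from the article)."""
from urllib.parse import urlparse

# Assumed classification table; a real one comes from the site's own audit.
PURPOSE_BY_NAME = {
    "JSESSIONID": "strictly_necessary",      # login session
    "csrftoken": "strictly_necessary",       # request-forgery defence
    "cookie_consent": "strictly_necessary",  # records the consent choice itself
    "_ga": "analytics",
    "ad_id": "advertising",
}
CONSENT_COOKIE = "cookie_consent"  # assumed name; value like "analytics+advertising"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_first_party(cookie_domain, page_host):
    """A cookie is first-party if its domain is the page host or a parent of it."""
    domain = cookie_domain.lstrip(".").lower()
    return page_host == domain or page_host.endswith("." + domain)


def inventory_entry(page_url, header):
    """Build one inventory record from a Set-Cookie header seen on page_url."""
    name, _, attrs = parse_set_cookie(header)
    host = urlparse(page_url).hostname or ""
    domain = attrs.get("domain") or host
    return {
        "name": name,
        "domain": domain.lstrip("."),
        "page": page_url,
        "first_party": is_first_party(domain, host),
        "persistent": "expires" in attrs or "max-age" in attrs,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "purpose": PURPOSE_BY_NAME.get(name, "unclassified"),
    }


def build_inventory(captures):
    """captures: iterable of (page_url, set_cookie_header).
    Returns records de-duplicated by (name, domain), sorted by purpose."""
    seen = {}
    for page_url, header in captures:
        entry = inventory_entry(page_url, header)
        seen.setdefault((entry["name"], entry["domain"]), entry)
    return sorted(seen.values(), key=lambda e: (e["purpose"], e["name"]))


def consented_purposes(request_cookie_header):
    """Read the purposes the visitor agreed to from the request's Cookie header."""
    for part in request_cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == CONSENT_COOKIE:
            return {p for p in value.split("+") if p}
    return set()  # no consent recorded yet


def filter_set_cookies(set_cookie_headers, request_cookie_header):
    """Return (allowed, blocked). Strictly necessary cookies always pass; others
    pass only with consent; unclassified cookies are blocked (fail closed),
    since a cookie nobody has classified cannot be shown to be necessary."""
    allowed_purposes = consented_purposes(request_cookie_header)
    allowed, blocked = [], []
    for header in set_cookie_headers:
        name, _, _ = parse_set_cookie(header)
        purpose = PURPOSE_BY_NAME.get(name, "unclassified")
        if purpose == "strictly_necessary" or purpose in allowed_purposes:
            allowed.append(header)
        else:
            blocked.append(header)
    return allowed, blocked


# Constructed sample captures (not real traffic).
SAMPLE_CAPTURES = [
    ("https://www.example.com/", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.com/", "_ga=GA1.2.1; Domain=.example.com; Max-Age=63072000"),
    ("https://www.example.com/offers",
     "ad_id=xyz; Domain=.ads-network.example; Expires=Wed, 09 Jun 2021 10:18:14 GMT"),
    ("https://www.example.com/offers", "_ga=GA1.2.1; Domain=.example.com; Max-Age=63072000"),
    ("https://shop.example.com/", "basket_ref=42; Path=/"),
]

if __name__ == "__main__":
    for entry in build_inventory(SAMPLE_CAPTURES):
        print(entry)
    kept, dropped = filter_set_cookies([h for _, h in SAMPLE_CAPTURES], "cookie_consent=analytics")
    print("allowed:", kept)
    print("blocked:", dropped)
```

    Two design points matter in practice. The inventory must be built from captured traffic, not from the company's own server configuration, because the third-party cookies the article warns about are set by scripts the company does not write. And the gate fails closed: a cookie that appears on the site but not in the classification table is blocked rather than allowed, so an audit gap becomes visible as broken functionality instead of as an unconsented cookie.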

    Gaining Company-wide Support

    Companies may have until May 2012 to comply, but this is a short timeframe to achieve everything that is required to get their houses in order. An effective way to accelerate this is by gaining company-wide support for e-privacy objectives. An IT-led approach is less likely to succeed than one that is also sponsored by the legal department and risk managers, for example.

    This cross-departmental involvement may raise a few eyebrows from budget holders, but businesses have always been required to gain consent from consumers to use their information. It was only a matter of time before this was extended to the web.

    Act Now

    The implications of failing to comply could be severely disruptive, potentially damaging trust and reputation, not to mention causing financial loss. It follows that a frontrunner is likely to gain a significant marketing advantage.

    Now more than ever, it pays to be ready for regulation. Companies’ actions today will continue to count for years to come.


    George Thompson’s security experience covers the spectrum of security, including corporate security policy and governance, IT security policy, procedures and standards, security process and technology, application security, and security architecture development and deployment. He has management experience of a number of security businesses, including consulting and application development, and has acted as interim CISO for clients. He has over 30 years of experience in the IT, security and networking industries and has been a director at KPMG since 2004. George is married with two children and is a keen competitive sailor.

    This article is featured in:
    Compliance and Policy  • Internet and Network Security


    Comments

    @minabird says:

    23 November 2011
    A clear exposition of the issue.
    There has been too much focus on audits and not enough on technology to comply. We have developed an off-the-shelf solution for any web site publisher to rapidly comply. It features an opt-in button and optional reminder banner, and manages visitors' cookie choices. We also offer a free detailed cookie audit and customisation service where required. See http://CookieQ.com

    TheCookieCrunch says:

    16 November 2011
    This is a very measured and informative article. For anyone who is interested in compiling their own inventory of cookies, and who is looking for a solution to become compliant with the new law, take a look at: http://www.cookielaw.org
