EU e-Privacy: Can Cookies be bad for health?
For quite a long time, the majority of people have used websites blissfully unaware of the level to which their online habits could be used to develop a profile by advertisers, companies and governments; information which might be the basis of targeting with customised messages or observation.
No pun intended, but ‘Target’ (a discount store chain) recently made waves in the media when it became clear that their ability to mine customer information from multiple channels had helped them to identify that a father’s daughter was pregnant before he himself knew about it.
While this instance was not necessarily about online shopping, the concept of gleaning customer relationship management data is familiar – even more so when using website technology. This may not particularly bother someone who is using Amazon to buy some books, however when it comes to health information, many people consider this to be one of the most important, personal and sensitive areas of our lives. Individuals will often choose carefully how and when they reveal detail about conditions or illnesses that they may be experiencing. The idea that a company might send an email to congratulate you on your pregnancy – even potentially before you yourself became aware of it – is either disturbing, or exciting, depending on your attitude to technology and privacy.
So with that in mind, let’s now take a closer look at ‘Cookies’ and the importance of understanding their use in relation to health information websites in Europe.
What is a ‘cookie’ and why does it matter?
I suppose a good question to start with is: Do you really know what a ‘cookie’ is and how it works?
Cookies are arguably indispensable in the operation of most modern websites. They may for instance be necessary to store personal preference information or potentially to track behavioural activity so as to build a comprehensive customer profile. From a website operation point of view, they are a fantastic solution for providing a user-friendly customer experience.
Over the past few years the variety of functions that cookies can perform has become an aspect of online data storage in general that European legislators felt needed attention, culminating in amendments to Directive 2002/58/EC. These amendments require website owners to be very clear about if and how data is being stored, even if it may be in a cookie. Here is the key extract from Article (5)3 (underline and highlight added for emphasis):
“Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”
Cookies and multi-channel marketing
Pharmaceutical companies are, like most digitally-enabled information providers, increasingly looking to integrate touch-points and measurement across multiple channels and campaigns. One way of achieving this is through the use of tracking cookies. It is not always an easy thing to do in practice, yet even when successful in an approach for implementation, a brand can then still face new hurdles around a person’s individual privacy preference.
Cookies in a local country implementation
As with all European Directives, member states consider the adaptation for their own legislation.
Using the United Kingdom as an example, amendments to Article (5)3 are further clarified in the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. In particular, the impact for online communication is seen here:
6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment—
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information–
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
So in this implementation of legislation, it is a requirement that no storage of information takes place without the person’s express consent – unless it is a technical transmission need, or has been specifically requested by the user. This is important; if a person requests information or a service that can only be achieved through the storing of personal information, then they have given implicit consent. Additionally, it can be argued from (3A) that if they have amended settings in their browser to accept or reject cookies, they have also given implicit consent.
That said; you will in every case want to speak with your own legal and medical colleagues to be sure that you have carefully understood the implications and definitions in respect to a particular initiative. It will largely depend on the sensitivity of the information that is being stored. The key insight is that as a Brand Manager or Project Owner it is your responsibility to ensure that the right questions are being asked of your creative agency or website developer on this matter.
The requirements and penalties of non-compliance
If we continue with the example of the United Kingdom, the officially amended legislation came into effect from the 26th May 2011. However, businesses and organisations were given a 12 month grace period to update privacy policies and technical functionality.
It is now one year later, and from the 26th May 2012, the UK law is in force and has penalties should a company be found in breach. The maximum penalty is £500,000 per instance – which could well be costly if the proverbial ‘house is not in order’. Now is the time, if you haven’t already, to take stock of existing and planned digital assets to ensure they remain compliant. Given the care that the pharmaceutical industry takes in developing appropriate initiatives, for the most part the so-called ‘cookie-law’ may have little impact at all!
Next steps for compliance
- If your organisation does not already have one, commission an audit and develop a ‘living’ digital asset inventory (DAI) of all online or digital properties which have been sponsored, funded, or are managed by your company. This is the best way to keep account of what is online, whether it is compliant, and has the added benefit of enabling very quick identification of say ‘all facebook pages’ or ‘all Twitter accounts’ should a 3rd party technology change mean that you need to amend the functional or legal aspects of your digital assets.
- Review all privacy policies and functional specifications together with your external agencies or internal technology experts, and of course your legal team, to ensure that you have addressed the amendments as implemented in your member state, based on how intrusive the usage is.
- If you would like assistance in the area of implementing measurement and conversion tracking across multiple channels, talk to one of our strategic consultant team.
More information and references:
- DIRECTIVE 2002/58/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July 2002 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:201:0037:0047:EN:PDF
- The EU Cookie Law: A guide to compliance
- How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/
- The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011