For more information please contact James Tumbridge and Robert Peake.
We need digital reform to help non-profits
There is an issue with direct marketing that flows from the interpretation of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) – it precludes unsolicited direct marketing communication by digital means such as email or text – and it disproportionately harms not-for-profit entities.
Commercial entities have an exception. We often argue it should apply to non-profits too, but generally the Regulator disagrees with the premise. The exception means that someone sending a marketing communication does not need prior consent where the contact details were obtained in the course of a sale, or negotiations for the sale, of products or services. This leads to a focus on the commercial selling element, and sadly little focus on the meaning of ‘marketing.’ This exception to the general consent requirement is often called the soft opt-in – a term that does not exist in the law.
The issue, then, is that non-profit organisations, which do not have a commercial focus, are told they cannot rely on this exemption. The Information Commissioner has said that promotional communications sent by such non-profits do not constitute marketing (and the Information Tribunal upheld this approach in 2006, when the Scottish National Party used a pre-recorded message from Sean Connery that was robo-called to people across Scotland).
PECR is an EU-derived law that the UK can depart from, and the interpretation of marketing could be helpfully clarified with regard to e-communications. The last UK Government was going to address this in the Data Protection and Digital Information Bill, but the election meant it never became law. The proposal to address this issue was to clarify the meaning of direct marketing so that it was clear that use of a recipient’s address solely for the purpose of furthering a charitable, political or other non-commercial objective of the sender was permitted. There is the potential for this to be brought into law by the new Government, and we are watching to see whether the proposal is adopted.
ICO threatens to fine software supplier following health data breach
In August, the UK ICO issued a preliminary fine to an IT company following a large breach of NHS patient data. The ransomware attack in 2022 resulted in the exfiltration of personal data belonging to over 80,000 patients, including names, phone numbers and medical records, as well as instructions for accessing the homes of 890 patients who were receiving medical care at home.
The cyber attack exploited the systems of NHS software service provider Advanced Computer Software Group (‘ACS’), gaining access via an ACS customer account for which two-factor authentication was not enabled. The attack caused widespread disruption to patient care, with NHS doctors having to resort to paper-based note taking and files whilst systems were recovered.
The ICO announced a provisional fine of £6m against ACS for failing to implement appropriate measures to protect personal data. ACS will have the opportunity to make representations seeking to challenge the finding and/or reduce the level of fine to be imposed.
The incident recalls the £20m fine issued against British Airways in 2020, following a data breach which also resulted from lacklustre data security practices.
Third party cookies live to see another day after Google U-turn
The online advertising ecosystem relies heavily on cookies dropped on users’ web browsers, data from which powers the real-time bidding (RTB) process that governs the placement of ads on webpages as they load. The use of cookies is governed principally in the UK by the Privacy and Electronic Communications Regulations (PECR), which apply to the storing of data on a user’s device, or accessing data already stored on a device; the key requirement is that a user’s consent must be obtained before cookies (or analogous technologies such as pixels) are deployed, save where they are strictly necessary for technical reasons (e.g. for a webpage to display properly).
The requirement for consent under the PECR has been met with the ubiquitous ‘cookie pop-ups’ that we face whenever navigating to a webpage. The RTB process allows advertisers to serve tailored advertising to users, based on data gathered from cookies, which may be combined with additional data; these may be cookies placed by the website visited (first party) or another service (third party). The latter form of cookie has typically been the most contentious, as users were not aware (and did not expect) that a service unconnected with the website they were visiting would be ‘tracking’ their online activities in such a way.
In 2020, Google announced its intention to phase out third party cookies for its Chrome browser. Google’s plan was to replace reliance on third party cookies with a less privacy-invasive mechanism known as its Privacy Sandbox, which was intended to allow similar functionality and the serving of personalised ads without processing users’ personal data. Google’s announcement was met with very vocal resistance from the online ad industry, and the target date for the change was postponed to the end of 2024.
Toward the end of July 2024, Google announced that the planned ‘deprecation’ of third party cookies in its Chrome browser was being suspended. In its announcement, Google noted the role of feedback from ‘a wide variety of stakeholders’ including regulators, explicitly naming the UK’s Competition and Markets Authority (CMA) and the ICO. As the ICO had appeared broadly supportive of the privacy-enhancing approach of the Privacy Sandbox over third party cookies, it would appear that the CMA was the regulator whose view was persuasive. Google is by far the dominant web browser provider for UK users, and opponents of the plan to abandon third party cookies forcefully noted that moving to the Privacy Sandbox approach would further entrench Google’s dominant position.
Google is also facing heightened competition pressure in the US, with a Colorado court finding in early August 2024 that Google’s longstanding agreement with Apple under which Google search was the default for Apple device users was in fact monopolistic, and therefore illegal.