What actions do email marketers need to take?
The new cookie law is not really only about cookies; the law does not even mention cookies by name. Instead, its focus is improving consumer privacy and consumer awareness of how their information is used online.
15th May 2012 update: Since Tim wrote this post, the DMA have created new email marketing privacy guidance for email marketers with the IAB. Tim says the guidance is essentially the same as his interpretation of the law in this post. The DMA also have a downloadable guide for Email and cookie legislation.
The key change is in clause 6, which is headed Confidentiality of communications, of The Privacy and Electronic Communications Regulations (or its friendly name PECR).
Eight words were removed from sub-clause 1 so it now reads:
"6. —(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met".
and sub-clause 2b was changed to:
"(b) has given his or her consent"
Essentially, this changes the position from opt-out to opt-in.
The ICO guidance is that cookies and gif or web beacons used in email for open tracking technically fall under clause 6, as they 'store information on the terminal equipment of a subscriber', i.e. a file is stored on the user's computer (or other device used to access the internet).
However, the ICO does not consider strictly necessary cookies to be within the regulation, that is, consent is not needed for these. A strict, purely technical interpretation of the regulation would imply that even strictly necessary cookies do need consent.
To understand what the ICO expects of businesses, we need to step back from the technical definition and consider the intent of the regulation. The ICO's message has been consistent: the need to be open and transparent.
The ICO is doing the difficult job of balancing business needs and the law, basing their position on the intent of the regulation, to protect privacy and to promote openness and transparency.
Whilst analytics cookies are not considered strictly necessary, it does not follow that strict opt-in is necessary either. In an interview with ICO representative Dave Evans on the Econsultancy blog, he said:
The law does allow us some leeway, and if a company’s revenue would drop if it went for a strict opt-in, then we could look at different ways of educating users and gaining consent. Just because analytics cookies are caught by this law doesn’t mean a strict opt-in is necessary. It could, in some cases, be seen as an essential part of the relationship.
With this context I'll now focus on email marketing, as open tracking has been little covered, yet under a technical interpretation of the regulation it could be considered to be caught.
The purpose of open tracking is key
As with cookies, the question is one of what is the use and purpose of open tracking. To paraphrase the ICO's statement on not all cookies being equal, not all open tracking is equal.
If open tracking is reported upon in aggregate across all customers in a campaign and not used beyond reporting, then I can't see any way this can come under PECR. For the most part targeting and campaign optimisation is based on click or post-click activity, so open tracking is not an issue. It is just a reporting metric, which does raise the question of why bother even reporting it; that, however, is outside the scope of this article.
Take a different, theoretical case. Say a travel company spots that someone opens emails related to family holidays and sells that insight to a company for targeting of child investment products. This would bring open tracking within the regulation, as the privacy of the individual becomes a concern. I use this to illustrate the point, as I don't think anyone in the industry does anything even close to this with open tracking!
As with analytics cookies not necessarily needing strict opt-in, a consideration for open tracking is whether an email subscriber would likely expect and understand that a company would monitor their email engagement. Consumers are used to loyalty cards and the likes of Tesco working hard to understand each customer individually. Would email subscribers be surprised to know that companies work to get emails delivered, check that they did get delivered and monitor success by checking if emails are read? And that if an email is not read it might be re-sent to ensure it has reached the inbox? I think not.
Email is permission based anyway
An example of a signup statement that does this: "We work hard to avoid cluttering up your inbox by using technology to understand what we should send you, read how here."
Thus for new subscribers, regardless of whether you consider open tracking to be in or out of the regulation, best practice is to provide openness and transparency. Tell the customer what you are doing and you will be compliant now and future-proofed against any possible further strengthening of the regulation.
What of your current subscriber base?
What you do with your current subscriber base rests on two questions: to what purpose do you put open tracking, and would your subscribers reasonably expect that you are doing some tracking?
As already discussed above, it is not unreasonable to take the view that subscribers already understand that you measure the success of emails and use information about how recipients engage with the content to seek to improve relevance. Additionally, your current subscribers signed up and did not opt out of open tracking or cookies, so if this was reasonably communicated and you are just reporting on opens, there should be no issue in continuing as normal.
Returning again to the need for openness and transparency, the need here is to promote awareness of tracking use among your current subscriber base. This could be done by adding information to your pre-header to signpost this, much like the opt-in statement given above. Keep this in your pre-header until such time as it is reasonable to assume that all subscribers who read your emails have seen this information. Then it is acceptable to move this information to your email footer.
What could happen to me/us?
Whilst the ICO has the power to impose fines of up to £500K, this is only under extreme circumstances.
The ICO document 'Enforcing the revised Privacy and Electronic Communications Regulations (PECR)' lays out that this is limited to circumstances where:
- there has been a serious contravention of PECR; and
- the contravention was of a kind likely to cause substantial damage or substantial distress; and
- the contravention was deliberate or the person responsible knew or ought to have known that a contravention would occur and failed to take reasonable steps to prevent it.
The ICO has definitions of the key terms damage and distress. Here are their examples.
- Damage. Following a security breach by a data controller, financial data is lost and an individual becomes the victim of identity fraud.
- Distress. Following a security breach by a data controller, medical details are stolen and an individual suffers worry and anxiety that his sensitive personal data will be made public, even if his concerns do not materialise.
I find it hard to envisage a circumstance in the many email marketing campaigns that I know of in which substantial damage or distress could be caused by open tracking.
Prescriptive or principle based
The difficulty of the situation is, in my view, in part because the regulation is prescriptive about technology rather than principle-based, as in the case of the Data Protection Act.
Given the speed of change in technology, a principle-based approach would make more sense. However, we are where we are.
Only if you are not open, transparent and proactive in educating your customers about how you market, collect and use data of a private and personal nature are you likely to have your collar felt by the ICO, and that will only be if there have been substantial complaints to the ICO against your activity. If you have worked to promote openness and transparency you will be in a much better position with the ICO than if you have simply ignored this issue.
I have spent many days over most of the last year debating and discussing this issue with industry peers and with close attention to what has been discussed and said in various forums by the ICO. I don't think the ICO has an easy job and to be honest I'm glad not to be in their shoes.
In short, my guidance is to focus on obeying the spirit and intent of the regulation. Consider also future proofing your position by going beyond the current regulation. There are new data protection laws in discussion and the general direction is clear, openness and transparency.
Dave Evans from the ICO said in this interview:
"We don't know what compliance will look like in a year's time. There are lots of gaps here, and we want people to fill them with good practice. We can then point to examples of this and everyone will have a greater understanding of what is required."
Until the ICO has examples that can be pointed to, this is what I believe is good practice in email marketing:
- Signpost at time of signup that tracking technology is used. Use simple clear language that can be understood by consumers.
- Include this too for soft opt-in where signup is part of a purchase process.
- Include a block of information in your Welcome campaign email about privacy and tracking.
- Educate your current subscribers about tracking through use of a pre-header message, until such time as it is reasonable to believe the majority of subscribers have seen this, and then move it to the footer.