Archive for the 'eCommerce' Category

e-update on the draft data protection regulation – what price harmonisation?

Following on from my blog on the implications of the new draft data protection regulation for outsourcing in the UK, and John’s blog on the remainder of the draft regulation, we’ve pulled together an e-update summarising the key issues.

In particular, we question whether the cost savings that organisations will gain through harmonised laws throughout the EU and a simplified approach to regulatory oversight will be outweighed by additional compliance costs in other areas.

You can read the e-update by following this link.

If you’d like to join our e-update mailing list to receive regular e-updates on outsourcing, IT and information law issues, please follow this link.

The draft data protection regulation – a summary of the key provisions

European Union Justice Commissioner Viviane Reding has announced a proposal for a new General Data Protection Regulation for the protection of personal data in the European Union.

The proposals retain the general principles of data protection law, but also introduce some significant changes around:

  • Fines;
  • Consent;
  • Notification (including 24-hour notification of breaches);
  • New obligations on data processors;
  • Compulsory Data Protection Officers;
  • Data subject rights;
  • Collection of child data; and
  • The “one stop shop” approach

Firstly, as Martin noted in his earlier blog on the impact for organisations engaged in outsourcing, the regulation has direct effect. Once passed, it will not be subject to local implementation in each member state. This is intended to ensure that the laws are applied consistently across the EU.

Powers to fine
The official announcement follows last month's leaked proposals, which suggested that companies breaching data protection law might face fines of up to 5% of their annual turnover. While this level of fine is not advanced by the official proposal, companies will still be subject to a fairly stringent sliding scale of fines:

  • a maximum of 0.5% of annual turnover for failures such as not responding properly to requests by data subjects;
  • a maximum of 1% of annual turnover for failures such as leaving inaccurate data uncorrected, or failing to adopt internal policies to comply with the new Regulation; and
  • a maximum of 2% of annual turnover for the most serious violations, including “risky processing operations”, or failing to obtain data subject consent.

Consent
Another key change being proposed is that data controllers can no longer rely on implied consent. Instead, controllers will have to prove that they have been provided with "explicit" consent from the data subject. Consent may not be relied upon at all where there is a "clear imbalance between the data subject and the controller", which will make it difficult for, for example, employers to rely on consent from employees as grounds for processing.

As an alternative to obtaining explicit consent, “other legitimate interests” of a controller will provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding.

Whilst this change is consistent with the opinions that have been issued by the Article 29 Working Party, it will be particularly felt in the UK, where much of the Information Commissioner's guidance has focussed on the concept of "implied consent". For example, the Information Commissioner's view on website privacy policies has generally been that the data controller does not need to flag up in flashing lights processing that is obvious. It will be interesting to see how guidance changes in this area.

Notification
Controllers will no longer have to notify data protection authorities that they are processing data. Instead, they will be asked to make available upon request evidence demonstrating their data protection policies and procedures, including "privacy by design and default" mechanisms and privacy impact assessments.

Data breach notification
Controllers will also be expected to notify data protection authorities of data breaches within 24 hours. Where notification within 24 hours is not possible – and 24 hours looks like an onerous requirement – an explanation of the reasons for the delay should accompany the notification. Data processors, meanwhile, will be expected to “assist” controllers in cases of data breach or loss, and will be deemed joint controllers if they process personal data other than as instructed by the controller.

Data protection officers
All public sector bodies will be required to appoint a Data Protection Officer, as will private sector bodies with more than 250 staff (or whose core activities consist of processing operations).

The “right to be forgotten” and other new restrictions
Last month’s leaked document suggested that the new proposals would contain a controversial “right to be forgotten”, and many stakeholders were already pondering how such a right could possibly be guaranteed or enforced. The official proposals are less explicit regarding this right, proposing that a controller shall carry out erasure of data “without delay, except to the extent that the retention of the personal data is necessary” for a variety of grounds, including “public interest” and “compliance with a legal obligation”.

Potentially more interesting is a new right for data subjects not to be subject to a “measure based on profiling”, meaning that organisations will be potentially barred from profiling individuals based on automatic processing seeking to predict a person’s creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour. This may well impact upon Amazon’s religious beliefs patent (as blogged about by Martin last month).

It’s also worth noting that under the new proposals the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. This concept of a “child” and the parental consent requirements will almost certainly conflict with many organisations’ current practices.

The “one stop shop approach”
Finally, the draft proposes that controllers and data subjects will have a one stop shop in terms of regulators. If a data subject wishes to complain about processing by a data controller in another EU country, they will complain to their local regulator, which will raise the issue with the regulator in the data controller's home country.

Given that non-EU data controllers collecting data from EU data subjects will also be subject to the new regulation, this will surely increase the administrative burden on the various national regulators.

These are just some of the changes to the present European data protection regime which are being proposed. It’s worth remembering that these proposals will need to be approved by the European Union’s member states and ratified by the European Parliament before they can come into effect. Given the extent of the proposed changes, that process might take up to 2 years, if not longer.

Opinion piece on behavioural advertising and cookies

I have an opinion piece in this week’s edition of Computing magazine. The article is based on my blog a couple of months ago following my experience with the hotels.com and Guardian websites.

What do you think? Is transparency and information about behavioural advertising an issue? Did you know how it would work when you accepted the cookie, or do you not care? Add your opinion in the comments.

How does Amazon’s new religious beliefs patent equate with data protection laws?

According to online reports, internet retailer Amazon has just been granted a new US patent for a system aimed at “mining of user event data to identify users with common interests”. The system analyses user behaviour to profile users into different categories.

Amongst the things monitored are the purchasing of gifts and “the gift wrap used by such other users when purchasing gifts for this user, such as when the gift wrap evidences the user’s religion (in the case of Christmas or Hanukkah gift wrap, for example)”.

So if someone orders me a gift from Amazon, has it gift wrapped and sent to me at some point in December, Amazon will apparently assume that I am of Christian belief.

That's quite a leap of faith (pun intended), given that a substantial proportion of people who give Christmas presents are likely to class themselves as atheist or ambivalent in their religious beliefs.

The preamble to the patent states that:

A computer-implemented matching service matches users to other users, and/or to user communities, based at least in part on a computer analysis of event data reflective of user behaviors. The event data may, for example, evidence user affinities for particular items represented in an electronic catalog, such as book titles, music titles, movie titles, and/or other types of items that tend to reflect the traits of users. Event data reflective of other types of user actions, such as item-detail-page viewing events, browse node visits, search query submissions, and/or web browsing patterns may additionally or alternatively be considered. By taking such event data into consideration, the matching service reduces the burden on users to explicitly supply personal profile information, and reduces poor results caused by exaggerations and other inaccuracies in such profile information. [emphasis added]

What about data protection rules?
This raises some interesting data protection questions.

In the EU, religious beliefs are one of the categories of personal information that are classified as "sensitive personal data", and therefore subject to a stronger set of rules. In particular, a data controller may only process sensitive personal data if it can satisfy one of the specific conditions set out in Schedule 3 of the Data Protection Act 1998. The majority of these grounds relate to things like processing that is required by law, processing that is necessary to protect the vital interests of the data subject, or processing for the administration of justice.

None of these are applicable to Amazon.

Which means the only condition it could rely upon is the “explicit consent” of the data subject.

It’s difficult to reconcile this need for explicit (not implied) consent with the last sentence of the preamble, which states that the system will “reduce the burden on users to explicitly supply personal profile information” – in other words, it will allow Amazon to guess the things that users don’t tell it.

European data protection rules make it clear that Amazon cannot activate this system in respect of a user unless he has expressly given his informed consent. So if a user decided that he would like Amazon to profile him based on his religious beliefs, would that user rather tick a box saying "would you like Amazon to guess which (if any) religious beliefs you hold?" or simply complete the details in his personal profile?

And how does this guessing system equate with the fourth data protection principle, which states that personal data shall be “accurate and, where necessary, kept up to date”? Will Amazon periodically ask you to confirm its assumptions to check that they are up to date?

Organisations such as Amazon often apply to patent new ideas without necessarily ever putting them into practical application. In Europe at least, I suspect that this may be one such idea.

Advertising rules for websites and social media – some top tips

This blog post was published earlier today as an e-update to our email subscribers. To receive e-updates from Brodies’ Technology, Information and Outsourcing Group please register your details or contact your usual TIO Group contact.

On 1 March the remit of the Advertising Standards Authority (ASA) was extended to include the claims companies make in non-paid-for space online. This covers adverts for a company's goods and services on its own website and on any social media sites within its control.

Since the ASA's digital marketing remit was extended earlier this year, the independent UK regulator has received a 40% increase in complaints.

The rules and criteria that are applicable to digital and online marketing are the same as those applicable to ‘traditional’ media, such as the obligation that the advert is not misleading, exaggerated or offensive. However, there are some particular things to look out for when advertising online, including via social media channels.

Here’s a quick list of do’s and don’ts to ensure that your company doesn’t have to explain itself to the ASA:

  • Don’t exaggerate savings by comparing an offer to the most expensive alternative.
  • Don’t say something is free if it isn’t. If the product is free, but postage is not, then say that upfront.
  • Don’t include unnecessary price breakdowns for a product or service unless the costs being detailed are optional. If they are not optional then it is pointless explaining what they are.
  • Don’t pick and choose customer reviews to appear on your website to make your company look good.
  • Do include any surcharges, such as booking fees, upfront.
  • Do make sure a discount is actually a discount. If the prices are the same before, during and after the promotion then it’s not really a promotion and is in breach of regulations.
  • Do ensure that you have robust evidence of quality and performance if you are going to make claims about your product.
  • Do state clearly that an offer may be extended at the company’s discretion if you think you may want to exercise this option.

For further information please contact me or get in touch with your usual Brodies contact.

Victoria Moore

Not so stealthy ‘astroturfing’ of new Nokia Lumia Smartphone

You may have heard the recent outcry over favourable product reviews posted (anonymously, of course) by Nokia and Microsoft employees about the new Nokia Lumia 600 Smartphone (which runs on Microsoft's Mango OS) on a third party website.

These comments have been criticised for not being genuine reviews of the product but rather a marketing ploy to try to boost sales and customer opinion. This advertising 'technique' of masquerading as a genuine customer and making positive, inflated reviews about your own product (or, indeed, negative comments about a competitor's product), known as 'astroturfing', is a risky strategy: not least because in many countries it is unlawful, but also because, if found out, it could be very damaging to your brand's reputation.

The Nokia employee was found out because (in a not terribly covert manner) his ‘anonymous’ post was sent from an IP address that was owned by Nokia. This, of course, opens up a whole new can of worms because the Nokia IP address – and the employee’s email address – was released by the company that hosted the review website, presumably in breach of the site’s privacy policy.

The law in the UK
In the UK, advertising is broadly controlled and regulated by the Advertising Standards Authority (ASA). In March of this year the ASA's remit was extended to include digital media, which meant that restrictions were tightened around what companies could claim on their own websites and other online media in their control, such as their Facebook or Twitter accounts.

In relation to product or service reviews, the ASA will address complaints where websites pick and choose which reviews appear on their website, so as to cast the company in a better light. Similarly, the ASA is currently investigating the transparency of the reviews that appear on the TripAdvisor website. TripAdvisor had stated that the reviews on its website were 'trustworthy', but in reality it is unlikely that TripAdvisor really knows whether the reviews are honest or not, so the endorsement has been taken off the site.

While the digital remit is a welcome extension of the ASA's powers, astroturfing such as the Nokia Lumia incident, where one company posts fake reviews on another's website, still falls through the cracks.

It won’t fall far though before being caught by the Consumer Protection from Unfair Trading Regulations 2008, which prohibits companies from falsely representing themselves as a consumer. The Regulations are enforced by the Office of Fair Trading (OFT) which can impose unlimited fines for a breach. On the face of it, the OFT has more bite than the ASA. However, the OFT may be less inclined to get involved in smaller, isolated cases – such as a couple of blog posts by employees where there doesn’t appear to be any evidence of a larger astroturfing strategy.

Remember though, that even if astroturfing doesn’t result in any formal fine or sanction it could still cause serious reputational issues for your brand. Nokia and Microsoft have learnt this the hard way.

Leigh Kirkpatrick

ICO publishes updated guidance on cookies compliance

The Information Commissioner’s Office has today published updated guidance on how organisations should comply with the new rules on cookies that came into force earlier this year.

As regular Techblog readers will remember, the new rules came into force without any clear guidance on how organisations should technically comply with them – even the ICO itself appeared to be unclear as to what was required. In recognition of this, the ICO announced a year long grace period for achieving compliance.

What does the updated guidance say?
The updated guidance builds on previous guidance issued by the ICO by giving a number of examples of how compliance can be achieved. Which of these is appropriate will depend upon what the cookie is used for (and the ICO generally leaves it to the organisation to work this out).

There are a couple of points to highlight:

  • Consent needs to be informed – users need to understand the potential consequences of allowing each specific cookie to be used
  • There is still no browser based solution to getting consent.
  • Implied consent is unlikely to be sufficient – implied consent must be based on a "definite shared understanding of what is going to happen." The ICO's view is that consumers do not yet have this level of awareness, but that may change over time as consumer awareness increases.
  • Wherever possible cookies should be delayed until users have had a chance to understand how they are used – they should not be set as soon as the user visits the site.
  • There are no exceptions for analytical cookies – the ICO’s view is that analytical cookies do not fall into the “strictly necessary” category.
  • However, cookies for online shopping baskets and those that are necessary to ensure security (for example, on online banking websites) are likely to fall within the exception.
  • If cookies are used on more than one website (for example, for third party behavioural advertising purposes), then in order for consent to be valid it has to be “absolutely clear” which websites the cookies will be used on, what they are used for, and exactly what the user is agreeing to.
  • You can copy what the ICO does on its website, but the ICO is giving no guarantees that this approach complies with the law.

This last point is particularly disappointing. The worked examples in the new guidance will be welcomed by organisations grappling with how best to comply with the new rules (in the absence of an acceptable browser-based solution), but the reluctance of the ICO to stand behind its own approach gives organisations little comfort that the suggested approaches in the guidance will be compliant.
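The guidance's practical points (delay non-essential cookies until the user has understood them, treat analytics as needing consent while session, basket and security cookies do not, and name every site a third-party cookie is used on) amount to a gating rule that can be written down. The following is an added example, not code from the ICO guidance or from this blog: a small consent gate that sets strictly necessary cookies immediately, queues everything else until the visitor agrees to that category, refuses unknown cookies outright, and builds the per-cookie text for the consent notice. The cookie names, purposes and the partner domains are assumed for illustration, and the in-memory store stands in for `document.cookie` so the code runs outside a browser.

```javascript
// Added example: consent-gated cookie setting. Not part of the ICO guidance
// or the original post; cookie names, purposes and domains are assumptions.

// Cookie policy table. Only 'necessary' cookies may be set without consent.
// For cookies used across several sites, list every site so the notice can
// name them ("absolutely clear" which websites the cookie is used on).
const COOKIE_POLICY = {
  sessionid: { category: 'necessary', purpose: 'keeps you signed in' },
  csrftoken: { category: 'necessary', purpose: 'protects forms against cross-site request forgery' },
  basket:    { category: 'necessary', purpose: 'remembers your shopping basket' },
  _ga:       { category: 'analytics', purpose: 'measures how the site is used' },
  adid: {
    category: 'advertising',
    purpose: 'behavioural advertising',
    sites: ['www.example.shop', 'ads.partner.example'], // assumed domains
  },
};

class ConsentGate {
  // `store` abstracts document.cookie so the gate can be exercised offline.
  constructor(store) {
    this.store = store;
    this.granted = new Set(['necessary']); // only the strictly necessary exception is implied
    this.queued = [];                      // cookies waiting for consent
  }

  // Attempt to set a cookie. Returns 'set', 'queued' or 'refused'.
  setCookie(name, value, attrs = {}) {
    const policy = COOKIE_POLICY[name];
    if (!policy) return 'refused';                 // unknown cookie: fail closed
    if (this.granted.has(policy.category)) {
      this.store.set(name, value, attrs);
      return 'set';
    }
    this.queued.push({ name, value, attrs });      // defer until the user agrees
    return 'queued';
  }

  // Record informed consent for the given categories and flush the queue.
  grant(categories) {
    for (const c of categories) this.granted.add(c);
    const stillWaiting = [];
    for (const c of this.queued) {
      if (this.granted.has(COOKIE_POLICY[c.name].category)) this.store.set(c.name, c.value, c.attrs);
      else stillWaiting.push(c);
    }
    this.queued = stillWaiting;
  }

  // Withdraw consent for a category and delete the cookies already set under it.
  revoke(category) {
    this.granted.delete(category);
    for (const [name, policy] of Object.entries(COOKIE_POLICY)) {
      if (policy.category === category) this.store.delete(name);
    }
  }
}

// One line per non-necessary cookie for the consent notice: name, category,
// purpose and (for third-party cookies) every site it will be used on.
function consentNotice() {
  return Object.entries(COOKIE_POLICY)
    .filter(([, p]) => p.category !== 'necessary')
    .map(([name, p]) => {
      const sites = p.sites ? ` on ${p.sites.join(', ')}` : '';
      return `${name} (${p.category}): ${p.purpose}${sites}`;
    });
}

// In-memory stand-in for document.cookie.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value, attrs) { this.jar.set(name, { value, attrs }); }
  delete(name) { this.jar.delete(name); }
  has(name) { return this.jar.has(name); }
}

// A page visit: the session cookie is set at once, analytics and advertising
// cookies are held back, and the visitor then ticks "analytics" only.
function demo() {
  const store = new MemoryCookieStore();
  const gate = new ConsentGate(store);
  const r1 = gate.setCookie('sessionid', 'abc123', { secure: true, sameSite: 'Lax' });
  const r2 = gate.setCookie('_ga', 'GA1.2.1');
  const r3 = gate.setCookie('adid', 'xyz', { domain: '.partner.example' });
  const before = [store.has('sessionid'), store.has('_ga'), store.has('adid')];
  gate.grant(['analytics']);
  const after = [store.has('sessionid'), store.has('_ga'), store.has('adid')];
  return { r1, r2, r3, before, after, queued: gate.queued.length };
}
```

The design choice worth noting is that unknown cookies are refused rather than queued: a tag or script added later cannot quietly set a cookie that nobody has classified, which is the failure the guidance's "initial assessment of cookie use" is meant to prevent.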

Enforcement
The ICO makes clear that the lack of clarity over how the law is supposed to apply will not be accepted as an excuse for non-compliance, and that it is not acceptable for organisations to simply sit back and wait for a browser-based solution.

We’re now six months in to the 12 month transitional period for compliance, after which the ICO will start investigating complaints. The ICO states that organisations now need to be able to show that they have carried out initial assessments over cookie use, and that “sensible, measured action to move to compliance” is being undertaken.

Embedding accessible design skills in the next generation of web developers

Last Monday I was in Dundee, speaking to final year students at the University of Dundee's School of Computing.

The School of Computing takes quite a holistic view of teaching computing, and one of the modules covers the “real world”. The School asks external experts to come in and talk to the students about things like identity theft and security standards (such as PCI-DSS), and other laws and regulations that may impact upon what they do when they get out into the working world.

The area that I talk to students about each November is disability discrimination laws and accessible design for websites and mobile apps, an area I’ve been involved with for a number of years (my honours dissertation was on this). This particular talk dovetails with the School’s technical expertise in relation to accessible and usable design.

Rather than bore the students with a dry lecture on The Law, I try to show them how it is relevant to their future careers, and why having a good understanding of the relevant laws will make them more employable and give their future employers a competitive advantage.

There are a number of key messages that I try to get across:

  • if a website or app is not designed properly, it may be inaccessible to users with disabilities;
  • operators of websites and providers of mobile apps have, in their capacity as service providers, educators and employers, legal obligations not to discriminate on the grounds of disability;
  • failure to meet those obligations may lead to that organisation being sued and, perhaps more importantly for a big organisation, suffering damage to its reputation;
  • web and software designers will be responsible for designing and delivering those websites/apps;
  • even if you are working for an independent design company, that company will have contractual liability to the client, and if a site is poorly designed the client may have the right to sue;
  • public sector organisations have a legal obligation to ensure that their ITTs (invitations to tender) set out requirements in relation to accessibility – if the designer doesn't have the skills, then it may not get the work;
  • therefore understanding accessible and usable design and the legal obligations applying to your employer/clients will give you a competitive edge – whether in the job market or in winning business.

If we are doing things right, then hopefully accessible and usable design will become second nature to the web and app designers of tomorrow.

If you are involved in commissioning a new website, or a mobile app, then I recommend that you read BS 8878, a new(ish) British standard on commissioning accessible websites. It’s not a technical document, but instead a process that organisations can follow to assist with appointing a designer with appropriate accessibility expertise, and to help ensure the final output is accessible to users with disabilities.

Creating a successful online business

Last month I attended a Glasgow Chamber of Commerce “Glasgow Talks” presentation by the former managing director of amazon.com in the UK, Glaswegian Brian McBride. I’ve finally found time to look at the notes I made.

Brian reflected on his career in business, and offered thoughts on leadership.

During the Q & A following Brian's fascinating talk, debate amongst attendees inevitably turned to the decline of the High Street, and how to create a successful online business.

Some great tips emerged:

  • Don’t be scared of playing with pricing to attract customers, even if it means offering a loss leader.
  • Make available as wide a selection as possible, at as competitive a price as possible.
  • Your website has to be transactional, and ideally should support transactions made via mobile devices.
  • "Classic" kinds of product may yield greater sales and higher margins than you think.
  • Your website has to be search engine optimised. If your site isn’t on the first page of a Google search result for the name of your business, or one of your principal products – then you’re in trouble.
  • If you haven’t yet read The Long Tail by Chris Anderson – then read it.
  • Don’t forget your legal obligations, not least the E-Commerce Regulations.

PS a short video about the event is here. It’s worth watching, if only to check out the really hunky guy who appears around 2:27.

ASA ruling on misleading price information on a website

The Advertising Standards Authority (ASA) has upheld a complaint against Warwick Castle over the way it displays pricing information on its website. This decision highlights the general move towards transparency of pricing following the Office of Fair Trading's recent investigation into payment card surcharges in the airline industry.

In this case, the Warwick Castle website stated that visitor prices were "from £10 excluding VAT, plus VAT of £2.00, total £12.00". This in itself isn't terribly clear; however, on purchasing the tickets customers were then faced with an additional £1 or £2 payment fee, depending on the payment method used.

The complaint was referred to the ASA for adjudication on the following grounds:

  • That the prices initially quoted did not include the mandatory card fee; and
  • That the website provided VAT exclusive prices.

On the first point, the ASA found that Warwick Castle had clearly breached the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (the “CAP Code”). The ASA also found the pricing information clearly misleading and stated that the initial prices should have included the payment surcharge as there was no option but for customers to pay this if they wanted to buy a ticket to the attraction.

On the second point, despite the fact that Warwick Castle put forward a slightly bizarre explanation for displaying the VAT exclusive pricing (that this was part of a campaign to seek a review of VAT charges applicable to tourist attractions) the ASA found that this practice was also in breach of the CAP Code. Under Rule 3.18 of the Code VAT exclusive pricing may only be given if all or most consumers pay no VAT or can recover VAT. As this was not the case here, Warwick Castle were in breach.

The key thing to take away from this is to ensure that if you are displaying prices on a website, that these prices are straightforward, transparent and represent the total amount that the consumer will pay. In addition, it is useful to note that displaying too much information (such as unnecessary breakdowns) is just as likely to find you in front of the ASA board as if you display too little pricing information upfront.

(but actually written by new TIO Group assistant Leigh Kirkpatrick – who will become a full Techblogger soon).
