Loyalty needs customer data but beware the European Commission

We take huge exception to companies that fail to look after our personal details. We are also concerned about the amount of information that is known about us and the lack of control we have over it.

Yet the whole customer loyalty business is built on the premise that, in return for rewards, we should be prepared to share our information.

Following a string of high-profile database attacks, authorities around the world have begun to introduce new legislation to tighten the rules.

The card payments industry itself was first to react, with the PCI SSC (Payment Card Industry Security Standards Council) Data Security Standard. This introduced stringent new practices governing the way those taking card payments store card and customer information.

With growing use of the internet and social media, it was felt more rules were needed to give consumers control over personal content. Regulators are also keen to put limits on the amount of data-sharing done for commercial reasons by internet companies including Google and Facebook.

Many websites, such as Google, use their knowledge of our browsing behaviour to help advertisers to target their goods and services. Google notes where someone has been browsing and companies who advertise with Google are then allowed to display targeted ads.

Coming soon is a raft of new measures that will significantly impact any company with a database or a website that tracks customers.

In May, a European Union Privacy and Electronic Communications Directive will come into force. This has become known as the cookie law, because one consequence is that website owners will have to change the way they alert users to the fact that cookies are used. In future they will have to gain express consent.

Cookies are a mechanism for doing things like remembering log-in details and managing online shopping carts. They speed the loading of the site when the user revisits.

Until now, most websites have included in their terms and conditions the fact that cookies are being used. In future, a website owner will have to be much more transparent.

There are concerns the rules are too tough. Nick Stringer, head of regulation at the Internet Advertising Bureau, says the directive will transform the way business is transacted and will go as far as to affect the internet’s basic functions.

“The new law affects every organisation doing business online, big or small, as it goes beyond advertising and potentially affects the basic architecture of the internet, which is powered by data,” he says.

While the cookie law will eventually tighten up internet behaviour, despite Google’s resistance, the European Commission didn’t believe this was enough. A number of organisations had been lobbying for the “right to be forgotten” and, with mounting public backing, the Commission was determined to enable this protection, especially, says Justice Commissioner Viviane Reding, so that EU citizens – particularly teenagers – could be in control of their online identities.

This has massive implications not just for Facebook, but for any company holding data in any form.

The Commission is so keen to drive these new rules through that it intends to introduce them not as a directive, which each country then has the option to introduce in its own way, but as legislation, which is binding on all member states in its published form. The rules are not expected to be ratified for at least two years, but it is important companies engage now to express their concerns.

Among the proposals is the requirement to notify the Data Commissioner within 24 hours of a data breach and to tell customers within a similar timeframe. If a company is found to be complicit in a data breach, it could lose 2 per cent of its annual turnover in fines.

Other changes to the 1995 data protection rules include:

  • People will have easier access to their own data and will find it easier to transfer it from one service provider to another;
  • Companies with 250 or more employees will have to appoint a data protection officer.

Search companies that track data on behalf of their clients will be required to make major changes to their business models. The law is expected to have a significant impact on anyone gathering data to perform customer analytics. It will even impact website owners in terms of what information they can gather regarding visitors to their own sites.

Christine Andrews, managing director of DQM Group, a data governance research company, says: “You have to gain explicit consent. At the moment that consent is implied. Firms will have to be very clear about every possible reason they have for keeping the data. If it is credit card transactional data, for example, you can’t then email people with offers on a holiday in India.”

According to lawyers, everything rests on how the term “consent” is interpreted. Once a few cases have been taken to court, then it will be clearer what companies are expected to do to keep their websites running within the law.

But the new rules are not expected to stop the “weasel words” of terms and conditions. Ms Andrews thinks it will make them worse. “Firms will become more weasely to get under the radar, so that people don’t opt out of everything. There will be all sorts of inventive phrases come into play,” she says.

Jeremy Henderson-Ross, legal director and general counsel (Europe, the Middle East and Africa) for Aimia, cautions that a particular issue will be how the rules will affect multi-national companies. “Perhaps the biggest threat for businesses like ours is the creation of an unbalanced worldwide data regulatory framework,” he says. “We must take into account the global nature of data. In the US, data privacy is also a prominent issue. The data debate cannot simply be confined to Europe or even to the US. It must work in all markets.”

TEST CASE

Can Google ignore the cookie law?

Google has signalled little enthusiasm for new data rules. According to Vic Gundotra, Google vice president: “If we do things that are evil, with one click you can leave Google.”

Which sounds fair enough, except that few of us would be prepared to live without this invaluable search tool.

The same goes for Apple or Microsoft or virtually anyone else we want to transact with. In order to do business, we have to agree to their terms and conditions. There is no choice.

Google’s new privacy policy of combining all your data across all Google products has lined them up in direct opposition to European policymakers – and this is going to turn into quite a fight.

European data protection agencies have heavily criticised Google, suggesting they are violating European Union privacy laws. Acting on behalf of fellow agencies, CNIL in France has sent Google 69 questions probing exactly how the company is going to use our data. Google’s answer is that if you don’t like it, you can leave.

Before you quit though, search for “divorcing Google” and follow the nightmarish journey of Tom Henderson, who decided to do just that. You may decide not to bother, and as usual, sigh and click the box.