Talking Olympic advertising

January 26, 2012 Leave a Comment

In a recent post, I discussed the laws prohibiting advertising activity round Olympic venues in the summer.

One of the affected venues is the Ricoh Arena in Coventry, which will be renamed the City of Coventry Stadium for use in Olympic football matches. Shane O’Connor from BBC Radio Coventry & Warwickshire interviewed me at 7.40 this morning to talk about the law behind these advertising restrictions. Here’s a recording of our conversation:

Filed under Regulatory Issues Tagged with , , , , ,

Data protection: out with the old, in with the new

January 25, 2012 Leave a Comment

The widely-trailed revision to EU data protection law has been unveiled today by the European Commission, who have proposed a “comprehensive reform” to EU data protection legislation.

The fundamental change is moving from national laws made under a harmonising directive, to a single regulation which will apply directly across Europe. While it’s going to take a little while to work through all the details – and the proposal still has to be discussed and ratified by EU member states and the European parliament – the key changes as summarised in the Commission’s press release are:

  • A single set of rules on data protection, valid across the EU.
  • Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.
  • Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.

In addition, there will be a new directive to “apply general data protection principles and rules for police and judicial cooperation in criminal matters”.

The “right to be forgotten” has been the most widely-publicised measure under consideration, and will certainly raise some tricky practical issues. However, I suspect that the biggest practical impact will come from the requirement for explicit consent, where consent is required. At present, certainly under UK data protection law, a lot of reliance is placed on implied consent; see, for example, the Information Commissioner’s guidance on the new cookies law, as discussed in a previous post. Explicit consent will greatly increase the practical burden on many businesses.

The new law, if adopted, will come into force two years after it is adopted, giving businesses and other organisations time to prepare for the new regime.

Filed under Data Protection Tagged with , , , , ,

Photographic copyright: higher but wider?

January 25, 2012 Leave a Comment

The IP Kat blog has an interesting discussion of copyright infringement of photographs.

To cut a long story short, the High Court was asked to judge on whether copyright in the following image (created by a Mr Fielder, with the copyright owned by Temple Island Collections):

was infringed by the following image (used by New English Teas on the packaging for one of their products):

The court decided that the answer was yes, since the creators of the second image has been aware of the existence of the first image, and were unable to show they hadn’t copied it.

The case highlights a couple of points of general application.

1. Copyright in photographs

The court confirmed that a photograph will only attract copyright if it is the photographer’s own “intellectual creation”, and the judge suggested three aspects which could make a photograph “original”:

  • “specialities of angle of shot, light and shade, exposure and effects achieved with filters, developing techniques and so on”;
  • “creation of the scene to be photographed”;
  • “being in the right place at the right time”.

In this case, the court had no difficulty finding that the first image was Mr Fielder’s own intellectual creation, by reason of its composition and the visual contrasts involved. However, this is a long way from the traditional English law approach in which (as one IP textbook puts it) “pointing the camera at a subject and pressing the shutter” was considered enough to gain copyright protection.

This suggests that many photographs over which copyright is asserted may in fact fall outside the scope of its protection – though elements such as “being in the right place at the right time” would still seem to cast the net quite widely.

2. Infringing copyright in photographs

Again the traditional approach has been that infringing copyright in a photograph involved actually reproducing that photograph (or a substantial part of it). There was nothing to stop you taking your own photograph which happened to incorporate the same features as another image. As the IP Kat observes, this does seem to extend the scope of protection for photographs to include “an idea, a lay-out or a scheme for such a photograph”.

For this reason, it may be that the losing party in this case will hop on the next bus (sorry…) to the Court of Appeal. In the meantime, though, this case highlights some interesting issues in what can be a very sensitive area for photographers: on the one hand confirming that the bar for copyright protection is higher than previously thought, but on the other suggesting that the scope of protection, if acquired at all, may be wider than previously thought.

Filed under Intellectual Property Rights Tagged with , , ,

Cookies: the rules become clearer

January 11, 2012 Leave a Comment

Businesses and other website operators looking for a belated new year’s resolution should take a look at the revised guidance on the use of cookies (PDF) issued by the Information Commissioner’s office just before Christmas and start thinking about how to comply.

Launching the guidance, the Information Commissioner said that businesses “must try harder” in preparing to comply with the new law, which came into force in May 2011 and will be fully enforced from the end of May 2012. More constructively, the revised guidance sets out some practical measures which websites can adopt to help ensure compliance with the new law.

The new law requires websites to obtain prior, informed consent from users before placing cookies on those users’ computers or mobile devices. As the new guidance puts it, before setting cookies you must:

  • tell people that the cookies are there,
  • explain what the cookies are doing, and
  • obtain their consent to store a cookie on their device.

The only exception is where the cookie is “strictly necessary” for technical reasons. The guidance confirms that this is a narrow exception, and will not (for example) cover cookies used for analytics or to tailor a greeting when a user returns to a site.

As a start point for compliance, the ICO guidance recommends a three-step approach:

  1. Check what type of cookies you use and how you use them.
  2. Assess how privacy-intrusive your use of cookies is.
  3. Decide how to obtain consent from users.

The more privacy-intrusive your use of cookies is, the more you will need to do in order to inform users and get their consent.

Providing information

The ICO recommends that cookie information should not simply be hidden behind a link saying “Privacy policy”. Instead, links should either read “Privacy and cookies”, say, or there should be a separate link for information on cookies. The guidance gives several examples of how to make this information more prominent.

Inferring consent

One very helpful suggestion made by the ICO is that consent to placing could be inferred if a user continues to use a website after being told of the use of cookies. This would involve some kind of pop-up notification when the user first visits the site, with a confirmation that a cookie has been set if the user then continues on to another page without clicking the “refuse cookies” link.

I suspect that this approach will prove highly popular with websites, given it avoids the problem experienced by websites that require positive consent such as ticking a box before placing cookies. One analysis suggested that only around 5% of users of the ICO’s website (which follows this tick-box approach) were agreeing to cookies – a figure which would have been ruinous for many websites.

However, inferring consent does still require a clear message to be displayed to first-time visitors. It is not enough to rely on a general “Privacy and cookies”-type link.

Opportunities for consent

The ICO guidance also suggests that websites look out for opportunities to obtain positive consent from users. One opportunity comes where new registered users are asked to agree to its terms and conditions as part of the sign-up process – though existing registered users will need to be told about any change to the terms to allow for cookies.

Other opportunities may come where users set preferences or use new features for the first time: for example, a notice saying “We will use a cookie to remember this”, with a link to the cookies policy.

Analytics cookies

Analytics cookies – often for Google Analytics – are one of the most widespread types of cookie. The ICO’s position on analytics cookies is that they are not technically essential for websites, so consent will be required for them.

The ICO recognises that in some cases it is not practical to obtain consent before setting analytics cookies, as these are often set the moment a user first visits the site. However, in that case information on the use of cookies must be highlighted clearly on the site.

Having said all that, the ICO does drop a large hint that it does not regard analytics cookies as posing a serious risk to privacy. In the very last paragraph of the 27-page guidance document, they state that “it is highly unlikely that priority would be given to focusing on uses of cookies where there is a low level of intrusiveness” – which includes “first party cookies used only for analytical purposes”, provided clear information is given on the site.

Third party and advertising cookies

Third party cookies, especially those used for online advertising, are the most problematic from a privacy point of view. The ICO’s research suggests that even well-informed internet users are unaware of the distinction between first party and third party cookies – that is, cookies used by someone other than the website owner.

Information on the use of third party cookies will need to be clearly set out as part of informing users and obtaining consent. Both the website owner and the third party will want to ensure that their respective obligations are clear: if you run an advertising-supported website, you will want to ensure that the advertising provider is obliged to provide accurate and complete information on their use of cookies (so that you can put this in your own cookies information); conversely, the advertising provider will want to ensure that participating websites are compliant with the law, as otherwise this will put the advertising provider themselves in breach.

The guidance acknowledges, though, that third party cookies remain “one of the most challenging areas in which to achieve compliance”, given the higher privacy concerns over such cookies and their critical importance to online advertising.

Conclusion

It remains to be seen how the new law will operate in practice. Levels of compliance remain woefully low, so it is hard to discern any “best practice” emerging at present. However, the ICO’s guidance does at last suggest some practical ways in which websites can comply with the law without losing the benefits of using cookies.

Filed under Behavioural Advertising & Cookies Tagged with , , , , , ,

Olympic advertising ban: a pre-emptive ambush?

December 12, 2011 Leave a Comment

One of the key measures proposed to protect the interests of sponsors for the 2012 London Olympics and Paralympics is a prohibition on unauthorised advertising, including “ambush advertising”, around Olympic event sites.

The regulations imposing this advertising ban have now been implemented, as The London Olympic Games and Paralympic Games (Advertising and Trading) (England) Regulations 2011, and the LOCOG website has guidance on the regulations and how to comply with them. Crucially, this includes the maps of the “event zones” where advertising will be banned around the time of the Games.

The ban will apply for different periods for each event zone, as listed in Schedule 2 to the regulations, with the longest ban being around the Olympic Park itself: from 23 July to 13 August (for the Olympic Games), and then from 28 August to 9 September (for the Paralympic Games).

Anyone wishing to display advertisements within event zones during the relevant period (including existing traders) will need prior authorisation from LOCOG.

The types of “advertising activity” banned under the regulations are very broad, ranging from conventional billboards and signs to leaflet distributions and even the wearing of “advertising attire”.The thoroughness of the regulations is perhaps best shown by their express application of the ban to:

(i) an advertisement to be displayed on an animal, or

(ii) an apparatus by which an advertisement is displayed to be carried or held by an animal.

The mind boggles.

There is an exemption for people (though not for animals!) wearing clothes which carry advertisements, provided this isn’t part of an ambush marketing campaign, and also for “not-for-profit bodies”.

The regulations have been attacked by both advertisers and campaigners as “draconian” and an assault on freedom of expression. LOCOG, however, argues that the rules will “not only help protect the investment of sponsors”, but are also intended to ensure “a welcoming environment for spectators”.

Filed under Regulatory Issues Tagged with , , , ,

Battle of the business models

November 17, 2011 Leave a Comment

Wired magazine has a fascinating interview with Jeff Bezos, CEO of Amazon, to coincide with the first shipping of the Kindle Fire, Amazon’s rival to the iPad.

What the interview highlights is the way the internet (at least in the English-speaking world) is increasingly concentrating into four “ecosystems” – Google, Apple, Facebook and Amazon – with each of these having a distinctive business model:

  • Apple’s model is hardware-centric. The content it sells through iTunes and the App Store is a means to an end, the end being to sell its highly profitable, premium-priced devices such as the iPhone, iPad and Mac. Its lower-priced devices such as Apple TV and the iPod Touch serve the same end, operating (as I can testify from personal experience!) as a “gateway drug” to the more expensive models by ensuring people buy into the ecosystem.
  • Amazon’s model is content-centric. This is the polar opposite to Apple: Amazon makes money from selling content, and it therefore keeps its device prices at rock-bottom in order to draw people into its content ecosystem. In his interview with Wired, Bezos doesn’t rule out literally giving away the Kindle in future.
  • Google’s model is data-centric. Its mission statement is “to organize the world’s information and make it universally accessible and useful” – not least to make it useful to its advertisers. Hence Google generally gives away its products for free, whether that’s services like Gmail and Picasa for consumers, or the Android operating system for mobile phone developers and networks. The products are aimed at encouraging people to put more and more of their information into Google’s servers.
  • Facebook’s model is social-centric (sorry!). Like Google, its aim is to collect as much data as possible about people so that it can then sell advertising. However, it comes at this at a different angle from Google, building out from people’s social relationships – highly valuable information that is donated to it by its 800m users.

It remains to be seen which of these models will win out or how they will coexist. However, a couple of questions come out of this.

First, you’ll notice that the above list makes no mention of Twitter. Twitter may be a hugely popular service, but it’s a long way from constituting an ecosystem or dominant business model to compete with Apple, Amazon, Google and Facebook. It’s something that people use, not somewhere that people live.

Second, what does this mean for smaller companies seeking to make money online? Increasingly the routes to do so lie through one or more of those ecosystems: through developing apps for Apple, Android or Facebook, through ensuring a strong presence on Google, through having content available through Amazon. This provides people with a lot of opportunities – just see how the App Store can make software available to tens of millions of potential customers – but also reflects something of a reduction in the “free for all” that has driven innovation online to date.

Something of that concern for a reduction in freewheeling innovation can be seen in Bezos’ criticism of the software and business method patents that helped Amazon in the past, but which he now clearly sees as more of a threat:

For many years, I have thought that software patents should either be eliminated or dramatically shortened. It’s impossible to measure the toll they’ve had on the software industry, but on balance, it has been negative.

Whatever your view on software patents, they are certainly playing a central role in the concentration of internet business into a small number of ecosystems, between which fierce battles rage in patent courts around the world. Again, it remains to be seen what effect this will have on innovation for smaller companies.

Filed under Web Tagged with , , , , , ,

ICO gives businesses a year to comply with new cookies law

May 26, 2011 Leave a Comment

As an update to my post on the new cookies law, the ICO has now published guidance on their approach to enforcement of the new law (PDF). The guidance itself can be found here (PDF).

The key point is that the ICO is giving businesses a year to comply with the new law. Full compliance will only be expected from May 2012. However, this doesn’t mean that organisations can sit on their hands in the meantime. As the ICO guidance puts it:

The Commissioner does not though condone organisations taking no action in the period up to May 2012. Organisations should be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012. If it appears to the Commissioner that particular organisations are not making adequate compliant by May 2012 he may issue them with a warning as to the future use of his enforcement powers.

If the ICO receive complaints about non-compliant cookies during this period, they will ask website owners to explain what steps they are taking to ensure compliance by May 2012.

There is still a great deal of confusion in the marketplace about what the new law means in practice and how businesses can comply. Some are suggesting that websites offering aggregated opt-outs to multiple standard cookies will be enough to comply with the law. However, the law is clear: it is not enough to offer an opt-out, however well publicised and coordinated. Users must give prior informed consent before cookies can be used by a particular website.

Hopefully over the next few months it will become clearer what approaches are seen as most effective in practice. The ICO has implemented a header on its website asking people to consent to cookies, but even they acknowledge this cumbersome and intrusive approach is not going to be appropriate for most other organisations.

Of more practical use for most businesses is the ICO’s example, in its own privacy policy, of how to set out information about what cookies are used. The table used by the ICO strikes me as a very clear and user-friendly way of informing website users about what cookies are being used and for what purpose.

Filed under Behavioural Advertising & Cookies Tagged with , ,

Death of the domain name?

May 25, 2011 Leave a Comment

Interesting article on plans for forthcoming releases of the Google Chrome and Mozilla Firefox browsers to “deemphasise” the address bar, so that the URL of the page you’re viewing is not visible in normal browsing.

As the report puts it:

Google’s motivation to reduce your dependence on the URL bar is clear, since the company would rather that you think of using the web the same way you use your iPhone or Android device.

As Google sees it, the Web isn’t a collection of sites such as nytimes.com, mail.google.com or Facebook.com. Instead these are all software applications called The New York Times, Gmail, and Facebook that happen to live online instead of on the desktop.

From an online safety point of view, this has pros and cons. Critics will argue that hiding the URL will make life easier for scammers to direct people to phony sites. Against that, the linked report suggests that removing human error (typing the wrong address) will reduce some opportunities for scam sites.

I remember suggesting at an event some years ago that search would ultimately displace URLs/domain names as the main means by which people navigated the web. It’s taken longer than I thought, but it does now seem to be happening: I’ve noticed a number of offline advertisements in recent months (such as billboards and magazine ads) that invite people to search for a keyword rather than giving the advertiser’s website address.

Add to that this new trend to treat websites as apps, and it may well be that the URL is on its way towards becoming a purely technical feature working in the background.

Filed under Web Tagged with , , , ,

Cookies: the new regime

May 19, 2011 Leave a Comment

Back in March, I discussed the proposed changes to the law on cookies, to require prior, informed consent before most cookies are placed on users’ computers.

The new regulations have now been published by the UK government. Regulation 6 of the snappily-titled Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amends the previous rules so that most cookies will now only be permitted if the website user:

  • is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • has given his or her consent.

In addition, however, the revised regulation also states that:

…consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

What does all this mean in practice? To help businesses understand what is required of them, the Information Commissioner’s Office has produced a guidance note on the new regulations (PDF). While this leaves a number of questions still unanswered (as we’ll see below), it does clarify a number of points that had been debated since the new law was first proposed last year.

1. Is your cookie “strictly necessary”?

The revised regulations retain the existing exceptions for cookies:

  • whose “sole purpose” is “carrying out the transmission of a communication over an electronic communications network”; or
  • which are “strictly necessary for the provision of an information society service requested by the subscriber or user”.

The second of these is the more important for most websites. It has been suggested that this could be interpreted quite widely, to include analytics cookies that track how people use the site: which pages they visit, how long they remain on the site, which search terms brought them there in the first place, and so on. The argument is that this enables sites to allocate resources as necessary to provide their services.

However, the guidance argues that the exception needs to be interpreted narrowly, and the cookie must relate to services “explicitly requested” by the user – not just the general functioning of the site. So a cookie to enable a shopping basket and checkout system to work would be fine. However:

The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

2. Can browser settings be used?

The reference to a website user “who amends or sets controls on [their] internet browser” has been read by some as allowing existing browser controls on cookies to be used to obtain consent. However, the ICO’s view is that:

most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie.

In addition, people may be accessing using mobile devices that do not enable them to exercise even the crude levels of control (“cookies ON” / “cookies OFF”) found in current desktop browsers.

In the longer term, more sophisticated browser settings may be developed that enable websites to obtain consent in this way. However, for now it has to be assumed that some other means of obtaining consent is necessary.

3. How can we obtain consent?

The ICO’s guidance is not prescriptive, and discusses a number of ways in which websites can obtain consent.

One option is to use pop-ups as a means of informing users about your use of cookies and to obtain their consent, but the ICO recognises that this is “potentially frustrating” for users. Other means include:

  • Terms and conditions: sites that obtain users’ agreement to their terms and conditions (e.g. upon registering with the site or making a purchase) have a golden opportunity to obtain users’ consent. However, existing users should be made aware of the changes and asked to give their consent to the new terms.
  • Settings-led consent: where a cookie is necessary in order to enable a particular website feature, then users can be told at the point they enable that feature that a cookie will be used for this purpose.
  • Highlighted text: the website’s header or footer could include text that is highlighted when the site wishes to place a cookie, so that users can then agree to this.
  • Third-party cookies: these are widely used by advertising networks, and unfortunately the ICO guidance does little more than acknowledge that this “may be the most challenging area in which to achieve compliance with the new rules”. Clearly, though, finding techniques for describing the use of third-party cookies in such a way that users are inclined to agree to them will become something of an art form in the near future.

4. So what do I need to do?

While the new legislation comes into force on 26 May 2011, the ICO recognises that there will need to be a “phased approach” to enforcement, to give websites time to comply. The ICO’s key expectation at this stage is that organisations are at least giving serious thought to how to comply.

In particular, the guidance advises website owners to:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Decide what solution to obtain consent will be best in your circumstances.

“The key point”, they add, “is that you cannot ignore these rules.”

Over the next few months I will revisit this issue to see how websites are going about achieving compliance in practice, and what technical measures are being developed to facilitate this.

Filed under Behavioural Advertising & Cookies Tagged with ,

How distinctive is the App Store?

March 23, 2011 Leave a Comment

Amazon has launched an “Appstore” selling applications for the Android mobile phone operating system. In response, Apple is suing Amazon in the US claiming that Amazon’s Appstore will “confuse and mislead customers” due to the similarity in name with Apple’s own App Store.

Apple has not yet been able to register App Store as a trademark in the US (and its application to do so is being opposed by Microsoft). However, APP STORE is registered as a European Community trade mark, effective from 21 July 2008. If Amazon were to launch their Appstore in the EU – and currently there is no information on if and when this will happen – then Apple would presumably want to bring trade mark infringement proceedings against Amazon.

To be honest, I’m amazed that Apple were able to register APP STORE as a trade mark. A mark must be distinctive in order to be capable of registration as a Community (or for that matter EU national) trade mark. In the words of the Community Trade Mark Regulation, it must be “capable of distinguishing the goods or services of one undertaking from those of other undertakings”. In particular a mark cannot be registered if it:

consist[s] exclusively of signs or indications which may serve, in trade, to designate the kind, quality, quantity, intended purpose, value, geographical origin or the time of production of the goods or of rendering of the service, or other characteristics of the goods or service.

To register APP STORE for the sale of computer software applications (that is, “apps”) is, to my mind, on a level with registering SHOE SHOP for the sale of footwear. No doubt Amazon’s defence to a claim would consist (in part) of a vigorous assertion that the mark should be revoked.

Against that, it is sometimes argued (though not, as far as I’m aware, by Apple itself) that Apple invented the word “app” in relation to software. There are two responses to this:

  1. Who invented the word isn’t relevant to whether it’s a valid trade mark. Even if Apple invented the word “app” for software, it is still widely used (even by Apple!) in a generic sense.
  2. It’s not true that Apple invented the word anyway: it’s not hard to find examples from before 2008 of the word “app” being used for software, particularly in the free/open source software world.

I do need to add a lawyerly disclaimer here. I am emphatically not arguing that readers of this blog post should rush out and start using the name “App Store”, confident in the knowledge that Apple’s trade mark registration is invalid. Apple could still run other arguments (such as a “passing off” claim), and would argue with equal vigour that their trade mark should stand (for example, on grounds of “acquired distinctiveness”). If you want to take on the world’s second largest company on an issue like this, be my guest – but take legal advice first…

Filed under Intellectual Property Rights Tagged with , , ,

Older posts

Follow

Get every new post delivered to your Inbox.

Join 352 other followers