T2O media interviews Jose Maria Dutilh, Managing Partner of LEQUID and Miss. Sor Arteaga, Partner Head of IT-Law Department.
Which are the most sensitive legal issues for companies with online presence?
Companies with online presence have to be very careful with the compliance of current regulations, especially those regarding data protection. In Le Quid we recommend that our clients make the responsibilities and duties of the Data Processor and the Data Controller clear in the contract, have mechanisms for the gathering and obtaining of express consent, to inform users of any cases of data transfer, and establish mechanisms for the exercising of ARCO rights. Also, companies with online presence, must meet the LSSICE (Law 34/2002 of 11th July for the Information Society and Electronic Commerce Services) in the sending of commercial communications, SMS or e-mailings, they must obtain the appropriate prior express consent by the user and display the word “publi” or “publicity” and in the case of promotional offers (discounts, prizes and gifts) promotional competitions or games, they must leave them clearly identified as well as the access conditions and, where appropriate, participation conditions so that they are easily accessible. Finally, we emphasize the compliance of trademark rights and intellectual and industrial property rights in general of the content available in Internet.
Which are the most important changes to the legal level for online marketing?
Certainly, from a legal point of view for digital marketing, the most innovative aspect was the change a few days ago from the LSSICE transposing Directive 2009/136/EC (e-Privacy Directive), regulating devices, storage and retrieval of data in terminal equipment of the recipients (“cookies”), essential in “behavioral advertising”. As well as changes in the recently published “Royal Decree-Law 13/2012″, 30th March, concerning the duty of companies in business communications not to conceal and/or hide the identity of the advertiser, nor incite the recipients to visit websites without identifying the communication as advertising and identifying the legal person that makes it. Also in commercial communications by e-mail, a valid email address is required where people can exercise the right not to receive commercial communications assuring that the sending of communications is forbidden if the address is not included. In addition, a mere notification of the users will to revoke his consent to continue receiving communication shall be enough. This also includes the duty of providing information in an accessible way to users on the above procedures.
Another relevant aspect are the sweepstakes and online games on social networks like Facebook, where besides the compliance of the rules laid down by the referred social network you must comply with regulations and formalities foreseen in the games regulations in force.
What lesser-known legal issues do you think should be highlighted??
From our experience at Le Quid, advising national and international clients for many years, we have observed that sometimes our clients, online service providers, are unaware of the mechanisms and suitable ways to obtain valid consent, they confuse the roles of the Data controller with those of the Data processor, and in their activities acquire or transfer data without being aware of it. Also, the need to comply with current legislation on online gaming is lesser known, as well as the need to regulate the actors’ obligations such as the community manager whose opinions play a decisive role in the company’s reputation of having mechanisms which allow a higher control in minor cases and to consult generic files of exclusion of commercial communications (Robinson lists) which is compulsory prior to conducting advertising or commercial research campaigns. These examples are some of the legal issues often forgotten by businessmen, and the failure to comply with the law can result in considerable fines from the Agency. The lack of knowledge about trademark law and the execution of unfair and illegal competitive practices by the advertisers such as links to competitor’s sites or sites where product imitation of these brands are offered. Small spelling mistakes which take advantage of errors made by users when typing in the brand name is another important aspect which may be considered.
We often speak about the Internet users’ rights, but, what are the rights of online advertisers?
The law seeks generally to protect the weakest party, in this case the internet user. However, the online advertiser has rights that sometimes they are unaware of such as intellectual and industrial property, protection and regulation of brands. Once the brand is registered, it is given an exclusive right to forbid use by a third party. The law in general allows the owner of the trademark to prohibit an advertiser from advertising products or services under denominations similar or identical to those of the registered trademark through use of a Keyword that is similar or identical to that used by the owner of the trademark. Online advertisers benefit from protection on their registered domains meaning that no other company or third party can use them. They are able to report companies that perform actions which constitute piracy or unfair competition acts, and if their rights are damaged, can take any legal action needed for the competitor to cease the anticompetitive and unfair practice. They can bring up civil and commercial actions for damages or even criminal responsibility for them.
At what point is the data protection issue?
The European Commission recently made a proposal to change the European legal framework on data protection with a new regulation on Data Protection which will undoubtedly represent the most significant change in the field and its next approval will lay the foundations for data protection regulation in the coming years. It emphasizes the duty of companies and people responsible for investment in data protection (with impact assessments for privacy and the establishment within the companies of a new figure called “the delegate of data protection”).
The implementation of the new regulation to non-European companies that offer their services and products in the EU; the unification of policies for those publicly responsible and private entities; the inclusion of new criteria in the definition of what is a violation of personal data, genetic data, biometric or health data, the regulation of the right to oblivion, the specific treatments for data of minors and the creation of the European Data Protection Council will be some of the aspects that the European Commission intend to include and will mark a milestone in the data protection regulation for the countries of the European Union.
We must add the immediate regulation of cloud computing, social networks in interest of protecting children and safeguarding the rights and personal data of users, behavioral marketing in the regulation of cookies and the right to oblivion, to allow individuals who desire and request to eliminate their personal data from the search engines and social networks to do so.
In practice, important initiatives such as the modification of Google or Facebook privacy policies or the audit of data protection that Facebook has had in Ireland are signs that this matter will be of high importance in the near future.
What are the basic recommendations for any company operating on the internet?
At Le Quid we recommend our clients who express their desire to operate online, to ensure the fulfillment of legality in all actions and activities carried out.
The regulation of cookies should be taken into account too. In relation to activities concerning advertising on search engines, it must be ensured that these activities or actions do not violate the intellectual property or trademark law and do not constitute unfair competition practices.
When working with social networks, you must ensure at all times that all the expressions and comments to users are respectful. Also, in the case of commercial communications, you must have clear information and obtain prior consent. In general, we recommend reviewing the process within the organization to ensure that they are effective. From our experience we can say that the first thing a company operating on the Internet should do is a review and audit of their processes to detect to what extent they can be improved and adapt them to the LOPD, LSSICE, consumption or intellectual property. It is vital to hire an expert to do this. In our firm, we have observed that some companies have asked for our advice after they have been penalized. Of course, we are able to defend them but it is advisable to prevent and avoid unnecessary fines. The knowledge of law and good legal advice and support from the beginning makes the difference between companies and helps them to act correctly and avoid future penalization.
What about social networks?
Social networks, with an exponential growth are the means to reach thousands of users quickly and at very low cost. It is therefore very useful in the e-commerce and online marketing fields. Nevertheless, we must alarm about the huge amount of data available about us, our friends, customs and even our location, IP address, browser type, websites we have visited and so on. This allows them to easily understand tastes, preferences and the profile of the user, whose data can be easily transferred to third parties, and even worse, may be obtained from security breaches, as has happened in recent years. This has allowed changes to the privacy policies of social networks like Facebook with greater penetration, which we believe are still inadequate in terms of the guarantee and protection of data protection rights and privacy. However, there are good examples such as Sonic and LinkedIn who are closer to fulfilling the essential principles in the configuration of data protection law at European level such as the consent, information, purpose, data quality, fulfillment of security levels and allowing the exercise of rights of access, rectification, cancellation and opposition.
Definitively, it is possible that in the not too distant future with the normative changes like the protection of information, the increasing demand and the need from users of major protection and security, social networks will be forced to change their privacy policies and to implement better security, especially if they want to stay in the market. Their next opponents like “Altly” (alternative to open-source Facebook), whose main focus is on security and data protection, point out that users should know exactly who can see what information from the network and the control of information “should be in our hands and its practice should be extremely simple.” Beyond any subjective assessment, social networks will have to adapt to the idea that many users do not want to share their private life and in the future there will be more regulation and intervention by regulatory authorities, especially with the regulation of minor details, the right to oblivion and new online games on social networks.
What is the future for cookies; key allies of online marketing?
The “Royal Decree-Law 13/2012″, 30 March, was recently published and transposes directives on internal markets in electricity, gas and electronic communications by adopting measures for the economic imbalance correction between costs and electricity and gas revenues. ”
The above mentioned Decree specifies in its Article 4 the modification of the Law 34/2002 concerning the Information Society and Electronic Commerce Services (LSSICE) regulating the cookies referred to in article 4.3. It gives a new draft to the article 22.2 of the LSSICE, highlighting a new aspect: “the need for consent”, as well as the information foreseen in the LSSICE.
From the point of view of the European regulator the message is clear, prior consent is a basic requirement. The working group of Art. 29 has made it clear on several occasions where the privacy topic will have to be considered by the companies.
The above mentioned regulation means an important milestone in behavioral advertising. It will be necessary on the part of the advertisers to provide some mechanism such as a tick box where the user authorizes the installation of cookies on their devices, whose application in practice will be very difficult and whose implementation will take time.
Finally, it should be noted that the competent body for the possible infractions for the breaches of the new regulation is the Spanish Agency for Data Protection, and will have to establish examples of valid mechanisms for the compliance of the new legal framework. In other countries like the UK generous terms have been granted to those responsible to adapt their websites.
In any case, it will be necessary to pay attention to the Agency’s reaction against the new regulation of the cookies. We also recommend modifying the privacy policies to fit the new regulations and taking all necessary measures to avoid any penalty.
Likewise, it must be noted that the rule regulates “storage devices and data recovery of information in the terminal equipment of the addresses”, and not just the cookies that are a speciality within the type.
Internet is global … in what measure is legislation local?
Internet is global, but it is very difficult to have global laws that apply equally to everyone even if that is the trend especially in the EU countries, unlike in some of the Common-law countries (especially the United States) where the regulation is local and much more flexible than in the EU countries.
In general, the regulation of rules related to Internet in the EU is more uniform. The tendency is that they will be charged to lenders of services in our territories even though they are established in countries outside of the EU.
Therefore we are inclined to think that the above mentioned local laws will slowly have to start to give in and make changes if they want their companies to have the same competitive advantage as the rest.
If we want a unique digital market to grow, the unification of the regulation is necessary and in Europe we are making big advances into this. Local legislations will have to yield and change. The search engines must come to terms with the fact that the Internet is not a territory without law.
What are your forecasts for the future: in which areas there will be more changes?
A lot of changes will take place in this sector in the following months. In terms of data protection, the new European regulation will play a decisive role and will directly influence online marketing.
These upcoming trends will be taking place in this dynamic and constantly evolving field, where no doubt, information, prevention and good legal advice will make the difference between the companies.
Suscríbete a LeQuid de la Cuestión
La publicación de LeQuid sobre el mundo del Derecho en los negocios.