• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

Hiding in plain sight - the browser 'do not track' header

​While the compliance and tentative enforcement of ‘the cookie law’ continues, change is also continuing in a related online privacy issue: the web browser ‘Do Not Track’ settings.

On the face of it, Do Not Track (‘DNT’) is a simple concept. It is a proposed web standard by which a user sets a flag (or header) that their web browser sends to websites when the browser requests data. This flag has three settings - DNT:1 (a wish to not be tracked); DNT:0 (consent to be tracked); and a third ‘null’ setting (the absence of either DNT:1 or DNT:0). On its face, this just represents a technical setting which can be used to express a user’s wish, with no inherent legal (and some would argue, moral) requirement to be respected or adhered to.

Confused? You Should be

The new European privacy regulation at regulation 6(3A) specifically sets out that a user amending or setting a control on the internet browser is able to constitute consent. The DNT flag therefore seems like an ideal candidate for showing the consent required to store data on user’s computers under the Privacy Regulations. For years the advertising industry has argued that a user is perfectly able to opt of cookies out by turning them off in their browser, and that the user’s decision not to do this constitutes implied consent for any website to place cookies on their computer. This opinion has however been squarely rejected by a central body of European privacy regulators – the Article 29 Working Party –– who produce non-binding opinions on such matters. In their view, websites can only assume that a browser accepting cookies represents informed consent if there is a sufficient proportion of internet users with the technical knowledge of how cookies work and what they are used for. In the opinion of the European working party, this was not the case as of Dec 2011. In May 2012, the that consent might be inferred from a series of actions that in isolation do not constitute a direct expression of a user’s thoughts, but went on to say that most browsers (as of May) were not sophisticated enough to assume that browser settings signify consent.

From this jumble, we can however take away that European regulatory clarity for browser based consent to cookies and tracking requires an opt-in browser setting indicating user consent to be tracked. Applying this to the draft DNT standard, a web browser indicating DNT:1 could indicated user consent as long as DNT:1 is not the default setting. DNT:1 is however likely to be the default setting in the final specifications. To understand why, we need to review the history of the DNT standard.

A camel is a horse designed by committee

DNT began as an American initiative at the US Federal Trade Commission in response to US consumer advocacy groups. From 2007, the interested parties (the FTC, web browser authors, consumer rights groups and advertising networks) began discussing the proposed header, with advertising networks agreeing involvement only on the condition that DNT:1 was not activated by default. Consumer rights groups compromised - an opt-in DNT:1 header is preferable to no header - and so the DNT drafting committee moved forwards on the basis of DNT:1 being opt-in. The default would be DNT:0, and the advertising networks would revoke their support if the DNT:1 ever became default.

The years rolled on, data breaches occurred, and European privacy requirements became more stringent and prevalent. Privacy hawks and consumer rights groups continued to hope that DNT:1 might become the default header. The idea of a ‘default’ DNT header is subtle however. There are the DNT committee specifications, and there is the actual header which browser authors implement by default  For years, most browser authors have viewed standards compliance as a ‘wish list’, rather than a requirement. When push comes to shove, each browser author can create its browser as it chooses, whether in compliance with ‘standards’ or not.

In June this year Microsoft did exactly this. It announced that it would enable DNT:1 as the default setting in the upcoming Internet Explorer 10. This of course created a strong backlash. Advertising networks claimed this would be a non-standard implementation and so would not reflect user choice, so should (and would) be ignored. Industry cynics claimed this was a way for MS to embarrass Google, as Google would have to respect such a flag (impacting on its behavioural advertising business), or ignore it (with associated regulatory and reputational consequences).

The Emperor’s Clothes

In my view the most interesting reaction came from a member of the DNT committee who proposed a ‘patch’ to the Apache web server (the most commonly used web server) to ignore any such DNT:1 headers which come from Internet Explorer 10. Just this week, Yahoo took a similar approach indicating that it would not respect IE10 DNT headers. This is where the collaborative nature of DNT is revealed. Without any legal teeth, DNT:1 is merely a polite request for legitimate websites not to track you. The only compulsion for a website to respect it is a moral one, which will only be taken if the website feels that the header genuinely reflects user wishes. Of course, unscrupulous, incompetent, and predatory websites will track users regardless of the DNT header, meaning that the DNT header gives the illusion of protection, but in fact reduces it.

Further complications arise the more one considers what ‘tracking’ actually is. There are many reasonable interpretations as to what user DNT:1 might allow, or prohibit – detail far beyond the scope of this article. While European regulators may have a view on this, it is unlikely to align with the FTC’s view, and will not align with the view of the advertising networks (some of which feel it will mean ‘stop showing targeted adverts’, rather than ‘stop collecting data’). Each legislative body might give a different meaning to each DNT header in their territory – and so we still have jurisdictional confusion for an international problem.

This leaves proponents of a default DNT:1 stuck between a rock and a hard place. A voluntary standard that asks too much will be ignored, and therefore be inconsequential. ‘Non-standard’ browsers are being ignored. The current lack of a standard means true consent is difficult to express. Pushing forwards too hard might result in no progress at all.

Agreeing to disagree

All parties involved in the current DNT debate seems to agree that DNT should reflect user intent, and there is a moral obligation for websites to respect that user intent. Advertising networks however tend to argue that onus is on the user to express a wish for privacy over personalisation. Consumer rights groups and European regulators argue that the onus is on the user to express a wish for personalisation over privacy. Those with a preference for generalisation might also say that the advertising networks reflect a generally American pro-commerce view, whereas the consumer rights groups reflect a generally European pro-data-subject view.

Part of this difference is self-interest, part of it is cultural. Part of it however relates to how a DNT header would be used today. In Europe, there is a clear legislative framework for DNT to slot into – it could be used (with the right default setting) to indicate consent for placing cookies and tracking users as is required under certain European community laws. In America, there is no such legislative framework to lend DNT weight. An American member of the DNT specification committee has explained that “many people are simply not willing to engage in a process of ‘let's define what regulators should enforce’ in the absence of context”. This might explain why DNT:0 as default is a condition of advertising network support, and also the prevailing view in America.

The current situation

At the time of writing, all major browsers now have a DNT header included in their latest version. Only IE10 implements DNT:1 as the default header however this is being pointedly ignored by various web services. The DNT specification for that header is still however being drafted and debated, with over 100 issues remaining, and a timetabled recommendation for April 2013. The DNT header will continue to morph over the coming months. With some hope, the DNT header will align with legislation so it can be used as a reliable indicator of user wishes. The extent to which the DNT specification might meet legislation, or legislation might meet the DNT specifications remains to be seen. If the former, alignment of technology and European law is a real possibility for 2013. If the latter, we could be in for a wait. Hope springs eternal.

 

For more information please contact Richard Folsom