
Crowdfunding: A quick guide to the new restrictions and protections

A set of new consumer protections are due to come into force on 01 April 2014.

New restrictions will apply to two types of crowdfunding – loan-based (lending to individuals or businesses in exchange for interest payment and capital repayment) and investment (equity) based (typically in companies in exchange for shares, debt securities or other “non-readily realisable assets”).

The new rules will not apply to reward or donation-based crowdfunding.

Loan-based Crowdfunding – what happens to the lender’s money if a platform fails?

The recent focus on consumer protection is a by-product of the drastic expansion of loan-based crowdfunding (especially P2P lending). Last year approximately £480 million was lent, representing a jump of approximately 150% on the previous year.

The new rules introduce not only minimum capital standards but also a requirement for firms running loan-based crowdfunding platforms to have arrangements in place to enable loan repayments to continue to be collected in the event that the platform fails.  From 1 April 2014, loan-based crowdfunding platforms will be required to hold regulatory capital of at least £20,000. This will increase to £50,000 in April 2017.

The new requirements should provide comfort to lenders, as they will still be unable to claim through the Financial Services Compensation Scheme.

Investment (equity) based Crowdfunding and other similar activities

The rules aim to ensure that consumers have access to fair and accurate information and are equipped to make informed decisions about investments.

What?

The new rules will affect direct offer financial promotions. For clarity’s sake, a direct offer is a promotion that contains an offer, or an invitation that specifies the manner of response, or includes a form, by which a response may be made.

If the promotion does not specify how to respond to it, then it is not caught by the new restrictions.

However, if the communication provides marketing information about a specified investment, then the restriction will apply and, as usual (unless an exception applies), one will also need to ensure the communication complies with the other relevant financial promotion rules.

A few tweaks may be required to direct offer financial promotion material whether in hard copy format or online and promoters may wish to consider removing downloadable forms – or make these accessible only to certain types of investors, as detailed below.

Who?

The new rules will place limitations on the types of investors to which equity based crowdfunding platforms may send direct financial promotions. Direct offer financial promotions can now only be targeted at professional clients and certain specific categories of retail clients whether sophisticated, high net worth investors, or retail clients who certify that they will not invest more than 10% of their net investible financial assets in unlisted equity and debt securities.

Is it appropriate?

In addition, crowdfunding platforms will need to consider an appropriateness test in cases where no professional advice was provided. It is a requirement that all firms must check that clients have the knowledge and experience needed to understand the risks involved before being invited to respond to an offer. This new appropriateness test will be in line with the rules in the Conduct of Business Sourcebook (COB).

Firms operating equity-based crowdfunding platforms may also need to gather certain data on potential investors in order to undertake the appropriateness test.

Whilst the rules on direct offer financial promotions will come into force on 01 April 2014, the transitional arrangements provide that it will be acceptable for firms to continue to comply with the existing rules for another six months.

Data Protection Revisited – Hacking, Leaking and Cloud Concerns in 2014

Hardly a day goes by without a new story about another cyber-attack, leaked or hacked passwords or log-ins.

The 7th principle of the Data Protection Act 1998 mandates that

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Many of the leaks and hacks relate to information which falls squarely within the definition of “personal data”. The question is whether organisations are meeting their obligations under the 7th principle. It is a “big ask” as hackers are resourceful and continuously seeking and finding ways to circumvent protocols and technology that were previously considered safe and secure.

One of the major problems in the battle against cybercrime is that there is no absolute universal security standard. Thus, hackers will always look for the weakest point in any security chain. Recently it was reported that thousands of Tesco.com usernames and passwords were gathered by hackers during cyber-attacks on third party websites and the hackers then tried to use the usernames and passwords to access Tesco.com.

Sometimes, leaks are inadvertent as evidenced by the recent accidental disclosure by Tesco of hundreds of customer email addresses whilst apologising for a pricing error. Instead of using the “bcc” field Tesco included all of the recipients’ email addresses in the ‘to’ field.

There are also data security questions relating to the transfer of data outside the EU to countries which aren’t as mindful of protection of personal data. This is reflected in the 8th principle of the Data Protection Act 1998 which provides that

“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

To address this concern, the US introduced the voluntary “Safe Harbor” scheme under which entities voluntarily commit to abide by principles similar to those enshrined in our Data Protection Act. However, in a recent ironic twist, a draft report by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee on US National Security, the European Commission was leaked and this draft has cast doubt on the reliability of Safe Harbor citing numerous deficiencies and loopholes. As the USA is probably the leading cloud hosting provider in the world, this highlights all sorts of issues for EU companies which directly or indirectly transfer or store data in the USA.

Data Controllers should bear in mind not only their legal responsibilities under the Data Protection Act regime but also that the Information Commissioner now bears teeth with the power to impose fines of up to £500,000 on those who fail to comply.

Simon Halberstam

Don’t shoot the messenger: Internet middlemen on the hook for actions of illegal website operators

Internet Service Providers could find themselves incurring substantial expense in protecting the copyright interests of others. Websites that exist beneath the radar of detection and infringe the copyright of others, such as those that offer unlawful music downloads and streaming, are likely to escape scot-free while ISPs are left to pick up the bill.

A recent opinion from Advocate General Cruz Villalon in the Austrian case of UPC Telekabel Wien GmbH (“UPC”) v Constantin Film Verleih GmbH und Wega Filmproduktionsgesellschaft GmbH (“Constantin”) has provided further guidance for those seeking blocking-order injunctions against bodies who infringe their copyright. The case was referred to the Advocate General by the Austrian Supreme Court and concerns the website “kino.to” which allows its users to download and stream films without the consent of the film copyright holder (in this case, Constantin). The operators of such illegal websites are typically very difficult, if not impossible to trace. Copyright holders are then forced to look elsewhere for a remedy and in this case they looked no further than the internet service provider, UPC.

Before finding its way to the Advocate General’s desk, the case had already been considered at first instance and then again in the Austrian Appeal Court. On both occasions an interim injunction was granted against UPC despite it having no direct legal relationship with ‘kino.to’. The injunctions were granted on the basis that UPC is an intermediary insofar as it allows its users to access kino.to which in turn infringes the copyright of Constantin.

There was some disagreement between the Austrian court of first instance and the appellate court as to whether the terms of such an injunction should be specific (such as DNS or IP blocks) or general. There was also some concern that in blocking an IP address, other perfectly lawful sites which shared that IP address would also be blocked and users prevented from accessing lawful websites.

In looking at this issue the Advocate-General considered that an order of a general nature was not consistent with EU law. Such an order would need to contain specific directions as to the measures to be taken in order to comply with the spirit and intention of the various directives and other legislation in this area. The Advocate-General noted the requirement for a balance to be struck between the rights of copyright holders not to have their copyright infringed and the rights of the ISP. Further he noted that the specifics of this balancing exercise would need to be carried out by the national courts.

The one chink of light for ISPs in the opinion was the Advocate-General’s consideration of a “reasonable steps” defence whereby an ISP could avoid liability for breach of a blocking order by showing that it had taken all reasonable steps to comply.

The Opinion of the Advocate General is not binding on the CJEU and the final judgment in this matter is awaited. However, given the strong indication to national courts in relation to what is considered proportionate, it is more than likely that the opinion will form the basis of the forthcoming judgment.

Simon Halberstam

Can you afford not to have a new Generic Top Level Domain?

Anyone who has ever tried to buy a house will know that location is everything. In London, house buyers will pay a premium for an average house in a sought-after postcode purely so they can utter those magic 3 words “NW3” or “SW3” at the end of their address. The internet is no different and with the recent launch of the gTLD program (Generic Top Level Domains), a whole raft of domain name suffixes has now become available; indeed Rich Merdinger cannily describes these domain names as “21st century real estate”.

“.com”, the most common of the domain name suffixes (or “strings” as they are also known) was launched in January 1985, with other commonly used strings following closely behind such as “.co.uk” and “.org”. The introduction of gTLDs signifies an end to the closed market of generic suffixes and opens up a whole universe of domain name permutations such as “.food”, “.games” and “.venture” to name but a few. The idea is that businesses may set themselves apart from their competitors or other companies with similar names by having a personalised or sector-specific domain name suffix.

The latest wave of new strings has also seen the introduction of geographical and internationalised domain names such as .london and .nyc which, it is hoped, will localise businesses and in turn strengthen the brand of the various cities. Suffixes using the Cyrillic, Chinese and Arabic alphabet are also being introduced.

There are now almost 600 new suffixes available for which brands can apply. ICANN (Internet Corporation for Assigned Names and Numbers) has said that the new suffixes allow for easy identification of a brand’s website(s) and therefore a greater sense of security and trust in the online content for the user.

There is, of course, a process to go through when applying for a gTLD and ICANN has helpfully produced an Applicant Guidebook, although do be warned; it runs to some 338 pages. Applications will go through an initial evaluation and those which do not face any objections will be eligible to proceed to allocation with the new gTLDs delegated soon afterwards.

Scope for domain name disputes arising is considerable as brands that manage to secure the most popular and recognisable top level domains are likely to operate at a competitive advantage. Some brands with similar names may even have a claim to the same top level domain name which could result in lengthy pre-registration disputes. It is unclear how such disputes will be resolved; will the suffix be sold to the highest bidder or the business that can prove that its claim to the name is indubitably more genuine and justifiable than that of its competitor?

The application itself does not come cheap, as applicants such as the BBC (applying for “.bbc”) and the Guardian newspaper (applying for “.guardian”, “.guardianmedia” and “.theguardian”) have discovered. Paying $185,000 for the application alone with a further cost of $25,000 per annum to keep the name in the event of a successful application, it has been argued that those companies purchasing gTLDs are forming “an elite club” consisting only of those able to afford the security and status that comes with having a personalised domain name suffix. This is much the same as those looking to secure real estate in prime locations: the prestige of a desirable and recognisable address is likely to leave you significantly out of pocket.

Simon Halberstam

Trademarks in the bakery: let the batter begin!

We have become a nation obsessed by cake. Cake is not, as we once thought, a treat reserved for birthdays and special occasions. You can barely order a cup of coffee without having your arm twisted into buying some form of patisserie.

Cupcake stores, tea houses and dare I say it ‘bakers’ are popping up on high streets everywhere and you only need to switch on the television to see Mary Berry and her grumpy sidekick talking about “soggy bottoms” and “even crumb texture”. Don’t let me get started on “buttery biscuit bases”!

After all of this it is likely that you will be suffering cake fatigue, (or it may just be the result of a horrible post-cake sugar comedown). Victoria Sponge? Boring. Lemon Drizzle? No thanks. You are looking for something innovative, new and exciting. It should be like a cake, but not a cake. Maybe more like a muffin and maybe just a little bit like a doughnut, hang on…what if we made a doughnut that was also a muffin?

It was probably a similar conversation that occurred in the Starbucks Baked Goods Product Development brainstorming session shortly before the conception of the ‘Duffin’. Half doughnut, half muffin, the birth of the Duffin was a happy time for all, not least for the factory suppliers to Starbucks (Rich Products) who skipped straight down to the Intellectual Property Office and registered “Duffin” as a trademark.

A glorious new cake-cum-fried dough concoction had been created and everyone was patting Starbucks on the back for being so great and making our wildest cake fantasies a reality. Everyone except for Bea, owner of the boutique tea house “Bea’s of Bloomsbury”, who took to the social media platform Twitter to start #DuffinGate and make her feelings known about Starbucks’ latest creation. It turns out that Starbucks was pretty late to the ‘doughnut masquerading as a muffin’ party. So late that it had totally missed the fact that Bea had been baking and selling Duffins for years, the recipe for which sat in her widely-sold ‘Tea with Bea’ recipe book published in 2011.

Bea is naturally concerned for the future of her Duffins. Will Starbucks assert its right to prevent her from selling them? Must she cease and desist from selling Duffins? Starbucks has responded by way of a public statement and said that it won’t stop Bea from selling her wares, however it seems that Bea is on the lookout for a trademark lawyer to help her fight Starbucks on this. Whether this is just “Duff talk” on Bea’s part or she actually plans to pursue Starbucks remains to be seen.

Registered trademarks can be challenged and if the opposition is successful, the registration may be cancelled. Bea does, to some extent, have the common law on her side. Even without a registered trademark the owner of goodwill in an unregistered mark can sue for “passing off”.

Watch this space, it could get messy!

Simon Halberstam

For further information, contact Simon Halberstam, partner in our technology law department at simon.halberstam@smab.co.uk or by phone on 020 3206 2781

Misleading advertising: the games people play

If you have young children of your own or nieces or nephews you have probably endured hours of Dora the Explorer, Peppa Pig, In the Night Garden (I could go on) and will have therefore also borne witness to the barrage of advertising for various children’s toys and games and the “hard-sell” techniques targeted at young viewers.

These adverts seem to have something of a hypnotic effect, whereafter a tense set of negotiations will follow between parent and child. On the one hand there is the child’s desire, no, need for that Scalextric/Furby/Barbie Goes Ice Skating Ice Rink and on the other, the frustrated parent’s sideways glance to the pile of long-forgotten toys which were “vital” to the child’s well-being only a few short months before.

Children are suggestible. It doesn’t take a PhD in Psychology to work that one out. Further, children are highly affected by emotive advertising and as such are labelled as “vulnerable consumers” to whom higher levels of protection should be afforded. It is this assessment of young consumers that lies at the heart of the OFT investigation and corresponding report (published on 26 September) in relation to children’s app and web-based games.

A number of concerns were raised during the investigation which started in April this year and examined closely 38 app and web-based games. The OFT uncovered 5 broad areas where it considers improvement is needed. This blog sets out the key problem areas.

First, and somewhat obviously, consumers must be in a position to make transactional decisions which are fully-informed and not as a result of misleading or incomplete information. This might apply to games which are initially free and then require the player to make a purchase to access additional levels or other items necessary to proceed. All prices should be made clear to the potential purchaser up front and in any event before signing up or downloading. All types of costs need to be set out including initial signing up costs, subsequent unavoidable costs (should the player wish to continue playing the game) and other optional costs such as purchasing additional content to enhance the experience.

Misleading advertising is also highlighted as a problem. In particular, the inclusion of screenshots depicting content which is not included in the game for free or as part of the initial sign up cost and which might mislead the consumer into thinking that it will be able to access that content for no additional fee. This is a typical ‘batteries not included’ scenario. Buying a Sylvanian Families animal figurine does not entitle you to the entire Sylvanian Families model village just because it was shown that way on the TV ad.  This sort of discrepancy will be patently clear to a consumer buying a toy or game from a shop, where it can see what it is buying, whereas a purchaser of an online game will not necessarily be aware that the content shown on-screen will not be available without further purchases being made. The OFT recommends that only free content or that which is available in exchange for the initial sign-up fee for the game should be displayed in such advertising.

Consumers should also be informed as to whether the game contains marketing, either the trader’s or that of a third party. Additionally, if data (personal or otherwise) is to be collected from the player, then the reasons why that data is being collected should be communicated clearly to the consumer. Guidance states that personal data supplied by the consumer should only be used (for example) to communicate with the consumer about the game itself and not for other purposes.

Further, consumers should be informed whether an additional purchase is strictly necessary in order to progress in the game. In some instances an alternative will be available, such as waiting or “grinding” through a game. When such an alternative is available, this should be communicated to the consumer in an equally prominent manner to the paid option. Moreover, the OFT warns against commercial practices which are exploitative of young users.

The OFT saw messages in games where the consumer was made to feel inferior if it did not purchase further content or was led to believe it was letting down other players or even disappointing or mistreating the characters within a game by not making further purchases. Examples included ‘your Cat/dog/fish is hungry and sad’ and ‘purchase further content to feed him/cheer him up.’ These statements are clearly manipulative and should be avoided when dealing with inexperienced and naïve consumers.

However, the OFT does not seek a blanket ban of commercial messages and in-app purchases within children’s games; it merely wants the commercial aspects to be separate and distinct from gameplay itself. For example, a compliant commercial message will simply give information about an upgrade or potential further purchase and provide a “click for more information” link or the options of “go to shop” or “cancel and wait”. A non-compliant game will contain a direct incitement displayed during and interwoven with gameplay, such as “Upgrade your account now”. Perhaps keeping gameplay and commercial messages separate in this way will prevent young players making snap decisions whilst in the throes of a game. Although, arguably, the only practical difference between the two examples given is an extra mouse-click or finger swipe.

Finally, the OFT highlights the problems with Continuous Payment Authority and app-based games. Many mobile devices contain default settings which, once a password has been entered, allow further purchases to be made for the next 20 minutes without re-entering a password each time. The OFT recommends that this should be an optional setting rather than a default setting. Better still, the consumer should have to re-enter its password every time an additional purchase is made so that informed consent is being given for each additional purchase.

In response to these issues the OFT has drafted a set of principles setting out how the existing consumer protection law framework should apply to app and web-based games and providing guidance to those within the industry. The ‘Principles’ encourage self-regulation, which seems sensible given the difficulty of enforcement and the fact that the law is likely to always be playing catch up with this innovative and fast-paced sector.

The OFT is currently inviting responses to its proposed principles.

You may also be interested in our earlier blog on Targeted advertising and Privacy.

Simon Halberstam

The final front-eye? Legal issues around Google Glass and other Augmented Reality

Augmented Reality (AR) is an enhanced version of reality achieved by superimposing computer generated graphics and sounds on the natural world. It should be distinguished from pure virtual reality, which is an entirely computer generated environment in which the user immerses itself. For example, AcrossAir enables users to locate the nearest restaurants, hotels and landmarks by pointing their mobile cameras at the street. Google Glass goes a step further by replacing the need for a handheld mobile device with a super charged (Geordi La Forge – apologies to non-trekkies) visor. Courtesy of Google Glass you can overlay Google maps on the street down which you are driving.

Companies and even cities are adopting this new technology. Bordeaux now provides visitors with a tablet fitted with AR software, GPS and a route map of the historic city centre. At points of interest, tourists can trigger the tablet which then superimposes virtual images over landmarks helping tourists to imagine what Bordeaux was like in the 18th Century. IKEA plans to introduce an AR feature into its next catalogue. This will enable customers to superimpose a virtual image of a product into their home, giving them a “real” time view of the product in the intended room.

Most tech savvy people out there will already be aware of QR codes which, from a marketing perspective, are often a ‘lighter’ and cheaper alternative to AR. QR codes are sophisticated barcodes, which instead of merely being used to identify a product and its price at the checkout, can store a lot more information. They can also trigger actions like launching a website when accessed via the right technology (such as the QR Reader app on a smartphone).

QR codes are fairly mainstream, already to be found in retail outlets and on buses and tubes, but AR is undoubtedly the future, especially following the general release of Google Glass. AR creates excitement for the user, going further than QR codes and without the need for a specific app.

However, there is a danger that AR blurs the frontier between the real and virtual world and this may be dangerous, particularly for children. Bullying and/or ‘trolling’ on social media sites may just be the tip of the iceberg.

Legal issues arising from the use of AR technology

As I mentioned in a previous blog (see “Malice through the looking glass”), AR is likely to cause an explosion in privacy litigation. It will be harder to control your online presence if information is being constantly uploaded by people wearing Google Glass or similar technology. Those wearing AR technology are likely to be able to easily, quickly and surreptitiously access a lot of your personal information, such as your Facebook profile, LinkedIn profile, and job description etc. If the objections to facial recognition technology are overcome, this could become a major issue.

Another issue to consider in relation to AR is misleading advertising. A complaint was filed in the US against the owners of Doritos following their AR digital marketing campaign. It was felt by some that AR technology can disguise marketing campaigns as video games or other forms of entertainment, making it difficult for young people to recognise them as adverts. The dangers of misleading advertising have also been highlighted recently by the furore over undisclosed sponsorship of celebrity tweets, the subject of the recent Dispatches programme ‘Celebs, Brands and Fake Fans’.

If someone is injured as a result of using AR technology, will they be able to sue the manufacturer? It is not hard to see how this could happen while playing ‘SpecTrek’, a mobile app which, when launched, will make virtual ghosts appear in your real world surroundings and encourage you to capture them with a net by running towards them. Myriad other legal issues could arise in areas such as data protection rights, trade mark disputes, copyright and defamation.

AR will no doubt form part of our future and users will soon be making subtle hand motions, wearing ‘smart’ clothing and using voice commands to interact with the web. However, all this technology development requires appropriate regulation to ensure that there are democratically decided boundaries and that we remain firmly rooted in reality. As a child, I was astounded to read about a world in which adverts were superimposed onto living as well as inanimate objects and changed according to each user and its mood. The future has now arrived and the law had better not blink.

Simon Halberstam

Do Not Track – positive for privacy or the end of the internet as we know it?

As I mentioned in my blog ‘Targeted advertising and privacy’ last week, Do Not Track (DNT) is a system which sends out a line of code to third party websites indicating that they should disable their tracking of a user’s web browser activities.  DNT prevents the gathering of data which enables tailored behavioural advertising.  This system is currently voluntary meaning that a user generally has to opt in to DNT and then rely on a website to understand and respect the DNT signal its browser sends out.

When Microsoft released Windows 8, which includes Internet Explorer 10, last year, it was one of the first companies to set DNT as a default in its browser.  At the time, its Chief Privacy Officer, Brendon Lynch, explained that Microsoft made this decision “because we believe in putting people first. We believe that consumers should have more control over how information about their online behaviour is tracked, shared and used” and that “consumers should be empowered to make an informed choice”.

Now you will probably not be surprised to hear that I am firmly in the ‘keep my browsing activities private please’ and ‘let me make my own choice’ camps, so I tend to agree with Brendon Lynch.  I have, however, encountered some problems with my stance.

The most convincing argument against my ‘pro privacy and choice’ stance is that of free content.  The internet is replete with useful and free content.  This is usually financed by the sale of third party advertising on the relevant sites.  If we restrict the ability of websites to sell targeted advertising, we may end up with pay walls to access the content that is currently free.

There is also the argument that by setting DNT as a default, you are depriving the consumer from making an informed choice as to whether it is happy to receive targeted advertising based on its previous browsing habits.

Another issue with DNT is that it is voluntary, so only respected by certain organisations whilst ignored by others.  The extent to which it is respected by organisations also differs.  Until DNT is recognised worldwide and there is uniform response to it, it is unclear to what extent it keeps your online activities private.

The debate surrounding DNT can be likened to the current debate surrounding online pornography in the UK.  David Cameron announced this week that most households in the UK will have pornography blocked by their internet provider unless they actively choose to receive it.  This is what the Government has decided to do to protect children from indecent content, an objective I think most people would support.  Pornography, like advertising, however, has its place.  The question is, should you have to opt in or opt out? And would both of these be issues if education were better and we, as users, understood exactly what information is collected about us and how to adjust our settings and better control our privacy and content?

Despite being a lawyer, I don’t like to see legislation used in place of education and sensible, technical solutions.  I am not sure we need DNT legislation.  Education around online privacy and blocking content would surmount many of the privacy issues we encounter and give everyone an informed choice.

From a legal standpoint, you need to bear these issues in mind when writing or updating your privacy policy.

Simon Halberstam

Targeted advertising and privacy

‘Tailored advertising’ or ‘retargeting’ allows businesses to target advertising at people who visited their site but didn’t buy anything. These types of ads are becoming more and more common, as Tory MP Gavin Barwell discovered the hard way when he sarcastically tweeted “I know Labour are short of cash but having an invitation to “date Arab girls” at top of your press release?”. Facebook and Google already offer tailored advertising and Twitter announced this month that it will soon be trialling ‘promoted tweets’. These are ads displaying content from brands and businesses in which a user has already shown interest.

Businesses can tailor advertising by installing tracking software on their websites which uses cookies to record generally anonymous details of site visitors such as estimates of their age, sex, income and interests. A cookie is a small text file implanted by an online provider on the hard disks of visitors which collects information about the user. This then allows the online provider (through a retargeting vendor) to display adverts to those same potential customers when they visit other sites. The aim of the game is to convert initial interest into sales.

Twitter plans to use even more sophisticated technology. Instead of just doing the above, it will allow advertisers to upload a list of customers and potential customers on to the Twitter advert platform and then target ads at people who are both on the advertiser’s target list and also Twitter users. As Kevin Weil (Twitter’s Senior Director of Product, Revenue) put it in his blog “Users won’t see more ads on Twitter, but they may see better ones”.

The issues here are both privacy and anonymised online tracking. Do users want their online habits tracked? Do they even know what information about them is being collected?

The US already has a non-profit organization led by the top advertising and marketing trade associations, the Digital Advertising Alliance (DAA), which enables internet users to opt out of this sort of advertising through the DAA’s Self-Regulatory Program for Online Behavioural Advertising. By filling out the DAA’s opt out page, users can opt out from receiving interest-based advertising from the scheme’s participating companies. The Senate Commerce Committee is also currently considering universal “Do Not Track” legislation that could have far-reaching implications for interest-based advertising.

In the UK, the use of cookies is only allowed if the user has given his or her consent and has been provided with clear information about the purposes for which the information collected is stored and accessed.

While the use of cookies in the UK is governed by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, it is the Committees of Advertising Practice (CAP) who write and maintain the UK Advertising Codes, which are administered by the Advertising Standards Authority (ASA). The ASA announced new rules for online behavioural advertising earlier this year. The main requirement of the new rules is that internet users are offered the choice to opt out from being targeted via online behavioural advertising.

The reality is, however, that if you do not accept a website’s cookies, the website’s functionality will often decrease. This is a disincentive to opting out. There is also widespread ignorance among internet users about the amount and type of information collected about them online. Many are unaware of organisations like the DAA in the US or just automatically click ‘ok’ to the cookie opt-in when they visit a new website in the UK.

While national debate on this subject has a long way to go, money talks and targeted advertising can improve an advertiser’s return substantially as ads are targeted at users who are already inclined to buy. For Twitter, Facebook or Google, a targeted ad on which more users click means more advertising revenue.

What to take from this blog?

Consider privacy and legality before amending or updating your organisation’s advertising strategy. Learn from Google’s mistakes, as Twitter appears to have done. The UK’s Information Commissioner’s Office informed Google on 4 July 2013 that it must amend its privacy policy to avoid potential enforcement action. Twitter, on the other hand, has been praised by campaign groups for protecting privacy. Twitter has promised to give users “simple and meaningful privacy options” when it introduces promoted tweets by allowing users to uncheck a box in their account settings. This will prevent Twitter from tailoring ads by matching a user’s account information with information provided by Twitter’s ad partners.

Data protection in mobile apps: boring, but ignore it at your peril

The range of apps for mobile devices is astounding. I doubt that there is anyone reading this that does not have at least a few apps on their smartphone whether Runkeeper, Facebook, Instagram, Snapchat or even the latest find love app (swipe to left if it’s a no or to the right if it’s a yes).

In fact, according to the EU’s Data Protection Working Party, more than 1,600 apps are added to app stores daily and an average smartphone user is reported to have downloaded 37 apps in 2012 (alas, I am below average, shame!).

Something we do not necessarily think about when downloading and using an app is the amount of data it collects about us. Mobile apps can collect personal information such as location, contacts, credit card details, phone and messaging logs, browsing history, email, social media contacts, the identity of the phone and end user, photos, etc. Fortunately for app users, and unfortunately for ‘data controllers’ (see below), legislation governs the collection and use of personal data in the UK.

The collection and use of personal data in the UK is governed by the Data Protection Act 1998 (DPA) and overseen by the Information Commissioner. The DPA implements the EU’s Data Protection Directive (Directive 95/45/EC), which applies to all 28 Member States.

In short, Data Protection legislation requires the data controller (the person who determines the purposes for which and the manner in which any personal data is processed) to collect and use personal data in accordance with eight principles. The eight principles require personal information to be:

  1. fairly and lawfully processed
  2. processed for limited purposes
  3. adequate, relevant and not excessive
  4. accurate
  5. not kept longer than necessary
  6. processed in accordance with the data subject’s rights
  7. held securely
  8. not transferred to countries outside the European Union without adequate protection

In practice, almost any business operating in the UK which holds information about individuals (whether employees, customers or anyone else) is potentially caught by this legislation.

The recent EU Data Protection Working Party’s opinion focussed on apps on smart devices and identified a number of data protection risks, notably:

  • Lack of transparency. The end user of an app is often unaware of what information an app is collecting about them and for what purposes.
  • Lack of free and informed consent. Consent, if it is requested at all, is often limited to accepting the app’s terms and conditions. There is often no privacy policy and end users rarely have specifically to consent to sharing their personal information.
  • Trend towards data maximisation and disregard for the principle that data should be collected and processed for limited purposes. Whether it is out of ignorance or intentionally, many app developers collect data from smart devices which is unrelated to the app itself and is then distributed to third parties.
  • Poor security measures. App developers who suffer personal data breaches can leak a lot of personal information into the public domain. End users are often unaware of these breaches.

The Working Party makes the point that many app developers are small start-ups unaware of their data protection obligations and that data protection breaches can create “significant risks to the private life and reputation of users of smart devices”.

The Working Party recommends that app developers ensure that their apps ask for consent before they start to retrieve information from a smart device, that they respect the principle of data minimisation and that they be aware that consent does not legitimise excessive data processing. It suggests providing an easily accessible privacy policy and proactively informing users about the type of data collected and any data breaches. It also suggests that app developers develop tools to enable users to customise their preferences and retention periods in relation to their personal data and to enable tighter collaboration between the players in the smart device app field to ensure full and integrated compliance with data protection law.

The full opinion can be found on the European Commission’s website: ‘Data Protection, Opinions and recommendations’.

Beware!

App developers, OS and device manufacturers and app stores: ignore this guidance at your peril! It is not binding but it is persuasive and likely to be noted if you are investigated by the Information Commissioner’s Office (ICO) or any other European national data protection authority. Breaches of data protection laws can result in criminal as well as civil liability in the UK, and of course, bad publicity. In the worst case scenario, you could be prosecuted personally under certain sections of the DPA resulting in an unlimited fine or face a monetary penalty of up to £500,000 for a serious breach.

Bitcoin – legal tender of the future or fad? UPDATE

Further to our recent blog (see Bitcoin – legal tender of the future or fad?), Forbes reported yesterday via contributor Jon Matonis, who sits on the Board of Directors of the Bitcoin Foundation in California, that California’s Department of Financial Institutions (DFI) issued a cease and desist letter to the Bitcoin Foundation. The Foundation is accused of engaging in money transmission without obtaining a licence or proper authorisation to do so under the California Financial Code and is warned to desist in doing so. Violating the California Financial Code can lead to criminal prosecution resulting in a fine and/or imprisonment as well as civil fines.

The DFI is California’s equivalent of the Financial Conduct Authority (FCA) and regulates the operations of state-licensed financial institutions, including banks, credit unions, savings associations, business and industrial development corporations, money transmitters, etc. It is important to note that the Foundation, through Jon Matonis, denies the ‘charge’.

It is possible that other cease and desist letters to Bitcoin related entities in California will follow.

We have already highlighted some of the major legal issues relating to Bitcoin in our previous blog. However, it would be unfortunate if these were effectively to spell the end of a disruptive, radical and very exciting digital alternative to traditional means of payment. This is especially so when, according to the Guardian, Britain has just got its first Bitcoin accepting pub in East London!

Simon Halberstam

The Snooper’s Charter – an unwelcome erosion of civil liberties?

If you are an avid Question Time watcher, you will have seen the recent debate on the resurrection of the Communications Data Bill, aka the Snooper’s Charter. The debate follows the recent murder of Lee Rigby in Woolwich and the bombings in Boston, both linked to terrorism.

What is being tabled?

The Home Secretary Theresa May first presented the Draft Communications Data Bill to Parliament in June last year citing its purpose as “to protect the public and bring offenders to justice by ensuring that communications data is available to the police and security and intelligence agencies in future as it has been in the past”. The Joint Committee of the House of Lords and House of Commons concluded in December 2012 that although there was a case for legislation to provide law enforcement authorities with further access to communications data, the Bill was too sweeping, went further than it needed to or should and encroached upon privacy.

The Bill was then dropped from this year’s Queen’s Speech due to opposition from the Liberal Democrats. Nick Clegg went as far as saying that he did not think it was something the British public would support and that he did not think it was workable or proportionate.

The legislation raised its head again following the murder of Lee Rigby as many argue that his death could have been prevented if the authorities had had access to communications data from the email, social media and internet use of the men who have been charged with his murder.

Current powers

The legislation in the UK which regulates the collection and retention of communications data is found in the Regulation of Investigatory Powers Act 2000 (RIPA), the Data Retention (EC Directive) Regulations 2009 and the Anti-Terrorism Crime and Security Act 2001 (ATCSA).

Broadly speaking, RIPA allows certain UK public authorities (including, amongst others, police forces, the intelligence and security services, the Serious Organised Crime Agency, local authorities, HMRC) to request communications data from a Communication Service Provider (CSP) for a permitted purpose.

Communications data includes:

  • Traffic data. That is, data identifying the location of the device to or from which the communication is sent and the equipment and the network through which it is transmitted.
  • Usage data. This covers date and time related data.
  • Subscriber data. This is data held by the service provider about the person to whom it provides a service.

A CSP is an operator who provides a postal or telecommunications service and extends to those providing such services where the system for doing so is wholly or partly in the United Kingdom.

There are currently nine permitted purposes including “in the interests of national security” and “for the purpose of preventing or detecting crime or of preventing disorder”.

The Data Retention (EC Directive) Regulations 2009 require public communications providers to retain the communications data relating to fixed network telephony, mobile telephony and internet access, internet e-mail or internet telephony for a period of 12 months from the date of the communication in question for every user whose data is generated or processed in the United Kingdom.

The above legislation does not allow the retention or use of the content of any communications.

New proposed powers

The Communications Data Bill introduces wide definitions for ‘communications data’, ‘telecommunications operator’, ‘telecommunication service’ and ‘telecommunication system’ and would, in essence, impose new and substantial obligations on telecommunications operators (which would include CSPs and information society service providers) requiring them to store internet browsing data and social media contacts, amongst other data, for each internet user. For the first time, telecommunications operators will be required to generate data which they would otherwise not have generated because there was no commercial need to do so and to retain it for 12 months.

The Government states that due to technological advances, approximately 25% of communications data required by investigators is currently unavailable and that without intervention this will increase to 35% within two years. The Government’s hope is that the Bill will address that and will make available three main types of data that it is currently unable to access under existing legislation. These are: (i) subscriber data relating to IP addresses (i.e. who is using an IP address at any given point); (ii) data identifying which services or websites are used on the internet (i.e. the web address up to the first); (iii) data from CSPs based overseas who provide webmail and social networks to users in the United Kingdom. There are other types of data they cannot access but they have not made this public in the interests of national security.

Pros and Cons

As a lawyer, I cannot resist briefly noting the arguments on both sides.

The arguments for this new legislation are as follows:

  1. The Government is just extending current legislation to keep up with social media and other technological advances.
  2. It is necessary for national security and if you have nothing to hide, you have nothing to worry about.
  3. CSPs can collect (although reluctantly) this data and should work with the Government to protect the public.

The arguments against are:

  1. CSPs will be collecting this data about everyone, not just criminals. This is an infringement of our privacy.
  2. UK public authorities already have the ability to access a lot of information using the current legislation; they are just not utilising it to its full extent or efficiently.
  3. The need to store this extra data will potentially require CSPs to re-structure their systems and will require substantial human, financial and technical resources. Since they are to be allowed to recoup some of their expenditure from the public purse, this could be very expensive for the public.
  4. The legislation could be abused.
  5. The new legislation is not workable in practice.

I will leave it to you to decide where you stand.

How this affects you?

Although on first look you would think that this legislation will just apply to internet service providers and telephone companies, the current definitions of ‘communications data’, ‘telecommunications operator’, ‘telecommunication system’ and ‘telecommunications service’ in the Communications Data Bill are so broad that the legislation, in its current format, could be used to catch almost any company that operates most of its business over the internet.

If you are an internet based company or are setting up an internet based company, therefore, this legislation could have a serious impact on the way you run your business and on your business overheads. If the Bill is passed in its current format it could enable the Home Office to require any internet based company to put systems in place to collect all data on its customers, store it for twelve months and make it accessible to a UK public body if required.

It becomes clear why the biggest five internet companies in the world have, according to the Guardian, written to Theresa May outlining their distaste for this new legislation. It will be interesting to see whether the news this week that the US National Security Agency is secretly collecting electronic data on all Verizon’s (one of the largest phone companies in the US) customers on an “ongoing daily basis” adds fuel to the fire.

One thing is clear, this is not going away so we suggest you monitor this debate carefully if your business is internet-based.

Simon Halberstam

Agile vs Waterfall

For many years, I have been advising both developers and procurers on software development agreements. During that time, there have been many phases and trends. In simple terms these can be broken down into two categories: Waterfall, which is linear and sequential, and a wide range of iterative methodologies, notably Rapid Application Development and various manifestations of Agile, such as Dynamic Systems Development Method (DSDM), Crystal Clear, Extreme Programming (XP) and of course Scrum.

There are many differences between the Waterfall and iterative Agile methodologies. To determine which is more appropriate one has to balance and evaluate a panoply of often conflicting drivers. Some of the key issues are set out below.

Flexibility

Unlike with the waterfall fixed specification model, there is real flexibility in the agile scenario. Whilst there is an agreed Product Backlog setting out the expectations of what is to be delivered in the project as a whole, there is typically no absolute commitment to the delivery of a fixed set of functionality.  The parties agree on what is anticipated from each Sprint by way of an agreed Sprint Backlog but there are unlikely to be any meaningful sanctions if these are not achieved.

Whilst this may let an inefficient developer off the hook, it is more likely to recognise and reflect the dynamics of a typical development project where it may be difficult at the outset to define the ultimate goal and in which perspectives and requirements change during the course of the project.

Certainty

Some customers would argue that they need certainty as to what will be delivered and at what price before they commit to a particular developer and that agile development methodologies don’t give them that. However, that apparent disadvantage may be substantially outweighed by the ability easily to “can” a development project either because the customer’s situation has changed or the developer is not meeting expectations.

Horses for Courses

In some projects, the requirements are more uncertain and fluid whilst in others they will be easy to define at the outset. In the former case, an agile approach, probably based on scrum will reflect the reality of the situation whereas in the latter, there is a strong case to be made for a waterfall approach.

Terminology

Although this might sound disingenuous and irrelevant, some people of a more traditional leaning well versed in the conventional terminology of waterfall and the associated conceptual rigidity find the agile lexicon both unfamiliar and off-putting. With terms such as “potentially shippable product increment”, “done done”, “burndown chart” and “scrum master” this is not altogether surprising.

Collaboration

Whereas it is typical for each party in a waterfall software development project to appoint a representative and for them to liaise as appropriate, there is nothing like the same level of interaction as occurs in the agile firmament in which there are often daily meetings or “scrums” between the parties. The key players are usually the “Product Owner”, the “Scrum Master” and the “Development Team”. The Product Owner represents the interests of the customer and communicates its vision and objectives. The Scrum Master’s role is to oversee and co-ordinate the whole project and ensure that the parties are working co-operatively through the scrum process methodology. The Scrum Master is nearly always a member of the developer’s team but symptomatically of the fluidity and flexibility of Agile, may sometimes be a member of the customer’s team. One would think that the term “Development Team” connotes the developers themselves but it is possible that the team also comprises customer representatives although this could cause difficulties.

Duration

Whilst projects adopting the waterfall methodology may have an associated timetable stretching well into the future, in some cases 24 months or more, Agile sprints usually last 1-2 weeks and the entire project may end with any “Sprint Review Meeting” which looks back to determine and demonstrate which “Stories” (i.e. outline descriptions of elements of functionality) have been completed during the Sprint. One can see from this marked difference that the customer might feel reassured by the lack of long term commitment in a context where there is scope for both relationship deterioration and change of plan. However, if the escape hatch is for both parties then the customer may be concerned about being left in the lurch when it considers the project to be incomplete.

Payment Terms

Whereas in the waterfall scenario, payment of the whole or a major percentage of the project fee may well be due only at the end of the project after successful acceptance testing, in the Agile world, the agreement may provide for payment to be made at the end of each Sprint. Obviously if a sizeable proportion of the whole or the entire project price is only due on acceptance this will focus the mind of the developer and give the customer a strong commercial position.  Indeed, in many Agile contracts payment is connected either loosely or not at all to the achievement of particular milestones and the financial basis is more akin to a “time and materials” scenario.

For information on our model Agile contract template, please see https://www.weblaw.co.uk/it-contract-templates/agile-software-development-contract/

Simon Halberstam

Bitcoin – legal tender of the future or fad?

Bitcoin (BTC) is the world’s newest currency, pushing the Euro out of that coveted spot.  It is not your traditional currency however; it is a digital, decentralised currency based on open source.  Put simply, it is international and not controlled by any central bank.  Virtual currencies have existed for some time, e.g. Linden Dollars, but are traditionally controlled by the organisation behind them such as Second Life, and have been limited to a particular virtual environment.  Enter Bitcoin, a truly revolutionary and potentially universally acceptable virtual form of payment.

There are three main ways to get your hands on Bitcoins – you buy them in exchange for ‘real’ money, you accept them as payment for goods and/or services or you mine them.  The first two methods are self-explanatory. Mining involves solving extremely complex algorithms to unlock a “new” block of Bitcoin.  The easiest way to get your head around this is by thinking of it as an oxymoronic, skill based lottery in which there are regular draws, in which the ticket holders are whizz kids behind high spec computers and in which the prize is a certain amount of virtual cash.

“Bitconians” cite its benefits as the absence of bank charges, middlemen, Forex conversions and territorial frontiers.  Fans feel it will help ease online commerce across borders and eventually replace credit cards.

Other notable advantages exist.  As Bitcoin will be limited in supply, there is no risk of quantitative easing devaluing your digital cash.  Nor is there the risk of your bank committing daylight robbery by taking a percentage of your savings, as we saw threatened in Cyprus earlier this year.  Bitcoin could indeed strengthen international trade, as there are no currency barriers and transactions can be arranged and processed very quickly.

I am not convinced.  I am, however, a bit like the current UK Government, prepared to do a U-turn so please feel free to comment at the bottom of this blog and change my mind.  For now though, there are a variety of reasons I am not a fan.

The lack of central bank or Government control has advantages but is also one of Bitcoin’s greatest weaknesses.  After decades of trying, we finally have a relatively robust system in place to prevent fraud and money laundering in the western world. In the UK, the Money Laundering Regulations 2007, the Proceeds of Crime Act 2002 and Terrorism Act 2000 place an obligation on businesses to maintain appropriate policies and procedures to prevent them from being used for money laundering by criminals or terrorists.  Bitcoin circumvents these safeguards in one fell swoop as you can generate a different ‘address’ for each Bitcoin transaction you make and thereby remain anonymous.  It is no wonder that the currency has some negative connotations when it is the currency of choice of the online black market Tor-operated website Silk Road, described as the Amazon of illegal drugs.

The fact that political barriers (often in place for very good reasons) can be circumnavigated by Bitcoin does not necessarily inspire public confidence either.  It is well known that Bitcoin donations flooded in to Wikileaks even after financial blockades were put in place following the publication of confidential US diplomatic cables by the website.  I am all for freedom of speech but what happens when Bitcoin is used to fund terrorist organisations or countries subject to trade sanctions?

As the currency is not backed by a central bank, there is no guarantor if your Bitcoin wallet is hacked.  If your online bank account is hacked, your bank will generally compensate you for your loss.  If your online Bitcoin wallet is hacked, or indeed you accidentally delete your wallet, you are up the creek.

The value of Bitcoin is also very volatile.  At the time of writing, one BTC1 is worth US$129.49 or £85.27 on Mt. Gox, which describes itself as the world’s most established Bitcoin exchange.  The value rocketed during the Cyprus saga earlier this year but dropped to circa BTC1 = US$76 when Mt. Gox suffered a cyber-attack in April.  I am not suggesting that established currencies do not fluctuate, but not to this degree.

Arguably, Bitcoin enthusiasts themselves are eroding trust in the currency by building and using high spec computers designed to mine Bitcoin making it almost impossible for anyone else to do so.  This seems intrinsically unfair.

The practical reality is that although you can buy many things using Bitcoin via the internet, you cannot use it in your local supermarket or pub.  Unless and until Bitcoin is widely accepted both online and offline, it will not mount a serious challenge to traditional currencies or threaten safe havens such as gold.

For now, I am going to be a cynic and suggest that Bitcoin is more fad than future.  This is after all, something that started out as an ‘I owe you’ between hackers, and was not envisaged as a global currency. Having said that, I may be completely wrong.  This week it was reported that people in the UK are relying more and more on electronic payment methods such as contactless cards, leaving cash in the past.  Arpanet was intended to be an internal military network and turned into the internet. Bitcoin may be the next global revolution.

Simon Halberstam

Malice through the looking glass

“Google Explorers” are, as you read this, walking around modelling and testing Google’s Glass having paid circa $1500 for the privilege.  Glass comprises frameless glasses with a tiny computer screen fitted just above the user’s right eye which projects emails, maps, texts, takes pictures and films at a voice command.  You may think this sounds a little Minority Report-esque, but these glasses are due to go on sale next year.

Putting the sci-fi film excitement aside, the objections to this latest technology are clear.  You would not want people wearing them in a casino or cinema, for example, for fear of card counting or piracy.

More interesting is the concern surrounding privacy.  It will be even harder to control your online presence if information is being constantly uploaded by people wearing this technology.

But, what is privacy?  Surprisingly privacy in the UK was only explicitly enshrined in law in 2000 with the introduction of the Human Rights Act 1998 (HRA) which requires UK courts to act in a way that is compatible with the European Convention on Human Rights (the Convention).  Article 8 of the Convention provides that everyone has the right to respect for his private and family life and Article 10 provides that everyone has the right to freedom of expression.  This right to privacy is then balanced against the public interest.

Google is no stranger to questions surrounding privacy.  Earlier this year, it agreed to pay a £4.6m fine for collecting people’s personal data from personal Wi-Fi networks without authorisation when setting up Street View.  Six European data protection agencies, including the UK, are also rumoured to be contemplating legal action over Google’s privacy policy.  They are seeking to ensure, amongst other things, that Google does not store too much data about users.

There is no doubt, however, that the proliferation of Glass is certainly going to lead to further intrusion into people’s lives and erosion of their privacy.

In light of this and the global reach of such technology, we have reached a point where we desperately need global regulation of privacy issues whether by law or an enforceable code of conduct.  However, it is very difficult to envisage any such international harmonisation or accord in the near future given the massive disparities between different countries’ and societies’ approach to issues of privacy and personal freedom.

Another major concern relates to security.  Rumour has it that Glass will not be password protected and this begs the question as to how easy it will be for a hacker to hack your Glass and access your passwords, work and domestic details.

A more personal concern is whether having constant access to information will lead to a slow brain death.  If we are wearing Glass and could just ask Google for the answer, will we stop thinking and rely more and more on instant data and answers?  This may sound silly but we have all heard about those people who drive the wrong way up one way streets or end up in the middle of nowhere because they blindly follow their satnavs.

There is no doubt that Glass is here to stay but once Glass and augmented reality technology become features of daily life, I expect an explosion of moral debate and privacy litigation.

Simon Halberstam

Crowdsourcing – a great concept but are you aware of the legal risks?

Crowdsourcing is, as its name suggests, outsourcing work to a crowd. Crowdsourcing is not to be confused with crowdfunding, which is raising capital from a crowd.

The most famous example of crowdsourcing is Wikipedia which, unless you have been living in a cave, you will have heard of.  Wikipedia relies on the public populating the online encyclopaedia and has proven incredibly effective.  In the world of work, the possibilities are endless.  Crowdsourcing is often used by graphic designers, although Walmart (owners of Asda) is reportedly considering encouraging store customers to deliver goods to those who have ordered online and who live on their route home, in exchange for a discount on their food shop, instead of outsourcing delivery to a single third party such as Ocado.

The advantages of crowdsourcing are the level of choice and the talent and the creativity to which it gives you access. It can also be a lot faster and lead to higher quality work as people are competing against each other (as humans, we all want to win after all).  The disadvantages include the number of responses through which you may have to wade and the potential legal pitfalls of the process, as discussed below.  A word of caution: make sure your work spec is crystal clear before you attempt to crowdsource, as it can be incredibly frustrating for all those involved in the process if it is not.

The main legal pitfall in crowdsourcing relates to the ownership of the intellectual property (IP) rights in the sourced work.  How do you know that all the work product proffered is original and not stolen from a third party?  This is important because if you end up sourcing a product, some of the IP rights in which belong to a third party that has not consented to their use, you may end up facing an injunction and/or a claim for damages.  Fines and prison sentences are also on the agenda.  You will need to include appropriate warranties and indemnities in your contracts with the contributors. However, in reality, these may not provide you with effective protection if a disgruntled third party IP Rights owner decides to take action against you.

Beware the ides of open source.  Generally speaking, open source is the friend of developers, cutting development effort and time, but the enemy of those who commission the work, as they will end up with parts of their product being subject to governing open source licences, many of which contain adverse provisions regarding IP rights ownership which may affect not just those parts of the development which incorporate open source code.

Even if there are no third party ownership issues, you need to ensure that your contracts with your contributors assign the relevant IP rights to you.  This is because when working with contractors, it will be the contractor who owns the IP rights unless the contract provides to the contrary.  This can be further complicated if the contributors are not based in the UK and foreign legal provisions come into play.

There is also the danger that a disgruntled, unsuccessful crowdsourcing entrant brings a claim for copyright infringement against a company that ran a crowdsourcing exercise, claiming that the company is using his or her response without permission.  This may be because the winning entry was similar (there was a job spec after all) or because the company has developed a similar idea independently.

So, how do you protect yourself as a business? Well, first of all, if you like a response and want to use it, buy it and the IP rights that go with it.  Once you have done that, you should be able to use it freely.  But, in any event, beware the open source and third party demons mentioned above.

Also, you should maintain a clear record of your own development process so as to be able to fend off any claims of copyright infringement.  You also need to ensure that the staff involved in the crowdsourcing exercise all understand the legal issues surrounding it.  They should understand the consequences of misusing crowdsourced designs and ideas and all the IP Rights issues which crowdsourcing entails.

So, in summary, use crowdsourcing (is it not, after all, capitalism at its best?) but make sure you understand the IP issues involved before you do so.  Now, you’d expect me to say this, but do get appropriate legal advice!

Roberta Draper

Does every crowd have a silver lining?

You would be forgiven for feeling pretty gloomy about the state of the UK economy and your potential investment opportunities following the Chancellor’s Budget last week. The news that the growth forecast for 2013 has been halved to 0.6% and the fact that the Bank of England’s interest rate is still at an historic low of 0.5% are not encouraging. There is a silver lining to this big dark cloud, however: crowdfunding. (Please follow the link for What is crowdfunding?) Perhaps due to the state of the economy, more and more crowdfunding platforms are appearing and people are starting to take note.

The FSA have this year approved the second crowdfunding platform – Crowdcube – meaning that investors using this platform will now be able to claim compensation from the Financial Services Compensation Scheme and access the Financial Ombudsman Service. Until this year, only Seedrs was approved by the FSA, but this does not facilitate direct investment in small businesses and instead holds shares on your behalf as a nominee. Crowdcube, however, does describe itself as giving “the UK’s entrepreneurs and business pioneers a new way to raise business finance by tapping into a ‘crowd’ of like-minded individuals willing to invest smaller amounts of cash in exchange for rewards and a stake in their business” and allowing you to become a direct shareholder.

If you are not sure it is for you, fear not, there are crowdfunding platforms out there for all tastes. If you are worried about future student debt and keen to encourage future entrepreneurs, take a look at Pave or Upstart. These are crowdfunding websites where investors can fund recent graduates and young professionals who they think will become successful in the future in exchange for a portion of their future earnings. If you are feeling philanthropic and do not expect a return for your money, see Spacehive, a funding platform for neighbourhood improvement projects, or Kiva, a not for profit organisation which enables loans from $25 for projects across the world with the aim of alleviating poverty. If you are keen to invest in a creative project in exchange for a reward such as a first edition of the product, see Kickstarter. If you are looking for a commercial investment, you have many options including the aforementioned Seedrs and Crowdcube.

Whether you always wanted to be a Dragon or are a proponent of David Cameron’s Big Society, crowdfunding is worth a look.

As a lawyer, however, I must finish with a note of caution. Before investing through these websites, do your due diligence. Ensure that the following questions are answered – does the platform operate an ‘all or nothing’ or ‘keep it all’ scheme? What exactly are you gaining in exchange for your investment? Will you be a shareholder and if so, what type of shares will you hold? Have you considered how long it will take to make a return on your money? Are you comfortable with the risk? What happens if the website or start-up/individual you have invested in goes bust or does not pay up? In short, treat these investments like any other commercial investment and seek advice when appropriate.

Some view these platforms as public markets without any of the controls that come with a listing on the stock exchange. I do not necessarily agree but am hopeful that more of these investment platforms receive FSA approval, as currently investors in a crowdfund have little or no protection if the business or project fails, and become realistic investment mechanisms for normal (if there is such a thing) people.

*In April 2013 the Financial Services Authority (FSA) was replaced by two new regulatory bodies, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA).

Roberta Draper

New ASA Rules and Third Party Online Behavioural Advertising

New rules have been introduced setting higher standards of transparency and choice for consumers around Online Behavioural Advertising (OBA). These rules are derived from the European Online Advertising Industry Framework for self-regulation and are administered by the Advertising Standards Authority (ASA) and Committee of Advertising Practice (CAP). The rules specifically target third party cookies because a publisher’s own cookies are already addressed by existing law.

What is Online Behavioural Advertising?

Online Behavioural Advertising is the process of tracking consumers’ online behaviour in order to deliver individually targeted advertising.

What is a third party?

The rules define a third party as “an organisation that engages in OBA (i.e. collects and uses web viewing behaviour data for the purposes of OBA) via websites other than those that it or an entity with which it is under common control owns or operates”.

The Key Rules

  1. Third parties must provide “clear and comprehensive notice” about OBA activity on their own websites as well as on any advert published by the third party to other sites.
  2. Third parties must obtain “explicit consent” before using technology that collects all, or substantial amounts of data on web activity for the purpose of targeted advertising.
  3. Third parties must provide an opt-out on any OBA data collection for consumers not wishing to receive targeted advertising.
  4. Advertisers must cooperate with the ASA, CAP or the Information Commissioner’s Office to identify any offending third party.
  5. Third parties must not specifically target OBA at children aged 12 or under.
  6. Any data gleaned from consumer web activity must be held using appropriate security measures.

Exclusions

The following activities are exempt from the new rules:

  1. Tracking by a publisher across its own website domains.
  2. Tracking performance and effectiveness of ad campaigns.
  3. Contextual advertising whereby the text on a website is scanned and targeted advertising applied to that site.
  4. Web analytics – analysing web traffic and page views.
  5. The use of OBA in interactive media, online video streaming or mobile phones.

However, the ‘CAP help note’ on OBA indicates that comparable rules will soon be applied to mobile devices.

Implementation

Third parties will need to give notice that they are tracking site visits, giving consumers the choice to allow the targeted adverts and tracking, or not. It is believed that most third parties will offer a link through to an EU industry-wide “opt out” option on the screen to allow consumers to reject OBA tracking.

Sanctions

It is likely that the majority of OBA rule breaches will be dealt with by remedial action. Where further action is required, although the ASA cannot impose financial sanctions, it can instigate investigations, which can be expensive, time consuming and potentially humiliating if adverse findings are published in the press.

It is likely most breaches will still be dealt with by ‘naming and shaming’; however, the CAP compliance team also have 2 new sanctions:

  1. Revocation of the EU self-regulation Framework’s trading seal of approval signifying best practice; and
  2. Revocation of the licence to use the EU link offering the obligatory OBA opt-out.

Questions remain over the extent to which CAP will use its new powers and what impact they will have on offending companies.

The new rules regulating OBA significantly extend the ASA’s enforcement remit beyond regulating the substance of advertisements into regulating the technology used to collect and analyse data, and deliver targeted adverts. This is a completely new field for the ASA and how it applies and enforces its newfound powers will set far-reaching precedents.

Simon Halberstam