Online medicine sales – Law says register and display Logo!

HEADLINE: From July 1st, 2015 online medicine sales to the public must be registered with MHRA and display an EU common logo on every page of the website offering medicines for sale.

The basic message for online medicine sales is spelled out on the MHRA website, and states..

If you are based in the UK and offer medicines for sale to the public in the UK or in another European Economic Area (EEA) country via a website you must be registered with MHRA and be included in the MHRA’s list of UK registered online retail sellers.

You must display the EU common logo on the pages of the website that you use to offer the medicines and provide MHRA contact details and a link to the MHRA website.

If you’re a major drug retailer – you have this sorted right?? Mmm, had a quick look on Tesco’s online medicine sales and there was no sign of the required logo when I tried to buy some Ibuprofen. Illegal?

Not exactly; the MHRA is taking a pragmatic approach..

“While the legislation comes into force on 1 July 2015, MHRA is taking a pragmatic approach to implementing the logo and is supporting sellers as they work to meet the new legislative requirements. MHRA has 90 days to process applications to be on the register so there may be a period of time between MHRA receiving the application and the seller displaying the logo. We would not expect sellers to stop trading during that period, as long as they have submitted an application to MHRA”.

KEY MESSAGE: Submit your application ASAP if you are selling medicines online. It’s free and the website you need is here.

Oh, and don’t think this doesn’t apply to you if you sell ‘borderline products’.

A medicinal product i.e. one requiring registration, is:

1. any substance or combination of substances presented as having properties of preventing or treating disease in human beings

2. any substance or combination of substances that may be used by or administered to human beings with a view to restoring, correcting or modifying a physiological function by exerting a pharmacological, immunological or metabolic action, or making a medical diagnosis.

That’s a description which could include cosmetics, food products, including, in particular, food supplements and herbal products.

Happy marketing compliance..

Regulator targets OBA and ‘sensitive’ data


Here’s another post to help digital marketers stay out of the cross-hairs.

Canada’s Privacy Regulator, The Office of the Privacy Commissioner of Canada (OPC), has released a report this month (June 2015) highlighting the problems of developing advertising targets based on web browsing activity, i.e. Online Behavioural Advertising (OBA).

In particular, it highlights the use of sensitive personal data for the targeting of ads.

The report observed 34 examples of targeted ads based on sensitive topics being placed by three different organisations who were using an opt-out model of consent. Canada’s guidance on OBA specifies that an opt-out model is not acceptable where sensitive information is at issue, including sensitive information such as medical or health information.

What to do?

Are you selling or promoting products or services that:
• could lead to personal harm, financial or reputational damage, or embarrassment of an individual;
• could reveal deeply personal or intimate details of the lifestyle and personal choices of an individual?

The topics chosen for the Canadian research included depression cures, liposuction clinic, bankruptcy, HIV, dating, women’s shelter, CPAP, pregnancy test and divorce lawyer.

The report suggests that if your product or service includes sensitive data, then the opt-out model of consent is NOT appropriate. You will need to obtain explicit consent (opt-in) if you want to store/access ‘cookie-based’ information to target or re-target ads to those browsers.

The Detail

Someone has to do some serious thinking here to work out who is breaching the law! Who is creating these segments, the demand side or the supply side? Who is placing/reading/accessing the sensitive data? Who is responsible for acquiring consent, the advertiser, the publisher or the ad network?

At present we have a (sort of) functioning opt-out mechanism via youronlinechoices, NAI etc. But what about an opt-in mechanism? Doesn’t exist, certainly not one which acquires explicit consent! The 2009 IAB self-regulatory principle suggests that the/a ‘Service provider’ is responsible for acquiring consent. We have moved on somewhat from here though, with Demand and Supply-side platforms proliferating; this is not going to be easy to resolve. Let’s see what the fallout is from the OPC report!

The Canadian OPC report can be accessed here
The IAB’s Guide on EU best practice can be found here

Segmentation, Personalisation and Privacy; immiscible ‘liquids’?

Dangerous regulatory currents

There are some dangerous regulatory currents swirling around Europe at the moment that the forward thinking digital marketer should be aware of.

They have in common something at the very heart of marketing; our unbridled desire to obtain intimate levels of personalisation. Personalisation which marketers believe will provide greater levels of engagement and propensity to purchase.

So what of these ‘currents’ which threaten to sweep us out to sea?

They are a combination of developing case law and changes destined for the new EU General Data Protection Regulation.

Vidal-Hall & Others v Google Inc [2015] EWHC is a landmark case concerning Google’s misuse of browser generated information (BGI), also known as the ‘Safari workaround’. In marketing speak, the development of web visitor segments without the unambiguous consent of the user.

It’s a complicated case, and dangerous to reduce to ‘one liners’ but here goes..

Track someone’s behaviour online and you can serve up ads which are (more) relevant to them;

Do it anyway, even if they don’t want you to;

Cause that person distress as a result of the ads that are served e.g. by virtue of someone else seeing the ads served and deducing something personal/private about you;

Allow a legal claim for financial compensation for the damage caused by the distress alone (no other damage required);

With me so far? Now add in the requirement in the new General Data Protection Regulation which says..

.. every natural person shall have the right to object to profiling … The data subject shall be informed about the right to object to profiling in a highly visible manner.

[Italy, by the way, already has this enshrined in new guidance issued by the Italian data protection authorities.]

Is your segmentation/personalisation strategy starting to look a little risky?

Finally, whipping the rip-tide up a little further, add in the controversial element of Class or Group action lawsuits.

Articles in the new General Data Protection Regulation could pave the way for class action privacy suits; legal firm Olswang has already begun a UK Group action against Google for all Apple Safari users who think they may have been distressed! Some 10 million of them in the UK.

No, I don’t believe personalisation is dead, far from it, but I do know that the regulatory framework is growing sizeable canine teeth and businesses will be looking to rein in digital marketers within a governance, risk and compliance model.

Like to learn more about what to do? – I will be joining a great panel of speakers on this subject at a half day masterclass for Sagittarius Marketing at the fabulous Magic Circle in London on June 24th.

Details on how to join us are here..

NOW! is not the time to worry about overseas competition

I’m busy, what’s happened?

UK Supreme Court ruling re-affirms that, for a claim of passing-off to succeed, actual goodwill must be established within the territory, and this goodwill necessarily involves the presence of customers in the UK.

If an overseas business pursues you for a claim of passing-off, they must have UK customers, otherwise they will be very unlikely to succeed.

So What?

Marketers and creative teams looking to develop brands in the UK can take comfort from this ruling if they are concerned that a similarly named overseas business may complain about the similarity of brands, marks etc.

A bit more detail

The Supreme Court Judgement was given on 13th May, 2015 and concerns the confusingly named Starbucks (HK) Limited (no relation to the coffee people) and British Sky Broadcasting Group PLC.

Starbucks have 1.2 million customers in Hong Kong for their Internet TV business Now. BSkyB started up a similar UK business, also called Now.

Starbucks complained and pursued a claim of passing-off in the English court. They lost. They appealed. They lost. They appealed. They lost!

Sky is free to continue to call its service ‘NOW TV’ in the UK.

The Nitty gritty

Here’s a link to an excellent review from Herbert Smith Freehills LLP which includes more detail on the legislation including a note to watch out for the provision of S.56 of the Trade Marks Act 1994

Here’s a link to the Supreme Court Judgement

Law ‘ratchets up’ compliance for Privacy by Design

What’s happening?

In the US (New Jersey), legislators are passing laws to restrict access to vehicle ‘black box’ data. The laws set out who legally has access to the data and the penalties for (allowing) data tampering.

Why is this important?

It’s a clear message that regulators (US and elsewhere) are looking long and hard at the increasing frequency with which technology stores personal data and information about consumers and their habits.

If you are a developer or designer of these data capture technologies, you have to be thinking about the data they collect, the technology you have developed and whether it complies with the regulations in the jurisdictions in which you intend to operate.

Across the EU, the new GDPR will require Privacy by Design – you should be preparing now!

For the detail people!

The New Jersey legislation can be found here, and sections 2 (a) and 3 spell out some important anonymisation/pseudonymisation requirements which will no doubt challenge the designers.

2014 EU Guidance on anonymisation can be found here

New OFCOM rules, major impact on UK marketers

Heads up for the time-poor

Rules for 08, 09 and 118 services are changing under the banner “UK Calling”

From July 1st 2015, marketing must ‘prominently display’ the cost of the call broken down into its two constituent parts: 1. the service charge and 2. the access charge.

If you advertise chargeable service/help line telephone number(s) you must act by July 1st!

and the detail?

Following lengthy consultation, going back years, OFCOM have finally set a date for new rules on call cost transparency.

From July 1st, the cost to the consumer of calling a service number (starting 084, 087, 09 or 118) will be made up of two clear parts:

1. An access charge. This goes to the caller’s telephone company, charged as pence per minute.

2. A service charge. This is the remainder; it includes any revenue going to the service provider (that is you, the party being called), as well as revenue going to the ‘terminating call provider’ (or TCP: the company that provides the number to you).

Marketers must ensure that your service charge is clearly displayed wherever you advertise or promote that number. The service charge should be prominent and in close proximity to the number itself. The recommended form of wording is:

“Calls cost xp [or xp per minute] plus your phone company’s access charge.”

Where can I get more information?

The OFCOM dedicated UK Calling website has a dedicated ‘Business’ section which tells you how to set out the required information.

OFCOM 2014 press release here

OFCOM’s 265 page 2012 report, not for the faint-hearted here 

Welsh Police £160k Data Breach – ‘no brainer’

What Happened

This week the ICO has fined the Welsh Police for losing a video recording which formed part of the evidence in a sexual abuse case. Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer. South Wales Police had no specific force-wide policy in place to deal with the safe storage of victim and witness interviews in its police stations.


Five minutes on a ‘well known search engine’, and I was able to find a FIPS 140-2 256-bit AES DVD encryption solution being sold for $2.75 per disk. Even if you did the usual (annoying) £/$ conversion, £2.75 per disk doesn’t seem a great deal considering the £160k fine and the potential costs involved in legal cases being dropped because of lost data.

Doing the ‘math’ SW police could have purchased 29,000 disks for the cost of the fine. Depending on compression ratios, there’s about 2 hours of video per disk, which equates to 58,000 hours, 2,417 days or just over 6 and a half years of interview!

The Law says ..

Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected.


‘No brainer’.

Class action lawsuit for online behavioural advertising practices!

Shock Headline!

Telecoms Company sued for $750 million for invasion of privacy for Online Behavioural Advertising

Reality Check

It’s true. It’s a Canadian lawsuit. Nothing has been decided or ruled upon yet.

It is complex and it’s not just about OBA, cookies and advertising.


As with the recent Vidal-Hall Vs Google case, there’s clearly a growing sentiment that “enough is enough”, you can’t make vast sums of money trading personal data when you never asked permission in the first case.

If you missed the Vidal-Hall summary, read about it here. In essence it paved the way for individuals to claim damages for the misuse of their personal information, even when there was no financial loss suffered. Rummaging around in my PC, setting and reading cookies, and creating a profile of me for marketing purposes, was considered misuse of personal data. And I can sue you!

This Canadian case is very similar, and is another WAKE UP CALL for marketers that you are going to have to ask people nicely if you want to ‘stalk’ them online.

Why did Bell get into trouble?

They created profiles under an advertising program for each customer with detailed personal information including internet usage, gender, age, credit status, and payment habits. This information was then compiled and sold to third-party advertisers for use in marketing campaigns.

So what do digital marketers have to do?

Curb your desire for ever greater granularity. Document your Privacy by Design methodology. Get consent. The Canadians call it EXPRESS consent, the Europeans EXPLICIT consent. It’s the same thing. A positive, signifying action from someone who has a genuine choice to take part or not, and who is fully informed as to the consequences of their actions.

In the UK we are currently relying on implied consent to carry out this sort of activity, as endorsed by the UK ICO; I suspect this will come under the spotlight in the next 12 months.

For the ‘detail’ people..

Here are links to the full reports etc.

Results of Commissioner Initiated Investigation into Bell’s Relevant Ads Program

Canadian Government policy position on online behavioural advertising

Vidal Hall Vs Google Court of Appeal ruling

Information Commissioner cookie guidance

Congratulations, you’ve won a prize!

That is if you knew that May 1st was the date that the amended CAP Sales Promotion Rules came into force!

..and no I haven’t got any prizes, and yes that is a breach of the Rule :).

The important bits:

  • The rule that is changing is the already quite long Rule 8 of the CAP Code, which deals with Sales Promotions
  • The changes are to ensure the CAP Code is in line with the legal interpretation of the EU Directive on Unfair Commercial Practices including the UK Consumer Protection from Unfair Trading Regulations 2008
  • A prominent feature of the changes is that OMISSION of key information is likely to be a breach of the code. So no forgetting to tell the entrants about the limited availability/stocks!

There is an interesting Data Protection double jeopardy I am seeking clarification on, namely the requirement to both i) publish the names and county of residence of major prize winners and ii) seek their consent to do so, on entry.

No consent, No entry? I’ll let you know as soon as CAP come back to me.

So which Rule did I break in the title? Yep, 8.19

All the details can be found here in the Revised Rule


‘Big Data, Privacy and Consent’

Presentation given on March 4th at the Kent Business School, Canterbury, UK

A presentation to help businesses ‘think forward’ and recognise that they will be judged by a new set of privacy standards; standards where individuals understand and foresee the truly intrusive nature of our consumer surveillance.

Balancing the ‘Give-Get’ equation, ensuring marketers’ use of Personally Identifiable Information (PII) is both beneficial and consensual, is set to become an enormous challenge. As the Internet of Things (IoT) takes off and our lives become observed in meter-by-meter, second-by-second detail, businesses who wish to profit from this data-fest step on-board a runaway ‘gravy train’.

New legislation in the EU and the US is trying to put the brakes on, but the behemoth social media services and the IoT have the accelerator ‘floored’.

What will you do to position your business as an ethical, legal and symbiotic partner of your customers?

Presentation slides are available here: KBS Big Data final