Will the new legal guidelines for social media make things better? It’s up to you…

The Crown Prosecution Service (CPS) has issued new guidelines setting out the approach courts and police forces should take in cases involving social media. The new rules are described as ‘interim’ and will be accompanied by a three month public consultation period.

My worry is that while a lot of consulting may go on the rules won’t get stress tested – or stress tested enough – through prosecutions in that time. Lots of talk. Very little test driving. Personally, I wouldn’t buy a car built this way.

But if that’s the way it’s got to be it behooves all of us to get out there and kick the tyres on this one.

The Director of Public Prosecutions, Keir Starmer QC, is drawing a distinction between two types of ‘communication’:

  1. Credible threats of violence, targeted campaigns of harassment against individuals, or which breach court orders.
  2. Other communications which are ‘grossly offensive’.

Quoted in the CPS blog he states: “The first group will be prosecuted robustly whereas the second group will only be prosecuted if they cross a high threshold”.

Even then, this second group may escape the courts if the offensive communication is taken down swiftly, or blocked. That sounds fine in principle but it’s the nature of such remarks to go viral at hyper-speed, given the sharing tools that accompany social media. If I retract something swiftly but it has already been widely disseminated by others, how does that work? The Saville/McAlpine case speak to this very clearly.

What will ‘grossly offensive’ actually mean?

The emphasis seems to be on the protection of the individual. Again the question is how prosecutors might weight ‘grossly offensive’ and whether the cult of celebrity might have undue influence.

A schoolgirl trolled by a handful of individuals may be more deeply hurt than a top footballer who finds allegations of sexual indiscretion bandied about the Twitter streams of millions.

Celebrities, or other high ranking, high net worth individuals, also have more ways of protecting themselves and can, for example, fund redress through the civil courts.

The individual versus the organisation

The guidelines are not designed to prevent freedom of expression but even that opens up a can of worms.

Is the harassment of an individual somehow more heinous than the harassment of an organisation?

Can I say something offensive about a hamburger chain but not lay the same claim against an individual employee?

And would the level of offense be viewed differently if the employee was a humble burger flipper as opposed to a senior executive?

This is the kind of stuff that keeps me awake at nights. It’s the guidelines around ‘grossly offensive’ which are liable to require the most decoding. The police and the courts would need to be satisfied that the communication in question was more than:

  • offensive
  • shocking
  • disturbing
  • satirical
  • iconoclastic (this one alone is a veritable minefield)
  • rude
  • an expression of unpopular or unfashionable opinion
  • banter or humour, ‘even if distasteful to some or painful to those subjected to it’.

Starting today

The interim guidelines don’t change the law but do, in effect, lay a pre-formed interpretation upon it. I don’t doubt the smarts of the people who came up with this but I do worry that their direct experience of social media might be… limited.

The approach they set out takes effect from today, so let’s take a real interest in what happens and bring our own understanding of social media into play when it comes to what the final guidelines might look like.

If I have a concern about the consultation process itself it’s that there seems to be a desire to focus responses on the specific framing of the interim guidelines rather than encouraging broader observations on the challenges involved in ‘policing’ social media and our protection both from it and as part of it.

By that I mean looking at what’s required to both protect our rights to speak up as well as protect our rights not to be shouted down or maligned.

There’s a kind of catch all ‘further comments’ question at the end on the consultation document, but that’s as far as it goes.

But for goodness sake get involved – whether you’re an individual or an organisation.

We need our own Doomsday Clock

The Doomsday Clock is maintained by scientists as a visual representation of how close we’re come to nuclear Armageddon. It currently stands at five minutes to midnight and it swings a minute or two in either direction depending on what’s happening in the world.

Scientists pushed it one minute closer to midnight on January 10, 2012, reflecting their decreasing confidence in global leaders to get on with each other. It was last pushed away from midnight back in 2007. It’s worth reviewing the clock timeline where you have a few minutes. The impact is… sobering. Doomsday Clock Timeline

I’ve come to the conclusion that those involved in content and its delivery need their own Doomsday Clock.

It needs to be broader than just a Digital Doomsday timepiece and if I call it the Information Doomsday Clock, people will just tell me to take more water with it.

Maybe I should start by describing what my Doomsday vision (nightmare) looks like. See if it’s sobering enough for you…

It’s a few years in the future

Digital content has been locked down due to the impact of increasingly onerous legislation that runs to hundreds of pages and has titles such as the Universal Information Storage & Transmission Protection & Security Act.

The prices of newspapers, magazines, books, pay per view (including on demand television), online news and resources have increased substantially.

This is because prices contain a corporate and public libel defamation insurance premium component designed to cover both the publisher and the consumer. (But as this has never been tested in the courts nobody’s sure if it will work or not.) This premium is referred to in the popular media as ‘the McAlpine tax’. Free to view and free to publish are almost unheard of for this reason. 70% of bloggers have ceased to blog.

As part of any job application process you have to list any online media you subscribe to including personal Twitter and Facebook feeds.

You have to sign a liability clause in your contract of employment indemnifying your employer against claims made against you as ‘publisher in person’ the new technical definition of anybody who uses media of any form to disseminate information of any type to known or unknown audiences, either directly or indirectly, personally or professionally, through intent or omission, with or without malice... The actual clause is much, much longer, obviously.

Accessing social media at work, or referring to employers or colleagues in posts, results in verbal and then written warnings being issued and can quickly lead to dismissal.

Most companies have ceased to use social media in a business context. Instead, nearly all marketing is handled via formal announcements published on LinkedIn Lite.

The storage capacity of computers and other hand-held devices is also limited by law and they have to be licensed.

When children are born they’re given a pre-set terabytage of cloud storage and a unique identification number which they keep all their lives.

The security encryption on cloud storage is significant but designated government authorities have the right to go in and review what you hold under the Virtual Criminal Activity & Anti Social Intent Pre-Offence Initiative Regulations.

I could go on but I’m feeling depressed now.

This is a joke, right?

The definition of a joke is something said or done to evoke laughter or amusement. Me? I’m just adjusting the hands on my new clock. It’s currently set at 3 minutes to midnight.

When scientists move the hands on the Doomsday Clock they’re hoping to scare the powers that be into getting to grips with the state of the world and make some changes. If the world explodes it won’t actually be because of a nuclear bomb but because President this and Prime Minister that failed to get round a table and sign up to some workable solutions.

I feel the same way about content (words, images, audio, print…). Forces are marshalling and what we don’t control, risk rate and mitigate these forces will prohibit or bind tightly in red tape.

What’s getting to me currently is that we’re addressing things in silos. Online over there. Offline over here. Governance in this jar. Content creation in that one. Financial compliance governed by this logic. Content compliance by that. In the meantime someone in IT is turning off your firewall so they can work on problems from their home computer (this one actually happened).

It’s not all bad. Yesterday I had a chance to peek inside one major news organisation and was blown away (possibly a bad choice of words, but you know what I mean), by how cutting edge their content governance is.

So here’s the thing. Let’s all start working on organisationally cohesive strategies that take in everything, including the user as publisher. For that I’ll take a good 10 minutes of the clock.



Why the Princess Kate pictures should scare business

Never mind the economy and the euro, the world has been gripped by the the fallout from pictures of the next Queen of England sunbathing topless and their publication, first in a French magazine and then in Ireland.

a cartoon of a person howling and a wrecking ball about to hit them, while the lab rat shouts: watch outBut set aside your moral outrage for a moment and your desire to see paparazzi (oh to heck with it, all journalists) roasted on a spit. Every action has an equal and opposite action. The impact of the topless shots has been huge.

What’s about to hit us at speed and coming in the opposite direction?

Notice how I suddenly snuck the the word ‘us’ in there?

I just want you to get down from your ivory tower or moral high ground and take a moment with me in a world where politicians jerk their knees in time with popular opinion and legislation around the world seems to be pumped out at unseemly speed simply to answer the question Joe Public likes to ask: “What does the government propose to do about it? That’s what I want to know.”


I’ve been watching the Leveson inquiry in the UK since its start. There is no doubt that what happened in the Milly Dowler case required thorough and impartial investigation and that the system of press self-policing was not working.

But the remit of Leveson is much much broader than the tragedy and its immediate implications. Over 100 days of hearing evidence and at a cost of £4 million. An angry population and a government that would like some big wins. This is a dangerous combination.

Now a beautiful young princess has been treated shoddily (by the press again) and the Royals have gone into bat in French courts. More publicity focused on… what exactly? The press? Or how they are allowed to handle information?

Press versus other use

And if in order to deal with the press (and remember, this a global issue) you alter access to and the punishment for inappropriate information use, how do you differentiate press use from other use?

I used to be a journalist many years ago, but I am considering the above question as both someone who advises on content and its governance and as business woman. Me. I’m troubled.

I’m firmly convinced that the fallout from Kate, the final scope of the Leveson report and the the current concerns around both cyber theft and privacy could provoke poorly constructed laws and regulations that we will all feel the impact of.

Poor laws are cumbersome to stay on top of. They suck resources. They trip us up. We all handle, trade and store personal information – facts, figures, names, addresses, pictures… We’re not immune from what’s going on. The full impact just hasn’t hit us yet.

There’s something coming and even without my glasses on I can see I don’t like the look of it at all.


Cookie Law – how’s that going for you?

The Cookie Law changes came in effect on May 26, 2012 and doesn’t time fly when you’re having governance fun? As I review how the changes are being implemented I’m most struck by the breadth of interpretation by organisations.

Plus, see the 5 things you should be doing right now at the foot of this post.

The EU Regulations have been flexed for UK consumption (we’ve already been given an extra year to get ready) but from my perspective this just puts British companies on the back foot when it comes to enforcement.

Traditionally the law got its clout from precedent (testing it in the courts and coming up with case law that could be cited to both prosecute and defend).

But in this digital age regulations themselves are often subject to revised interpretation and evolving advice and are policed in such a way that only a few bits (eg the government’s High Court battle with ISPs over the Digital Economy Act) get as far as the courts.

Cookies – the breakdown

Okay, back to cookies. As small bits of code that sit on users computers, cookies are useful in helping us understand what users want by monitoring their computer interactivity with a website.

The aim  of the new regulations is to give users more control over what organisations can find out and the opportunity to decline or remove cookies from their machines. Fair enough. If somebody from Marks & Spencer started following me about the store with a clipboard and writing notes about where I went or how long I spent there I would take exception, particularly if they didn’t desist when asked.


From a governance perspective I’m looking for robust ways to demonstrate that ‘implied consent’ has been given by users. Organisations have to give users enough easy to understand and obvious to find information about cookies to make it reasonable to assume users have implied consent, because they continue to move around a website without taking any other action – such as removing cookies. Sorry, that was a bit of a mouthful.

According to the Information Commissioner’s Office (ICO), implied consent means your organisation needs to be satisfied (another woolly word) that your users understand that their actions will result in cookies being set and also:

  • in some circumstances, for example, where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

Updating your privacy policy so that it is easy to understand and positioning links to it somewhere obvious to find is a step in the right direction.

I was involved in taking this approach on the Make it and Mend it website, pictured on the left. The Make it and Mend it Privacy and Cookie policy



Some organisations are more in your face about it. Such as the Financial Times pictured on the right.




And even though I’m not a limited company I’ve included advice about the approach I’ve personally taken in the In The Content Lab PRIACY/COOKIES on this site.

But how are you going to evidence how you decided (not assumed) the approach you took was the right one for you and your users? How are you monitoring effectiveness and aptness (alongside any changes in the interpretation of the underpinning regulation) on an ongoing basis.

Informed consent

If you’re going to understand implied consent it’s useful to understand informed consent. I like National Health Service definitions for this stuff. Implied consent is okay for some things and covers when someone doesn’t give written or express consent but does do something, for example, submits a completed questionnaire.

When it comes to more serious stuff you need informed consent, for example, giving someone full information about what a specific medical treatment involves, including the benefits and risks and then getting their consent in writing. Turning up for an appointment is not enough. I also looked at Canada’s anti-spam legislation (CASL) and the difference between Express (or Explicit) and Implied permission. Implied permission is what basically sits behind the current soft opt-in rule for email communication in the UK.

This left me with other questions. How ‘serious’ is the cookie issue? Is this fundamental to personal privacy even though the data isn’t personal as such? Is implied consent enough? How has my organisation satisfied itself on the implied consent question (or has it simply relied on the ICO or other bodies). How is my organisation demonstrating overall respect for user privacy in the way  it handles their data (identifiable or not)?

More unanswered questions

But there are more unanswered questions. For example, what about the real time auctioning of ad space? How can you tell users what cookies to expect in your privacy policy if the future ad space hasn’t been sold yet? Is it enough to tell users that this might be the case?

When legal firm Pannone looked at Cookie Law in early July it found a number of sites that were not compliant, including some global names and at least on UK government department. The full list is due to be published by The Drum on July 20, 2012. (An earlier KPMG survey was equally damning.)

And the picture is further complicated by the fact that some European countries are not complying – at all. In June it was revealed that the European Commission has filed a lawsuit against five EU nations about this.

The Latvian position

At the other end of the scale Latvia has apparently implemented a draconian version of the Cookie Law where users have to approve every cookie. My personal jury is still out on where the various country interpretations of the Cookie Law leaves organisations who operate across European geographic boundaries. Is it different if you have offices or subsidiaries in those countries? Does it matter where your website is physically based, servers etc? I’m not convinced the current advice on this is considered enough. These are just some of the things that keep me awake at night.

So, why should you bother and how should you bother?

At a top level let’s not lose sight of the pecuniary implications for getting it wrong. Site owners can be fined up to £500,000 for non-compliance. The ICO has said that its preference is for sending out notices rather than fining organisations, so long as they are making efforts towards compliance. Two words here – audit trail. Ooh and another one – evidence.

For those of you quietly humming “Catch me if you can” beware. Increasingly individuals are using online tools to take organisations to task for non-compliance in all sorts of areas. You only have to read the Advertising Standards Authority’s weekly adjudications to realise that. And although the ICO’s cookie concerns reporting tool is breathtakingly awful,  there are still people out there who will and are using it.

Secondly, doing the right and legal thing underpins your brand. Why should I trust the integrity of your product or service if you’re willing to cut corners elsewhere?

When it comes to the ‘how’, the first question you need to answer is: What types of cookies are used on your site? If you don’t what the cookie load is how can you decide how best to inform your users about them? Cookies basically fall into 4 types:

  • Session cookies – that last for a browser session and might include things like shopping basket contents.
  • Persistent cookies – which allow things like member preferences to be stored over the longer term. They may also be used to target advertising.
  • 1st party cookies – set by the website displayed in the URL window (that’d be you then).
  • 3rd party cookies – set by a domain other than the one being visited by the user. This would include Google cookies for analytics.

Then there is the question of how you inform. Obvious placement of your cookie and privacy policy links, as mentioned before, is one relatively straightforward option to apply. A lot of sites are using pop ups and and I have issues around the intrusive nature of this interface. Is this helpful or just interruptive? Is my organisation’s implied consent coming at the expense of irritated customers?

I’m also concerned that if users constantly have their browsing interrupted by variously worded cookie pop ups they may seek easier solutions. One option is the Do Not Track feature increasingly being offered by browsers. According to a Mozilla (Firefox) survey of 10,000+ Firefox users in 140 countries, 49% believed their privacy was respected more when Do Not Track was enabled. The survey also found users’ trust increased for browsers, publishers and advertisers who supported Do Not Track.

There is some question as to whether Microsoft’s IE 10 will ship with the “Do Not Track” turned on, as in the original spec – or off, which may reflect external pressure (some might argue).

5 things you should be doing right now…

  1. What are you currently doing?
  2. If the answer is ‘Nothing’ – get your act together.
  3. What’s the feedback, so far, on your current approach? (Assuming you didn’t answer ‘Nothing’ to 2.)
    • Any changes to page views etc?
    • Have you asked users what they think of your approach? This could be as simple as a 4Q survey.
    • And for goodness do some competitor and comparator work.
  4. Based on your answers to 3. should you make changes to your approach now?
    • These changes might affect how you ask for permission, or what you currently use cookies for.
    • If you answer ‘No’ to 4. – what are are you waiting for, exactly? The digital world is constantly evolving. If you’re not evolving with it, you’re a dinosaur.
  5. How much do you value the information you get from tracking with cookies? Gathering the data for data gathering sake is not enough.





Why good organisations make bad digital decisions

Do people leave their digital brains at home when they go to work?

Okay, I can hear the muttering from here. All you digital experts telling me to get back in my box. Fair enough.

But my audience for this particular question isn’t content strategists and web content creators; or usability consultants, taxonomists, web designers and builders, social media gurus or other email experts from various disciplines.

It’s you Mr.Businessman, Mr.Organisational Head Honcho. It’s the c-suite and serried ranks of senior managers, budget holders and strategic decision makers. Pardon my temerity – but you need to be told.

What I’m thinking about at the moment is why there seems to be a disconnect, to me at least, between the digital confidence levels and decision making capabilities we exhibit as individuals and those we deploy collectively at the office. I’m thinking specifically about digital decisions – that new company website, that social media initiative, app idea, or new mobile campaign…

In our personal lives the vast majority of us embrace digital change. We transition from book to Kindle, desk top to tablet, and from a real to virtual shopping basket… confident in our abilities as consumers of digital content and purchasers of its technologies.

It’s less about smart phones and more about smart, highly adaptive people.

But while our consumer selves are constantly evolving and making confident decisions, our business selves appear far less confident when it comes to making digital choices. The result is organisations can make poor, or slow-paced decisions in what is a fast-paced and constantly changing digital world.

Yet the same people who are out in the high street buying mobile phones, downloading apps and arranging their social lives using Facebook are sitting behind desks in offices where millions can be spent poorly.

How come, if…

  • 79% of the UK population use the internet – 20% more than 5 years ago
  • 67% of the population use a social networking site daily – 37% more than 4 years ago
  • 44% use a smart phone – 14% more than 1 year ago


  • 21% of online projects fail to meet stakeholder requirements
  • 25% of online projects fail or are severely curtailed due to poor planning
  • 30% of online projects are delivered late or over budget

How come?

What doesn’t seem to be the cause is the way collective decision making operates per se. After all, organisations have sophisticated, well-established processes for corporate decision making – from the board room down through (or up through) line management.

In ‘ye old days’, one argument might have been that people were often promoted beyond their competencies: to get them out of the way, or because promotion was their due; having worked through X number of roles and Y number of years. So called ‘Buggins’ turn’. This has become less and less likely as organisations become sharper and more demanding and the environments within which they operate become more competitive. With the exception of the odd highly placed banker, few businesses can afford to employ Buggins these days.

But there is some question that while business experience may admirably equip someone to take on more and more senior roles, they won’t necessarily have or even care about digital experience. We’ve previously discussed the fact that online engagement is not a boardroom or director level topic in The dawn of digital governance and Content is king – sort of.

So the skillsets that equip us to choose this smartphone or Like that viral campaign don’t get to shine in a business setting. Of course there will be digitally savvy marketeers and excellent creative agencies – but they work for the big bucks decision makers. And what they say and who they say it to may be motivated (or modified) by career advancement or career survival. There seems to be inhibition when it comes to talking about digital decisions in a rigorous, strategic and top level way. Sod the governance. Just get that new website up. Certainly sir.

So, what do we do about it?

To deal with this bit I started to think of other examples when organisations have changed in order to allow a new form of excellence to shine through. The one I had just finished reading about (thanks Amanda) was the PepsiCo academy approach to building skills within its global finance workforce.

The result was the PepsiCo Finance University, an academy-based learning model. Instead of traditional enterprise learning for the finance function, with the emphasis on division-specific, on-the-job experience and individualized coaching, the university packages scalable, online offerings organised into “colleges”.

The case study is highlight in an Accenture article – High Performance. Delivered. The article states: “One of the most distinguishing features of the university is its focus on applying course learning to real business issues. Groups come together, in person or virtually, to talk about problems facing the business and they work to solve local business challenges.”

I also tried to think of organisations that practiced some form of digital inclusion.

When it came to digital good practice (and by ‘good’ I mean ‘good enough to prove the point I wanted to make’) the one that actually came to mind was the UK government  and a project that is, on the face of it, demonstrating the complete opposite of the point I want to make.

There the digital team wield a power that the rest of us can only wonder at. In part this seems to reflect the celebrity and ‘pull’ of the government’s Digital Champion, Martha Lane Fox.

But the team work to clearly articulated and communicated principles and have the ability to override head honchos and subject matter experts as required in order to deliver simple, well thought out, user-centre digital content. Take a look at their beta site

But the more I thought about it the more I decided that the stronger the core digital team the more likely you are to create an environment that encourages strong digital opinions throughout an organisation. If you want to argue with a strong digital team you need to speak with confidence and from experience. The PepsiCo example is also about creating the right environment.

Another example I’ve come across recently involves schools and the question of mobile use by pupils. While banning phones from the classroom may seem  like the solution, some of the brightest educational establishments have been looking about ‘above the desk’ policies. Bringing the phone and its functionality into the lesson,  to enable internet search for example.

Another factor?

Another factor may be the nature of personal skill development. If we train as an accountant it is a business self decision. We go into the work place equipped with a skill we are expected and determined to use. But when our personal self learns a skill it’s less likely to be shown off in the workplace. Okay, there are few opportunities to use your golf swing in the office, but your digital skillsets and understanding? That’s a different matter.

Back in 1785 a Frenchman called Condorcet come up with his “jury theorem” that groups were more likely to be right than wrong and the bigger the group the more likely to be right it was. This theorem is consistently proven to be correct. But there is a qualification where members of a group are denied enough right information. The group is more likely to be wrong than right and that wrongness increases as the size of the group increases. It makes you think doesn’t it?