Association of online publishers Helping media owners build better digital business

EU Privacy Directive – what’s on the slate for 2012

Evidon helps businesses and customers understand and control data online, and operates the Ghostery browser extension, as well as serving ‘ad choices’ notices on online ads across the US and across Europe. Evidon will be speaking at our online privacy event on 18 April - find out more and book your place here.

Colin O'Malley
By Colin O'Malley, Chief Strategy Officer, Evidon The ePrivacy Directive requires consent for all cookies and other tracking code except those required to fulfill a direct user request. The majority of tracking that occurs on websites, including ad targeting, ad optimisation, and even routine analytics, both 1st and 3rd party, would all require consent. This brings every advertisement and commercial website in the EU into scope.  The Directive did not immediately take effect across the European Union, as each member state is required to pass a law incorporating the same or very similar language in their legislature before the ePrivacy Directive is considered law in their jurisdiction. In May 2011, the UK became the first EU Member State to pass the amended directive. As of today, 10 countries have passed the law, including the UK, France, Ireland, Sweden and Finland So what’s on the slate for 2012: 1. Dutch Opt-In Law Potentially Passed on March 6th with huge implications: While the Directive includes no reference to ‘prior’ or ‘explicit’ consent, broad-based efforts to ensure a universal implied consent standard for Europe have not succeeded. This is the most important outstanding policy question, and the final outcome will have significant commercial ramifications for online companies.  The Article 29 Working Party, a consortium of the Data Protection Authorities (‘DPAs’) from all members states and two representatives of the Commission, have issued non-binding guidance stating that consent must be explicit and prior.  While the ICO and Irish regulators have stood by a more pragmatic approach, and accept that implied consent can work in certain situations, they will also be sensitive to positions elsewhere in Europe, especially if those positions become more entrenched in law or regulatory precedent.  Key milestones for final consent standard include:
  • The Dutch law, drafted to include a requirement for explicit consent, which passed the Lower House last year and comes to a vote in the Upper House on March 6th.  If passed, the EU’s first explicit consent standard would be codified in law and effective immediately.
  • The German law, which is circulating for review in the legislature, also requiring explicit consent.  Timing on the German law is unclear, possibly requiring the full year to come to a vote, but the standard being passed in one of the top online markets in the EU would have massive implications for global compliance strategies.
Given the uncertain state of the consent standard and the likelihood that one or both of the opt-in laws will pass, many companies are beginning to plan for different standards for each jurisdiction, or for a global standard that meets the most restrictive. 2. UK Enforcement Begins May 26th: The Information Commissioner’s Office (ICO) is the regulator responsible for enforcement in the UK.  The UK was the first significant online market to pass the Directive, and the ICO has since been the most active with specific guidance about how and when they will enforce, including a ‘Half Term Report on Cookie Compliance,’ combined with updated guidance on the changes companies should consider to come into compliance.  When the law was passed in May of 2011, the ICO gave industry a 12-month enforcement extension, but that extension expires on May 26th, 2012 – just a few months away – and its enforcement powers include fining authority of up to £500,000. The ICO’s path will be watched closely across the EU and has the potential to set precedent. 3. The Mad Rush to Comply: Global and Pan-European brands are right now working overtime to plan their compliance strategies in advance of UK enforcement.  Many are folding in requirements that they anticipate in the Dutch law. As a practical manner, these companies see the writing on the wall across Europe, and have no intention of introducing consent one country at a time.  Just as with icons, new consent methods for routine tracking activities will shortly begin appearing at scale on site and in ads in the UK market, operated or otherwise mandated, by companies with some of the largest budgets in the industry. These market-based developments mean that compliance with the Directive, using tools that right now seem radical, is going to be a commercial reality in very short order.  Once this happens, the expectations of both consumers and regulators will be forever changed.  Smart companies will research their compliance options now, so that when clients ask for support, they are ready.  And so that when legal requirements come, they already have solutions lined up. In the next in this series on the EU Directive, Evidon outlines some practical steps to help companies comply with the EU's ePrivacy Directive. Register interest in our EU Directive event here.

Join the AOP group on LinkedIn - open for all Members to join
Subscribe to AOP's e-newsletter.