This communication is intended to update information Adobe previously provided in September 2011 on both the revised European Union ePrivacy Directive (“Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector”) and what Adobe has been doing to prepare both ourselves and our customers for the implementation of this Directive.
If you have specific questions on this topic, please contact your Account Manager.
What is the ePrivacy Directive?
In 2002, the European Union enacted the ePrivacy Directive. Among other things, this legislation required the 30 of European Economic Area (EEA) Member States to put in place a “notice” and “opt-out” regime for storing or accessing any information on a user’s “terminal equipment” such as a computer or smart phone. Under the Directive, users must be provided with “clear and comprehensive information” about, in particular, why cookies are used on the relevant website (the “notice” element). In addition, users must be offered the right to refuse the cookies (the “opt-out” element), although there was no direction as to how the opt-out should be provided.
On December 25, 2009, amendments to the ePrivacy Directive came into force and brought with them a vast array of changes. The amendments were to be transposed into the national law of each EU Member State by May 25, 2011 (although as of March 2012, more than 10 EU Member States have still not passed the relevant national legislation). One section of the amended ePrivacy Directive — Article 5(3), also known as the “Cookie Amendment” — requires consent to store or access information on a user’s device. However, narrow exceptions apply for information used solely for electronic transmission (such as an Internet Protocol, or IP, address) or as strictly necessary for a service expressly requested by the user.
What is a Directive?
Directives are EU-wide laws proposed by the European Commission and enacted jointly by the European Council and the Parliament. Directives are often followed by the other four countries (Switzerland, Norway, Liechtestein, and Iceland), which together with the EU form the European Economic Area (EEA). Directives only have binding legal effect when transposed into national law by the EU Member States. Transposition is mandatory, although Member States often miss the deadlines. Once transposed, the language is interpreted and enforced by the enforcement authorities of each Member State, i.e. the data protection authorities (“DPA” for short).
What is the exact language of the ePrivacy Directive?
The language of the amended ePrivacy Directive — which may or may not be transposed verbatim in the laws of the Member States — is as follows (emphasis added):
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
Recital 66 to the amended Directive expressly states that:
“where it is technically possible and effective… the users consent to processing may be expressed by using the appropriate settings of a browser or other application”
A recital is not binding on the Member States. Each Member State decides the weight to attribute to a recital.
What information is covered by the Directive?
Any information that is read from or written to a user’s device from across the Internet or a network is covered by the Directive. This is a very broad definition. Practically speaking, the concern the European legislators were focused on when drafting the Directive was the use of cookies to track users without their knowledge. It is likely (but not guaranteed) that most of the enforcement actions will be around the use of cookies (or local storage) for tracking users across sites for the purpose of creating user profiles to serve behaviorally targeted ads.
Each Member State will define its own enforcement approach. In the UK, for instance, the Information Commissioner’s Office (ICO) announced in May 2011 a one-year moratorium on enforcement to allow time for the market to adapt to the new requirements. Companies should use this time to reflect on how they intend to comply with the law. Once enforcement starts in earnest in May 2012, the ICO is likely to focus on evident breaches and follow complaints that are brought to their attention by consumer associations and disgruntled users.
What does consent mean?
The concept of consent under the terms of the amended Directive is one of the most heavily debated portions of this Directive. At its core, consent means “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” However, the Member States are interpreting this differently. If some Member States interpret the new Article 5(3) in isolation (that is ignoring Recital 66 mentioned above), they might implement the consent requirement as requiring explicit consent by the user. However, this interpretation is only one potential outcome from the change to the ePrivacy Directive. It is also possible that Recital 66 will prevail, provided that regulators become satisfied with browser options in the near future. However many Member States, including the UK and Ireland for example, state that the settings panel of currently available browsers is unlikely to be sufficient to obtain user consent (although future browser releases which allow more granular choice might be sufficient). Depending on the type of cookie and the way it is used, a website that relies only on browser settings to demonstrate consent might encounter problems with regulators.
Who will have to comply with the Directive?
Generally speaking, European website operators or other companies with a website domain registered in the EU that target users in EU Member States will have to comply. Website operators based outside of the EU, who may have no physical presence in a Member State but who target users in EU Member States, will also likely need to comply. However, jurisdictional issues associated with European laws are complex, and we encourage our EU customers to discuss the effect of the Directive and ensuing Member State legislation with their data privacy and legal advisors to determine, if and how their business will need to comply with the Directive.
How are the various countries transposing the Directive?
Approximately half of EU Member States have officially enacted their transpositions. While precise details vary, the need for some form of consent and enhanced notice is common across the national laws. The Interactive Advertsing Bureau (IAB) has gathered the national (transposition or the proposed) legal basis in one single document, which is available on the IAB website at http://www.iabeurope.eu/media/63211/eprivacy%20directive%20-%20transposition%20texts%20march%202012.pdf.
Additionally, some Member States, such as the UK, Ireland and France, have issued guidance. For details, see:
What is happening in the Member States that do not yet have an official transposition?
Most Member States that do not yet have an official transposition have draft legislation in process. We are monitoring the developments in these Member States and are working with other trade organizations to lobby for transpositions that will not unduly hurt businesses.
What has Adobe been doing from a policy perspective to deal with the Directive?
Adobe’s Public Policy team began monitoring and actively lobbying around the amendments to the ePrivacy Directive in 2007. We, along with many other companies in the industry, are speaking (and are continuing to speak) with policymakers at the European institutions and in the Member States to explain the implications of the Directive for our customers and to raise our concerns (e.g. an increased number of dialog boxes that will likely be ignored, less free content available on the Web, websites requiring users to log in to gain consent). We have also been stressing the importance of including the language in the Recital as part of the law in the Member States. In addition, we are working with industry associations across Europe to lobby for the inclusion of Recital 66 in any transposition of the Directive in the Member States. We are also actively participating in the W3C Tracking Protection (“Do Not Track”) Working Group, which will hopefully, at some stage in the future, deliver a mechanism which contributes to ePrivacy compliance. This is likely to be in the form of a protocol that allows websites and browsers to communicate and respond to users’ requests to opt out from certain cookies.
What is Adobe doing to address other privacy concerns in Europe?
European privacy law differs by Member State and the ePrivacy Directive will not be implemented or enforced in a vacuum without consideration of other privacy laws. For example, there is concern in some Member States that IP addresses may constitute personal data because they may relate to identifiable individuals. To address this and related data protection concerns, Adobe’s Web analytics solution, SiteCatalyst, obfuscates IP addresses by default before storage and provides an opt-out mechanism customers can offer their website visitors should such visitors elect not to be tracked. Other Adobe Digital Marketing Suite products, such as Adobe AudienceManager and technology acquired from Efficient Frontier, also provide a choice mechanism our customers can offer to their website visitors. [If this is news to you, please speak with your account representative for assistance on implementing it on your site.] AudienceManager and technology acquired from Efficient Frontier also recognize Do Not Track headers in browsers. We actively monitor other European laws that may affect our products and evaluate whether there are changes we can or need to make to our products to comply with these laws.
In January 2012, the EU published plans to update its 1995 Data Protection Directive, which covers all aspects of privacy (beyond simply the “cookies” aspect covered by the ePrivacy Directive). The proposals will trigger a great deal of discussion about issues including consent, but a final regulation is expected to take at least two years to negotiate and would take an additional two years to come into effect. Adobe is speaking with policymakers and working with our industry associations to try and shape a balanced outcome.
What are publishers doing in response to the Directive?
Not many companies have explicitly stated their plans, and there are few clear examples of new compliance approaches in the marketplace. However, from our conversations with various companies, it appears that the following are among the responses to the Directive that publishers are currently considering pending implementation:
Performing a cookie audit to identify all the cookies on their site
Including notice in a prominent location on their home page regarding their use of cookies with a link to controls
Making references to browser settings more prominent
Forcing users to log in to the site or service and get consent on log-in or on account creation
Offering premium content to those users who grant consent and minimal content to those that do not
Reviewing their practices and evaluating (and minimizing where possible) the types of cookies they are using
For now, it appears that many companies are in a holding pattern, waiting to see how the Directive will be adopted and enforced by the Member States. The diverse nature of the potential responses we’re seeing in the market now reflects the uncertainty over how the Directive will be implemented and enforced. However, most companies we have spoken with are, at a minimum, analyzing the use of cookies on their sites.
What is Adobe’s advice to its customers in Europe?
There are several things our European Web analytics customers can do to prepare for the ePrivacy Directive. Please note that following these recommendations will not guarantee compliance. Until more information is available from all of the Member States on how they will interpret this Directive, the advice below should be considered as good first steps.
First, each customer should seek advice from their own counsel. Every business, and its associated website and data collection practices, is different. Thus, every business is implicated by the Directive in a different way.
Make sure your privacy policy is up to date, conspicuous, and transparent. Your policy should accurately and simply describe how you use your customers’ data as well as the data practices on your website, including your use of Web analytics software and your advertising practices. Your policy should also include references to browser settings.
Make sure your privacy policy includes a link to the page or mechanism for providing users with a choice regarding the Web analytics services or advertising practices on your website. Ideally, the link to the choice mechanism should also be included somewhere more obvious on your website, in addition to being referenced in your privacy policy.
The more notice and control you give to your users about your practices on your website, the better—including providing an easy-to-find link to your cookie practices, which should be explained in an easy-to-understand manner on a separate page.
Carefully review your use of cookies (and the site tags/beacons/JavaScript and other means of calling third-party servers from your website, which result in the dropping of cookies on consumers’ computers) to make sure that your use is in line with your privacy policy and your statements on your cookies page.
If you require users to log in to your site, include a link to your cookie and analytics practices in a conspicuous place when users create an account, and ask your users to agree to your practices.
Closely monitor the development of the implementations of the ePrivacy Directive. As mentioned above, only about half of the Member States have adopted implementation legislation as of the writing of this document.
European Union ePrivacy Directive – Latest Update
(Last Updated: May 10, 2012)
Dear Adobe Customer,
This communication is intended to update information Adobe previously provided in September 2011 on both the revised European Union ePrivacy Directive (“Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector”) and what Adobe has been doing to prepare both ourselves and our customers for the implementation of this Directive.
If you have specific questions on this topic, please contact your Account Manager.
What is the ePrivacy Directive?
In 2002, the European Union enacted the ePrivacy Directive. Among other things, this legislation required the 30 of European Economic Area (EEA) Member States to put in place a “notice” and “opt-out” regime for storing or accessing any information on a user’s “terminal equipment” such as a computer or smart phone. Under the Directive, users must be provided with “clear and comprehensive information” about, in particular, why cookies are used on the relevant website (the “notice” element). In addition, users must be offered the right to refuse the cookies (the “opt-out” element), although there was no direction as to how the opt-out should be provided.
On December 25, 2009, amendments to the ePrivacy Directive came into force and brought with them a vast array of changes. The amendments were to be transposed into the national law of each EU Member State by May 25, 2011 (although as of March 2012, more than 10 EU Member States have still not passed the relevant national legislation). One section of the amended ePrivacy Directive — Article 5(3), also known as the “Cookie Amendment” — requires consent to store or access information on a user’s device. However, narrow exceptions apply for information used solely for electronic transmission (such as an Internet Protocol, or IP, address) or as strictly necessary for a service expressly requested by the user.
What is a Directive?
Directives are EU-wide laws proposed by the European Commission and enacted jointly by the European Council and the Parliament. Directives are often followed by the other four countries (Switzerland, Norway, Liechtestein, and Iceland), which together with the EU form the European Economic Area (EEA). Directives only have binding legal effect when transposed into national law by the EU Member States. Transposition is mandatory, although Member States often miss the deadlines. Once transposed, the language is interpreted and enforced by the enforcement authorities of each Member State, i.e. the data protection authorities (“DPA” for short).
What is the exact language of the ePrivacy Directive?
The language of the amended ePrivacy Directive — which may or may not be transposed verbatim in the laws of the Member States — is as follows (emphasis added):
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
Recital 66 to the amended Directive expressly states that:
“where it is technically possible and effective… the users consent to processing may be expressed by using the appropriate settings of a browser or other application”
A recital is not binding on the Member States. Each Member State decides the weight to attribute to a recital.
What information is covered by the Directive?
Any information that is read from or written to a user’s device from across the Internet or a network is covered by the Directive. This is a very broad definition. Practically speaking, the concern the European legislators were focused on when drafting the Directive was the use of cookies to track users without their knowledge. It is likely (but not guaranteed) that most of the enforcement actions will be around the use of cookies (or local storage) for tracking users across sites for the purpose of creating user profiles to serve behaviorally targeted ads.
Each Member State will define its own enforcement approach. In the UK, for instance, the Information Commissioner’s Office (ICO) announced in May 2011 a one-year moratorium on enforcement to allow time for the market to adapt to the new requirements. Companies should use this time to reflect on how they intend to comply with the law. Once enforcement starts in earnest in May 2012, the ICO is likely to focus on evident breaches and follow complaints that are brought to their attention by consumer associations and disgruntled users.
What does consent mean?
The concept of consent under the terms of the amended Directive is one of the most heavily debated portions of this Directive. At its core, consent means “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” However, the Member States are interpreting this differently. If some Member States interpret the new Article 5(3) in isolation (that is ignoring Recital 66 mentioned above), they might implement the consent requirement as requiring explicit consent by the user. However, this interpretation is only one potential outcome from the change to the ePrivacy Directive. It is also possible that Recital 66 will prevail, provided that regulators become satisfied with browser options in the near future. However many Member States, including the UK and Ireland for example, state that the settings panel of currently available browsers is unlikely to be sufficient to obtain user consent (although future browser releases which allow more granular choice might be sufficient). Depending on the type of cookie and the way it is used, a website that relies only on browser settings to demonstrate consent might encounter problems with regulators.
Who will have to comply with the Directive?
Generally speaking, European website operators or other companies with a website domain registered in the EU that target users in EU Member States will have to comply. Website operators based outside of the EU, who may have no physical presence in a Member State but who target users in EU Member States, will also likely need to comply. However, jurisdictional issues associated with European laws are complex, and we encourage our EU customers to discuss the effect of the Directive and ensuing Member State legislation with their data privacy and legal advisors to determine, if and how their business will need to comply with the Directive.
How are the various countries transposing the Directive?
Approximately half of EU Member States have officially enacted their transpositions. While precise details vary, the need for some form of consent and enhanced notice is common across the national laws. The Interactive Advertsing Bureau (IAB) has gathered the national (transposition or the proposed) legal basis in one single document, which is available on the IAB website at http://www.iabeurope.eu/media/63211/eprivacy%20directive%20-%20transposition%20texts%20march%202012.pdf.
Additionally, some Member States, such as the UK, Ireland and France, have issued guidance. For details, see:
http://www.cnil.fr/en-savoir-plus/fiches-pratiques/fiche/article/ce-que-le-paquet-telecom-change-pour-les-cookies/
http://www.cnil.fr/la-cnil/actualite/article/article/publicite-ciblee-sur-internet-vers-un-consentement-prealable-de-linternaute/
What is happening in the Member States that do not yet have an official transposition?
Most Member States that do not yet have an official transposition have draft legislation in process. We are monitoring the developments in these Member States and are working with other trade organizations to lobby for transpositions that will not unduly hurt businesses.
What has Adobe been doing from a policy perspective to deal with the Directive?
Adobe’s Public Policy team began monitoring and actively lobbying around the amendments to the ePrivacy Directive in 2007. We, along with many other companies in the industry, are speaking (and are continuing to speak) with policymakers at the European institutions and in the Member States to explain the implications of the Directive for our customers and to raise our concerns (e.g. an increased number of dialog boxes that will likely be ignored, less free content available on the Web, websites requiring users to log in to gain consent). We have also been stressing the importance of including the language in the Recital as part of the law in the Member States. In addition, we are working with industry associations across Europe to lobby for the inclusion of Recital 66 in any transposition of the Directive in the Member States. We are also actively participating in the W3C Tracking Protection (“Do Not Track”) Working Group, which will hopefully, at some stage in the future, deliver a mechanism which contributes to ePrivacy compliance. This is likely to be in the form of a protocol that allows websites and browsers to communicate and respond to users’ requests to opt out from certain cookies.
What is Adobe doing to address other privacy concerns in Europe?
European privacy law differs by Member State and the ePrivacy Directive will not be implemented or enforced in a vacuum without consideration of other privacy laws. For example, there is concern in some Member States that IP addresses may constitute personal data because they may relate to identifiable individuals. To address this and related data protection concerns, Adobe’s Web analytics solution, SiteCatalyst, obfuscates IP addresses by default before storage and provides an opt-out mechanism customers can offer their website visitors should such visitors elect not to be tracked. Other Adobe Digital Marketing Suite products, such as Adobe AudienceManager and technology acquired from Efficient Frontier, also provide a choice mechanism our customers can offer to their website visitors. [If this is news to you, please speak with your account representative for assistance on implementing it on your site.] AudienceManager and technology acquired from Efficient Frontier also recognize Do Not Track headers in browsers. We actively monitor other European laws that may affect our products and evaluate whether there are changes we can or need to make to our products to comply with these laws.
In January 2012, the EU published plans to update its 1995 Data Protection Directive, which covers all aspects of privacy (beyond simply the “cookies” aspect covered by the ePrivacy Directive). The proposals will trigger a great deal of discussion about issues including consent, but a final regulation is expected to take at least two years to negotiate and would take an additional two years to come into effect. Adobe is speaking with policymakers and working with our industry associations to try and shape a balanced outcome.
What are publishers doing in response to the Directive?
Not many companies have explicitly stated their plans, and there are few clear examples of new compliance approaches in the marketplace. However, from our conversations with various companies, it appears that the following are among the responses to the Directive that publishers are currently considering pending implementation:
For now, it appears that many companies are in a holding pattern, waiting to see how the Directive will be adopted and enforced by the Member States. The diverse nature of the potential responses we’re seeing in the market now reflects the uncertainty over how the Directive will be implemented and enforced. However, most companies we have spoken with are, at a minimum, analyzing the use of cookies on their sites.
There has also been some informative press coverage on compliance with the ePrivacy Directive. One such example can be found at http://econsultancy.com/uk/blog/9202-eu-cookie-law-three-approaches-to-compliance.
What is Adobe’s advice to its customers in Europe?
There are several things our European Web analytics customers can do to prepare for the ePrivacy Directive. Please note that following these recommendations will not guarantee compliance. Until more information is available from all of the Member States on how they will interpret this Directive, the advice below should be considered as good first steps.
MeMe Jacobs Rasmussen
Chief Privacy Officer, Vice President and Associate General Counsel