(Last Updated: May 10, 2012)

Dear Adobe Customer,

This com­mu­ni­ca­tion is intended to update infor­ma­tion Adobe pre­vi­ously pro­vided in Sep­tem­ber 2011 on both the revised Euro­pean Union ePri­vacy Direc­tive (“Direc­tive 2002/58/EC of the Euro­pean Par­lia­ment and of the Coun­cil of 12 July 2002 con­cern­ing the pro­cess­ing of per­sonal data and the pro­tec­tion of pri­vacy in the elec­tronic com­mu­ni­ca­tions sec­tor”) and what Adobe has been doing to pre­pare both our­selves and our cus­tomers for the imple­men­ta­tion of this Directive.

If you have spe­cific ques­tions on this topic, please con­tact your Account Manager.

What is the ePri­vacy Directive?

In 2002, the Euro­pean Union enacted the ePri­vacy Direc­tive.  Among other things, this leg­is­la­tion required the 30 of Euro­pean Eco­nomic Area (EEA) Mem­ber States to put in place a “notice” and “opt-out” regime for stor­ing or access­ing any infor­ma­tion on a user’s “ter­mi­nal equip­ment” such as a com­puter or smart phone.  Under the Direc­tive, users must be pro­vided with “clear and com­pre­hen­sive infor­ma­tion” about, in par­tic­u­lar, why cook­ies are used on the rel­e­vant web­site (the “notice” ele­ment).  In addi­tion, users must be offered the right to refuse the cook­ies (the “opt-out” ele­ment), although there was no direc­tion as to how the opt-out should be provided.

On Decem­ber 25, 2009, amend­ments to the ePri­vacy Direc­tive came into force and brought with them a vast array of changes.  The amend­ments were to be trans­posed into the national law of each EU Mem­ber State by May 25, 2011 (although as of March 2012, more than 10 EU Mem­ber States have still not passed the rel­e­vant national leg­is­la­tion).  One sec­tion of the amended ePri­vacy Direc­tive — Arti­cle 5(3), also known as the “Cookie Amend­ment” — requires con­sent to store or access infor­ma­tion on a user’s device.  How­ever, nar­row excep­tions apply for infor­ma­tion used solely for elec­tronic trans­mis­sion (such as an Inter­net Pro­to­col, or IP, address) or as strictly nec­es­sary for a ser­vice expressly requested by the user.

What is a Directive?

Direc­tives are EU-wide laws pro­posed by the Euro­pean Com­mis­sion and enacted jointly by the Euro­pean Coun­cil and the Parliament. Directives are often fol­lowed by the other four coun­tries (Switzer­land, Nor­way, Liecht­estein, and Ice­land), which together with the EU form the Euro­pean Eco­nomic Area (EEA). Direc­tives only have bind­ing legal effect when trans­posed into national law by the EU Mem­ber States.  Trans­po­si­tion is manda­tory, although Mem­ber States often miss the dead­lines.  Once trans­posed, the lan­guage is inter­preted and enforced by the enforce­ment author­i­ties of each Mem­ber State, i.e. the data pro­tec­tion author­i­ties (“DPA” for short).

What is the exact lan­guage of the ePri­vacy Directive?

The lan­guage of the amended ePri­vacy Direc­tive — which may or may not be trans­posed ver­ba­tim in the laws of the Mem­ber States — is as fol­lows (empha­sis added):

Mem­ber States shall ensure that the stor­ing of infor­ma­tion, or the gain­ing of access to infor­ma­tion already stored, in the ter­mi­nal equip­ment of a sub­scriber or user is only allowed on con­di­tion that the sub­scriber or user con­cerned has given his or her con­sent, hav­ing been pro­vided with clear and com­pre­hen­sive infor­ma­tion, in accor­dance with Direc­tive 95/46/EC, inter alia, about the pur­poses of the pro­cess­ing.  This shall not pre­vent any tech­ni­cal stor­age or access for the sole pur­pose of car­ry­ing out the trans­mis­sion of a com­mu­ni­ca­tion over an elec­tronic com­mu­ni­ca­tions net­work, or as strictly nec­es­sary in order for the provider of an infor­ma­tion soci­ety ser­vice explic­itly requested by the sub­scriber or user to pro­vide the ser­vice.

Recital 66 to the amended Direc­tive expressly states that:

where it is tech­ni­cally pos­si­ble and effec­tive… the users con­sent to pro­cess­ing may be expressed by using the appro­pri­ate set­tings of a browser or other application”

A recital is not bind­ing on the Mem­ber States.  Each Mem­ber State decides the weight to attribute to a recital.

What infor­ma­tion is cov­ered by the Directive?

Any infor­ma­tion that is read from or writ­ten to a user’s device from across the Inter­net or a net­work is cov­ered by the Direc­tive.  This is a very broad def­i­n­i­tion.  Prac­ti­cally speak­ing, the con­cern the Euro­pean leg­is­la­tors were focused on when draft­ing the Direc­tive was the use of cook­ies to track users with­out their knowl­edge.  It is likely (but not guar­an­teed) that most of the enforce­ment actions will be around the use of cook­ies (or local stor­age) for track­ing users across sites for the pur­pose of cre­at­ing user pro­files to serve behav­iorally tar­geted ads.

Each Mem­ber State will define its own enforce­ment approach. In the UK, for instance, the Infor­ma­tion Commissioner’s Office (ICO) announced in May 2011 a one-year mora­to­rium on enforce­ment to allow time for the mar­ket to adapt to the new require­ments. Com­pa­nies should use this time to reflect on how they intend to com­ply with the law. Once enforce­ment starts in earnest in May 2012, the ICO is likely to focus on evi­dent breaches and fol­low com­plaints that are brought to their atten­tion by con­sumer asso­ci­a­tions and dis­grun­tled users.

What does con­sent mean?

The con­cept of con­sent under the terms of the amended Direc­tive is one of the most heav­ily debated por­tions of this Directive. At its core, con­sent means “any freely given spe­cific and informed indi­ca­tion of his wishes by which the data sub­ject sig­ni­fies his agree­ment to per­sonal data relat­ing to him being processed.”  How­ever, the Mem­ber States are inter­pret­ing this dif­fer­ently. If some Mem­ber States inter­pret the new Arti­cle 5(3) in iso­la­tion (that is ignor­ing Recital 66 men­tioned above), they might imple­ment the con­sent require­ment as requir­ing explicit con­sent by the user.  How­ever, this inter­pre­ta­tion is only one poten­tial out­come from the change to the ePri­vacy Direc­tive.  It is also pos­si­ble that Recital 66 will pre­vail, pro­vided that reg­u­la­tors become sat­is­fied with browser options in the near future. However many Mem­ber States, includ­ing the UK and Ire­land for exam­ple, state that the set­tings panel of cur­rently avail­able browsers is unlikely to be suf­fi­cient to obtain user con­sent (although future browser releases which allow more gran­u­lar choice might be suf­fi­cient).  Depend­ing on the type of cookie and the way it is used, a web­site that relies only on browser set­tings to demon­strate con­sent might encounter prob­lems with regulators.

Who will have to com­ply with the Directive?

Gen­er­ally speak­ing, Euro­pean web­site oper­a­tors or other com­pa­nies with a web­site domain reg­is­tered in the EU that tar­get users in EU Mem­ber States will have to com­ply.  Web­site oper­a­tors based out­side of the EU, who may have no phys­i­cal pres­ence in a Mem­ber State but who tar­get users in EU Mem­ber States, will also likely need to com­ply.  How­ever, juris­dic­tional issues asso­ci­ated with Euro­pean laws are com­plex, and we encour­age our EU cus­tomers to dis­cuss the effect of the Direc­tive and ensu­ing Mem­ber State leg­is­la­tion with their data pri­vacy and legal advi­sors to deter­mine, if and how their busi­ness will need to com­ply with the Directive.

How are the var­i­ous coun­tries trans­pos­ing the Directive?

Approx­i­mately half of EU Mem­ber States have offi­cially enacted their trans­po­si­tions.  While pre­cise details vary, the need for some form of con­sent and enhanced notice is com­mon across the national laws. The Inter­ac­tive Adverts­ing Bureau (IAB) has gath­ered the national (trans­po­si­tion or the pro­posed) legal basis in one sin­gle doc­u­ment, which is avail­able on the IAB web­site at http://www.iabeurope.eu/media/63211/eprivacy%20directive%20-%20transposition%20texts%20march%202012.pdf.

Addi­tion­ally, some Mem­ber States, such as the UK, Ire­land and France, have issued guid­ance. For details, see:

What is hap­pen­ing in the Mem­ber States that do not yet have an offi­cial transposition?

Most  Mem­ber States that do not yet have an offi­cial trans­po­si­tion have draft leg­is­la­tion in process.  We are mon­i­tor­ing the devel­op­ments in these Mem­ber States and are work­ing with other trade orga­ni­za­tions to lobby for trans­po­si­tions that will not unduly hurt businesses.

What has Adobe been doing from a pol­icy per­spec­tive to deal with the Directive?

Adobe’s Pub­lic Pol­icy team began mon­i­tor­ing and actively lob­by­ing around the amend­ments to the ePri­vacy Direc­tive in 2007.  We, along with many other com­pa­nies in the indus­try, are speak­ing (and are con­tin­u­ing to speak) with pol­i­cy­mak­ers at the Euro­pean insti­tu­tions and in the Mem­ber States to explain the impli­ca­tions of the Direc­tive for our cus­tomers and to raise our con­cerns (e.g. an increased num­ber of dia­log boxes that will likely be ignored, less free con­tent avail­able on the Web, web­sites requir­ing users to log in to gain con­sent).  We have also been stress­ing the impor­tance of includ­ing the lan­guage in the Recital as part of the law in the Mem­ber States.  In addi­tion, we are work­ing with indus­try asso­ci­a­tions across Europe to lobby for the inclu­sion of Recital 66 in any trans­po­si­tion of the Direc­tive in the Mem­ber States. We are also actively par­tic­i­pat­ing in the W3C Track­ing Pro­tec­tion (“Do Not Track”) Work­ing Group, which will hope­fully, at some stage in the future, deliver a mech­a­nism which con­tributes to ePri­vacy com­pli­ance. This is likely to be in the form of a pro­to­col that allows web­sites and browsers to com­mu­ni­cate and respond to users’ requests to opt out from cer­tain cookies.

What is Adobe doing to address other pri­vacy con­cerns in Europe?

Euro­pean pri­vacy law dif­fers by Mem­ber State and the ePri­vacy Direc­tive will not be imple­mented or enforced in a vac­uum with­out con­sid­er­a­tion of other pri­vacy laws.  For exam­ple, there is con­cern in some Mem­ber States that IP addresses may con­sti­tute per­sonal data because they may relate to iden­ti­fi­able indi­vid­u­als. To address this and related data pro­tec­tion con­cerns, Adobe’s Web ana­lyt­ics solu­tion, Site­Cat­a­lyst, obfus­cates IP addresses by default before stor­age and  pro­vides an opt-out mech­a­nism cus­tomers can offer their web­site vis­i­tors should such vis­i­tors elect not to be tracked. Other Adobe Dig­i­tal Mar­ket­ing Suite prod­ucts, such as Adobe Audi­ence­M­an­ager and tech­nol­ogy acquired from Effi­cient Fron­tier, also pro­vide a choice mech­a­nism our cus­tomers can offer to their web­site vis­i­tors. [If this is news to you, please speak with your account rep­re­sen­ta­tive for assis­tance on imple­ment­ing it on your site.]  Audi­ence­M­an­ager and tech­nol­ogy acquired from Effi­cient Fron­tier also rec­og­nize Do Not Track head­ers in browsers.  We actively mon­i­tor other Euro­pean laws that may affect our prod­ucts and eval­u­ate whether there are changes we can or need to make to our prod­ucts to com­ply with these laws.

In Jan­u­ary 2012, the EU pub­lished plans to update its 1995 Data Pro­tec­tion Direc­tive, which cov­ers all aspects of pri­vacy (beyond sim­ply the “cook­ies” aspect cov­ered by the ePri­vacy Direc­tive). The pro­pos­als will trig­ger a great deal of dis­cus­sion about issues includ­ing con­sent, but a final reg­u­la­tion is expected to take at least two years to nego­ti­ate and would take an addi­tional two years to come into effect. Adobe is speak­ing with pol­i­cy­mak­ers and work­ing with our indus­try asso­ci­a­tions to try and shape a bal­anced outcome.

What are pub­lish­ers doing in response to the Directive?

Not many com­pa­nies have explic­itly stated their plans, and there are few clear exam­ples of new com­pli­ance approaches in the mar­ket­place. How­ever, from our con­ver­sa­tions with var­i­ous com­pa­nies, it appears that the fol­low­ing are among the responses to the Direc­tive that pub­lish­ers are cur­rently con­sid­er­ing pend­ing implementation:

  • Per­form­ing a cookie audit to iden­tify all the cook­ies on their site
  • Includ­ing notice in a promi­nent loca­tion on their home page regard­ing their use of cook­ies with a link to controls
  • Mak­ing ref­er­ences to browser set­tings more prominent
  • Forc­ing users to log in to the site or ser­vice and get con­sent on log-in or on account creation
  • Offer­ing pre­mium con­tent to those users who grant con­sent and min­i­mal con­tent to those that do not
  • Review­ing their prac­tices and eval­u­at­ing (and min­i­miz­ing where pos­si­ble) the types of cook­ies they are using

For now, it appears that many com­pa­nies are in a hold­ing pat­tern, wait­ing to see how the Direc­tive will be adopted and enforced by the Mem­ber States. The diverse nature of the poten­tial responses we’re see­ing in the mar­ket now reflects the uncer­tainty over how the Direc­tive will be imple­mented and enforced.  How­ever, most com­pa­nies we have spo­ken with are, at a min­i­mum, ana­lyz­ing the use of cook­ies on their sites.

There has also been some infor­ma­tive press cov­er­age on com­pli­ance with the ePri­vacy Direc­tive.  One such exam­ple can be found at http://​econ​sul​tancy​.com/​u​k​/​b​l​o​g​/​9​2​0​2​-​e​u​-​c​o​o​k​i​e​-​l​a​w​-​t​h​r​e​e​-​a​p​p​r​o​a​c​h​e​s​-​t​o​-​c​o​m​p​l​i​a​nce.

What is Adobe’s advice to its cus­tomers in Europe?

There are sev­eral things our Euro­pean Web ana­lyt­ics cus­tomers can do to pre­pare for the ePri­vacy Direc­tive. Please note that fol­low­ing these rec­om­men­da­tions will not guar­an­tee com­pli­ance. Until more infor­ma­tion is avail­able from all of the Mem­ber States on how they will inter­pret this Direc­tive, the advice below should be con­sid­ered as good first steps.

  • First, each cus­tomer should seek advice from their own coun­sel. Every busi­ness, and its asso­ci­ated web­site and data col­lec­tion prac­tices, is dif­fer­ent. Thus, every busi­ness is impli­cated by the Direc­tive in a dif­fer­ent way.
  • Make sure your pri­vacy pol­icy is up to date, con­spic­u­ous, and trans­par­ent. Your pol­icy should accu­rately and sim­ply describe how you use your cus­tomers’ data as well as the data prac­tices on your web­site, includ­ing your use of Web ana­lyt­ics soft­ware and your adver­tis­ing prac­tices.  Your pol­icy should also include ref­er­ences to browser settings.
  • Make sure your pri­vacy pol­icy includes a link to the page or mech­a­nism for pro­vid­ing users with a choice regard­ing the Web ana­lyt­ics ser­vices or adver­tis­ing prac­tices on your web­site.  Ide­ally, the link to the choice mech­a­nism should also be included some­where more obvi­ous on your web­site, in addi­tion to being ref­er­enced in your pri­vacy policy.
  • The more notice and con­trol you give to your users about your prac­tices on your web­site, the better—including pro­vid­ing an easy-to-find link to your cookie prac­tices, which should be explained in an easy-to-understand man­ner on a sep­a­rate page.
  • Care­fully review your use of cook­ies (and the site tags/beacons/JavaScript and other means of call­ing third-party servers from your web­site, which result in the drop­ping of cook­ies on con­sumers’ com­put­ers) to make sure that your use is in line with your pri­vacy pol­icy and your state­ments on your cook­ies page.
  • If you require users to log in to your site, include a link to your cookie and ana­lyt­ics prac­tices in a con­spic­u­ous place when users cre­ate an account, and ask your users to agree to your practices.
  • Closely mon­i­tor the devel­op­ment of the imple­men­ta­tions of the ePri­vacy Direc­tive. As men­tioned above, only about half of the Mem­ber States have adopted imple­men­ta­tion leg­is­la­tion as of the writ­ing of this document.

MeMe Jacobs Ras­mussen
Chief Pri­vacy Offi­cer, Vice Pres­i­dent and Asso­ciate Gen­eral Coun­sel

0 comments