I attended the Adobe Digital Marketing Summit EMEA a few weeks ago—an event with more than 1,800 attendees, including Adobe customers, partners, members of the press, and industry analysts.  Much of the event focused on the Adobe Digital Marketing Suite and related products as well as on how our customers could further enhance their use of our products with our partners’ products. It was a successful event, and our customers walked away filled to the brim with new ways to optimize their use of Adobe products.

During the event, I had the pleasure of interviewing Dave Evans, Group Manager in the Business and Industry Division of the Information Commissioners Office (ICO), the UK governmental body responsible for enforcing, among other things, the ePrivacy Directive.  Since the interview took place a week before the May 26 expiration of the UK’s moratorium on enforcing the ePrivacy Directive, it was excellent timing for our customers to hear the ICO’s position on enforcing this high-profile Directive directly from Dave.  Dave was quite forthcoming, and I believe his comments helped many of our customers better understand what is expected of them.  For the benefit of everyone who was not able to attend the event, let me share what we learned during the interview:

My first question to Dave was what would be different for British users on May 27th —and whether the ICO had a pile of enforcement actions queued up and ready to go.  Happily, they did not.  They are planning on taking a pragmatic approach to enforcement.  The ICO will start asking companies, especially large companies, questions about their plans for reaching compliance with the UK guidelines.  The ICO understands that the changes required are not easy to make, especially for large companies. As an example, Dave mentioned that he would not expect a large eRetailer to make drastic changes to its site in the middle of a busy buy season.  If those companies require changes to be made after May 27th, that will likely be fine as long as companies have a clear solution in mind, a plan for implementing that solution, and progress is being made on implementing that solution.

On May 29th, the ICO did in fact announce that they reached out to about 70 companies to determine whether these companies are in compliance with the Directive—and if they are not, how and when they plan to comply.

I also asked Dave if cookies used for analytics would be considered “strictly necessary” by the ICO in the UK.  Unfortunately, they will not. (As of the date of this blog, only France has published guidance that analytics cookies would be considered strictly necessary and even then, only under a specific set of circumstances.)  However, Dave did indicate that the ICO’s pragmatic approach will extend to considering the use of a cookie when deciding the type of consent that may be required.  Because cookies used for analytics are not as intrusive as cookies used for other types of data collection, a less intrusive consent mechanism will likely be acceptable.  Having said that, the ICO will be looking for more transparent notice of the use of analytics on a website, and that notice should include some form of choice mechanism.  Education plays a key role here.  Consumers need to understand, in plain language, what is happening on the website, what data is being collected, and why.  Dave indicated we should be seeing guidance on what the Article 29 Working Party considers “strictly necessary” within the next month or so.

Next, we talked about what enforcement would look like.  Dave acknowledged that enforcement will be challenging.  It is unlikely that the ICO will pursue a website on an individual cookie level, i.e. the ICO will not likely be responding to complaints that a particular website placed a specific cookie on a user’s computer.  When users do complain, the ICO will be asking those users whether they looked for controls on the website and whether they looked into changing their browser settings.  However, the ICO will be tracking the complaints received.  If it becomes clear that a particular sector or service is causing concern, the ICO will try and engage with relevant trade associations, where they exist, to address any systemic issues rather than try to respond to each complaint individually. As I mentioned above, the ICO has already contacted a group of about 70 companies to learn more about their compliance plans.  The ICO is expecting companies to figure out what cookies are used on their websites and to have a plan in place for coming into compliance. Dave’s advice is that a company should be open and transparent enough about privacy so that it would be difficult for users to claim they were unaware that the company’s website was using cookies.

In closing I asked Dave the question I get asked the most: Does a website have to obtain opt-in consent to be compliant?  Dave’s response was that an opt-in is uber-compliant, but as the ICO has seen on its own site, opt-ins might not work for everyone since few people choose to opt in.  He indicated that it may be acceptable to interpret continued use of a site as consent provided that users cannot claim they were unaware the website was using cookies, i.e. an implied consent model.   Since my interview with Dave during the Adobe Digital Marketing Summit EMEA, the ICO has issued new guidance, which discusses when implied consent may be acceptable in the UK.

Overall, I have begun to see more websites launch new solutions focused on compliance. Time will tell exactly how the various regulators will react to these solutions. Adobe is exploring how to best integrate privacy solutions that provide our customers with tools to assist with compliance. Customers interested in learning more about such solutions and/or providing input into their development are encouraged to contact privacyfeedback@adobe.com for more information.  For additional details about the ePrivacy Directive, take a look at the FAQ posted on the Adobe Digital Marketing Blog.

MeMe Jacobs Ras­mussen
Chief Pri­vacy Offi­cer, Vice Pres­i­dent and Asso­ciate Gen­eral Coun­sel