I attended the Adobe Dig­i­tal Mar­ket­ing Sum­mit EMEA a few weeks ago—an event with more than 1,800 atten­dees, includ­ing Adobe cus­tomers, part­ners, mem­bers of the press, and indus­try ana­lysts.  Much of the event focused on the Adobe Dig­i­tal Mar­ket­ing Suite and related prod­ucts as well as on how our cus­tomers could fur­ther enhance their use of our prod­ucts with our part­ners’ prod­ucts. It was a suc­cess­ful event, and our cus­tomers walked away filled to the brim with new ways to opti­mize their use of Adobe products.

Dur­ing the event, I had the plea­sure of inter­view­ing Dave Evans, Group Man­ager in the Busi­ness and Indus­try Divi­sion of the Infor­ma­tion Com­mis­sion­ers Office (ICO), the UK gov­ern­men­tal body respon­si­ble for enforc­ing, among other things, the ePri­vacy Direc­tive.  Since the inter­view took place a week before the May 26 expi­ra­tion of the UK’s mora­to­rium on enforc­ing the ePri­vacy Direc­tive, it was excel­lent tim­ing for our cus­tomers to hear the ICO’s posi­tion on enforc­ing this high-profile Direc­tive directly from Dave.  Dave was quite forth­com­ing, and I believe his com­ments helped many of our cus­tomers bet­ter under­stand what is expected of them.  For the ben­e­fit of every­one who was not able to attend the event, let me share what we learned dur­ing the interview:

My first ques­tion to Dave was what would be dif­fer­ent for British users on May 27th —and whether the ICO had a pile of enforce­ment actions queued up and ready to go.  Hap­pily, they did not.  They are plan­ning on tak­ing a prag­matic approach to enforce­ment.  The ICO will start ask­ing com­pa­nies, espe­cially large com­pa­nies, ques­tions about their plans for reach­ing com­pli­ance with the UK guide­lines.  The ICO under­stands that the changes required are not easy to make, espe­cially for large com­pa­nies. As an exam­ple, Dave men­tioned that he would not expect a large eRe­tailer to make dras­tic changes to its site in the mid­dle of a busy buy sea­son.  If those com­pa­nies require changes to be made after May 27th, that will likely be fine as long as com­pa­nies have a clear solu­tion in mind, a plan for imple­ment­ing that solu­tion, and progress is being made on imple­ment­ing that solution.

On May 29th, the ICO did in fact announce that they reached out to about 70 com­pa­nies to deter­mine whether these com­pa­nies are in com­pli­ance with the Directive—and if they are not, how and when they plan to comply.

I also asked Dave if cook­ies used for ana­lyt­ics would be con­sid­ered “strictly nec­es­sary” by the ICO in the UK.  Unfor­tu­nately, they will not. (As of the date of this blog, only France has pub­lished guid­ance that ana­lyt­ics cook­ies would be con­sid­ered strictly nec­es­sary and even then, only under a spe­cific set of cir­cum­stances.)  How­ever, Dave did indi­cate that the ICO’s prag­matic approach will extend to con­sid­er­ing the use of a cookie when decid­ing the type of con­sent that may be required.  Because cook­ies used for ana­lyt­ics are not as intru­sive as cook­ies used for other types of data col­lec­tion, a less intru­sive con­sent mech­a­nism will likely be accept­able.  Hav­ing said that, the ICO will be look­ing for more trans­par­ent notice of the use of ana­lyt­ics on a web­site, and that notice should include some form of choice mech­a­nism.  Edu­ca­tion plays a key role here.  Con­sumers need to under­stand, in plain lan­guage, what is hap­pen­ing on the web­site, what data is being col­lected, and why.  Dave indi­cated we should be see­ing guid­ance on what the Arti­cle 29 Work­ing Party con­sid­ers “strictly nec­es­sary” within the next month or so.

Next, we talked about what enforce­ment would look like.  Dave acknowl­edged that enforce­ment will be chal­leng­ing.  It is unlikely that the ICO will pur­sue a web­site on an indi­vid­ual cookie level, i.e. the ICO will not likely be respond­ing to com­plaints that a par­tic­u­lar web­site placed a spe­cific cookie on a user’s com­puter.  When users do com­plain, the ICO will be ask­ing those users whether they looked for con­trols on the web­site and whether they looked into chang­ing their browser set­tings.  How­ever, the ICO will be track­ing the com­plaints received.  If it becomes clear that a par­tic­u­lar sec­tor or ser­vice is caus­ing con­cern, the ICO will try and engage with rel­e­vant trade asso­ci­a­tions, where they exist, to address any sys­temic issues rather than try to respond to each com­plaint indi­vid­u­ally. As I men­tioned above, the ICO has already con­tacted a group of about 70 com­pa­nies to learn more about their com­pli­ance plans.  The ICO is expect­ing com­pa­nies to fig­ure out what cook­ies are used on their web­sites and to have a plan in place for com­ing into com­pli­ance. Dave’s advice is that a com­pany should be open and trans­par­ent enough about pri­vacy so that it would be dif­fi­cult for users to claim they were unaware that the company’s web­site was using cookies.

In clos­ing I asked Dave the ques­tion I get asked the most: Does a web­site have to obtain opt-in con­sent to be com­pli­ant?  Dave’s response was that an opt-in is uber-compliant, but as the ICO has seen on its own site, opt-ins might not work for every­one since few peo­ple choose to opt in.  He indi­cated that it may be accept­able to inter­pret con­tin­ued use of a site as con­sent pro­vided that users can­not claim they were unaware the web­site was using cook­ies, i.e. an implied con­sent model.   Since my inter­view with Dave dur­ing the Adobe Dig­i­tal Mar­ket­ing Sum­mit EMEA, the ICO has issued new guid­ance, which dis­cusses when implied con­sent may be accept­able in the UK.

Over­all, I have begun to see more web­sites launch new solu­tions focused on com­pli­ance. Time will tell exactly how the var­i­ous reg­u­la­tors will react to these solu­tions. Adobe is explor­ing how to best inte­grate pri­vacy solu­tions that pro­vide our cus­tomers with tools to assist with com­pli­ance. Cus­tomers inter­ested in learn­ing more about such solu­tions and/or pro­vid­ing input into their devel­op­ment are encour­aged to con­tact privacyfeedback@​adobe.​com for more infor­ma­tion.  For addi­tional details about the ePri­vacy Direc­tive, take a look at the FAQ posted on the Adobe Dig­i­tal Mar­ket­ing Blog.

MeMe Jacobs Ras­mussen
Chief Pri­vacy Offi­cer, Vice Pres­i­dent and Asso­ciate Gen­eral Counsel