This communication summarizes information Adobe has gathered on the revised EU ePrivacy Directive. Directive 2002/58/EC of the European Parliament and of the Council of July 12 2002 concerns the processing of personal data and the protection of privacy in the electronic communications sector. This document also discusses the actions Adobe has taken in response to this Directive.
Directives are EU-wide laws that the European Commission proposes. The European Council and the Parliament often enact them jointly. Directives only have binding legal effect when transposed into national law by the member states of the EU. Transposition is mandatory, although member states often miss the stated deadlines. Once transposed, the language is open to interpretation by each member state.
In 2002, the European Union enacted the ePrivacy Directive. Among other things, this legislation required the 27 EU member states to put in place a “notice” and “opt-out” regime for storing or accessing any information on a user’s computer. Under that Directive, users must be provided with “clear and comprehensive information” about, in particular, why cookies are used on the relevant website (the “notice” element). In addition, users must be offered the right to refuse the cookies (the “opt-out” element), although there is no direction as to how the opt-out should be provided.
On 25 Dec 2009, an amended Directive came into force and brought with it a vast array of changes primarily aimed at telecoms and Internet service providers. The deadline for this directive to be transposed into national law was May 25 2011.
One section of the amended ePrivacy Directive - Article 5(3), also known as the “Cookie Amendment” - requires consent to store or access information on a user’s device. However, narrow exceptions apply for information used solely for electronic transmission (such as an IP address) or for a service that the user expressly requests.
The language of the amended ePrivacy Directive - which may or may not be transposed verbatim in the laws of the member countries - is as follows:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” (emphasis added)
Recital 66 to the amended Directive expressly states that “where it is technically possible and effective […] the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”
Most member states are still in the early stages of drafting legislation to implement the Directive. It has been a controversial Directive, subject to much debate.
The concept of consent under the terms of the amended Directive is one of the most heavily debated portions of this Directive. If the new Article 5(3) is viewed by certain member states in isolation (that is, ignoring Recital 66), they might implement the consent requirement as requiring explicit consent. However, this interpretation is only one potential outcome from the change to the ePrivacy Directive. It is equally likely that Recital 66 will prevail. If member states view (as we believe they should) the amending Directive as a whole, their national law should make clear that Web browser privacy settings are a valid means for users to provide their consent. As most settings allow cookies to be set by default, the new prior consent regime could look very similar indeed to the existing notice and opt-out regime.
As stated above, no member country has released language yet.
Generally speaking, European companies or other companies with a presence in Europe that target European users will have to comply. Companies based outside Europe that have no physical presence in Europe but target users in Europe will also likely need to comply. However, jurisdictional issues associated with European laws are complex and in flux. Customers should seek counsel to determine if their business must comply with the Directive.
Adobe’s Public Policy team began monitoring and actively lobbying around the amendments to the ePrivacy Directive in 2007. We, along with many other companies in the industry, have spoken to numerous representatives at the European institutions and in the member countries to explain the implications of the Directive for our customers and to raise our concerns (for example, an increased number of dialog boxes that will likely be ignored, less free content available on the Web, websites requiring users to log in to gain consent). We have also been stressing the importance of including the language in the Recital as part of the law in the member countries.
Adobe is actively looking at ways to implement our Omniture services without the requirement of storing information on a consumer’s device. We are also investigating various options for providing notice to consumers. As we get closer to finalizing our solutions, Adobe will reach out to our customers with more information.
European privacy law differs by member state, and the ePrivacy Directive will not be implemented or enforced in a vacuum without consideration of other privacy laws. For example, there is some concern in some states that IP addresses are considered personal data. To address this concern, Adobe’s Omniture products obfuscate IP addresses by default before storing them. We actively monitor other European laws that may affect our products and evaluate whether there are changes we can or need to make to our products to comply with these laws.
Not many companies have explicitly stated their plans. However, from our conversations with various companies, it appears that the following are responses to the Directive that publishers are currently considering pending implementation:
Using a dialog box to get consent before storing or accessing information
Obtaining consent for all storage and access to a user’s device the first time a user accesses the site or the service (but any changes not identified when consent was initially obtained would require additional consent)
Forcing users to log in to the site or service and get consent on log-in
Offering premium content to those users who grant consent and minimal content to those that do not
Reviewing their practices and evaluating the types of cookies they are using
For now, it appears that many companies are in a holding pattern, waiting to see how the Directive will be adopted and enforced by the member states. The diverse nature of the potential responses that we’re seeing in the market now reflects the uncertainty over how the Directive will be implemented and enforced in member states.
There are several things our European analytics customers can do to prepare for this Directive:
First, each customer should seek advice from their own counsel. Every business is different and has a different risk tolerance.
The more notice you give to your users about your practices on your site, the better.
Consider using cookies only when strictly necessary to operate the service the user is requesting.
Closely monitor the development of the implementations of the ePrivacy Directive. As mentioned above, none of the member states have published their implementation as of the writing of this document.
We hope this information answers some of your questions. If you have specific questions, contact your Account Manager.