The Pragmatist’s Guide to Compliance with the ePrivacy Directive

Evidon's Steps to ePrivacy Compliance

One can recall a time in the recent past when the ePrivacy Directive appeared as an apparition on the horizon, a stern Directive, but one with vague requirements that no one seemed to be paying much mind.  In the second quarter of 2012, the market shifted dramatically, led initially with experiments from companies like the BBC, Barclays, and British Telecom, and culminating with the release of robust consent solutions from companies like Nectar, Reuters, and very public site changes from dozens of others.

Much of this activity has been spurred by the expiration of the enforcement grace period of the Information Commissioner’s Office (“ICO”) in the UK in May, and it has changed the landscape in two important respects:

  1. It’s real: The Directive is now a reality in the market, and as a result consumers and regulators have a new expectation that your site should be compliant.
  2. The path to compliance has been established: Through trial and error, the trailblazers have established a process to comply with what had previously seemed to be an unclear set of requirements.  Your path to compliance will be simpler and more direct as a result of their effort.

Policy Background

In November 2009, as part of wider reforms to the European telecommunications regulatory framework, the European Union adopted Directive 2009/136/EC (the “Citizens’ Rights Directive”).  This introduced various amendments to the existing Directive 2002/58/EC (the “e-Privacy Directive,” in this document the “Directive”), including to Article 5(3), regulating the use of tracking technologies on the internet, including cookies.

Before its amendment, Article 5(3) permitted tracking on a so-called ‘opt-out’ basis.  It required online operators to provide individuals with clear and comprehensive information about their tracking activities and to offer them the right to refuse cookies.  As amended, Article 5(3) now requires online operators to obtain ‘consent’ to store or access information on individuals’ terminal equipment.

The amended Directive includes a limited exemption to ‘strictly necessary’ tracking, but only for tracking required to fulfill a direct user request, and this is being interpreted in a very strict manner. The majority of tracking that occurs on contemporary websites and ads, including ad targeting, ad optimisation, and even routine analytics, both 1st and 3rd party, all require consent. This brings every advertisement and commercial website in the EU into scope. 

In May 2011, the UK became the first EU Member State to implement the amended Article 5(3) into national law.  The ICO initially provided the market with a 12-month grace period to come into compliance, but this expired on May 25th, 2012. As of June 2012, the Directive has also been passed in most of the major advertising markets in the EU, including France, Italy, Spain, The Netherlands, Ireland, Sweden, and Finland.

Compliance in 3 Steps 

1.    Audit your site for tracking activity

According to the Directive, consent must be specific to the parties involved, which means that you must know all of the individual parties tracking the user on your site, or the consent method that you deploy might be seen as incomplete.  This step is so essential that the ICO and CNIL (the French DPA) have both listed a comprehensive tracking audit as your first step.  Set up a system to regularly monitor and audit all the tracking code on your sites.  This is more than just a “cookie audit.”  While the Directive is often referred to as a “Cookie Directive,” its scope is never limited to cookies, and in fact covers all technologies used for a tracking purpose that is not ‘strictly necessary’ for the consumer.  You need to know the actual scripts that run on your pages, in addition to any flash objects, cookies, and any other methods being used to track the user.  Also bear in mind that the Directive covers both 1st and 3rd party tracking, so your audit will need to include your own activity as well.

If you have a broad portfolio of websites or if any of your sites are ad-supported, we guarantee that you will be surprised by the results.  Fortunately, audit data can also be used for non-compliance purposes, and can play a key role in helping you kick off unauthorised trackers and improve overall site performance.  Consider also that tracking activity can vary over time, and you may need an ongoing system to monitor how this tracking has changed so that your consent method can be updated accordingly.

2.    Determine your consent strategy

Details here will vary based on your business model, the results of our tracking audit, your vision of the ideal consumer experience, and the patience your organisation has to manage varying consent standards across the EU.  Make sure that you do your pre-work:

  • Organise the results of your tracking audit so that you can quickly see which companies are tracking, what data they are collecting, and what technologies they are using.  Your goal is to organise them at the company level, not the cookie level, to determine if they are ‘strictly necessary’ and for those that are not, that the tracking activity is routine enough that a standard consent method will suffice.  As a guide, the only tracking that will qualify as ‘strictly necessary’ will be tracking that is somehow connected to a consumer action and is required for the proper function of that interface (login cookies, video player settings, shopping cart tracking).  On a typical site, more than 90% of tracking activity will not be ‘strictly necessary,’ though all of that activity will be routine enough for a standard consent method.
  • Understand which territory has been designated as your Data Protection Authority “DPA”.  If you are incorporated in the UK and your site is built for a UK audience, don’t expend extra effort with this step, as your DPA is clearly in the UK.  As it happens, this would be good news, as you need only comply with the UK interpretation of the Directive, which is tolerant of implied consent, and you will not need to worry about varying standards across Europe.  If you are a US based company, or if you have sites that cater to a range of specific audiences around the EU, the picture muddies quickly.  You may be held to individual country level standards.  Some territories already require explicit consent (like The Netherlands) and others have not yet determined their standard (like Germany).  In this case, you can build an explicit consent standard to ensure you are compliant everywhere, or you can invest in the systems to vary your consent methods by territory, with flexibility to adjust them over time.

With your pre-work done, you can now make a commercial decision on the consent strategy that is appropriate for your organisation.  Most UK sites will be deploying implied consent methods. Implied consent is a much stricter standard than the market was accustomed to before the Directive.  Providing a link at the bottom of a page or a tab in the corner of the page linking to a cookie policy are good first steps, but no one has successfully argued that these methods alone achieve consent in the eyes of the law.  Companies deploying implied consent methods must demonstrate that they are providing enough information up front so that a typical user understands that tracking is taking place, and that their decision to continue using the site is an active indication of their consent.  A more prominent link to further information clearly does not reach this bar.  For examples of an implied consent implementation live, see Nectar and Reuters, or refer to the Appendix of this document.  

3.    Deploy consent

This is where you introduce your tracking to consumers in detail in a much more assertive manner.  You will want to coordinate the rollout of these tools closely with your IT team.

Your consent solution should include three components:

  1.  New consumer interfaces: One emerging best practice is to include visual overlays on every page of your site that are viewable to everyone above the fold.  The overlays should both communicate to the visitor that tracking is taking place using cookies and related technologies, and also present a link to opt-out options.  Remember that these tools, either immediately or shortly after the first click in a very clear interface, will need to disclose the specific companies that could be tracking the visitor on your site.
  2.  A method to opt-out: Enhanced notice alone will not be considered consent.  You will also need to integrate a mechanism that allows a visitor to withdraw consent from the non-essential trackers on your site, both 1st and 3rd party.  You can do this by a) integrating with opt-out tools of each of the parties tracking on your site, such that they are able to set opt-out cookies which they will then individually honor; b) use your own server side logic to withhold tags from companies where an opt-out request has been made; or c) integrate your consent interface with a tag management service, where the tag manager will withhold tags where appropriate.
  3.  Ongoing management options: If only consent requirements allowed for a static implementation.  For sites with no third party ad activity, very limited tracking activity overall, and a narrowly defined audience in only one European country, perhaps a static implementation will suffice.  But alas, tracking is extremely dynamic, especially for an ad-supported site.  One-time reports of tracking activity rapidly grow stale over time, and since consent under the directive must be specific to the parties involved, your consent tool must be refreshed over time with any new trackers.  Make sure that you have a process and tools in place to keep pace.

These three steps provide a framework for compliance that has been vetted with regulators across Europe and also commercially validated by companies across a wide range of industries.  And if you undertake the process fully, you will also find improved consumer trust and a wealth of actionable data about your site that will help you to enforce data ownership and improve site performance.


Appendix: Consent Visuals

This appendix includes screenshots of implied and explicit consent models that Evidon has developed after extensive discussions with regulators across Europe.  Other models may also satisfy the law, provided that they meet the same objective criteria.

1. Implied Consent

The visitor will first see an overlay on the bottom of the page explaining that tracking is taking place, and that action can be taken with the Cookie Consent tool.  This message and the tool icon hover on the bottom of the page to ensure visibility.  The portion shown here in orange will only be seen for the first few visits and thereafter only the Cookie Consent icon will be visible.

If the visitor clicks on the Cookie Consent icon, they will see a custom message fromt he site owner, an overview of the categories of tracking activity that are taking place, and a tool that allows for the withdrawal of consent from non-essential tracking by category.

If the visitor clicks through on a category, they will see a list of tracking companies within that category, along wtih details about the purpose of their tracking and the ability to withdraw consent from the particular tracker.

2. Explicit Consent

In the explicit consent model, a barrier page is invoked the first time a user accesses a site. Details of the site’s tracking activity are provided, and the visitor is asked to provide consent. Once consent is obtained, the barrier page will no onger appear. The visitor can withdraw consent by category or by tracker through the Cookie Consent tool on the barrier page or at anytime thereafter through the icon that will appear on each page after consent is provided.