Most recently attention around the ‘Cookie’ Directive* has focused on the UK, where the Information Commissioner’s Office (ICO) began enforcing the law on May 26, 2012. Just prior to this deadline the ICO released updated guidance, which notably endorsed implied consent as a valid consent mechanism. This came as a great relief to companies concerned about the potential business impact of implementing widespread express consent mechanisms.
The current regulatory stance in the UK is much clearer now and many companies have since implemented solutions to address the Directive in this jurisdiction. There remains regulatory ambiguity, however, in many of the other EU member countries. Companies must understand and prepare for regional compliance standards, as it’s unlikely that a one-size-fits-all approach will work across the EU.
When the European Commission passes a Data Protection Directive each member country must transcribe the Directive requirements into their respective body of law. While most member countries have passed laws of some form or another to incorporate the Cookie Directive, some countries are still considering legislation and some have yet to even initiate this process. Yet, even among those countries that have passed legislation there are interpretive differences in their laws that could affect the way companies approach the Directive.
These interpretive differences largely revolve around the standard for obtaining consumer consent. There are three schools of thought:
- Express Consent: whereby consumer consent must be obtained prior to the use of trackers and cookies. Examples of possible compliance mechanisms for this type of consent include: interstitials, pop-ups, website banners, and user registration consent events.
- Implied Consent: whereby consumer consent to the use of trackers and cookies is inferred by their engagement with a site on which prominent notice of tracking activity occurs. In this standard, consumers are offered the opportunity to withdraw consent at any time.
- Contextual Consent: whereby a mix of express and implied consent mechanisms are required, depending on the context of the data collection activity.
Countries that have adopted an express consent standard include:
- Germany (from existing federal law)
- Hungary (from existing law)
- Poland (from existing law)
Countries that have adopted an implied consent standard include:
- Czech Republic
Countries that have adopted a contextual consent standard include:
Countries that did not explicitly specify a consent standard include:
- Ireland (has been interpreted to be implied plus notice)
Countries that are considering a law include:
Countries that have not yet considered a law include:
While in theory the Data Protection Authorities of each member country could publish compliance guidance making implied consent the de facto standard, that event seems rather unlikely. Companies should retain solutions that can address both forms of consent (express vs. implied) and that can seamlessly adapt should standards evolve within member country jurisdictions.
In the future websites with pan-European audiences will need solutions that scale flexibly and provide localised consent experiences for users. At TRUSTe we counsel our clients that in the face of regulatory uncertainty the best strategy for companies to adopt is to make good faith efforts to comply and to remain flexible.
Many clients also leverage our Data Collection Certification product to further strengthen their privacy practices and build trust with their audiences. More information on how companies can address the EU Cookie Directive can be found at TRUSTe.
*Popularly known as the “Cookie Directive”, its requirements came about as the result of 2009 amendments to the ePrivacy Directive.
Want to discover how performance marketing strategies compare in other countries? If you do, you'll definitely want to attend A4u's next event, a4uexpo Europe. The two-day conference takes place in Barcelona on the 19th and 20th of June. It features over 40 sessions from the industry's leading brands and over 1000 delegates from more than 30 countries. With a continuous pan-European undercurrent, you'll be able to discover first-hand how to make big gains in performance marketing beyond your own territory. Registration is now open for publishers, advertisers, networks and agencies, and you will receive a discount of up to 30% on group bookings.