May 30, 2012
The May 26th UK deadline for compliance to the EU ePrivacy Directive has come and gone.
The result? Confusion among eBusiness executives. Some action. Some sites are informing us of what they are doing. Many aren’t. And a last minute refresh of compliance guidance from the Information Commissioners Office.
The ICO has been steering UK organizations toward compliance for a while, though this steering has been frustratingly vague. But to give credit where credit is due, it released a last-minute guide, which is actually very helpful. Rather than reproduce the content here, I encourage you to read this blog post and download the PDF linked on the page.
The ICO has been taking an admirably pragmatic approach to compliance. The latest document sets out definitions of "implied consent," "session," and "persistent" cookies (among other things) as well as delivering some useful tips on how to inform consumers, even looking at the style of language needed. It's a real shame for UK sites that this guidance was issued at literally the eleventh hour. But as many UK sites have still yet to take any action, this guidance will still be helpful.
The situation in the rest of Europe is also beginning to become clearer.
The CNiL in France has released compliance guidance along very similar lines to that in the UK. Its guidance grants that a cookie that has "the sole purpose of enabling or facilitating electronic communication; or is strictly necessary for the provision of an online communication service at the express request of the user" does not require explicit user consent.
At the opposite end of the spectrum, the Lower House in the Netherlands has approved a change to the Dutch Telecommunications Act stating that consent must be granted by the user for all cookies prior to them being deployed. Furthermore, the use of behavioral or tracking cookies will be classified as the processing of personal data, and will therefore be legislated by the Dutch Data Protection Act. This is not without opposition, and major eCommerce names such as eBay are active in voicing their concerns.
I could go on.
There are as many different interpretations of this legislation as there are member states. In fact, it’s more accurate to say there is less than that, because at the current count, less than half of the member states have actually passed any legislation.
The reality for eBusiness executives, particularly those operating in a pan-European context is one of complexity. If you haven't taken any action yet, then realistically, an immediate audit of your estate is overdue. You need to understand the scope of your exposure, country by country. In countries like the Netherlands, you need to be planning on seeking prior consent from your users. In countries like the UK and France you need to understand your risk and work out what constitutes "essential" functional cookies and which need to be included in the scope of any consumer communication.
Either way, you need to be thinking longer term about how you manage this problem as you continue to develop your site and add new functionality, because it isn't going away.