EU e-privacy directive – back to the ‘spray and pray’ approach of old?

Ellie Edwards, MD at QUISMA: Now that the dust has slightly settled on the D-Day of 25 May, let’s take a look at the effects that the EU e-privacy directive has had within Europe…

The directive, often wrongly referred to the as ‘cookie law’, also covered websites’ privacy policy encompassing OBA (online behavioural advertising).

As a pan-European agency it’s important for us at QUISMA to be on top of changes all over Europe and there has been wildly different enforcement of the directive in different markets, with France and the Netherlands being among the most extreme cases.

The Dutch government passed the Telecommunications Act (DTA) going further than the original directive, not only requiring opt-in for cookies but also any technology that stores information on the user’s terminal equipment or that accesses stored information. The legislation applies to all cookies (Flash, java-script and analytics cookies) and makes no distinction between first party or third party cookies. Only cookies used in order to remember a user’s personal settings such as preferred language are exempt.

The new rules officially came into effect on 1 June 2012 yet the Dutch government has stated that it wants to await further developments of a “Do-Not-Track” standard within the European Union and therefore the new rules will not be enforced before 1 January 2013.

France also requires a strict opt-in policy for most cookies including tracking cookies – language and security settings are exempt from this but users can opt out of any cookies that would impact their user experience.

Italy has gone for a more relaxed view of the policy, not requiring website opt-in policy, instead allowing storage of information if the user has read information in the browser or application settings.

Similar to Italy, Spain has no requirement for strict ‘opt-in’ consent but websites have to provide clear information about personal data capture, for non-personal data consent can be sought at browser level.

Greece initially was slow to respond to the directive, however they have now made it law, although does not require explicit or prior consent. Browser settings or other applications are considered as an appropriate method to obtain consent.

Germany were initially defiant and rejected the directive (and managed to sidestep a fine by arguing that under the existing legislation things were fine) but since then have taken the approach that it is the users right to know what was collected and even demand the entity/website to delete it.

Some countries including Poland, Portugal and ironically Belgium fell victim to this paying daily fines ranging from €22,000 (Portugal) to €112,000 (Poland).

So what happened on 26 May? Armed with the knowledge of targeted advertising and implied versus explicit consent did consumers delete their cache and refuse to click on advertising? Well as often is the way, the reality didn’t live up to the hype and the naysayers who thought we’d all be out on the street, scrapping for a way to make a living were proved mainly wrong.

At the 11th or actually 48th hour the ICO changed their views to ‘implied consent’, shifting the responsibility from website operator to the user – this was a great relief to all those who had been struggling to comply within the 12 month deadline. With the threat of a fine of up to £500,000 and after seeing that fines have been given it seems that most UK companies are making the correct steps to compliance.

So what does the future hold and what has been done to educate the average user? It seems that in the main, users are still uneducated about different types of cookies, the difference between first and third party cookies and indeed how cookies even work!

Mr (or Mrs) average will still get the cookie that remembers that you are logged in, which is fine – and indeed handy and more secure in cases like online banking. However users who ‘opt-out’ of cookies that build a profile of your web surfing (searches, web pages visited, the content viewed, etc.) is tracked, for example in order to match ads against your interests as determined from the profile. The use of such cookies requires your consent.

This ‘step backwards’ for advertising takes us back to the ‘spray and pray’ approach of old.