FAQ on European Privacy Directive

Version 6

    In late May 2011, the European e-Privacy directive went into effect in Europe. This directive legally mandates that websites tracking users with cookies must obtain explicit consent from the person before dropping the cookie. Marketing automation will become an even more powerful revenue engine when online participants feel safe about their data. In addition to being given the option to opt in to marketing and lead nurturing programs that are relevant to them, with the standardization of privacy protections, unsavory players will be cut out of the market. Businesses that are trusted will excel in this environment.

    What is a cookie?

    A cookie is a very small piece of software code that websites use to track visitors.

    What do these regulations mean?

    When asking permission, the website must be clear on what data is being tracked and how it will be used. A record of the permission confirmation action (e.g. clicking an agreement link) must be retained.

    What if I am based in the US?

    The regulations apply to all businesses and websites tracking European users. To be in compliance with the EU, American businesses must take reasonable measures to identify which website visitors are European and obtain their permission. The EU’s former commissioner for justice, Viviane Reding, is quoted as saying “Privacy standards for European citizens should apply independently of the area of the world in which their data is being processed,” and “To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU customers.”

    http://gigaom.com/2011/03/17/u-s-web-firms-told-to-stick-to-eu-privacy-laws/

    In addition to this new cookie tracking regulation, US businesses servicing Europeans should also be Safe Harbor certified. Safe Harbor ensures that American businesses are compliant with the European Commission’s previous Directive on Data Protection. http://www.export.gov/safeharbor/

    What if I am a multinational corporation?

    The regulations apply to all businesses and websites tracking European users.

    Is this really a law?

    The European e-Privacy directive is EU law. However, it is not yet national law for all EU members. With EU directives, member states are required to enact national laws implementing the directive. Most member states have not implemented national laws requiring explicit consent for cookies. The exceptions here are Germany, Italy, and the UK (see next question).
    The national legislatures do not always move on the schedule set by the EU directives. This process could very well take many years to cover all of Europe. Marketo will continue to watch developments and update this FAQ appropriately.

    Is explicit consent already law in any EU country now?

    Currently, there are several countries that have enacted this law.

    Germany has had rules on the books requiring explicit consent before tracking by cookies for some time now. Indeed, in many ways the EU e-Privacy directive is designed to harmonize EU member state laws with Germany’s privacy laws. Because Germany already requires explicit consent and other EU countries are starting to, Marketo recommends that businesses begin compliance implementation now.

    The UK Department of Culture, Media, and Sport (DCMS) is currently developing specific guidelines for compliance with this law. So, while the law went into effect on May 25, 2011, in the UK, the DCMS has stated that they will not be enforcing the law until an unspecified date in the future.

    http://www.culture.gov.uk/news/media_releases/8051.aspx

    Italy has also enacted laws to comply with the EU privacy directive.

    Marketo will continue to monitor developments and update this FAQ document appropriately.

    What happens if I am not compliant?

    This is a major transformation in privacy protections that businesses worldwide will be adapting to. Most countries in Europe, like Britain, have not yet released specifics on regulations. Until specific regulations are created, there will not be details on the penalties. It is likely that over time, EU penalties for non-compliance will increase.

    What caused this change?

    Over a long period of time, the EU member states have had different privacy laws. It is a stated goal of the EU to have uniform and cohesive privacy regulations.

    Is the change good or bad?

    This change will be good for companies that are able to compete by online trust and privacy protection. With the new privacy protections, consumers and B2B buyers will be able to easily compare privacy practices of businesses they are evaluating to engage with. Businesses need to start competing on how much they are trusted with subscribers’ data. Businesses that are good at online trust will benefit. Marketo believes that initiatives that encourage trust will benefit the online marketing ecosystem over time.

    Who are the experts in this field? Who are the leaders in this information? I.e. where can I get more info or how can I stay on top of this topic?

    Many Marketo customers are experts in building online trust and competing on privacy. Marketo’s Privacy team is dedicated to Marketo customers and provides know-how on compliance best practices. The Online Trust Alliance (OTA - https://otalliance.org/) is a great non-profit working to foster trust in online ecosystems. The OTA is tapped into the developing privacy trends in the EU and Washington and is a great resource for member companies. MAAWG (Messaging Anti-Abuse Working Group) is a regular gathering of the top experts in privacy and messaging abuse prevention.

    How can I become compliant?

    The key to compliance is explicit consent. Explicit consent means specific language on how you are marketing and tracking. Explicit consent also means that there must be some kind of affirmative action (e.g. clicking) by which the subscriber acknowledges their consent to marketing and tracking. A good example of this is where a subscriber provides consent by clicking, which causes a pop-up box specifying what you will do with the subscriber’s personal data. It is important that you do not mix up consent wording with more general wording on your business policies. If you integrate consent language into your general policy wording, then highlight the consent language and record the click that gives consent.

    Do I have to collect this explicit consent on the first page of my website?

    You can decide where to collect consent and then drop the cookie. Many websites will allow European visitors to browse some pages or sections of the website before “popping the question”. The idea in these cases is to enable the website visitor to see the value of the web content or services before asking for tracking permission. For example, you might want to pop the question after a European visitor has viewed a certain number of pages, spent a given amount of time on the site, or visited specific webpages.

    Are there exceptions to this requirement?

    The EU directive provides an exemption for cookies that are dropped to track shopping cart contents. Furthermore, in Germany, transaction messages or messages that are needed to do previously specified business are exempt from these opt-in requirements. It is likely that other EU countries will adopt similar exemptions for existing business relationships.

    What about my personal blog or our employees' personal blogs and web pages?

    The EU focus is currently on business compliance. It will be interesting to see how Europe approaches tracking and consent for personal web properties.

    How is this going to affect users who visit websites?

    If you are in the US it probably will not affect you at most websites you visit. Europeans, on the other hand, will likely be asked for their permission often. Europeans will be better able to factor privacy protection into their business and purchase decisions.

    Is this likely to change in other places too? Will the US change its laws?

    US privacy regulations are almost certainly going to change over the next year. The FTC and the Commerce Dept have both launched major privacy initiatives. Some national US legislators have also proposed federal privacy laws. While the final version of US privacy rules is nowhere near finished, it is very likely that US privacy is changing.


    What are others saying about this?


    Different organizations are saying different things. For example, Yahoo is saying they are compliant already:

    http://online.wsj.com/news/articles/SB10001424052748703512404576208700813815570?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052748703512404576208700813815570.html
    http://www.pcworld.com/businesscenter/article/222640/yahoos_offers_cookie_optout_button_ahead_of_new_eu_law.html

    What are the laws in the US? Are they different?

    The US does not currently have Federal baseline privacy laws. Many online tracking methods are not yet regulated in the US. This is changing, however, with major initiatives from the FTC, Commerce Dept, and legislators.

    How does this affect Google and Facebook?

    The EU has made statements indicating that Google and Facebook will be affected by this. Indeed, it sometimes seems that Google is every EU country's favorite example company to drag into court on privacy matters. Industry blog GigaOm summarized some EU statements about “one senior European Union official making a broadside attack aimed at services such as Google and Facebook” here - http://gigaom.com/2011/03/17/u-s-web-firms-told-to-stick-to-eu-privacy-laws/

    Does this affect only my website? Do my landing pages, social media profiles, or blogs matter too?

    The EU regulations speak to any tracking by cookies, independent of the nature of the web property doing the tracking. (Although any cookies dropped to track shopping basket contents are exempt, and in Germany, businesses interacting with existing customers are also exempt.)

    Will this mean I get less targeted advertising?

    Europeans that decline to opt-in will likely see less targeted advertising.

    Does this mean that marketing automation or companies like Doubleclick, Omniture, and Quantcast will go out of business?

    The EU privacy regulations create more need for marketing automation and web analytics companies. As businesses need to implement more sophisticated privacy protocols and compete on trust, they will turn to their marketing automation solutions to make it happen.

    Will web analytics work in the EU anymore?

    Of course. Businesses will need web analytics for the EU subscribers that choose to opt in. They will also need web analytics on subscribers they do not cookie, for things like testing different action flows to obtain consent. Web analytics solutions are good at analyzing both known subscribers and unknown visitors.

    Can I get in trouble if my marketing automation, web analytics, or other software does not comply and I am still using it?

    It is unlikely that EU courts will excuse lack of technical capabilities. Good marketing automation solutions will make this easy for customers to implement in the ways they want.
    Can I not allow my website visitors to see my content unless they accept cookies?

    Sure. Businesses can decide what content to show or services to offer based on whether a subscriber has opted in for tracking. Indeed, smart businesses will intelligently use content and services to entice subscribers to opt in.