May 25th is a big day for online media. It’s the day that some predict will be “the Rapture” for all the 3rd party data companies in the EU. The doomsayers believe that on the 25th, the first laws will be passed which will require all 3rd party cookies to be opt-in. Well, I hate to disappoint them, but that’s not what’s about to happen. And like most things involving public policy, it’s a lot more complicated.
Much of the press coverage and many of the opinion pieces have made what’s happening in the EU murkier and more confusing than it already is. In oversimplified terms, the EU process works like this: once the EU Parliament passes a directive, each member country must pass laws which address the Directive’s requirements within a certain time. The May 25th deadline corresponds to the 2009 update to the ePrivacy Directive. For those playing at home, I’ve included a helpful timeline that outlines the important policy and legislative developments.
So, what is about to happen? A couple of months ago the IAPP brought ~2500 privacy experts and regulators from the EU and the US together for a global privacy summit. Listening to both EU and US privacy regulators, it is clear that the EU wants to be the leader in online privacy and is aggressively pushing the May 25th deadline. However, it is also clear that there is no consensus as to what the best policy is – so much so that the EU privacy directors are encouraging countries to “cut-and-paste” the Directive’s update into their own laws. For 3rd party cookies, this means directly using the Recital 66 language, which, as you can see below, is pretty general and non-explicit.
A couple of countries are going to pass laws that go further, but early indications are that they will go forward cautiously. The UK recently passed its law, but as this government “advice” piece demonstrates, it doesn’t look like they are too sure of what exactly should happen.
The next question is, after cut-and-paste, what actual regulations are going to be passed? The main focus is on how to unambiguously obtain user consent for 3rd party data collection. The European Data Protection Supervisor Peter Hustinx remarked that the default ‘opt-in’ of web browsers is not a good indicator of consent and consequently not within the Article 66 guidelines. He and others also mentioned that having users opt in to every 3rd party service is just not practical. Consequently, there is a lot of focus on other solutions – several EU personnel mentioned that ‘privacy set-up wizards’ for web browsers would be a very interesting option.
While this might seem a bit haphazard, the good news is that the EU regulators are really trying to understand the issues and find a solution that works for consumers and service providers. There is a universal feeling that the Internet is by and large a good thing for consumers as it is. It does need to mature and provide better privacy protections, but no one wants to break the current system. For the US, the EU developments provide our policy makers a chance to see how certain policies play out in the “real world” as we consider our own options.
The EU Cookie Timeline
For the cookie debate, there are 5 main developments at the EU level that are relevant:
1996 – To help member countries form actual laws around the Data Protection Directive, the Article 29 Working Party is formed. Composed of privacy experts from each member country, it more or less acts as a legal and policy consultant.
2002 – ePrivacy Directive (officially Directive 2002/58) is an update to the DPD which addresses electronic privacy issues, including specific language on Internet technologies such as cookies. Section 5(3) outlines the need for individual notice and choice in data collection.
2009 – The ePrivacy Directive is updated with more granular requirements. The significant part is Recital 66, which specifically mentions 3rd party data collection and the need for individual consent (the actual language is below). The deadline of May 25, 2011 for each country to have laws which address the issues included in the Directive is set.
2010 – The Article 29 Working Party offers its infamous ‘opt-in’ opinion when interpreting Article 66. Section 4.1.2 is the sticky part, where they express the opinion that current ‘opt-out’ mechanisms are not sufficient for collecting individual users’ consent.
Great resource for more EU privacy information: http://ec.europa.eu/justice/policies/privacy/index_en.htm
This is the actual language of Recital 66:
(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.