This month (July 2015), the IAB Europe published new Guidance titled "5 Practical Steps to help companies comply with the E-Privacy Directive". These 5 sensible steps in the document are aimed at brand advertisers, publishers and advertising businesses. The EU's cookie compliance rules were remodelled as far back as 2009 when a broader set of telecommunications rules updated the e-Privacy Directive. There's been no change since, so this Guidance has not been prompted by any regulatory change or significant shift in the compliance landscape. It does, however, serve as a useful practical reminder to anyone considering or revisiting their compliance strategy.
The context and Article 5.3
The advice in the Guidance centres around that now familiar extract from the e-Privacy Directive, Article 5.3. This of course requires you to obtain prior informed consent for storage of, or access to, information stored on a user's terminal equipment.
The Guidance rightly acknowledges that there are differences in both the national implementations of this rule as well as the related regulatory guidance Member State to Member State. Therein lies the rub, as many are seeking a "one-size-fits-all" approach for Europe. Often criticised, the law requires you to get consent, but doesn't actually say how. These 5 steps from the IAB delve into the "how" and may assist you.
The 5 recommended steps in the Guidance
At a high-level the Guidance makes the following practical observations:
- Monitor and assess your digital property – know your properties, their technology, and what data they collect. Regularly audit these to understand the data collected and how it is used. Be particularly cautious when using partners who are collecting data on your properties.
- Be clear and transparent in how you present information to consumers – use plain and easy-to-understand language and don't mislead. Consider a layered approach and, where appropriate, use helpful websites (e.g. aboutcookies.org or www.youronlinechoices.eu) to convey messages about how and why your property deploys its technologies (and for what purposes).
- Make things prominent – ensuring your privacy property is available and distinguishable. There are some short tips around ways you could go about this.
- Context is king! – the Guidance suggests you consider ways to achieve consent in a contextual way. Rightly this step suggests "that the key point is that you must gain consent by giving the user specific information about what they are agreeing to and providing them with a way to indicate their acceptance." Fieldfisher reminds you that there are a number of mechanisms (express and implied) by which you may achieve this and the Guidance suggests a few of the available approaches in this step.
- Consider joining the EU industry programme to provide greater contextual transparency and control to consumers over customised digital advertising – "why not?" we say, as this is another tactic for staying in touch and demonstrating commitments. This step highlights the benefits of edaa.eu to behavioural advertisers and the "icon" initiative and transparency mechanisms available via www.youronlinechoices.eu.
The so what?
The e-Privacy Directive and the EU cookie compliance issues associated with it have been alive and well for years now. We've frequently updated readers on the enforcement issues, sweep days and other stories where cookie compliance comes to the fore. It's not entirely clear what prompted this "best practice" advice and steps from the IAB, but the short document is practical and insightful, whether you're new to cookie compliance or revisiting your compliance approach.
As other members of the team have recently blogged, the CNIL recently issued a press release stating that, following its online cookies audits conducted last October (see our previous blog article), it has sent out a formal letter of enforcement ("lettre de mise en demeure") to approximately 20 companies requesting them to comply with the cookie rules in France. Cookie compliance needs are not going away nor are they particularly difficult for most online properties. What's more, when looking at your peers, there's no doubt that a level of compliance and transparency is fairly prevalent across EU and EU facing websites today.
So how should you deal with cookies? Well, the steps in this Guidance give you a great practical head start. Cookie compliance and the approach to compliance has been market-led since the outset. When asked what "good" looks like, even among the regulators the thinking went that the online industry was better placed to innovate creative and unobtrusive ways to get consent than lawyers, regulators and legislative draftsmen. That's where bodies like the IAB Europe have played a central role and, by aligning your own practices with the pack, you are rarely in a bad place in the world of cookie compliance.
Mark Webber, Partner - Digital Regulation and Technology (Silicon Valley)