Dear Adobe Customer,

With the deadline for implementation of the ePrivacy Directive into national law by each European Union member state approaching, some of you are asking what the Directive means for you and what Adobe has been doing from a policy perspective in preparation for the Directive being accepted into law.

This communication summarizes information Adobe has gathered on the revised EU ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector) and what Adobe has been doing to prepare both ourselves and our customers for this Directive.

If you have specific questions on this topic, please contact your Account Manager.

What is the ePrivacy Directive?

In 2002, the European Union enacted the ePrivacy Directive.  Among other things, this legislation required the 27 EU member states to put in place a “notice” and “opt-out” regime for storing or accessing any information on a user’s computer.  Under that Directive, users must be provided with “clear and comprehensive information” about, in particular, why cookies are used on the relevant website (the “notice” element).  In addition, users must be offered the right to refuse the cookies (the “opt-out” element), although there is no direction as to how the opt-out should be provided.

On December 25, 2009  an amended Directive came into force and brought with it a vast array of changes primarily aimed at telecoms and Internet service providers.  It must be implemented into the national law of each member state by May 25, 2011.  It is this amended Directive that is the subject of the current headlines.

One section of the amended ePrivacy Directive - Article 5(3), also known as the “Cookie Amendment” - will require consent to store or access information on a user’s device.  However, narrow exceptions apply for information used solely for electronic transmission (such as an Internet Protocol, or IP, address) or for a service expressly requested by the user.

What is a Directive?

Directives are EU-wide laws proposed by the European Commission and generally enacted jointly by the European Council and the Parliament.  Directives only have binding legal effect when transposed into national law by the member states of the EU.  Transposition is mandatory, although member states often miss the stated deadlines.  Once transposed, the language is open to interpretation by the enforcement authorities of each member state (i.e. the data protection authorities (DPAs)).

What is the exact language of the Directive?

The language of the amended ePrivacy Directive - which may or may not be transposed verbatim in the laws of the member countries - is as follows:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.  This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. (emphasis added)

Recital 66 to the amended Directive expressly states that

“where it is technically possible and effective… the users consent to processing may be expressed by using the appropriate settings of a browser or other application”

Most member states are still in the infancy stage of drafting implementation legislation of the Directive.  It has been a controversial Directive shrouded in much debate.

What information is covered by the Directive?

Any information that is read from or written to a user’s device from across the Internet or a network is covered by the Directive.  This is a very broad definition.  Practically speaking, the concern the European legislators were focused on when drafting the Directive was the use of cookies to track users without their knowledge.  It is likely (but not guaranteed) that most of the enforcement actions will be around the use of cookies (or local storage) for tracking users across sites for the purpose of serving behaviorally targeted ads.  Many member countries have indicated that they will be not actively looking to enforce the legislation right away, but will focus on evident breaches and follow complaints that are brought to their attention by consumer associations and disgruntled users.

What does consent mean?

The concept of consent under the terms of the amended Directive is one of the most heavily debated portions of this Directive.  If the new Article 5(3) is viewed by certain member states in isolation (that is ignoring Recital 66), they might implement the consent requirement as requiring explicit consent.  However, this interpretation is only one potential outcome from the change to the ePrivacy Directive.  It is equally likely that Recital 66 will prevail.  If member states view (as we believe they should) the amending Directive as a whole, their national law should make clear that Web browser privacy settings are a valid means for users to provide their consent.  As most settings allow cookies to be set by default, the new prior consent regime could look very similar indeed to the existing notice and opt-out regime.

As stated above, no member country has released language yet.

Who will have to comply with the Directive?

Generally speaking, European companies or other companies with a presence in Europe that target European users will have to comply.  Companies based outside of Europe who may have no physical presence in Europe but who target users in Europe will also likely need to comply.  However, jurisdictional issues associated with European laws are complex and in a flux.  Customers should seek counsel to determine if your business will need to comply with the Directive.

What has Adobe been doing from a policy perspective to deal with the Directive?

Adobe’s Public Policy team began monitoring and actively lobbying around the amendments to the ePrivacy Directive in 2007.  We, along with many other companies in the industry, have spoken to numerous representatives at the European institutions and in the member countries to explain the implications of the Directive for our customers and to raise our concerns (e.g. an increased number of dialog boxes that will likely be ignored, less free content available on the Web, websites requiring users to log in to gain consent).  We have also been stressing the importance of including the language in the Recital as part of the law in the member countries.

What else is Adobe doing to prepare for the Directive?

Adobe is actively looking at ways to implement our Omniture services without the requirement of storing information on a consumer’s device.  We are also investigating various options for providing notice to consumers.  As we get closer to resolution of our solutions we will reach out to our customers with more information.

What is Adobe doing to address other privacy concerns in Europe?

European privacy law differs by member state and the ePrivacy Directive will not be implemented or inforced in a vacuum without consideration of other privacy laws.  For example, there is some concern in some states that IP addresses are considered personal data. To address this concern, Adobe’s Omniture products obfuscate IP addresses by default before storing them to address this concern.  We actively monitor other European laws that may affect our products and evaluate whether there are changes we can or  need make to our products to comply with these laws.

What are publishers doing in response to the Directive?

Not many companies have explicitly stated their plans. However, from our conversations with various companies, it appears that the following are responses to the Directive that publishers are currently considering pending implementation:

• Using a dialog box to get consent before storing or accessing information
• Obtaining consent for all storage and access to a user’s device the first time a user accesses the site or the service (but any changes not identified when consent was initially obtained would require additional consent)
• Forcing users to log in to the site or service and get consent on log-in
• Offering premium content to those users who grant consent and minimal content to those that do not
• Reviewing their practices and evaluating the types of cookies they are using
• Considering limiting the use of cookies to only those that are strictly necessary

For now, it appears that many companies are in a holding pattern, waiting to see how the Directive will be adopted and enforced by the member states. The diverse nature of the potential responses that we’re seeing in the market now reflects the uncertainty over how the Directive will be implemented and enforced in member states.

What is Adobe’s advice to its customers in Europe?

There are several things our European analytics customers can do to prepare for this Directive:

• First, each customer should seek advice from their own counsel. Every business is different and has a different risk tolerance.
• Make sure your privacy policy is up to date. Your policy should accurately describe how you use your customers’ data as well as the data practices on your site, including your use of analytics software and your advertising practices.
• Make sure your privacy policy includes a link to the page to opt-out of the analytics services offered by Adobe. Ideally, the link to the opt-out page should also be included somewhere more obvious on your website in addition to in your privacy policy.
• The more notice you give to your users about your practices on your site the better.
• Carefully review your use of cookies to make sure that use is in line with your privacy policy.
• Consider using cookies only when strictly necessary to operate the service the user is requesting.
• Closely monitor the development of the implementations of the ePrivacy Directive. As mentioned above, none of the member states have published their implementation as of the writing of this document.

We hope this information answers some of your questions. Again, if you have specific questions on this topic, please contact your Account Manager.

MeMe Jacobs Rasmussen
Chief Privacy Officer
Adobe Systems Incorporated