European Union ePrivacy Directive – Latest Update

Thursday, 1 September 2011 @ 10:00, by Meme Rasmussen

Dear Adobe Customer,

With the deadline for implementation of the ePrivacy Directive into national law by each European Union member state having passed, some of you are still trying to understand what the Directive means for you and what Adobe has been doing from a policy perspective with the Directive being accepted into law.

This communication summarizes information Adobe has gathered on the revised EU ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector) and what Adobe has been doing to prepare both ourselves and our customers for this Directive.

In addition, we look at how the various countries have been transposing the Directive to date.

If you have specific questions on this topic, please contact your Account Manager.

What is the ePrivacy Directive?

In 2002, the European Union enacted the ePrivacy Directive.  Among other things, this legislation required the 30 EEA member states to put in place a “notice” and “opt-out” regime for storing or accessing any information on a user’s “terminal equipment” such as a computer or smart phone.  Under the Directive, users must be provided with “clear and comprehensive information” about, in particular, why cookies are used on the relevant website (the “notice” element).  In addition, users must be offered the right to refuse the cookies (the “opt-out” element), although there was no direction as to how the opt-out should be provided.

On December 25, 2009, amendments to the ePrivacy Directive came into force and brought with them a vast array of changes.  The amendments were to be transposed into the national law of each EU Member State by May 25, 2011, although many EU Member States have yet to enact their transpositions of the ePrivacy Directive.  It is this amended Directive that is the subject of the current headlines.

One section of the amended ePrivacy Directive - Article 5(3), also known as the “Cookie Amendment” - requires consent to store or access information on a user’s device.  However, narrow exceptions apply for information used solely for electronic transmission (such as an Internet Protocol, or IP, address) or as strictly necessary for a service expressly requested by the user.

What is a Directive?

Directives are EU-wide laws (often followed by the other four countries, Switzerland, Norway, Liechtenstein, and Iceland, that together with the EU form the European Economic Area (EEA)) proposed by the European Commission and generally enacted jointly by the European Council and the Parliament.  Directives only have binding legal effect when transposed into national law by the EU Member States.  Transposition is mandatory, although Member States often miss the deadlines.  Once transposed, the language is interpreted and enforced by the enforcement authorities of each Member State (i.e. the data protection authorities (DPAs)).

What is the exact language of the ePrivacy Directive?

The language of the amended ePrivacy Directive - which may or may not be transposed verbatim in the laws of the member countries - is as follows (emphasis added):

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.  This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

Recital 66 to the amended Directive expressly states that

“where it is technically possible and effective… the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application”

What information is covered by the Directive?

Any information that is read from or written to a user’s device from across the Internet or a network is covered by the Directive.  This is a very broad definition.  Practically speaking, the concern the European legislators were focused on when drafting the Directive was the use of cookies to track users without their knowledge.  It is likely (but not guaranteed) that most of the enforcement actions will be around the use of cookies (or local storage) for tracking users across sites for the purpose of creating user profiles to serve behaviorally targeted ads.  Many Member States, such as the UK, have indicated that they will not be actively looking to enforce the legislation right away, but will focus on evident breaches and follow complaints that are brought to their attention by consumer associations and disgruntled users.

What does consent mean?

The concept of consent under the terms of the amended Directive is one of the most heavily debated portions of this Directive.  If some Member States interpret the new Article 5(3) in isolation (that is, ignoring Recital 66), they might implement the consent requirement as requiring explicit consent by the user.  However, this interpretation is only one potential outcome from the change to the ePrivacy Directive.  It is also possible that Recital 66 will prevail, provided that regulators become satisfied with browser options in the near future.  The UK, for example, is actively working with browser manufacturers to that end.

Who will have to comply with the Directive?

Generally speaking, European website operators or other companies with a website domain registered in the EU that target European users will have to comply.  Website operators based outside of the EU who may have no physical presence in a Member State but who target users in EU Member States will also likely need to comply.  However, jurisdictional issues associated with European laws are complex and in flux.  We encourage our EU customers to discuss the effect of the Directive and ensuing Member State legislation with their data privacy and legal advisors to determine if and how their business will need to comply with the Directive.

How are the various countries transposing the Directive?

To date, we are aware of only a few countries that have officially enacted their transpositions.  Here is a brief summary of some of the transpositions:

Estonia

  • Express consent is not required for the use of cookies; opt-out is sufficient
  • Notice must be provided prior to cookies being set.  It is unclear how this requirement will be applied in practice.
  • Privacy policies should include details on how cookies are used, the purposes for which cookie information is used, how and to whom the data will be shared, and whether the information will be combined with log-in information

Finland

  • Consent is required prior to cookies being set, but consent can be expressed through browser settings
  • Privacy policies should include details on how cookies are used, the purposes for which cookie information is used, how and to whom the data will be shared, and whether the information will be combined with log-in information
  • Privacy policy should include information on how to manage cookies
  • Privacy policy should be prominently placed and be easily accessible and intelligible to users

Sweden

  • The Swedish transposition is a copy of the language of the Directive but does not include the language in Recital 66
  • The transposition does not provide any details on whether consent should be opt-in or opt-out, or on how often consent should be sought. However, supporting legislative materials do refer to the possibility to obtain consent via browser settings and suggest that opt-out via browser settings is sufficient

United Kingdom

What is happening in the countries that do not yet have an official transposition?

Most other countries have draft legislation in process.  We are monitoring the developments in these countries and are working with other trade organizations to lobby for transpositions that will not unduly hurt businesses. 

What has Adobe been doing from a policy perspective to deal with the Directive?

Adobe’s Public Policy team began monitoring and actively lobbying around the amendments to the ePrivacy Directive in 2007.  We, along with many other companies in the industry, have been speaking (and are continuing to speak) with numerous representatives at the European institutions and in the Member States to explain the implications of the Directive for our customers and to raise our concerns (e.g. an increased number of dialog boxes that will likely be ignored, less free content available on the Web, websites requiring users to log in to gain consent).  We have also been stressing the importance of including the language in the Recital as part of the law in the Member States.  In addition, we are working with industry associations across Europe to lobby for the inclusion of Recital 66 in any transposition of the Directive in the Member States.

What else is Adobe doing to prepare for the implementation of the Directive?

We are investigating various options to help our customers provide notice to their users about our products.

What is Adobe doing to address other privacy concerns in Europe?

European privacy law differs by Member State and the ePrivacy Directive will not be implemented or enforced in a vacuum without consideration of other privacy laws.  For example, there is concern in some Member States that IP addresses may constitute personal data because they may relate to identifiable individuals. To address this and related data protection concerns, Adobe’s web analytics solution (offered by Adobe’s Omniture Business Unit) obfuscates IP addresses by default before storage, and provides an opt-out mechanism for customers to offer their website visitors should such visitors elect not to be tracked.  [If this is news to you, please speak with your account representative for assistance on implementing it on your site.] We actively monitor other European laws that may affect our products and evaluate whether there are changes we can or need to make to our products to comply with these laws.

What are publishers doing in response to the Directive?

Not many companies have explicitly stated their plans. However, from our conversations with various companies, it appears that the following are among the responses to the Directive that publishers are currently considering pending implementation:

  • Using a dialog box to get consent before storing or accessing information
  • Obtaining consent for all storage and access to a user’s device the first time a user accesses the site or the service (but any changes not identified when consent was initially obtained would require additional consent)
  • Including notice in a prominent location on their home page regarding their use of cookies with a link to controls
  • Making references to browser settings more prominent
  • Forcing users to log in to the site or service and get consent on log-in
  • Offering premium content to those users who grant consent and minimal content to those that do not
  • Reviewing their practices and evaluating (and minimizing where possible) the types of cookies they are using

For now, it appears that many companies are in a holding pattern, waiting to see how the Directive will be adopted and enforced by the member states. The diverse nature of the potential responses that we’re seeing in the market now reflects the uncertainty over how the Directive will be implemented and enforced.  However, most companies we have spoken with are, at a minimum, analyzing the use of cookies on their sites.

What is Adobe’s advice to its customers in Europe?

There are several things our European web analytics customers can do to prepare for the ePrivacy Directive:

  • First, each customer should seek advice from their own counsel. Every business, and its associated website and data collection practices, is different; thus, every business is implicated by the Directive in a different way.
  • Make sure your privacy policy is up to date, conspicuous, and transparent. Your policy should accurately and simply describe how you use your customers’ data as well as the data practices on your website, including your use of web analytics software and your advertising practices.  Your policy should also include references to browser settings.
  • Make sure your privacy policy includes a link to the page or mechanism for opting-out of the web analytics services on your website.  Ideally, the link to the opt-out page or mechanism should also be included somewhere more obvious on your website in addition to in your privacy policy.
  • The more notice and control you give to your users about your practices on your website the better.
  • Carefully review your use of cookies (and the Site Tags/Beacons/JavaScript and other means of calling third party servers from your website, which result in the dropping of cookies on consumers’ computers) to make sure that your use is in line with your privacy policy.
  • Closely monitor the development of the implementations of the ePrivacy Directive. As mentioned above, only very few Member States have adopted implementation legislation as of the writing of this document.