Chris Babel

The new EU privacy directive (a.k.a. the “Cookie Directive”) has more than a few executives concerned over how to comply and protect their brand in Europe. While there has been a lot of industry debate over compliance technologies and mechanisms – as well as the requirements of the Directive itself, brands would be unwise to conclude that because there is ambiguity and uncertainty a “wait and see” approach is best. That time has come and passed. Enough member states have enacted the Directive and indicated they will begin enforcement in 2012 that companies must act now.

TRUSTe believes that an optimal compliance strategy is one that takes into consideration the differences that exist across cultures and is sufficiently flexible to address these differences.  TRUSTe has successfully deployed opt-out solutions across the US and Europe.  At the request of certain clients, we are also developing an opt-in solution which meets the needs of all constituents – consumers, regulators, and businesses. Our decade of international regulatory experience has taught us that a one-size-fits-all approach to privacy is problematic. Europe, with its fragmented politics and diverse approaches to data protection, is a perfect example to apply this lesson.

As of January 2012, eight of the twenty-seven EU member countries have implemented national legislation enacting an EU privacy directive requiring opt-in choice for online behavioral advertising. While opt-out based approaches currently exist in some member countries, a European privacy management strategy would be remiss to not also retain a working opt-in solution.  Companies must prepare for a scenario where regulators take a hard-line, opt-in-only enforcement approach in one or more of the twenty-seven EU member countries.

While there is ambiguity over enforcement plans for the directive, there is no ambiguity over its requirements. The directive clearly prohibits placing tracking files on consumer devices without the consumer’s informed consent (with certain exceptions). In a December 2011 opinion, the Article 29 Working Party, who advises the European Commission, confirmed that the current American opt-out approach overseen by the DAA does not satisfy the directive requirements – since tracking file placement and data collection activity occur regardless of consumer opt-outs. The Working Party members consist of representatives from the data protection authorities of each EU member country and it is these authorities that will ultimately enforce the directive.

While the directive enforcement plans of each EU member country remain ambiguous and largely undefined, it is highly unlikely that all member countries will adopt a uniform enforcement interpretation. Browser-based Do Not Track implementations may become acceptable compliance tools, dependent on the outcome of the standards work of the World Wide Web Consortium (W3C). TRUSTe recommends that companies immediately undertake an audit of all tracking technologies on their properties and implement robust opt-out solutions across Europe. Companies should also be prepared to pursue workable opt-in solutions to enable a comprehensive and flexible compliance strategy that will protect their brand from unacceptable levels of risk in Europe.