It’s not quite Y2K but online publishers are awaiting May 26, the day U.K. regulators begin monitoring for compliance with the European Union’s privacy directive in the U.K. The directive has and will continue to play out in a variety of ways depending on how individual countries interpret it and set it into law. But the way in which site owners – from content publishers to e-commerce sites to brand websites – respond will be observed by privacy wonks, legal counsels, site operators, industry groups, and tech firms stepping in to help publishers comply.
At this stage, some large companies are implementing compliance systems now. Others are sitting back, waiting to see how others respond to a complex web of country-specific regulations.
“If you’re a large company with, say, 1,000 websites, you’ve got a lot of work to do here,” said Kevin Trilli, VP, product at TRUSTe. The company developed products to help clients navigate current and potential rules, and implement systems allowing site visitors to have the required amount of control over the information sites can collect.
“We are at the final test stages and due to go live with our new privacy initiatives across all IDG U.K. sites imminently,” Dawn Briddon, CMO for tech publisher IDG UK told ClickZ. The publisher is using TRUSTe’s products for privacy directive compliance.
“Companies have to understand if you don’t have your act pulled together [in the next few days] it’s not like your computers are going to explode,” said Scott Meyer, CEO of Evidon, a big player in the growing online privacy compliance industry, who said his firm has clients in the U.K. that will launch stringent privacy systems as of next week.
IDG Dives in Head First
Though some companies are holding off, Briddon said IDG will offer privacy notice and controls to all users, not just those in the U.K. “Compliance is now a legal, enforceable requirement,” wrote Briddon in an email interview. “Whether website publishers agree with this or not, we are all now required to do this, and even though the [U.K.’s Information Commissioner’s Office] have made it clear that they will not be actively enforcing it unless complaints are received (it will be interesting to see if this will still be the case in a few months), there are possible penalties that can’t be ignored.” The ICO is the agency responsible for enforcing privacy legislation in the U.K.
Like others, IDG will highlight links to disclosure with the Ad Choices icon, developed for targeted ads here in the U.S. “We felt that this was the most recognizable symbol that consumers associate with cookie disclosure,” noted Briddon.
“We also believe it is important our clients are confident that when they book adverts on our sites that they are appearing in an online environment that takes user privacy seriously. As a website publisher, we feel it is our responsibility to provide this and compliance with this directive is just part of this policy,” added Briddon.
Evidon is another U.S. company doing additional business in the U.K. and Europe as a result of the E.U. privacy directive. CEO Scott Meyer spends almost half his time in Europe these days, working with regulators and helping clients deal with the directive. The company manages the ad industry’s privacy protection and control program for behavioral advertising here in the U.S., but Meyer said the E.U. privacy directive has created the need for far more complicated and pervasive compliance systems for companies. It’s not just about notifying users in web ads about which companies are tracking them for ad targeting and helping them opt-out from tracking; it’s about notifying consumers of the types of information collected when they visit their sites, and helping them control collection.
“The scope of this law is much broader than online behavioral advertising,” said Meyer, noting that the firm developed its compliance products in conjunction with E.U. regulators. “It’s a big market…so much bigger than the US [online behavioral advertising] market,” he said.
Evidon and TRUSTe both offer systems that audit publishers’ sites to determine which tracking cookies are on their sites. Even if publishers don’t go the next step to implement additional privacy controls, they need to be prepared to share a list of tracking cookies on their sites with regulators if asked.
The Tangled Web of E.U. Privacy Rules
Companies – think large CPG firms with hundreds of product and brand sites – need to conduct such audits to locate stray code from old site pages, or surface tags that may have been dropped by ad networks unbeknownst to the publisher. The next step for site owners is determining which approach or approaches to take to satisfy laws in the U.K. and in other European countries where compliance will be required in the future.
It’s no simple task. For one thing there are varied interpretations of the E.U. privacy directive, which relies on individual countries to devise their own national laws based on the directive. Some countries require users to provide implied consent – or consent that is presumed unless users opt-out from data collection. Others require express consent – meaning users must specifically allow data collection.
“We do have customers that will be running with an explicit consent model” as of next week, said Evidon’s Meyer.
Still others – including the U.K. take more of a blended approach, requiring implied and contextual consent, which takes into consideration the context, or type of tracking taking place.
Countries including France, Germany, and Spain – though they have yet to set deadlines for compliance – call for site publishers to obtain prior consent from users; in other words users will need to give permission for companies to drop cookies on their machines, a scary concept for advertisers and publishers reliant on cookies to enable things like ad frequency capping or site customization.
If that isn’t enough confusion, there remain questions as to whether publishers need to provide notice and consent for site measurement and analytics tracking.
Product suites from companies like Evidon and TRUSTe have been built to give clients options for how to deal with the wide array of privacy directive interpretations across Europe. Both firms are partnering with tag management systems to make it easier for site owners to implement additional privacy controls.
“What we can do as a service provider is provide technology solutions… as a company they have to decide how to interpret this spaghetti of laws,” said TRUSTe’s Trilli. In the coming weeks, he said, stakeholders will watch closely whether site owners comply, prepare to comply, or simply sit back. “All of this will be scrutinized,” he said.
Using LinkedIn for personal and professional branding is easy, so why do so many brands and individuals get it so wrong?
Over the past few weeks we’ve largely used #ClickZChat as a chance to delve into the pros and cons of content and ... read more