The EU’s ePrivacy Directive: What You Need to Do Between Now and May 25th

Vincent Flood 20 March, 2012 

Nick Stringer

All digital advertisers and publishers buying or selling in the EU will have to comply with the EU’s ePrivacy Directive by 25th May, 2012. The directive focuses particularly strongly on the use of cookies, which are widely used to serve ads online on both the buy and the sell side. VAN interviewed Nick Stringer, the IAB’s Director of Regulatory Affairs, to find out what video advertisers and publishers (and the rest) need to do to prepare for the May deadline.

Who will the ePrivacy Directive affect? 

The revised EU ePrivacy Directive (now enshrined in UK law as the amended Privacy and Electronic Communications Regulations 2011) replaces the ‘notice and opt out’ requirements for cookie and other technologies for “the storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user” with a requirement to obtain informed consent. The new law affects every organisation – large or small – operating in a digital environment. There’s a narrow exemption for those uses deemed ‘strictly necessary’ to the service that an internet user explicitly requests (eg shopping baskets).

If an advertiser or publisher is based outside of Europe, will the new rules affect them in any way? 

Potentially yes. The law specifically relates to the device of the user but it may also depend on how each country has transposed the Directive (ie via what legal instrument) into its national law.

What would a video publisher need to do in order to comply with the UK law? 

There are five simple and practical steps a publisher should take to work towards compliance with the new law.

1.     Know what’s going on! Conduct an audit of the use of cookies and other technologies that you’re working with or that are being dropped on your site.

2.     Be clear and transparent. Revisit your privacy information to make sure you are clear on the technologies being used. Take a layered approach and make the top level information easy for the user to understand, and provide more detailed information for those that want it.

3.     Deliver prominence. Place your privacy information ‘above the fold’ or label it in a different font or colour. Web publishers can use the advertising icon on their pages as well.

4.     Context is king! Find ways to achieve informed consent in a contextual way. One suggested way is by using a discreet and one-time banner overlay with links to greater user control.

5.     Join the EU advertising self-regulatory programme. Make sure you or your ‘data partners’ are involved in this initiative. For further information (and to see the 100+ businesses that are already signed up) see:

What has the IAB been working on with the government and the ICO? 

In partnership with other advertising and media groups, the IAB has been working on a pan-European self-regulatory programme for customised advertising based upon previous web browsing activity. This pre-dates the new law and requires the use of a small icon in display ads and on websites which, when clicked, will provide internet users with greater transparency and control over this type of advertising, including a pan-EU opt out page at The initiative is backed by the UK Government and is at the heart of its package of measures (see below) to comply with the new law. We remain engaged with the European Commission in the development and rollout of the initiative.

What would a video advertiser need to do in order to comply with the UK law? 

The most important thing a video advertiser can do is ensure that its data partners (or its agency / agency’s partners) are involved in the icon programme. The advertiser will have to meet the obligations on its own site(s) as well.

Is there any particular reason the ICO hasn’t been more specific in terms of their requirements? 

The law is ambiguous and could, if interpreted strictly, be very restrictive on digital advertising (as well as many other internet business models). However, the UK Government has chosen a pragmatic path recognising that, whilst the new law may be well-intentioned, it is challenging to make work in practice. It has set out its view in an open letter at: . The ICO has chosen not to be overly prescriptive but has issued guidance which the above five steps are based upon.

What will the consequences be for non-compliance with the UK law? 

This remains to be seen. The law is in effect now but the UK is taking a phased approach to implementation. The UK Government and ICO recognise that changes will not happen overnight, particularly as the law reaches deep into the ‘long tail’ of the internet. However, the ICO does have the power to fine up to £0.5m in the event of the most serious of breaches. We can expect the ICO to take a less relaxed approach from the middle of 2012.

Is there any chance the user will be able to offer consent via their browser settings? 

Yes, but it will be in combination with other measures. Browsers probably do not offer an approach that ‘fits the bill’ just yet though many internet users do manage their privacy settings this way already. However, web browsers do present the most logical and straightforward means of users obtaining control of their web-browsing experience though this may not be the case in a mobile environment.

Are there any other privacy issues looming on the horizon?

Yes. The European Commission recently announced new data protection proposals to update existing law. In the past this was all about protecting the personal details I share with, for example, an electricity provider to hold an account. However, the proposed reform extends what is meant by ‘personal data’ to cover the likes of cookies / IP addresses even when they don’t/can’t be linked directly to an individual. You can see the IAB’s initial views of the proposals at:

