So where is the big, bad, ePrivacy Directive that we’ve heard so much about? Looming around the corner, a governmental specter, ready to chill the online industry by adding friction to the user experience and slowing the pace of data collection. In Germany, we’ve hardly heard a peep. No new law has been passed to incorporate the Directive, and regulators have been low-key in their messaging about enforcement. But around the rest of Europe, the signs are more ominous, and the effects will be felt in Germany sooner than you think.
In November 2009, the European Union adopted an amendment to the original ePrivacy Directive that included a requirement for consent to non-essential tracking online. They gave member states until May of 2011 to pass their own version of the amended Directive into law. As of February 2012, ten countries have passed the law, including the UK, France, Ireland, Sweden and Finland. Similar legislation is currently in the process of being adopted across multiple other countries, most notably the Netherlands and, wait for it … Germany.
Legal State of Affairs
The UK was the first significant online market to pass the Directive, and the ICO has since been the most active with specific guidance about how and when they will enforce, including a ‘Half Term Report on Cookie Compliance,’ combined with updated guidance on the changes companies should consider to come into compliance. When the law was passed in May of 2011, the ICO gave industry a 12-month enforcement extension, but that extension expires on May 26th, 2012, and their enforcement powers include fining authority of up to £500,000. The ICO’s path will be watched closely across the EU and has the potential to set precedent.
In the Netherlands, a bill has already been approved in the Lower House that would not only pass the Directive into law, but would add an explicit consent requirement that goes further than the Directive requires. If the Upper House approves the bill in March, the strictest version of the Directive yet would come into immediate effect without an enforcement extension. Such a development would also embolden regulators elsewhere in Europe that have considered the viability of an explicit consent standard.
Back home in Germany, the Minister of the Interior has argued that existing telemedia law already requires consent for tracking activity, and that a new law to reflect the Directive is not necessary. But that view no longer appears to reflect political consensus. A draft bill is circulating that closely resembles the Dutch law, also requiring explicit consent. If this passes, the current state of data collection in Germany, whereby a company can collect data as long as the consumer has a means to discover information about the practice, would be flipped by legal mandate. Companies would be responsible for demonstrating that tracked consumers were actually aware of the practice and used informed judgment to provide their consent.
Practical Implications in Germany
While the state of German law is in flux, the fact that other significant markets are moving at a faster pace has important implications for commercial operators in Germany. In the US, thanks to a largely successful self-regulatory program, companies are currently deploying billions of icons on ads and on websites through companies like Evidon (my company) that link to detailed information on the precise 3rd parties collecting their data. Global companies like Google, Microsoft, and Yahoo! have decided to take the icon program into Europe, and these icons are likely to become commonplace as a consequence in Germany.
Global and Pan-European brands are right now working overtime to plan their compliance strategies in advance of UK enforcement in May. Many are folding in requirements that they anticipate in the Dutch law. As a practical matter, these companies see the writing on the wall across Europe, and have no intention of introducing consent one country at a time. Just as with icons, new consent methods for routine tracking activities will shortly begin appearing on site and in ads in the German market, operated, or otherwise mandated, by companies with some of the largest budgets in Germany.
These market-based developments, which have no dependency on the timing of German law, mean that compliance with the Directive, using tools that right now seem radical, is going to be a commercial reality in very short order. Once this happens, the expectations of both consumers and regulators in Germany will be forever changed. Smart companies will research their compliance options now, so that when clients ask for support, they are ready, and so that when legal requirements come, they already have solutions lined up that are consistent with their brands and impact their commercial metrics as lightly as possible.
The Directive is coming and, unfortunately, you can’t fight it. The best approach is to be prepared.