Comment: New EU e-Privacy Legislation – Why You Should Act Now

The EU e-Privacy Directive will have far-reaching implications for any company that does business in the region
George Thompson, KPMG

Advertising models have changed dramatically in recent years, moving away from traditional methods such as direct mail toward highly targeted online approaches. This has led to an increase in tracking online consumer behavior to improve the effectiveness of advertising and marketing spend. In return, consumers should benefit from a more relevant online experience.

Tracking online shopping and browsing habits is big business. It also necessitates the collection of large amounts of personal data, which has led to increasing levels of scrutiny and now regulation. In May 2011, the UK implemented an EU Directive on the use of cookies to track consumers online.

It sounds dramatic, but the EU regards storing information in cookies without prior consent as a violation of human rights. The only exception is where what you are doing is “strictly necessary” for a service requested by the user. In all other cases consent is needed to collect, store and process this information, even when it is sent back to other servers – for example, in advertising tracking applications.

Digital inclusion is a priority for the UK government. National access to the internet is seen as vital to future economic success and competitiveness. As a result, people need to be adequately protected from any abuse of their data.

The e-Privacy Directive has considerable implications for any organization looking to use cookies online. As such, the Information Commissioner has given companies until May 2012 to comply with the regulations. Yet, there remains an air of mystery around what this really means for UK PLC.

The Information Commissioner is taking a “light touch” approach to enforcement. By no means does this give companies a license to rest on their laurels. On the contrary, they should use this time to identify and implement the organizational and technical changes needed to comply with the regulations. They need to be ready when the Information Commissioner comes knocking.

In order to achieve this, they must keep track of any announcements from the Information Commissioner's Office (ICO) such as the recent amalgamation of its guidance. They must also review their processes and prioritize any remedial actions. Following are some steps to consider.

Compiling an Inventory

Companies need to understand their risk exposure. This will determine the likely level of action required, and show the ICO that the company is taking the new law seriously. While this may sound like a weak argument for investment, the ICO is likely to investigate only cases of negligence or bad faith, and it might yet come under pressure from the EU to take a stricter line.

This can be done by compiling an inventory of all of the cookies across the company's websites. The cookies are then classified so that marketing and advertising cookies can be segregated from strictly necessary ones. This is also a good opportunity to retire any dormant websites and ensure that all others are adequately patched and maintained.

Identifying Consent

There are various mechanisms available for gaining permission to use cookies. However, they do not all comply with the new law.

Organizations need to identify the methods they use to gain and record consent for all cookies and determine where their practices fall short. This will enable them to build a remediation strategy based on different levels of priority.

Gaining Explicit Consent

Companies now need to build mechanisms that give users a choice about whether or not to allow cookies on their first and future visits to a website. This implies that it is not sufficient to rely on the small print in a website’s terms and conditions, read by only the most diligent users.

For many organizations, this is made more complex by the use of third-party web service providers. Organizations must take reasonable steps to ensure that the third parties comply with the e-Privacy Directive. They must also keep track of new browser features and developments in web server software.
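As an added example (not from the article or from KPMG), the inventory and consent steps above can be mechanised: the script parses captured Set-Cookie headers, sorts them into the strictly-necessary versus marketing buckets the article describes, flags third-party and persistent cookies, and refuses to store anything non-essential until a consent choice is recorded. The rule table, host names and sample headers are constructed assumptions.

```javascript
// Added example, not from the article: mechanise the inventory and consent steps.
// Cookie names, hosts and sample headers below are constructed.
// Classification rules are an assumption standing in for the review the article
// describes; unknown names fall through as "unclassified" so they get reviewed.
const RULES = [
  { pattern: /^(sessionid|csrftoken|basket)$/i, category: "strictly-necessary" },
  { pattern: /^(_ga|_gid|_fbp|ads_)/i, category: "marketing" },
];
// Parse one Set-Cookie header into name, value, Domain and Expires attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null, expires: null };
  for (const attr of attrs) {
    const [key, val] = attr.split("=");
    if (key.toLowerCase() === "domain") cookie.domain = val.replace(/^\./, "");
    if (key.toLowerCase() === "expires") cookie.expires = val;
  }
  return cookie;
}
// Domain match on label boundaries, so "evilshop.example" does not match "shop.example".
function isFirstParty(host, domain) {
  return domain === null || host === domain || host.endsWith("." + domain);
}
function classify(cookie, firstPartyHost) {
  const rule = RULES.find(r => r.pattern.test(cookie.name));
  return {
    name: cookie.name,
    category: rule ? rule.category : "unclassified",
    thirdParty: !isFirstParty(firstPartyHost, cookie.domain),
    persistent: cookie.expires !== null, // session cookies carry no Expires
  };
}
function buildInventory(headers, firstPartyHost) {
  return headers.map(h => classify(parseSetCookie(h), firstPartyHost));
}
// Consent gate: strictly necessary cookies need no consent; unclassified ones stay
// blocked until reviewed; everything else waits for a recorded choice.
function mayStore(entry, consent) {
  if (entry.category === "strictly-necessary") return true;
  if (entry.category === "unclassified") return false;
  return consent.marketing === true;
}
const SAMPLE_HEADERS = [ // constructed capture from a first-party page and a third-party ad tag
  "sessionid=abc123; Path=/; HttpOnly; Secure",
  "_ga=GA1.2.111; Domain=.shop.example; Expires=Fri, 31 Dec 2013 23:59:59 GMT",
  "ads_id=xyz; Domain=.tracker.example; Expires=Fri, 31 Dec 2013 23:59:59 GMT",
  "theme=dark; Path=/",
];
```

Running `buildInventory(SAMPLE_HEADERS, "www.shop.example")` yields one strictly-necessary session cookie, two persistent marketing cookies (one third-party) and one unclassified cookie that needs a human decision.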

Gaining Company-wide Support

Companies may have until May 2012 to comply, but this is a short timeframe to achieve everything that is required to get their houses in order. An effective way to accelerate this is by gaining company-wide support for e-privacy objectives. An IT-led approach is less likely to succeed than one that is also sponsored by the legal department and risk managers, for example.

This cross-departmental involvement may raise a few eyebrows from budget holders, but businesses have always been required to gain consent from consumers to use their information. It was only a matter of time before this was extended to the web.

Act Now

The implications of failing to comply could be severely disruptive, potentially damaging trust and reputation, not to mention causing financial loss. Conversely, a frontrunner is likely to gain a significant marketing advantage.

Now more than ever, it pays to be ready for regulation. Companies’ actions today will continue to count for years to come.


George Thompson’s security experience covers the spectrum of security, including corporate security policy and governance; IT security policy, procedures and standards; security process and technology; application security; and security architecture development and deployment. He has management experience of a number of security businesses, including consulting and application development, and has acted as interim CISO for clients. He has over 30 years of experience in the IT, security and networking industries and has been a director at KPMG since 2004. George is married with two children and is a keen competitive sailor.
