Join Us
Press  |  Investors
Contact  |  Content

Transparency, informed consent and control needed from publishers under EU ‘Cookie law’

Nigel Edmund-Jones – Data Privacy officer (EU)

Download Rubicon Project’s UK Cookie Compliance – Best Practice for Publishers here

The European Union’s (EU) ‘Cookie Law’ Directive (2011), an amendment to existing data privacy laws, required each EU member state to transpose new controls into local country law. Its aim is to give consumers more insight and control into how ‘personal’ data is collected, tracked and used on websites. This was a reaction to privacy concerns raised over use of data, including that used for online advertising. For consumers, the most overt use of data has been for retargeted marketing messages in website display advertising.

In the UK, the Information Commissioner’s Office (ICO), the data protection regulator, promoted compliance with the new, transposed UK law (see ref below) for website publishers through iterative published guidance (see ref), including suggestions of a light-touch regulation approach to non-compliance and a one-year grace period (expiry date: May 26 2012) for specific compliance.

So where do UK publishers now stand – and how seriously have they taken this?

Many publishers have already added improved deep-linking and signage to ‘clear and relevant’ cookie explanations on their websites, as well as adding an ‘informed, implied consent’ mechanism for users. The latter generally consists of a clearly obvious site notice informing users that continued use of that site gives the publisher their implied consent to use cookies and trackers for ‘strictly necessary’, ‘performance’ and ‘functionality’ purposes. These cookie definitions (see ref) have been proposed by the ICC (International Chamber of Commerce) and have already begun to see adoption.

 Ad Choices icon

From a business perspective, the IAB (Interactive Advertising Bureau) Europe and EASA (European Advertising Standards Alliance) followed the US lead and reacted to the EU directive with an industry-wide OBA (Online Behavioural Advertising) self-regulation solution (see ref), including Your Online Choices (similar to the US NAI – Network Advertising Initiative) and the AdChoices on-ad icon (US initiative link here). Subsequently, this initiative alone was not considered sufficient to address original privacy concerns in the EU. However, a proliferation of icons is already appearing on ads on UK sites, providing consumers with clickable links directing them to more information and control of cookies and trackers used for advertising.

Across the rest of the European Union there has been a variety of reactions, ranging from those countries that have yet to do anything to transpose the EU Directive into domestic law to those who have introduced their own law and either given no guidance on compliance or, like in the UK, given documented guidance (referenced below). The Netherlands seem to be out on a limb, as they have gone for an explicit consent option, treating tracking cookies as personal data, making the Data Protection Act applicable in that country from Jan 2013.

Rubicon Project, in conjunction with lawyers Taylor Wessing, have interpreted the ICO guidance and detailed the current UK market position in UK Cookie Compliance – Best Practice for Publishers document, published here. In summary, transparency, informed consent and control are key measures need to be considered by all UK publishers.

Nevertheless, with the ‘Do Not Track’ (DNT) initiative (a proposed single, persistent choice to opt out of third-party tracking) and Microsoft’s suggestion that DNT may be set as default in the next major release of Internet Explorer (IE10), the water is beginning to get muddy again – just as UK publishers have begun to implement their cookie and user privacy solutions for addressing the new law.

Rubicon Project is a signatory to the IAB’s pan-European self-regulatory Framework for Online Behavioural Advertising (OBA), which outlines good practice aimed at enhancing transparency and consumer control in the online advertising business.

Download Rubicon Project’s UK Cookie Compliance – Best Practice for Publishers

Rubicon Project works in partnership with TRUSTe to provide data management and privacy solutions for publisher partnerships.

Trust-e logo
Taylor Wessing


UK – Law: http://www.legislation.gov.uk/uksi/2011/1208/contents/made

UK – ICO guidance: http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx

UK – ICC cookie categorisations: http://goo.gl/t4w1o

EU – EASA Best Practice Recommendation on Online Behavioural Advertising: http://www.easa-alliance.org/page.aspx/386

EU – IAB Your Online Choices: www.youronlinechoices.eu

US – Network Advertising Initiative: http://www.networkadvertising.org/

US – DAA Self-regulatory Program for OBA: http://www.aboutads.info/

Rubicon Privacy: https://rubiconproject.com/privacy/

TRUSTe: http://www.truste.com/

Taylor Wessing – Download – Media and Tech Law: http://www.taylorwessing.com/download/