
Are You in Compliance? Europe's Spam and Cookie Directives
http://web.bluebirdstrat.com/blog/are-you-in-compliance-eu-spam-and-cookiedirectives

By Carol Spillman & Sue Hay | Aug 4, 2014 11:57:00 AM | Spam, Email Spam, European Spam and Cookie Directives, EU Spam Laws
The online collection of information and electronic spam have long been a concern
for the European Union. Member States have two privacy directives to work from
that indicate how privacy and electronic communications (spam) and protection of
personal data (cookie) legislation should be enacted in every EU country. Though
both directives are interpreted and enforced differently from country to country, they
serve as a basis for understanding how to ensure you're in compliance with EU
online communication laws.
Spam
Email spam laws in Europe all fall under one European Union directive, which, in
theory, makes email marketers in all EU countries subject to the same expectations.
In practice, however, the 2002 EU directive set guidelines, but each member state
has had to enact its own unique laws for electronic communications. Taking an opt-in
stance on email communications, the EU Directive 2002/58/EC stipulates the
following guidelines for electronic communications:

- Prior explicit consent should be required before sending a commercial electronic message (including email, SMS, voice, fax and other electronic forms of messaging)
- An opt-out (or unsubscribe) option must be easy and clear for recipients of commercial messages
What does it take to be in compliance?
Because the EU directive isn't technically a law, each member state has the flexibility
to implement email spam laws at its own discretion, resulting in varying levels of
legislation.

Laws in each country are pertinent to marketers in different countries, since they
pertain to all recipients within that country. All email marketing laws can be seen on
the European legislation chart below. Each country's legislation either mandates
explicit consent (for which an opt-in is required) or implicit consent (for which an opt-out
is required). The "Informed Consent" category found in the chart below relates to
the Cookie legislation in each country, which is discussed later in this post.

(Image source: Celsius International B2B Email Marketing European Legislation White Paper, 2010.)

What are the fines for non-compliance?

In the UK, for example, the ICO (the body that enforces spam law compliance) can
issue fines of up to £500,000 for serious breaches of the law. In Germany,
punishment can include imprisonment for up to 5 years.

There are a variety of penalties for spam law infractions, and most depend on intent
and degree of severity. In general, it's better to be in compliance as quickly as
possible with the EU electronic communications directive stipulations than to risk
penalties by under-compliance.

What does it all really mean?


Here's what it all boils down to: unless you can prove an existing business
relationship for the contacts on your list, you need to be able to prove that you've
adopted opt-in practices. Although the EU spam directive isn't exactly law, for
companies sending electronic communications to European email addresses, it's
best to be in compliance to avoid penalties in any country. A double opt-in is not
required but is recommended in case recipients are located in a country like Germany,
for example, with strict opt-in laws.

What does it mean for my email lists?


Email campaigns are the lifeblood of marketing for many companies. Your lists are
vital to your pipeline and EU spam laws won't change that. The laws in Europe are
intended to protect individuals from spam. While it may require additional effort to
gather opt-in email addresses at first, it actually could help you tighten your list to
recipients who are interested in your communications, and therefore more likely to
convert.

The Cookie Directive


Cookies are used to collect valuable visitor information on business websites. This
information is critical to understanding who your customers are and what they're
doing on your site. And cookies are an effective way to build your email list.
However, there are recent restrictions on cookie usage in the EU in order to protect
users. The EU Directive 95/46/EC came into effect in May 2011, stating that Member
States need to enact laws to meet the new cookie requirements. The Cookie
Directive usually requires an opt-in method of consent, which means Cookies should
be turned off so they don't begin immediate tracking, although implied consent can
work per the ICO in some cases. Using cookies on any website requires that
businesses clearly and explicitly inform users what their information will be used for.
Also the directive requires you to do a bit more to be in compliance:

1. Provide website visitors the ability to control their Cookie preferences on your website
2. Make your Cookie policy and controls easy to find and prominent on the website
3. Obtain either Implicit or Explicit consent from the website viewer confirming that they are aware of the use of Cookies. Each EU country may have different laws/requirements as to the type of consent (Explicit Opt-in/out, or Implicit) required for use of Cookies.

What is exempt?
The EU Cookie Directive states that cookies that are "strictly necessary" are exempt
from opt-in. Though this statement is not clearly defined and has been interpreted in
different ways in different countries, it is likely to include cookies that are used to
remember items in online shopping carts, cookies used to secure confidential
information (e.g. online banking security) and cookies used to enhance web page
load time. If your cookie usage goes beyond those three categories, you must then
comply with the EU Cookie Directive.

Since the Cookie Directive technically isn't a law, it is required that each Member
State enact a law based on an interpretation of the 2011 directive. It's true that
legislation varies from country to country. However, for companies collecting
information from users in Europe, gaining consent before collecting information is the
safest business practice. Consultation with your legal advisors is recommended to
determine your business's best course of action.

EU Member State | Consent Method | Practical Interpretation
Austria | Unclear | Get an explicit opt-in from your visitors via a banner, pop-up or lightbox.
Belgium | Implied | A preference for consent to be obtained prior to the setting of cookies exists; however, implied consent is considered allowable. Browser controls are not acceptable for indicating consent.
Bulgaria | Implied | The use of cookies is only allowed under condition that the subscriber or user concerned have been provided with clear and comprehensive information.
Croatia (Non member) | Explicit | Although Croatia is not currently a member of the EU, it is adopting EU directives as part of its commitment to joining. No other details released currently.
Cyprus | Explicit | Get an explicit opt-in from your visitor via a banner, pop-up or lightbox.
Czech Republic | Implied | Implied consent is considered acceptable but the site is obliged to offer users a way to refuse the possibility of the processing.
Denmark | Implied | The consent must be freely given and specific; however, implied consent should be sufficient.
Estonia | Implied | Implied consent should be sufficient; the law contains a 'right to refuse' approach.
Finland | Unclear | Users may give the consent via browser or other application settings.
France | Explicit | Cookies can only be served if the visitor gives explicit consent. This consent must be given prior to any service relating to cookies. Consent must also be given for each cookie with a different purpose.
Germany | Explicit (per personal data) | Explicit consent is required for any cookies that process personal data; implied is acceptable for all other types.
Greece | Explicit | While not yet implemented into law, the regulatory requirement is consent qualified by the ability to rely on browser or other application settings.
Hungary | Browser settings | General practice is that consent can be obtained via browser settings; however, so far this has not been confirmed by the opinion or the guidance of the Authorities.
Iceland | | No known steps have been taken in Iceland.
Ireland | Browser settings | Information must be "prominently displayed and easily accessible" and be as "user friendly as possible". Where it is technically possible and effective, consent may be given by browser settings.
Italy | Implied | Implied consent is sufficient (for now). In order to assess the true impact of the new legislation, Italy is awaiting an opinion from the local data authority.
Latvia | Explicit (for personal data) | No official guidance has been issued by Data State Inspectorate to date regarding collection of consent for use of cookies.
Liechtenstein | | No known steps towards implementation.
Lithuania | Explicit | Cookies can be served only where the individual has consented in advance of receiving them.
Luxembourg | Browser settings | The method of providing information and right to refuse should be as user friendly as possible and, where it is technically possible and effective, the user's consent may be expressed by appropriate browser/application settings.
Malta | | The new regulations do not mandate the form or type of consent required; however, the local DPA will recommend against relying on browser settings.
Netherlands | Explicit (with burden-of-proof) | An additional 'burden-of-proof', particularly for tracking cookies used in behavioural advertising. This creates a legal presumption that cookie data comprises personal data unless the website operator can establish otherwise.
Norway | | The Norwegian government is considering a proposal to prohibit processing cookies without valid consent from individuals.
Poland | Browser settings (explicit for targeted ads) | Allows that visitor consent may be given through adjusting browser settings; it also requires that consent should be obtained prior to any setting or reading of cookies.
Portugal | Explicit | The law requires prior consent for cookies. Fines can be up to 5 million Euros - much more significant than most other countries.
Romania | Implied | No guidance has been published as yet.
Slovakia | Browser settings | The law recognizes the possibility of obtaining consent via browser settings/other application settings.
Slovenia | Browser settings | The legal requirement is qualified by an explicit reference to the ability to rely on browser settings or other applications.
Spain | Browser settings | Where it is possible and effective, consent may be provided using browser settings as long as this requires a positive action from the individual.
Sweden | Browser settings | Requires the user's consent to cookies. For the time being, this is understood to mean that consent can be achieved relying on browser settings.
United Kingdom | Implied | Browser settings are not sufficient to demonstrate consent, but implied consent is a valid solution. A maximum fine of £500,000 can be issued for non-compliant websites.

(EU cookies law chart source: http://ico.org.uk/enforcement/fines)

Who can I talk to and who can help me with this?


To learn more about EU spam laws, read Directive 2002/58/EC issued by the
European Parliament. For more information about EU and cookies, you can visit
the Information Providers Guide through the EU online handbook. Bluebird
Strategies provides resources regarding the existing EU cookie and spam directives,
and we can discuss best practice options to quickly bring your company into
compliance. Or, click to view our spam law chart that shows details of the legal
requirements for email content in Canada, Europe and the United States.
Consultation with your legal advisors is recommended to determine your business's
best course of action.
