ESOMAR is offering support to research companies with its new Practical Guide on Cookies to help companies understand new EU law regulating companies’ use of cookies and similar technologies
The recently amended EU law, known as the e-Privacy Directive, will affect every organisation doing business and/or contacting research participants in the EU. Any organisation operating its own website using cookies or similar technologies (hereafter referred to collectively as cookies), or which accesses information already stored on a user’s equipment should take into account the changes and how they will affect daily operations. The revised Directive entered into force in 2011 and recently individual EU countries have just adopted national laws to implement the Directive.
Online research, related technology or online panel companies in particular should act to comply with this new law. However, all research organisations, whether in the public, non-profit or private sectors, should take steps to conduct an audit to find out which cookies they use before national regulators follow up on recent threats of a new campaign to issue sanctions against organisations that have done nothing to comply with the new rules. Increasingly often, regulators are introducing powers to issue heavy fines.
The ESOMAR Practical Guide on Cookies helps research companies do five key things:
1) Get started with their cookie audit
2) Understand the need to clearly inform users about using cookies before placing them/accessing information on cookies already placed.
3) Understand how to determine which country’s law applies
4) How to begin contacting national regulators to find out about specific national consent requirements in all countries where the research is conducted.
5) Understand what a cookie audit and cookie privacy policy looks like through use of practical examples.
National laws implementing the EU law differ slightly in every country (in four EU countries – Belgium, Poland, Portugal and Slovenia – the law is still being finalised), therefore the Guide cannot be seen as a complete compliance solution, particularly with regard to how consent is obtained from website users.
The Guide also complements ESOMAR’s Guideline for Online Research with regard to how web users are informed about the use of cookies, etc. in each company’s privacy policy.
The Guide is split into three principal sections:
A section on helping organisations to determine the applicable law; a helpful Q&A on what essentials you need to know, including references to web analytics and digital fingerprinting; followed by practical steps to take for conducting a cookie audit. Appendices include valuable practical examples of a cookie audit and a privacy policy to effectively inform web users.
ESOMAR also provides advice on whether research cookies can qualify for the exceptions to the requirements of the new EU law. There are two narrow exceptions, either for carrying out the transmission of a communication over an electronic communication network, or as strictly necessary in order to provide a service explicitly requested by the subscriber or user. For example, for requested services such as panel members, no separate consent is required to set cookies every time they are presented with a survey. However, they must have been presented with clear information about the use of cookies at the time that they sign up to the panel and have consented at that point. The Guide suggests some user-friendly ways to do this.
ESOMAR warmly thanks the expert project team from the ESOMAR Legal Committee who led the drafting of this practical guide and provided their invaluable input:
•Adam Phillips – ESOMAR Professional Standards and Legal Committees Chair
•René Lamsfuß –Vice President Market Governance & Data Strategy Europe, The Nielsen Company (Lead Author)
•Alexander Singewald – Legal Consultant, ESOMAR Legal Committee
•David Stark – Vice President, Integrity, Compliance and Privacy Officer, GfK