The Internet has long grappled with the issue of consumer privacy. In the sixth article of an eight-part series, Digiday examines the issue of “Redefining Privacy.” The series is made possible through the sponsorship of Truste, a provider of online privacy services.
Privacy laws are now going into effect across Europe that require publishers to gain users’ consent before dropping cookies on their computers and other Internet-enabled devices. The new requirements are intended to protect the privacy of citizens in Europe but could, in theory, have implications for publishers based outside of the region if their sites attract visitors from any of the EU’s member states.
Even if a website is operated and hosted in the U.S. but EU citizens can access it, then the site’s publisher is, in theory, legally required to comply with local privacy laws.
“If you have a site directed at EU citizens, you are more likely to be seen as falling under ePrivacy — even if the website and parent corporation are physically located elsewhere,” explained Alan Chapell, founder of privacy, data collection and legal consultancy Chapell & Associates. “Numerous U.S.-based publisher sites attract at least some traffic from the EU every month.”
But practically speaking, local data protection authorities in EU states such as the U.K., France, and Germany have neither the means nor the jurisdiction to aggressively enforce the laws beyond their borders.
“The short answer is, this is a European measure,” said Ashley Winton, a partner in the intellectual property and technology group at international law firm White & Case. “If you’re a standalone business outside of Europe, you can probably continue operating without respecting this privacy law.”
That said, it’s a different situation if a publisher has business entities or dealings directly within the EU, Winton added. “If you’re someone like Google with servers in the U.S. but also servers in Europe, then you’ll want to comply with these things,” he said. “For those companies with operations in Europe, local regulators can enforce against that arm of the company.”
With that in mind, American Lawyer Media appears to be playing it safe and is working to respect the new EU laws, despite the fact it’s headquartered in New York, using technology provided by online privacy firm Evidon.
According to Scott Meyer, Evidon CEO, it comes down to a judgment call on behalf of the publisher based on an interpretation of the local laws and the nature of said publisher’s business.
“If you’re a multinational publisher, you’re going to approach this differently than a U.S.-based, domestic one that happens to get some traffic from Europe,” Meyer said, though he noted he’s not a qualified lawyer.
Evidon isn’t the only company to have noticed a market for that type of service. Tag management firm Ensighten launched a similar free service yesterday that enables publishers to detect users’ locations, communicate with them, and subsequently tailor the types of data that are collected from them. “If you’re a business of size, you have to be thinking ahead of the curve with these things,” said Des Cahill, vp of marketing at the firm.
But ultimately it appears that only larger, international publishers are prioritizing their compliance with the new laws at this point, as opposed to smaller, largely U.S.-specific ones. In the short term, the vast majority of publishers within the EU member states where the laws have been implemented remain unclear as to exactly how they’re expected to comply and are failing to do so as a result.
Accordingly, local regulators are likely to turn their attention and enforcement capabilities to large domestic publishers in their local markets before they begin to think about those outside of them.