August 9, 2013

Data Protection in a Global Market: The EU Cookie Directive, Safe Harbor, and You

Posted by Jenny Comisford

Google Analytics, marketing automation, re-targeting tools, social plug-ins, customer communities and email marketing programs are just a few examples of web-based solutions used by organizations around the globe to track, collect and analyze consumer demographic and behavioral data. Companies use this captured data to target advertising dollars, marketing to us based on our likes, dislikes, behaviors and personal networks. These targeted advertising efforts ultimately result in millions in revenue for these organizations.

With the rise of cloud computing and continuing technology advancements, more data, and deeper insights, are becoming available to companies every day. As these organizations scurry to draw value from this powerful asset, consumers are becoming increasingly uneasy about what this means for their privacy and lifestyle. Regulatory institutions across the globe are being forced to re-examine data privacy laws in order to address these consumer concerns.

In some cultures, like the U.S., this data hoarding has become an expected, although sometimes irritating, intrusion, with red flags only being raised for the most grotesque invasions of privacy. On the other hand, if you were to travel to Northern Europe, where governments sway towards socialism, citizens have a different perspective on what is an acceptable level of data capture and transfer.

Many regulatory bodies have developed standards to protect their respective citizens’ privacy, but these standards are not bound by geographical borders. As a marketer tasked with engaging an international market, what do you need to know to make sure you’re not overstepping cultural boundaries?

The EU Cookie Directive (Directive 95/46/EC), arguably the strictest data privacy regulation, was developed by the European Commission to protect the processing of personal data within the European Union. It consists of seven principles:

  1. Notice – All web visitors subject to tracking should be given notice when their data is being collected
  2. Purpose – A purpose for this data collection should be made known to the web visitor and the data should be used for no other purpose
  3. Consent – Data collected should not be disclosed to anyone without the web visitor’s explicit consent
  4. Security – Collected data should be kept secure from any potential abuses
  5. Disclosure – Web visitors should be informed as to who is collecting their data
  6. Access – Web visitors should be allowed access to their data to make corrections if they see fit
  7. Accountability – Web visitors should have a method available to them to hold data collectors accountable to the aforementioned principles.

So what does this mean to you? What if your organization doesn’t reside in the EU? The Directive stipulates that these principles apply if your business is established in the EU OR if equipment is used in the EU. This means that if you have servers in the EU, or use an ISP in the EU, these standards still apply to you.

But wait a minute: why am I not given notice, access, accountability, etc. on every European-run website I visit? Although the Directive was developed initially in 1998, it has been each individual country’s responsibility to build it into their existing legislation, and this has been slow to happen. However, in September 2012, the Information Commissioner’s Office warned European businesses that they will face large fines if they do not implement the procedures necessary to comply with the Directive. This has refocused attention on the Directive, and countries are quickly moving to add it to their current regulation.

Why other countries should still take heed in regard to digital privacy

The EU Directive has forced other regulatory bodies to revisit their policies on data privacy and protection. Countries like Australia, New Zealand, Argentina and Canada have implemented stricter policies in the last couple of years. Several countries in the Asia Pacific region, including the Philippines, Malaysia, and Singapore, are working towards enacting new regulation to further protect citizens’ data privacy. We anticipate that as time passes, more regulation will be implemented globally. As marketers in the digital age, it is important that we stay up-to-date on these changes.

The U.S. bridges the gap – Safe Harbor Certification

Although the seven principles of the EU Cookie Directive explicitly apply only to businesses established in, or utilizing equipment in, the EU, the Directive also prohibits the transfer of personal data to non-European Union countries that do not meet an adequate standard for privacy protection. To overcome this hurdle, the United States Department of Commerce collaborated with the European Union to develop the Safe Harbor Certification Program.

Any U.S.-based organization that is seeking to expand its footprint in the E.U. is encouraged to opt into the Safe Harbor Certification Program. By opting in, you are agreeing to adhere to the EU Privacy Standards, including the Cookie Directive, whether you’re transferring data domestically or abroad. As these standards are regulated more closely in the EU, European-based companies will seek out Safe Harbor certified organizations to do business with in order to eliminate their risk of fines.

2Checkout has been Safe Harbor certified since 2010, and is proud to take the appropriate measures to ensure our Sellers’ and Buyers’ data privacy and protection.

For more information on the EU Cookie Directive and other data privacy regulation, you can contact me at or connect with me on Twitter @jennybeal.