Skip to main content

An update on the ePrivacy Directive for Affiliates

by Dave Tinneny | 20.04.2012
Disclaimer: This blog post, or any other information released by Tug is purely our own opinion and cannot be taken as binding legal advice. This is because none of us are lawyers. Also, trying to find anyone who will give you some straight-forward advice on this topic is like searching for hen’s teeth and unicorns.


On Tuesday, the annual Linkshare Symposium was held in The Brewery here in London. This event brings together publishers, advertisers, agencies and hangers-on of all descriptions, so that they can make deals, network and hear the latest industry insights from the experts. It was a great event and a complete success for the Network.


The highlight of the day’s discussions however, was a session by Liz Robertson advising on the new ePrivacy Directive. Liz is a lawyer who advised on behalf of Linkshare. Considering the latest stats that suggest only 20% of site users would accept cookies given the choice, there were quite a few anxious faces, and the distinct smell of nervous sweating, as soon as the topic came up.


Liz assured us all that none of what she said was legal advice and that everyone had to fend for themselves, as far as the Information Commissioner was concerned. This really set the tone of how serious the issue is.

It wasn’t all bad news however, and considering I’ve requested information from the majority of the big networks, Liz was the first to offer help without looking like a rabbit who has just watched their whole life flash before their eyes in the headlights of a big oncoming EU truck.


The main action points of the law are as follows:

  • Cookies can only be used if the customer has given prior consent.
  • The user only has to consent once and then they don’t need to be asked again.
  • The level of consent should also be tied to the intrusiveness of the cookie.
  • Consent is needed on a site by site basis (just because they agree on an affiliate site, it still doesn’t count when they click through to the advertiser site).


The reason for italics is that the approach you take to compliance depends entirely on your own situation. The law is vague when it comes to how you obtain prior consent and no one seems to know which cookies are deemed too intrusive (should a Google analytics cookie require a pop-up to opt out for example?).


There have been some admirable attempts at solutions from sites such as BT and Tanqueray and I’ve added some further examples/ideas below:

  • Pop –up window
  • Tie it to a ‘consent on entry’ box – usually over 18’s sites
  • Terms and conditions update – tick box to accept (more on this further down)
  • Feature access – ‘to use this feature we need to enable cookies, do you agree?’
  • Registration – Add it to the registration T&C’s


There are other essential steps to take when complying:

  • A full cookie audit – Find out what you use on your site and remove anything redundant that doesn’t need to be there anymore. Also, can you disable all of those cookies? You need to have that option.
  • Updating Privacy Policy & Terms of Use – I could almost have a separate post about this, but use clear to understand language, remove inconsistencies/contradictions and whatever you do, NEVER copy and paste it from another site. Include information on tracking, use full disclosure on any cookies used and details of how to disable cookies.
  • If your site is international, get legal advice for each local jurisdiction.


Still not convinced? ‘Bah, no one has a clue what’s happening with it, I’ll be fine’ – does that sound familiar? How about a £500,000 fine?

Well, everyone I spoke to on Tuesday agreed that at least one site will be made an example of, in the worst way possible, to drive home how important this is to the guys in Europe.

You have been warned…