The EU recently amended its Privacy and Electronic Communications Directive (the “E-Privacy Directive”), changing the rules for the use of cookies to track or store information on European users. Prior to the amendment, website operators with customers in the EU were simply required to: (a) inform website users how they use cookies; and (b) provide “opt out” information.

Under the new rules, which went into effect on May 25th, 2011, cookies can only be placed on a user’s computer where the user has given their express consent, except where the cookie is “strictly necessary” for a service specifically requested by the user.

What exactly does this new law mean to website operators both inside and outside the EU?  The UK Information Commissioner’s Office (“ICO”) has recently provided some advice on how to comply.

How Is Consent Obtained?

The ICO guidance states that information pertaining to cookies must be provided before a cookie is set for the first time. Once consent is obtained, a website operator need not seek consent again for the same person each time the same cookie (for the same purpose) is used in the future.  Obtaining the consumer’s consent could be a dicey proposition for data management organizations that use cookies to track consumer preferences that wind up in the hands of third party marketers.  Giving permission to a site to remember what you selected to purchase is one thing, but allowing the site’s operator a doorway into your likes, dislikes, and purchase history for the purpose of passing it on to strangers is quite another.

So how does a company obtain the required consent?  The ICO states that “the more privacy intrusive your activity, the more you will need to do to get meaningful consent.” For example, the guidance explains that consent can be obtained via the following methods (note that these are not exhaustive suggestions):

  • Pop-ups. A website operator could ask a user directly if they agree to a website operator putting something on their computer.  Clicking “yes” would constitute consent.
  • Terms and Conditions. A website operator could alternatively make users aware of the use of cookies via the terms and conditions, asking a user to tick a box to indicate that they consent to the new terms.
  • Settings-led consent. Consent could also be gained as part of the process by which the user confirms what they want to do or how they want the website to work, e.g., some websites “remember” which language version of a website a user prefers. If this feature is enabled by the storage of a cookie, then the website operator could explain this to the user and that it will not ask the user every time they visit the website.

How Does the “Strictly Necessary” Exception Operate?

The ICO states that the “strictly necessary” exception is a narrow one that may apply to cookies that website operators use to ensure that when a user of its site has chosen the goods they wish to buy and clicks “add to basket”, the website “remembers” what the user chose on a previous page. In this case, the guidance suggests, consent would not be required. Yet the guidance goes on to say that the exception would not apply, for example, just because a website operator decides that its website would be more attractive if it remembered users’ preferences or it decides to use a cookie to collect statistical information about use of the website.
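Taken together, the consent methods described above and the narrow “strictly necessary” exception amount to a gating rule that a site can enforce in its own front-end code rather than leave to a privacy-policy paragraph. The following is an added example in JavaScript, not code from the original post or from the ICO: every cookie the site sets is classified by purpose, only the “necessary” class is set without consent, consent obtained through a pop-up, tick box or settings choice is recorded once and re-read on later visits, and any cookie that has not been classified is refused. The cookie names, purpose labels and consent-cookie name are assumptions; the in-memory jar stands in for `document.cookie` so the example runs under Node.

```javascript
// Added example, not code from the original post: a consent-gated cookie
// setter that applies the ICO distinction between "strictly necessary"
// cookies and everything else.  The cookie names, their purposes and the
// name of the consent-record cookie are assumptions for illustration.

// Every cookie the site sets must be classified up front; unclassified
// cookies are refused (fail closed) so nothing is set without review.
const COOKIE_PURPOSES = {
  basket: "necessary",   // remembers "add to basket" across pages: exempt
  lang: "preference",    // remembers chosen language: settings-led consent
  _ga: "analytics",      // usage statistics: ICO says not strictly necessary
  adid: "advertising",   // passes data to third-party marketers: needs consent
};

// Cookie that records which purposes the user has agreed to (assumed here
// to be exempt, as the mechanism that implements the consent itself).
const CONSENT_COOKIE = "cookie_consent";

// Minimal cookie jar with document.cookie-style parsing and serialization so
// the example runs outside a browser.  In a browser, read() and write()
// would wrap document.cookie instead of a Map.
class CookieJar {
  constructor(header = "") {
    this.store = new Map();
    for (const part of header.split(";")) {
      const eq = part.indexOf("=");
      if (eq === -1) continue;                 // skip malformed fragments
      const name = part.slice(0, eq).trim();
      const value = part.slice(eq + 1).trim();
      if (name) this.store.set(name, decodeURIComponent(value));
    }
  }
  read(name) { return this.store.get(name); }
  write(name, value) { this.store.set(name, value); }
  toString() {
    return [...this.store]
      .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
      .join("; ");
  }
}

// Which purposes has this user already consented to?
function consentedPurposes(jar) {
  const raw = jar.read(CONSENT_COOKIE);
  return new Set(raw ? raw.split(",").filter(Boolean) : []);
}

// Record consent obtained through a pop-up, a T&C tick box or a settings
// choice.  Previously granted purposes are kept, so the user is not asked
// again for the same cookie and purpose on later visits.
function recordConsent(jar, purposes) {
  const granted = consentedPurposes(jar);
  for (const p of purposes) granted.add(p);
  jar.write(CONSENT_COOKIE, [...granted].sort().join(","));
  return granted;
}

// Set a cookie only if it is strictly necessary or its purpose has been
// consented to.  Returns true if set, false if withheld.
function setCookie(jar, name, value) {
  const purpose = COOKIE_PURPOSES[name];
  if (purpose === undefined) {
    throw new Error(`refusing to set unclassified cookie "${name}"`);
  }
  if (purpose !== "necessary" && !consentedPurposes(jar).has(purpose)) {
    return false;
  }
  jar.write(name, value);
  return true;
}

// Walk through a first visit: the basket works without consent, analytics
// and advertising cookies are withheld until the user agrees.
function demo() {
  const jar = new CookieJar();                          // constructed: empty jar, first visit
  const results = {
    basket: setCookie(jar, "basket", "sku-123"),        // true: strictly necessary
    gaBefore: setCookie(jar, "_ga", "GA1.2.1"),         // false: no consent yet
  };
  recordConsent(jar, ["analytics", "preference"]);      // user accepted stats + language memory
  results.gaAfter = setCookie(jar, "_ga", "GA1.2.1");   // true: analytics now consented
  results.lang = setCookie(jar, "lang", "fr");          // true: preference now consented
  results.adid = setCookie(jar, "adid", "abc");         // false: advertising never consented
  results.cookieHeader = jar.toString();                // what a later request would carry
  return results;
}

console.log(demo());
```

The design choice worth noting is the fail-closed default: a cookie that nobody has classified cannot be set at all, which forces the inventory of cookies the ICO guidance presumes a site operator has already made. On a real site the `demo()` walk-through would be replaced by the pop-up or settings handler calling `recordConsent` with the purposes the user ticked, and every other `document.cookie` write would go through `setCookie`.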

Do Website Operators Have to Comply With the Changes and Guidance?

If sites are based in EU countries, the answer is a definitive yes. What does all this mean to U.S. website operators?  At the moment, not too much, as the E-Privacy Directive is intended to protect EU citizens.  Many US based sites already incorporate information regarding the use of cookies in their website privacy policies (although not as many offer the opportunity to opt out).  It would nevertheless be prudent for U.S. sites that employ tracking cookies to incorporate a specific paragraph addressed to EU users that discusses compliance with the E-Privacy Directive.

However, one cannot lose sight of the fact that there are currently four bills pending in Congress regarding this same issue, and the steps taken by those on the other side of the Atlantic will certainly be taken into consideration when the final bill is ready for the President’s signature.


Seth Heyman
Seth D. Heyman is a California attorney with extensive experience in advertising and marketing law, corporate law, contracts, governmental regulations, international business, and Internet law. He has counseled numerous successful companies, both public and private, and was responsible for regulatory compliance, contract management, corporate governance, and HR best practices for multiple organizations in many diverse industries, including marketing, telecommunications, energy, and technology development. He offers insight and guidance on federal and state direct mail, TV, radio, telemarketing, and Internet marketing laws, as well as online promotions, Internet privacy, data protection regulations, and similar matters.

1 Comment

  1. Great intro to a very tricky topic Seth. Clearly there are multiple unknowns at this point but US-based businesses do need to be tracking this topic (pun intended).

    Any thoughts on US firms being held to this law, for example when someone in the EU visits a US-based dot com website?

    Stephen Cobb, CISSP
