Web-users may have noticed an increase in cookie consent banners across the internet in recent weeks. This results from Google’s new EU user consent policy. The policy, accessible here, requires website publishers who use Google cookies to obtain their European site visitors’ consent before dropping and reading cookies.
While the law in this area hasn’t changed recently, the regulatory atmosphere has. European privacy regulators are increasingly focusing on US based organisations that target EU users. In this climate, EU data protection authorities requested changes to the way Google obtains end user consents. The changes to its consent policy are a direct result of Google’s engagement with regulators.
In its FAQ, Google states:
The Article 29 Working Party, an umbrella body that comprises representatives of all EU data protection authorities, has requested some changes to current practices for obtaining end user consents. We understand these principles will be applied across the industry. It has always been Google’s policy to comply with privacy laws, so we’ve agreed to make certain changes affecting our own products and partners using Google products.
The new user consent policy will not only impact Google-owned websites but also ad publishers who are using Google services such as AdSense, DoubleClick for Publishers and DoubleClick AdExchange.
Publishers will have to add consent policies in respect of EU traffic only. However, many website publishers may not be in a position to ascertain where their traffic comes from, or to incur the engineering cost of having different versions of their website for different regions. This could result in EU consent notices appearing on many websites, including those based outside of the EU that primarily target non-EU users.
Google is pushing for publishers to update their own consent policies by September 30th, 2015. To assist publishers in implementing a consent mechanism on their websites, Google unveiled a resource website earlier this month. The site is designed to provide publishers with information as to how they can ensure they comply with this policy. The website includes examples and tools to help implement an effective consent mechanism for users.
This change in policy reflects the heightened scrutiny that internet companies are facing across Europe. It also shows how EU online privacy standards are being “exported” and may need to be complied with by non-European internet companies that provide services to EU users. Further guidance on EU website legal compliance issues can be found in our Checklist series: Part 1, Part 2 and Part 3.