On May 26, 2011, the Member States of the European Union (“EU”) became obligated to begin enforcing the 2009 amendments1 to the e-Privacy Directive2 regulating the use of Internet “cookies” (“2009 Amendments”). Although delays in implementation of the new rules mean that enforcement is likely to be phased in over the next year, national regulatory authorities from EU Member States have made clear that companies must begin the process of achieving compliance now. Failure to comply could lead to the imposition of substantial monetary penalties and in some cases, even criminal liability.3  

What Is A Cookie?

A cookie4 is a small file of letters and numbers that can be downloaded on a device when the user accesses certain websites. A cookie allows the website to recognize the user’s device and may convey information concerning the user’s activities and preferences.  

2009 Amendments

In 2002, the EU passed the e-Privacy Directive, which, among other things, required that Internet users be provided with “clear and comprehensive information” about why cookies are used on the relevant website and be offered the right to refuse the cookies – the so-called “opt-out” consent.

The 2009 Amendments introduced a significant change to the “cookie” law – the implied “opt-out” consent became no longer sufficient. Instead, the 2009 Amendments required website operators to obtain express and informed consent to use cookies (or similar technologies which involve storing data on a user’s computer) – the so-called “opt-in” consent.

A limited exception is provided where the use of cookies is "strictly necessary" to carry out an activity explicitly requested by a user (i.e., creating a "Shopping Cart" in advance of check-out). What types of activities will be deemed “strictly necessary” is left for the individual EU states to define.

National Implementation of 2009 Amendments

EU directives do not have direct legal force in countries within the EU – they need to be implemented through national legislation. Such implementation (also known as “transposition”) is mandatory under the EU law, though Member States often miss the deadlines imposed by the EU.  

Though the 2009 Amendments were required to be implemented by May 26, 2011, out of the 27 Member States only Denmark and Estonia achieved full implementation within the given time frame. Seven other countries (Finland, France, Lithuania, Luxembourg, Slovenia, Spain and the UK) met the deadline but only with partial implementation of the 2009 Amendments. The EU-wide delay in the implementation has many EU countries considering a “moratorium” on the enforcement of the new cookie law. For example, the United Kingdom has granted businesses 12 months to bring their practices in line with the 2009 Amendments before the enforcement begins, though businesses must begin the process of achieving compliance now.

What is Required to Meet The “Opt-In” Consent Requirement?

There is no clear consensus between the national EU governments, regulators and various business groups as to what type of consent will satisfy the 2009 Amendments. This has been left for each individual Member State to interpret and set out in their national laws.  

In the UK, for example, the national regulatory authority has published guidance as to what could constitute a sufficient “opt-in” consent:

  1. pop-ups or features-led consent, asking for consent prior to allowing the user to view a website or any particular feature of the website;
  2. terms and conditions to which the user agrees when he or she first registers or signs up;
  3. settings or preference-based consent, obtained by notifying the user that the site can “remember” a user preference by use of a cookie;
  4. Internet browser settings (although in the view of various EU countries and the European Commission, most browsers currently available in the market are not sophisticated enough to be capable of delivering valid consent to cookies via their settings. All of the major browser developers (e.g., Microsoft, Google, Mozilla) are actively exploring the possibility of providing a browser-based solution to achieve compliance);
  5. text in the footer / header of the web page which is highlighted or which turns into a scrolling piece of text when you wish to set a cookie on the user’s device.

Many websites allow third parties to set cookies on a user’s device. Businesses who use cookies to share information with third parties are urged to take special care to ensure that users are made aware of this sharing and are given the opportunity to make informed choices whether to permit it.

Who needs to comply with 2009 Amendments?

The new cookie rules apply to all European website operators or other companies with a presence in Europe and that target European users. Companies based outside Europe who may have no physical presence in Europe but who target users in Europe may also need to comply. The specific consent requirements will vary from one Member State to another.  

The challenge for businesses operating international websites will be not just to comply with the specific consent rules of each Member State but also to decide whether the EU-wide “opt-in” consent should be made available to their European customers only or to all of their business customers, including those in other non-EU jurisdictions.

What Actions Should You Be Taking Right Now?

Although EU countries have acknowledged the delay in implementation and/or enforcement of the 2009 Amendments, they have also made clear that businesses may not use the delay as an excuse for failing to make an effort to comply. Companies must begin to take steps now to achieve the broadly stated goals of the 2009 Amendments. Consider the following steps toward compliance:

  1. Know Your Cookies: companies should take the opportunity to re-evaluate their use of cookies (including those of third parties) and eliminate cookies which no longer serve a business purpose.
  2. Update Your Privacy Policies: most companies will need to revise their privacy policies to include more explicit disclosures concerning the use of cookies as well as information as to what existing customers can do to opt-out of the use of cookies.
  3. Consider Types of Consent: companies will need to consider various consent solutions, taking into account the nature of their business, likely costs and impact on user experience.
  4. Review Your Partner Agreements: companies should review their agreements with marketing partners and other service providers to ensure that appropriate security standards are incorporated for the collection of user data.
  5. Stay Informed: as more Member States of the EU announce their proposals for the implementation of the 2009 Amendments, the coming months will provide much needed specific guidance as to what will be expected of businesses in each particular jurisdiction.