On May 26, 2011, the Member States of the European Union (“EU”) became obligated to begin enforcing the 2009 amendments to the e-Privacy Directive regulating the use of Internet “cookies” (“2009 Amendments”). Although delays in implementation of the new rules mean that enforcement is likely to be phased in over the next year, national regulatory authorities from EU Member States have made clear that companies must begin the process of achieving compliance now. Failure to comply could lead to the imposition of substantial monetary penalties and, in some cases, even criminal liability.
What Is A Cookie?
A cookie is a small file of letters and numbers that can be downloaded on a device when the user accesses certain websites. A cookie allows the website to recognize the user’s device and may convey information concerning the user’s activities and preferences.
In 2002, the EU passed the e-Privacy Directive, which, among other things, required that Internet users be provided with “clear and comprehensive information” about why cookies are used on the relevant website and be offered the right to refuse the cookies – the so-called “opt-out” consent.
National Implementation of 2009 Amendments
EU directives do not have direct legal force in countries within the EU – they need to be implemented through national legislation. Such implementation (also known as “transposition”) is mandatory under EU law, though Member States often miss the deadlines imposed by the EU.
Though the 2009 Amendments were required to be implemented by May 26, 2011, out of the 27 Member States only Denmark and Estonia achieved full implementation within the given time frame. Seven other countries (Finland, France, Lithuania, Luxembourg, Slovenia, Spain and the UK) met the deadline but only with partial implementation of the 2009 Amendments. The EU-wide delay in the implementation has many EU countries considering a “moratorium” on the enforcement of the new cookie law. For example, the United Kingdom has granted businesses 12 months to bring their practices in line with the 2009 Amendments before the enforcement begins, though businesses must begin the process of achieving compliance now.
What is Required to Meet The “Opt-In” Consent Requirement?
There is no clear consensus between the national EU governments, regulators and various business groups as to what type of consent will satisfy the 2009 Amendments. This has been left for each individual Member State to interpret and set out in their national laws.
In the UK, for example, the national regulatory authority has published guidance as to what could constitute a sufficient “opt-in” consent:
- pop-ups or features-led consent, asking for consent prior to allowing the user to view a website or any particular feature of the website;
- terms and conditions to which the user agrees when he or she first registers or signs up;
- settings or preference-based consent, obtained by notifying the user that the site can “remember” a user preference by use of a cookie;
- Internet browser settings (although in the view of various EU countries and the European Commission, most browsers currently available in the market are not sophisticated enough to be capable of delivering valid consent to cookies via their settings. All of the major browser developers (e.g., Microsoft, Google, Mozilla) are actively exploring the possibility of providing a browser-based solution to achieve compliance);
- text in the footer / header of the web page which is highlighted or which turns into a scrolling piece of text when you wish to set a cookie on the user’s device.
Who needs to comply with 2009 Amendments?
The new cookie rules apply to all European website operators or other companies with a presence in Europe and that target European users. Companies based outside Europe who may have no physical presence in Europe but who target users in Europe may also need to comply. The specific consent requirements will vary from one Member State to another.
The challenge for businesses operating international websites will be not just to comply with the specific consent rules of each Member State but also to decide whether the EU-wide “opt-in” consent should be made available to their European customers only or to all of their business customers, including those in other non-EU jurisdictions.
What Actions Should You Be Taking Right Now?
Although EU countries have acknowledged the delay in implementation and/or enforcement of the 2009 Amendments, they have also made clear that businesses may not use the delay as an excuse for failing to make an effort to comply. Companies must begin to take steps now to achieve the broadly stated goals of the 2009 Amendments. Consider the following steps toward compliance:
- Consider Types of Consent: companies will need to consider various consent solutions, taking into account the nature of their business, likely costs and impact on user experience.
- Review Your Partner Agreements: companies should review their agreements with marketing partners and other service providers to ensure that appropriate security standards are incorporated for the collection of user data.
- Stay Informed: as more Member States of the EU announce their proposals for the implementation of the 2009 Amendments, the coming months will provide much needed specific guidance as to what will be expected of businesses in each particular jurisdiction.