In November 2009, the European Parliament and the Council of the EU amended the 2002 Privacy and Electronic Communications (“e-Privacy”) Directive (2002/58/EC). These revisions have caused considerable uncertainty about the obligations of companies that engage in e-commerce, particularly with respect to “cookies.” The new provisions were supposed to have been implemented into national law by all EU member states no later than May 25, 2011.
In terms of scope, the e-Privacy Directive applies to the processing of personal data in connection with the “provision of publicly available electronic communication services” within the EU. Thus, there may be an argument that only telecommunications and Internet service providers are covered. The amendments do not target particular types of companies, however, but rather the use of public communications networks for the purpose of providing services via such networks to the public. For this reason, most commentators and EU regulators such as the UK Information Commissioner’s Office (UK ICO) have interpreted the new rules to cover all websites that place cookies (small pieces of text that a website sends to a user’s web browser and that the browser returns to the site on later requests, allowing the site to recognize the user and track web usage) on computers located in the EU.
Cookies and Consent
Among other things, the amended e-Privacy Directive requires website operators to obtain consent from site visitors before storing and retrieving "information" from visitors’ computers or otherwise gaining access to a computer located in the EU. There are still questions about how the consent should be obtained. EU Member State laws can — and are expected to — differ in terms of how they implement the consent requirement. Thus, no one knows for sure how this requirement will be implemented in all of the Member States.
For example, in some Member States, consent may be implied by settings on a web browser, system or particular software application. Other Member States, however, have already indicated that implied consent is not sufficient. The EU’s article 29 Working Party — an advisory body that interprets EU data protection laws — has advised that users of cookies should “create prior opt-in mechanisms requiring an affirmative action by the data subjects indicating their willingness to receive cookies or similar devices and the subsequent monitoring of their surfing behavior for the purposes of serving tailored advertising.” Many current browsers and websites clearly do not meet the requirements of this standard.
The amended e-Privacy Directive requires that the notice and consent options be made as user-friendly as possible. Access to specific website content may still be conditioned on the acceptance of a cookie, but only if clear and explicit notice is provided and the cookie is used for a “legitimate purpose.”
The amended Directive now states that a cookie can be stored on a user’s computer, or accessed from that computer, only if the user “has given his or her consent, having been provided with clear and comprehensive information.” It still contains an exception for cookies that are “strictly necessary” for the provision of a service “explicitly requested” by the user. Thus, a session cookie that carries a user’s selections from a page listing goods or services for sale to the online checkout page does not require consent. Likewise, cookies needed for technical or security reasons remain permitted without consent. Other types of cookies, such as those used for advertising, will require prior consent. The position of cookies used by web analytics services to evaluate anonymous clickstream data, such as Google Analytics, is less clear.
Preliminary Cookie Guidance from the United Kingdom
As of the date of this Alert, only two Member States (Estonia and Denmark) have notified the European Commission that they have fully implemented the amended Directive. The UK, France, Slovenia, Luxembourg, Latvia and Lithuania have notified the Commission that they have partially implemented the Directive. Meanwhile, UK Information Commissioner Christopher Graham recently directed businesses to get ready for the EU law on cookies, but gave a reprieve of one year before the UK ICO will begin enforcing the new law.
How the UK Government Proposes to Implement the Law
Behavioral Advertising. The UK ICO supports the development of cross-industry policies for the use of third-party cookies for behavioral advertising.
Websites hosted in the European Economic Area (EEA) and data controllers established in the EEA will be subject to the new Member State laws. Determining the applicability of EU laws to entities not established in the EEA, however, is always a complicated task. To further complicate matters, the amended e-Privacy Directive does not contain an “applicable law” or jurisdiction-related provision, but instead refers to article 4 of the 1995 EU Data Protection Directive (95/46/EC).
Generally speaking, under article 4, EU data protection laws apply only if the processing of personal data has sufficient nexus with an EEA territory, either because the data controller has an “establishment” in the EEA or it uses data processing equipment located in the EEA. The article 29 Working Party has emphasized that EU data protection laws apply even when the “data subjects” (individuals) in question are not EU citizens or physically present in the EEA.
By way of example, on Dec. 16, 2010, the article 29 Working Party released an opinion regarding the applicability of EU Directive 95/46/EC. This opinion identifies a number of shortcomings in the current wording of article 4 and recommends changes to that wording. The opinion suggests that the new wording take into account new criteria, such as whether an entity’s activities are “targeted” at individuals in the EU. This criterion would mean that if a data controller collects personal data and offers goods or services explicitly accessible or directed to EU residents, it would be more likely that an EU regulator would exercise jurisdiction over that controller. Examples include: 1) displaying information in one or more EU languages, 2) delivering goods or services to physical addresses in EU countries, 3) making goods or services available with the use of an EU credit card and 4) sending advertisements in an EU language.
Despite this uncertainty, we can expect some Member State laws to apply the new provisions of the EU e-Privacy Directive broadly. Thus, data controllers established in the EEA that process personal data outside the EEA, and data controllers established outside the EEA that use “equipment” located in the EEA (including by placing cookies on end-user devices located there), should plan to comply with the new provisions.
Potential Risk-Management Actions to Address the New ‘Cookie Consent’ Requirements
Although the specific treatment of the new “cookie consent” by various national authorities will not be understood for some time, if you operate a website located in the EEA and your servers knowingly place cookies on computers and other devices in the EEA, or if your site “targets” Europeans in some manner, here are some potential actions you can take to lower the risk that you will be subject to legal action under the new rules:
- seek consent with pop-up notices (although some users’ browsers may block pop-ups by default, which risks confusion, and pop-ups can create an annoying user experience);
- use highlighted or scrolling headers, footers or splash screens that must be acknowledged;
- display a landing page containing disclosures about each cookie used by the site and providing some choices;
- conspicuously post disclosures and provide choices on all web pages requesting personal information;
- incorporate cookie choices into terms and conditions for your site and require users to click “I Accept.”
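Whichever notice mechanism from the list above is used, the consent decision still has to be enforced at the point where the site actually sets cookies. As an added example (not code from the original alert or from any regulator), the following Node.js module shows one way to do that on the server side, following the categories drawn earlier: cookies in the “strictly necessary” category are always emitted, while analytics and advertising cookies are emitted only when the visitor’s own recorded opt-in covers their category, and browser defaults are never treated as consent. The cookie catalogue, the category names, the sample values and the `cookie_consent` cookie format are assumptions made for the illustration.

```javascript
// Added example, not code from the original alert. Consent-gated Set-Cookie
// generation: "necessary" cookies are always allowed (the "strictly necessary"
// exception); every other category needs a recorded, affirmative opt-in.
// The catalogue, category names and consent-cookie format are assumptions.

// Build a Set-Cookie header value. Cookie names must be RFC 6265 tokens;
// values are URL-encoded so ";" and whitespace cannot break the header.
function serializeCookie(name, value, attrs = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${attrs.path || "/"}`];
  if (Number.isInteger(attrs.maxAge)) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.secure !== false) parts.push("Secure"); // Secure unless explicitly disabled
  if (attrs.httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${attrs.sameSite || "Lax"}`);
  return parts.join("; ");
}

// Constructed catalogue of the cookies this hypothetical site sets.
// "necessary": needed for a service the visitor explicitly requested
// (session, CSRF token) or to remember the consent choice itself.
const COOKIE_CATALOGUE = {
  sid:            { category: "necessary",   httpOnly: true,  sameSite: "Lax" },
  csrf_token:     { category: "necessary",   httpOnly: false, sameSite: "Strict" },
  cookie_consent: { category: "necessary",   maxAge: 15552000 },
  _ga:            { category: "analytics",   maxAge: 63072000 },
  ad_id:          { category: "advertising", maxAge: 31536000 },
};

// Parse the site's own consent cookie (e.g. "analytics,advertising").
// A missing cookie or an unknown value means no consent. Browser settings
// are deliberately not consulted: only a recorded opt-in counts.
function parseConsent(raw) {
  const consent = { analytics: false, advertising: false };
  if (typeof raw !== "string") return consent;
  for (const item of raw.split(",")) {
    const category = item.trim();
    // hasOwnProperty guards against keys like "__proto__" on the consent object
    if (Object.prototype.hasOwnProperty.call(consent, category)) consent[category] = true;
  }
  return consent;
}

// Return the Set-Cookie headers that may be sent for `requested`
// ({name: value}) under `consent`, plus the names that were withheld.
function gateCookies(requested, consent) {
  const headers = [];
  const blocked = [];
  for (const [name, value] of Object.entries(requested)) {
    const spec = COOKIE_CATALOGUE[name];
    if (!spec) { blocked.push(name); continue; } // uncatalogued cookies are never set
    const allowed = spec.category === "necessary" || consent[spec.category] === true;
    if (allowed) headers.push(serializeCookie(name, value, spec));
    else blocked.push(name);
  }
  return { headers, blocked };
}

// Glue for an HTTP handler: read the visitor's consent cookie from the parsed
// request cookies and gate the cookies the page wants to set.
function setCookieHeadersFor(requestCookies, requested) {
  return gateCookies(requested, parseConsent(requestCookies.cookie_consent));
}

// Stand-alone demo on constructed input: a first visit with no recorded
// consent, then a visit after the visitor opted in to analytics only.
function demo() {
  const wanted = { sid: "s3ss10n", csrf_token: "t0k3n", _ga: "GA1.2.1", ad_id: "adv-42" };
  return {
    firstVisit: setCookieHeadersFor({}, wanted),
    afterOptIn: setCookieHeadersFor({ cookie_consent: "analytics" }, wanted),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

On the first visit only `sid` and `csrf_token` are emitted and `_ga` and `ad_id` are reported as blocked; after an opt-in to analytics, `_ga` is added while `ad_id` stays blocked. Keeping the catalogue in one place also gives the site the per-cookie disclosure list that the landing-page option above requires.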
Let’s Not Forget about Data Breaches
The revised e-Privacy Directive establishes, for the first time in the EU, a mandatory personal data breach notification framework. This framework applies only to providers of publicly available electronic communications services (e.g., communications and Internet access providers). However, the EU Commission has already indicated that it will soon propose legislation that will cover the entire scope of the providers regulated under the broader Data Protection Directive (95/46/EC). Furthermore, recital 59 of the e-Privacy Directive encourages EU member states, while new EU Commission rules are pending, to apply the new data breach rules very liberally, “regardless of the sector, or the type, of data concerned.”
Under the new rules, providers must notify — without undue delay — individuals and authorities when they suffer a breach. Individuals must be notified if the breach is likely to adversely affect the personal data or privacy of such individual. Regardless of the potential harm, all data breaches must be reported to the authorities. The notification should describe the nature of the breach, list the provider’s contact information and recommend measures to mitigate possible adverse effects. The notification to the competent national authority must also describe steps taken by the provider to address the breach.
Notification of a personal data breach to an individual is not required, however, if:
- the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures;
- the provider applied those measures to the data impacted by the security breach; and
- the technological protection measures render the data unintelligible to any person not authorized to access it.
Both the scope of providers covered by the reporting requirements and the appropriateness of the technological protection measures are expected to diverge in implementation by the various Member States, making the jurisdictional issues described above very important because forum shopping may become an attractive option until these concepts are further harmonized.