May 25 marked the deadline for EU member states to transpose the so-called "cookie directive" into national law, though the requirements of that directive remain unclear.
The existing e-Privacy Directive (2002/58/EC) states that companies may place cookies—those pieces of Web code used to authenticate, track, and profile Web users—on consumers' computers for "legitimate" purposes so long as they provide to consumers "clear and precise information" and an opportunity to refuse the cookie. However, the amended version (2009/136/EC) clearly changes this standard by stating that a company may store or access information of a subscriber only if the subscriber "has given his or her consent, having been provided with clear and comprehensive information . . . about the purposes of the processing."
Whether this language requires companies to obtain affirmative (and cumbersome) "opt-in" consumer consent before placing cookies on the consumer's browser is open to debate. The EU Data Protection Directive (95/46/EC) defines "consent" as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." Interpretations of this definition have often regarded silence—i.e., failure to object—as an inadequate indication of consent.
Meanwhile, The Wall Street Journal recently reported EU Justice Commissioner Viviane Reding's position that U.S. organizations that target European consumers must be bound by the same privacy and data protection requirements as EU companies.
In light of these developments, businesses should consider how the EU countries in which they do business have implemented the cookie directive and consult with counsel about how their online data collection practices may need to be adjusted.