Privacy In Focus® welcomes guest author Anthony Woolich, partner at the London office of Holman Fenwick Willan LLP, as an expert commentator on the new European Union (EU) Directive concerning electronic communications privacy (please see the next article "Privacy and the New EU Regulatory Package"). The impact of the new Directive will depend greatly on its implementation by individual EU Member States, as well as the influence of the European Commission. Accordingly, Wiley Rein appreciates Mr. Woolich's willingness to share his on-the-ground perspective from the European Union.
The "Cookie" Requirements
U.S. companies should watch for regulatory and technical developments in response to the EU Directive's restrictions on "cookies." As Mr. Woolich explains, Directive 2009/136/EC generally requires end-user consent to the storing of information (such as the piece of software known as a "cookie") on the user's computer. Accessing stored cookie data, the raison d'être of a cookie, would also require consent. Further, a user's consent would be valid only if he or she is "provided . . . clear and comprehensive information" concerning the cookie's use.
Cookies are ubiquitous and functionally central to many websites, and indeed, trying to surf the web while refusing all cookies can be a frustrating, clumsy experience. Thus, EU watchers are asking whether the Directive really means that a website operator, or third-party advertiser, must get specific, verifiable, opt-in consent from each user in the European Union before placing cookies on their hard drives. Without knowing how EU Member States will implement the Directive, and what guidance national privacy regulators will issue, one cannot be certain. But the answer may well be "no."
First, the Directive explicitly exempts from the consent requirement cases where: (a) cookies are strictly necessary to provide a requested online service, or (b) information storage is for the sole purpose of carrying out an online communication. So, core website functionality that depends on cookies may not require prior user consent.
Third-Party Advertisers Could Escape, But Not "Flash Cookies"
Moreover, even third-party advertisers, which are of concern to many European privacy regulators, potentially could escape the consent requirement. A recital to the Directive explains that users can communicate consent through their browser settings. As almost all browsers include privacy settings that control cookies (including browsers on many mobile devices), almost all browser users may have already "consented" to the cookies stored on their computers. Further, third-party advertisers whose cookies are allowed by browser privacy settings could satisfy the Directive's notice requirement through their existing online privacy policies.
Accordingly, the Directive's cookie-consent rule might require only limited changes in today's prevailing online practices. However, placing so-called "flash cookies" would likely require some type of user consent, as such cookies are controlled through Adobe's widely used Flash plug-in, rather than a browser. But more conventional cookies might not require further demonstrations of user consent if they behave in accordance with a user's privacy settings, even those set by default in a browser.