The deadline has come and gone for European Union (EU) Member States to start requiring companies to obtain individuals’ consent prior to placing cookies on computers, mobile devices and other hardware. In its wake, industry players continue to struggle to understand what this cookie consent requirement means. U.S. companies should consider basic compliance steps if they offer websites, mobile applications or other online offerings to EU individuals, as EU regulators have long sought to hold such U.S. companies responsible.
U.S. operators could be caught in the snare. For many years, EU data protection authorities (DPAs) have contended that a foreign website operator placing a cookie on a computer in the European Union is availing itself of “equipment” located in the EU. Thus, they argue, that operator is subject to EU law. By this theory, a U.S.-based website operator would be required to obtain the informed, opt-in consent of EU individuals before placing cookies on their devices. Not surprisingly, recent guidance from individual Member State DPAs concerning the cookie consent requirement does not disclaim a potential extraterritorial reach. Where a U.S. company has a prominent presence in the European Union, and especially where that company is active in online behavioral advertising, the threat of DPA action on cookies is greater.
Opt-In Consent to Cookies?
EU authorities have been mixed on the question of whether prior “opt in” consent is necessary to place a cookie. “Opt-in consent” generally is understood to require an individual’s affirmative act to signal assent—as opposed to a “default” presumption of consent in the absence of action. Needless to say, getting consumers to take action on the granular question of a company’s cookies can quickly become a practical and commercial impossibility, even if a consumer would consider the online offering valuable and the results of a cookie harmless.
Interpretive language in the E-Privacy Directive itself suggests that consent could be based merely on an individual’s browser settings. As browsers are generally set by default to accept cookies, online operators wondered whether they perhaps faced no new requirement under the directive amendments, other than to build full notice of their cookie practices into their privacy policies.
Not so fast, said the EU data protection authorities. In a nonbinding 2010 opinion, a group of privacy regulators known as the “Article 29 Working Party” found that default browser settings are inadequate to demonstrate individual user preference, at least with respect to third-party cookies associated with ad networks. The DPAs acknowledged that, if a browser bars all cookies by default, then a user who changes the setting to allow cookies would appear to consent to such cookies. But regulators insisted that some informed, positive action by the user would be necessary to make cookies associated with online behavioral advertising legitimate.
Which Way Are the Winds Blowing?
Despite the May 2011 implementation deadline, many Member States have failed to fully implement the directive amendments. Even where legislation is in effect, it often fails to specify whether opt-in consent is necessary. Finally, Member States seem to be taking markedly different approaches to implementing the amendment, creating yet another “regulatory patchwork” in the EU privacy area.
U.S. companies that direct online offerings to EU individuals should continue to monitor how the cookie consent requirements develop. But it seems premature to overhaul online offerings in order to create a mechanism for obtaining opt-in cookie consent. For example, the United Kingdom’s implementation of the directive mentions that browser settings can be the basis for consent. Though UK privacy regulators contend in informal statements that default browser settings are insufficient, their proposed response—to work with browser providers to change default settings—seems unlikely to produce results in a commercially reasonable time frame. Moreover, it remains to be seen what success EU authorities will have in enforcing their preferred interpretations against EU-based offerings, let alone those of U.S.-based companies.