The deadline has come and gone for European Union (EU) Member States to start requiring companies to obtain individuals’ consent prior to placing cookies on computers, mobile devices and other hardware. In its wake, industry players continue to struggle to understand what this cookie consent requirement means. U.S. companies should consider basic compliance steps if they offer websites, mobile applications or other online offerings to EU individuals, as EU regulators have long sought to hold such U.S. companies responsible.

“Consent” was left ambiguous by EU lawmakers in late 2009 amendments to the EU E-Privacy Directive (directive 2009/136/EC, which amended directive 2002/58/EC). Thus, substantial uncertainty has persisted about whether the new EU law might disrupt the function of cookies. Cookies are small pieces of software saved by an online application to an individual’s hard drive. They are ubiquitous and nearly essential to the smooth functioning of many websites and mobile apps. Because cookies also underpin online tracking, behavioral targeting and advertising, EU privacy regulators have long viewed them with suspicion and have sought to require individual consent as a precondition to placing cookies. Accordingly, the new EU law presented a potential danger to the ordinary functioning of the web, as well as to online advertising revenue.

U.S. operators could be caught in the snare. For many years, EU data protection authorities (DPAs) have contended that a foreign website operator placing a cookie on a computer in the European Union is availing itself of “equipment” located in the EU. Thus, they argue, that operator is subject to EU law. By this theory, a U.S.-based website operator would be required to obtain the informed, opt-in consent of EU individuals before placing cookies on their hard drives. Not surprisingly, recent guidance from individual Member State DPAs concerning the cookie consent requirement does not disclaim a potential extraterritorial reach. Where a U.S. company has a prominent presence in the European Union, and especially where that company is active in online behavioral advertising, the threat of DPA action on cookies is greater.

Opt-In Consent to Cookies?

EU authorities have been mixed on the question of whether prior “opt in” consent is necessary to place a cookie. “Opt-in consent” generally is understood to require an individual’s affirmative act to signal assent—as opposed to a “default” presumption of consent in the absence of action. Needless to say, getting consumers to take action on the granular question of a company’s cookies can quickly become a practical and commercial impossibility, even if a consumer would consider the online offering valuable and the results of a cookie harmless.  

Interpretive language in the E-Privacy Directive itself suggests that consent could be based merely on an individual’s browser settings. As browsers are generally set by default to accept cookies, online operators wondered whether they perhaps faced no new requirement under the directive amendments, other than to build fulsome notice of cookies into their privacy policies.

Not so fast, said the EU data protection authorities. In a nonbinding 2010 opinion, a group of privacy regulators known as the “Article 29 Working Party” found that default browser settings are inadequate to demonstrate individual user preference, at least with respect to third-party cookies associated with ad networks. The DPAs acknowledged that, if a browser bars all cookies by default, then a user who changes the setting to allow cookies would appear to consent to such cookies. But regulators insisted that some informed, positive action by the user would be necessary to make cookies associated with online behavioral advertising legitimate.

Which Way Are the Winds Blowing?

Despite the May 2011 implementation deadline, many Member States have failed to fully implement the directive amendments. Even where legislation is in effect, it often fails to specify whether opt-in consent is necessary. Finally, Member States seem to be taking markedly different approaches to implementing the amendment, creating yet another “regulatory patchwork” in the EU privacy area.

U.S. companies that direct online offerings to EU individuals should continue to monitor how the cookie consent requirements develop. But it seems premature to overhaul online offerings in order to create a mechanism for obtaining opt-in cookie consent. For example, the United Kingdom’s implementation of the directive mentions that browser settings can be the basis for consent. Though UK privacy regulators contend in informal statements that default browser settings are insufficient, their proposed response—to work with browser providers to change default settings—seems unlikely to produce results in a commercially reasonable time frame. Moreover, it remains to be seen what success EU authorities will have in enforcing their preferred interpretations against EU-based offerings, let alone those of U.S.-based companies.

In this vacuum of meaningful guidance, U.S. companies doing online business in Europe should consider the relatively low-cost step of ensuring that their privacy policies fully describe whether cookies are used; whether third-party cookies are placed through the online offering; whether cookies support tracking and targeted advertising; the information that is collected by means of the cookie; how such information is used; and opportunities individuals have to opt-out from cookies. Privacy policies should be clear, concise and easy to find. Because informed choice is an important element of the directive amendments, a fulsome privacy policy would aid any reliance a company might place on implied consent based on a consumer’s browser settings.