EU Member States Struggle with New Opt-in Policies Regarding Use of Cookies on Computers and Other Terminal Equipment

Background

The EU has amended its 2002 E-Privacy Directive to require customer consent under certain circumstances for use of cookies. The EU amendment requires that website operators which target the EU market must obtain the active and informed consent of their users before placing a cookie or using similar technologies for storing information about their customers.¹ EU member states are required to adopt implementing regulations that will govern their respective jurisdictions. In spite of a May 26 EU implementation deadline, to date only a few smaller EU member states have implemented the required regulations. Most member states have not yet done so. Companies doing business within the EU will need to comply with the varying laws of different jurisdictions and choice-of-law issues may arise. There is robust debate about what “opt-in” means in this cookie context and how it should be implemented. Although the state of the law throughout the EU is still in flux, the following recent developments should be considered as they may impact a company’s approach and strategy on how to comply with the new rules.

Recent Developments

In May 2011, as one of the first member states, the U.K. prepared a groundwork for other member states to follow through the Information Commissioner’s Office (“ICO”) publication of a guidance requiring that users take an “active” step to consent to the use of cookies on their devices. While the ICO may not immediately use its recently expanded authority to fine noncompliant companies up to £500,000 for serious breaches, the ICO may issue a ruling or an opinion against website operators that fail to take steps to comply.

On Aug. 3, 2011, the chairman of the Working Party (“WP”), the body of the representatives of the national data protection authorities at the EU Commission, sent a letter to the Internet Advertising Bureau Europe (IABE) and European Advertising Standards Alliance (EASA); both had proposed a new self-regulatory code for online behavioral advertising, including the use of cookies for these purposes. In particular, they have suggested that companies that adopt the code display an icon telling users that the company tracks their online activity for advertising purposes. Through the use of this icon web users would be able to manage their preferences or stop receiving behavioral advertising via a new EU website: www.youronlinechoices.eu. However, the WP has rejected this approach, stating that placing cookies, tracking and serving ads would take place unless the users exercise the option to opt-out. The WP concludes the approach does not meet the EU’s legal requirements to obtain informed consent of the individual user. The WP will hold further meetings with the IABE/EASA in September to resolve the differences.

On Aug. 26, 2011, France issued a new ordinance that modifies the French Data Protection Act of 1978, the French Postal and Electronic Communications Code, and the French Consumer Protection Code to comply with the Directive by requiring an opt-in.

Suggested Approaches for Compliance

• Companies that do business in the EU should implement procedures, depending on the type of cookies used and other factors, to comply with the Directive and anticipate settling of outstanding issues. Companies should monitor the current regulations and the ongoing debate, particularly between marketing organizations and the EU, about how consent rules of the Directive should be implemented. In particular, companies with customers in the EU should as a first step develop a comprehensive strategy by creating an inventory of the types of cookies generated by their website. After compiling a comprehensive list of cookies, companies should then take steps to assess how intrusive a website’s use of cookies is. This will allow them to evaluate what level of consent may be needed for each cookie. This evaluation may also reveal that some of these cookies fall under the law’s narrow exemption for obtaining consent, which covers cookies that are strictly necessary for a service requested by a user.
• Companies should closely monitor the further discussions between the IABA/EASA and the EU data protection authorities regarding online advertisements and placing cookies on a computer. Although the ICO and the WP have both rejected the use of standard (default) browser settings for obtaining consent, the possibility exists that these tools could be sufficiently updated to allow users to give the active and informed consent necessary under the new regulations and to protocol such consent. By contrast, the new French ordinance apparently allows individual consent to be obtained through user-controlled settings on an electronic device.
• Website operators should be mindful that a solution in one EU member state may not necessarily work in another member state. Therefore, monitoring the legal developments and discussions within the EU and within the relevant member states is highly advisable.

If you have any questions or concerns as to how your business should address the Directive and the national laws and regulations in the EU, please contact one of the lawyers listed below.

 

For further information about the subject matter of this alert, please contact the lawyers listed below:

Dr. Axel Spies, Rechtsanwalt, Of Counsel, Telecommunication, Media & Technology Group
a.spies@bingham.com, 202.373.6145 or +49.69.677766.0

---

¹ EU Directive 2009/136/EC, Amendment to Art 5(3) of Directive 2002/58/EC: “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing . . .”