Background
The EU has amended its 2002 E-Privacy Directive to require customer consent under certain circumstances for use of cookies. The EU amendment requires that website operators which target the EU market must obtain the active and informed consent of their users before placing a cookie or using similar technologies for storing information about their customers.1 EU member states are required to adopt implementing regulations that will govern their respective jurisdictions. In spite of a May 26 EU implementation deadline, to date only a few smaller EU member states have implemented the required regulations. Most member states have not yet done so. Companies doing business within the EU will need to comply with the varying laws of different jurisdictions and choice-of-law issues may arise. There is robust debate about what “opt-in” means in this cookie context and how it should be implemented. Although the state of the law throughout the EU is still in flux, the following recent developments should be considered as they may impact a company’s approach and strategy on how to comply with the new rules.
Recent Developments
In May 2011, as one of the first member states, the U.K. prepared a groundwork for other member states to follow through the Information Commissioner’s Office (“ICO”) publication of a guidance requiring that users take an “active” step to consent to the use of cookies on their devices. While the ICO may not immediately use its recently expanded authority to fine noncompliant companies up to £500,000 for serious breaches, the ICO may issue a ruling or an opinion against website operators that fail to take steps to comply.
On Aug. 3, 2011, the chairman of the Working Party (“WP”), the body of the representatives of the national data protection authorities at the EU Commission, sent a letter to the Internet Advertising Bureau Europe (IABE) and European Advertising Standards Alliance (EASA); both had proposed a new self-regulatory code for online behavioral advertising, including the use of cookies for these purposes. In particular, they have suggested that companies that adopt the code display an icon telling users that the company tracks their online activity for advertising purposes. Through the use of this icon web users would be able to manage their preferences or stop receiving behavioral advertising via a new EU website: www.youronlinechoices.eu. However, the WP has rejected this approach, stating that placing cookies, tracking and serving ads would take place unless the users exercise the option to opt-out. The WP concludes the approach does not meet the EU’s legal requirements to obtain informed consent of the individual user. The WP will hold further meetings with the IABE/EASA in September to resolve the differences.
On Aug. 26, 2011, France issued a new ordinance that modifies the French Data Protection Act of 1978, the French Postal and Electronic Communications Code, and the French Consumer Protection Code to comply with the Directive by requiring an opt-in.
Suggested Approaches for Compliance
If you have any questions or concerns as to how your business should address the Directive and the national laws and regulations in the EU, please contact one of the lawyers listed below.
For further information about the subject matter of this alert, please contact the lawyers listed below:
Dr. Axel Spies, Rechtsanwalt, Of Counsel, Telecommunication, Media & Technology Group
a.spies@bingham.com, 202.373.6145 or +49.69.677766.0
This article was originally published by Bingham McCutchen LLP.