
European cookie monsters


Internet privacy has been the subject of much legal debate recently, on both sides of the Atlantic. U.S. lawmakers seek legislative updates to protect the privacy of U.S. citizens who use cell phones, webmail, and other data technologies.

In Europe, amendments to the Privacy and Electronic Communications Directive, dubbed the 'cookie directive,' mean that storing and accessing information from users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing."

A cookie is a small file of letters and numbers downloaded onto a device when the user accesses certain websites. Cookies allow a website to recognize a user's device and store information, which can be used to help the browser navigate the website and fully use its features. Some cookies are essential for certain functions of a website, for example the cookie that remembers items a user has placed in a shopping basket. Cookies can also be used to identify the surfing habits of the computer, and build a profile of the individual's online behavior for advertisers. Most of the time, the user doesn't know that a cookie has been left.

Consent to use cookies on websites is not a new requirement in Europe. What the new cookie directive changes is the requirement that consent be explicit. Previous legislation allowed website owners to assume consent if a user had not opted out of cookie use through his or her browser settings. Lawmakers believe this approach is no longer satisfactory for current technology.

The difficulty with the new law, however, is how to interpret "explicit consent." Advertisers claim that browser settings, which can be set to block unwanted cookies, should still suffice as consent. Privacy groups argue that browsers cannot fully comply with the directive language, and many users never change their default settings.

Therefore, consent must be given in every instance a cookie is issued, when it is not essential to a site's functionality. Consequently, sites could be forced to issue a pop-up consent form every time a user visits. In the UK, the exception to explicit consent is interpreted as applying when the website cannot function without the use of cookies.

As with all European Directives, each of the 27 member states of the EU is responsible for turning the cookie directive into law and implementing it in its own country. Each country, therefore, must decide for itself what 'explicit consent' actually means. Given the vagueness of the directive, it is likely that differences in practice and enforcement will exist within the EU.

Most countries have passed laws which implement the directive verbatim. Some, for example the UK, have issued further guidance through their privacy commissioners as to interpretation. In the case of the UK, the guidance in itself is vague, but does make clear one point - that reliance on browser settings alone will not suffice for consent. The UK government has recently announced that it will not enforce the law for a period of one year.

The cookie directive has created panic among website owners. U.S. organizations fear they will need to adopt stringent measures such as consent pop ups on all sites. For now, not all U.S.-based sites will be subject to these laws. Whether EU countries have jurisdiction over foreign owned and operated websites will depend on a number of factors, including whether the website owner has either hardware or 'feet on the ground' in the country in question.

The presence of branch offices, servers, employees or other infrastructure in a European country will require compliance with the directive. However, merely operating a website which is accessible from Europe is unlikely to have the same effect, at least for now. It is worth noting that the European Commission is increasingly vocal in its calls for overseas websites to be subject to enforcement action over non-compliance with European privacy laws.

Pending clear guidance from European member states on the interpretation of the consent requirement, website operators would be well advised to analyze their European operations to ascertain whether they have 'feet on the ground.' Many operators who do use a statement, along with a link to instructions on how to disable cookies, indicating that by not disabling cookies the individual has consented to their use. Other sites have taken the more direct step of using pop ups on the landing page of their site to obtain consent from users.

Whichever method is used to obtain consent, website operators with a presence in Europe should keep a close eye on developments in this area. Compliance with European cookie laws (as well as privacy laws generally) is likely to be an on-going and dynamic matter.
Elizabeth Harding is an attorney with Holland & Hart. Ms. Harding's practice focuses on sophisticated technology transactions and international data privacy.
