European cookie monsters
Internet privacy has been the subject of much legal debate recently, on both sides of the Atlantic. U.S. lawmakers seek legislative updates to protect the privacy of U.S. citizens who use cell phones, webmail, and other data technologies.
In Europe, amendments to the Privacy and Electronic Communications Directive, dubbed the ‘cookie directive,' mean that storing and accessing information from users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing."
A cookie is a small file of letters and numbers downloaded onto a device when the user accesses certain websites. Cookies allow a website to recognize a user's device and store information, which can be used to help the browser navigate the website and fully use its features. Some cookies are essential for certain functions of a website, for example the cookie that remembers items a user has placed in a shopping basket. Cookies can also be used to identify the surfing habits of the computer, and build a profile of the individual's online behavior for advertisers. Most of the time, the user doesn't know that a cookie has been left.
The difficulty with the new law, however, is how to interpret "explicit consent." Advertisers claim that browser settings-which can be set to block unwanted cookies-should still suffice as consent. Privacy groups argue that browsers cannot fully comply with the directive language, and many users never change their default settings.
As with all European Directives, each of the 27 member states of the EU is responsible for turning the cookie directive into law and implementing it in its own country. Each country, therefore, must decide for itself what ‘explicit consent' actually means. Given the vagueness of the directive, it is likely that differences in practice and enforcement will exist within the EU.
Most countries have passed laws which implement the directive verbatim. Some, for example the UK, have issued further guidance through their privacy commissioners as to interpretation. In the case of the UK, the guidance in itself is vague, but does make clear one point - that reliance on browser settings alone will not suffice for consent. The UK government has recently announced that it will not enforce the law for a period of one year.
The cookie directive has created panic among website owners. U.S. organizations fear they will need to adopt stringent measures such as consent pop ups on all sites. For now, not all U.S.-based sites will be subject to these laws. Whether EU countries have jurisdiction over foreign owned and operated websites will depend on a number of factors, including whether the website owner has either hardware or ‘feet on the ground' in the country in question.
The presence of branch offices, servers, employees or other infrastructure in a European country will require compliance with the directive. However, merely operating a website which is accessible from Europe is unlikely to have the same effect, at least for now. It is worth noting that the European Commission is increasingly vocal in its calls for overseas websites to be subject to enforcement action over non-compliance with European privacy laws.
Pending clear guidance from European member states on the interpretation of the consent requirement, website operators would be well advised to analyze their European operations to ascertain whether they have ‘feet on the ground.' For operators who do, many use a statement indicating that by not disabling cookies (along with a link to instructions on how to disable) the individual has consented to their use. Other sites have taken the more direct step of using pop ups on the landing page of their site to obtain consent from users.
Whichever method is used to obtain consent, website operators with a presence in Europe should keep a close eye on developments in this area. Compliance with European cookie laws (as well as privacy laws generally) is likely to be an on-going and dynamic matter.
Elizabeth Harding is an attorney with Holland & Hart. Ms. Harding's practice focuses on sophisticated technology transactions and international data privacy.