We have reported previously in our Duane Morris Alerts about the progress with new cookie laws across Europe. The laws were introduced following a European Union Directive [the E-Privacy Directive (2009/136/EC)] at the end of 2009. As part of the Directive process, each member state within the European Union agreed to introduce new domestic laws by May 2011, substantially following the form of the Directive. A recent influential EU body has returned the spotlight to those laws with a report on what corporations should do to comply.

Enforcement

As we have noted previously, enforcement of these new laws got off to a slow start, with the UK and Ireland taking the lead. Regulators have written to a number of well-known multinational organisations as part of their enforcement activities. The full list of initial organisations written to by the UK regulator is here: http://www.ico.org.uk/news/blog/2012/~/media/documents/library/
Privacy_and_electronic/Notices/cookies_regulations_organisations_contacted_by_ico.ashx. The full list of initial organisations written to by the Irish regulator is here: http://dataprotection.ie/viewdoc.asp?m=f&fn=/documents/press/listwwebsites.htm. In May 2012, the European Commission referred five countries (Belgium, the Netherlands, Poland, Portugal and Slovenia) to the EU Court of Justice because of their delay in introducing the new rules into their national laws. (See http://europa.eu/rapid/press-release_IP-12-524_en.htm?locale=en.)

The New Article 29 Working Party Report

In an effort to clarify some of the confusion over the Directive and its implementation into local law, the EU's Article 29 Working Party (WP29) recently published an opinion about these cookie laws. WP29 is an advisory body whose membership includes a representative from the data protection authority of each EU country. Its opinions are advisory rather than binding, but in practice, they are likely to be followed by the regulatory authorities across the EU.

The opinion (technically known as Working Document 02/2013) was adopted on the 2nd October and published on the 14th October 2013. It seeks to clarify the widespread variance of cookie laws.

The opinion states that there are four elements to cookie compliance:

  1. Specific information must be given about the use of cookies.
  2. Timing—As a general rule, no cookies can be sent to a user's device before consent has been obtained.
  3. There must be an active choice that includes unambiguous consent. Consent could be given by the settings on a device's browser in some circumstances, but clicking on a link saying "more information on cookies" would not constitute consent as WP29 says the user was simply requesting information rather than agreeing to the use of cookies.
  4. Consent must be freely given. Real choice must be present.

The specific information that must be given will include:

  1. The purpose of the cookies being used.
  2. How long the cookie data will be kept.
  3. What information the cookies are collecting.
  4. How users can express their preferences (for example: by accepting some, none or all of the cookies).

WP29 confirms in its opinion that there is no all-encompassing solution, saying "The website operator is free to use different means for achieving consent, as long as this consent can be deemed as valid under EU legislation." The opinion emphasises that specific consent must be given. "In other words, blanket consent without specifying the exact purpose of the processing is not acceptable."

What Happens Next?

As we highlighted in our earlier Alerts, however, problems remain with the implementation of cookie laws. Enforcement of the laws is down to individual EU countries, not WP29 or the European Commission. As a result, enforcement is likely to still vary across Europe. Some countries like the Netherlands and Spain have taken a more restrictive position. Even in the UK, where there has been measured enforcement activity, there is evidence that public concern has lessened. In its enforcement report on 28th October 2013 (See http://www.ico.org.uk/enforcement/action/cookies) the UK data protection regulator said that complaints had dropped to 73 per quarter from a high of more than 250 per quarter when enforcement activity began.

What Does This Mean for Businesses?

It is apparent there is still a move to enforce cookie laws even if, as the UK regulator suggests, the public is less concerned about the use of cookies than when the legislation was introduced. Businesses may want to heed the regulators' warnings and ensure that their sites comply.

Businesses may also wish to perform a detailed analysis of the cookies used on their site to determine exactly the type of cookies their site is using and their purpose. This will include auditing the practices of third parties who supply services to their website, such as order tracking; payment fulfilment; or investor relations content. Many organisations find that challenging, as third parties will often use cookies as part of a service they provide without giving full disclosure. Businesses also should be mindful when incorporating content from providers to ensure that they have a legal agreement in place regulating the use of cookies.

For additional background, please see our previous Duane Morris Alerts on this topic.

UK Cookies Update: New Laws on Cookies and E-commerce

European Union Confirms "Get-tough" Approach on Cookies

United Kingdom's New Laws on Cookies and E-commerce

If you have any questions about this Alert, please contact Jonathan P. Armstrong in our London office, any of the members of the Information Technologies and Telecom Practice Group or the attorney in the firm with whom you are regularly in contact.

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. The Duane Morris Institute provides training workshops for HR professionals, in-house counsel, benefits administrators and senior managers.