Inside EU Cookie Laws

What it is: The UK’s Privacy and Electronic Communications Directive, an amendment to the EU’s E-Privacy Directive, will restrict the use of cookies and virtually any other tracking methods used for advertising purposes. Both legal frameworks would require any company with users in an EU country to be subject to EU-wide and country-specific privacy legislation. The UK law’s translation of the EU’s E-Privacy Directive principles is far more restrictive than the present incarnation of the US-EU Safe Harbor agreement, which requires US companies to offer notification when cookies are used on a website.

Why it matters: The restriction on cookie use could impose financial and even criminal penalties for the improper use of cookies. The UK government today announced a deferment on non-compliance penalties for one year. The law, however may still place large American brands at a disadvantage. Because many major American campaigns employ rich media ads and display content from multiple sources, the bigger and more elaborate an advertising campaign or a retail website is, the more vulnerable it would be to restrictions through the new EU directives.
How it works: The law would require notice each time a cookie is used, setting up a flurry of notifications. The bigger the website and the richer the media, the greater the risk. A browser solution might work for webpages, but it wouldn’t work for mobile apps and even Web apps. The ICO suggests that companies use “some other way” to alert users to cookie use. Adding information to a terms of use agreement won’t work either, according to the report, unless all users are issued a new agreement and certify their acceptance.
Who’s doing it: Every company with a user in the EU or the UK will eventually have to implement the measures, but at present only two EU members, Denmark and Estonia, have implemented controls to enforce the EU directives besides the UK’s efforts. The EU and the UK are presently working with all major browser manufacturers to create browser-level solutions for privacy. Some American companies, such as Truste and AdSafe, are creating products for EU-compliance.
Assessment: The cookie-use evaluation process is only half the battle, as American companies will also have to contend with further EU legislation meant to limit data storage practices globally, on mobile and online. “Businesses may want to check their sites to work out where they are using cookies and what those cookies are doing,” wrote attorney Johnathan Armstrong, of Duane Morris, a firm specializing in technology law. “They may want to stop using unnecessary cookies, especially those sending data to third parties. Businesses may then work on ways of telling visitors to their sites what is happening to their data. Given that the law is in a state of uncertainty, transparency should be the guiding principle of any business in its online activities.”

Sign up to get the day’s top stories at 6am eastern.