A number of national enforcement agencies recently indicated they are going to start actively enforcing Directive 2009/136/EC (the “EU Cookie Directive”). If a US company has business operations in an EU member country, or has assets (including, without limitation, bank accounts or employees) in an EU member country, that member country will likely be able to exercise jurisdiction over the US company. It is therefore imperative that US companies carefully consider whether they need to comply with the EU Cookie Directive.
Background
In 2002, the European Parliament and the Council of the European Union passed Directive 2002/58/EC (the “2002 Directive”) concerning the processing of personal data and the protection of privacy in the electronic communications sector. Article 5(3) of the 2002 Directive requires member countries to modify their laws to require entities that store information on, or access information from, subscribers’ or users’ computers or other electronic devices to provide users with “clear and comprehensive information” about the collection, use and disclosure of such information, together with the opportunity to refuse it.
In 2009, the European Parliament and the Council of the European Union passed the EU Cookie Directive, which amended Article 5(3) of the 2002 Directive and requires member countries to modify their laws to require entities that store information on, or access information from, subscribers’ or users’ computers or other electronic devices to (1) give the user advance written notice that a cookie is being placed on his or her device and describe what the cookie does; and (2) obtain the user’s consent before placing the cookie on the user’s device. The EU Cookie Directive is forward-looking in the sense that it applies to any technology, present or future, that stores information on or reads information from a user’s device in order to track the user’s preferences. It is not limited to cookies.
The European Parliament and the Council of the European Union required member states to enact national laws that comply with the EU Cookie Directive by May 2011. Today, 20 of the 27 EU member states have enacted such laws.
EU Member Countries’ Inconsistent Implementation of the EU Cookie Directive
The 20 countries that have implemented the EU Cookie Directive have not done so consistently. One key area where these 20 countries’ laws differ is whether companies are required to obtain a user’s opt-in consent before placing a cookie on his or her computer or other electronic device. Some countries require opt-in consent for all cookies. Other countries require opt-in consent only for certain types of cookies (such as cookies used to collect sensitive personal information or to track users for marketing purposes). Other countries generally will not require opt-in consent. And it is still unclear how a number of countries will implement this requirement.
These legal inconsistencies are made even more complex by the fact that each of the seven EU member states that have not yet implemented the EU Cookie Directive has its own existing laws regarding opt-in consent. This inconsistency in EU member countries’ laws makes compliance difficult.
Penalties for Failing to Comply with the EU Cookie Directive
Enforcement agencies are stepping up enforcement of the EU Cookie Directive. For example, earlier this month Dave Evans, Group Manager for Business and Industry at the Information Commissioner’s Office (“ICO”), the UK independent authority charged with enforcing the UK’s implementation of the EU Cookie Directive, stated that the ICO is going to dramatically increase enforcement actions against companies that do not comply with the law. The ICO may fine a company up to £500,000 for failing to comply with the UK’s implementation of the EU Cookie Directive, and a company that operates in several member states could potentially be fined in each of them.
Special Concerns – M&A
If your company is acquiring another company, you should conduct due diligence to determine whether the target company has complied with applicable laws and confirm that the representations, warranties and indemnities adequately cover any damages for breach of these laws.
If a company’s end goal is acquisition, it should confirm that it complies with all applicable EU member state laws, because EU Cookie Directive compliance is being reviewed with increased scrutiny during the due diligence process, particularly when the acquirer is a large multinational corporation. Failure to comply with the EU Cookie Directive could result in anything from increased liability for the target company under the merger agreement to a reduced sale price.
What Must Companies do to Comply with the EU Cookie Directive?
The simple answer is that if a company is required to comply with the EU Cookie Directive, the company must: (1) provide users with clear, comprehensive written notice that the company is placing cookies on their computers or other electronic devices; and (2) obtain users’ consent before placing the cookies. The amended Article 5(3) exempts storage or access that is strictly necessary to provide a service the user has explicitly requested (for example, a session cookie that keeps items in a shopping basket during checkout); cookies used to track users for advertising purposes do not fall within that exemption. A company should therefore inventory the cookies its sites and applications set, including those set by third parties, and classify each one before deciding what notice and consent it needs.
However, in practice, compliance is very complex. Companies and their legal counsel must make business and legal decisions about a number of issues, including, without limitation, the following:
(1) What are the company’s business goals?
(2) What EU member countries’ laws must the company comply with?
(3) What content to include in the written notice. (This depends on a number of factors, including, without limitation: (a) what types of cookies the company uses; (b) how many cookies the company uses; (c) what information the company collects by means of the cookies; and (d) how the company will use or disclose information obtained by means of the cookies.)
(4) How to present the written notice to users (e.g., via a splash screen, tiered notices, etc.). If information is being collected via cookies placed on a mobile device, one must give particular thought to the format of the notice and make sure it is easy for users to read on a small screen.
(5) Whether to notify users about the company’s third party service providers that may place cookies on the users’ computers or other electronic devices.
(6) How to obtain users’ consent (e.g., via browser settings, implied consent, opt-in consent, opt-out consent, etc.).
(7) When to obtain users’ consent (e.g., before a user accesses a web page, before a user may register to use a service, etc.).
(8) What to do if a user does not consent to the placement of the cookies (for example, whether the site must still function without them), and whether to treat an opt-out as a permanent opt-out (noting that remembering a user’s refusal across visits itself requires storing a preference on the user’s device).
(9) When and whether to give updated notice to users and obtain new consent from them if the company changes how it uses a cookie.
If you have any questions about whether your company must comply with the EU Cookie Directive or how to comply with the EU Cookie Directive, please contact Helen Christakos at (650) 696-2545 or at hchristakos@carr-mcclellan.com.