How the Cookie Crumbles: Cookie Enforcement Sweeps Begin in EU

European Data Protection Authorities (DPAs) — the entities responsible for enforcing the European Union (EU) Data Directive and the EU Cookie Directive — are taking part in what is being referred to as “Cookie Sweep Day.” This “day” will actually last a week, beginning September 15, 2014 and ending on September 19, 2014.

What’s the Sweep About?

As background, the Cookie Directive requires website operators to obtain informed consent before a cookie or other tracking technology is placed on a European visitor’s computer. The Directive makes a very narrow exception for those cookies that are necessary to provide the service offered on a site. In addition to requiring consent, visitors must also be given the option to access their data to correct it or delete it, and the data should only be used for those purposes disclosed in the notice and consent. To comply, a website must audit the cookies that are present on the website and provide appropriate notice and obtain consent from website visitors.

Despite the fact that the EU Cookie Directive applies across the European Economic Area, the various countries have the responsibility of drafting laws to implement the Directive and are tasked with the responsibility of ensuring compliance. The laws vary from country-to-country with respect to the extent to which companies should provide notice and obtain consent. For example, some DPAs have deemed implied consent acceptable. Therefore, a visitor to a website may be served with notice regarding the cookies and told that their decision to continue reviewing the website will constitute consent. Other countries require express consent, by which each website visitor must actively click an “I Agree” icon or other button to acknowledge that they have reviewed the website’s notice regarding cookies before any cookies can be placed.

Given the varying laws and the administrative difficulties that may arise by requiring express consent, many websites have opted for obtaining implied consent in the hopes that having some notice and consent is better than having none at all. Alternatively, there are still many websites that have failed to provide any notice at all. To verify compliance, the various DPAs intend to conduct online investigations of various websites.

What Will the Sweep Entail?

The DPAs intend to search for several things when reviewing websites. Namely, they will review websites to determine the types of cookies present on the website. They will then determine what, if any, consent is obtained from website visitors. The authorities will also be concerned with the information provided by website operators about their cookies and tracking technologies, the rights granted to visitors, and the amount of time that cookies will stay on a visitor’s device.

What Should Companies Do?

All companies with an international presence, especially those attracting visitors from the EU, should be aware of the Cookie Directive and should ensure that their websites are designed to provide notice and obtain appropriate consent from website visitors. As noted above, compliance entails a cookie audit to determine the types of cookies used on a website. Once that is done, a website operator must simply provide adequate notice to its visitors and obtain consent for the placement of cookies on those visitors’ devices. While compliance may take some time and restructuring of a website, failure to comply may result in fines.

Arent Fox will continue to monitor issues related to international data protection requirements. 


Continue Reading