EU On Data Privacy: One Tough Cookie
By Ryan Nier
“Hey, you want a cookie?” That’s the question on the minds of data protection regulators in the EU as they guide states and companies on how to interpret and apply the 1995 European Data Protection Directive. If you’re offering someone a cookie and they happen to be in the EU, asking that question of your users is necessary and is becoming ever more complex.
“Cookies,” also known as “browser cookies” or “web cookies,” are little bits of data that can be sent from a website and stored on a user’s web browser. They are commonly used to store helpful information, such as items in a shopping cart, a login name, or a set of preferences (e.g., “use US English when I visit this site”).
While US law has taken a very permissive approach to cookies – generally allowing their use absent nefarious purpose – the EU has taken a strikingly different approach that focuses on user consent. On October 14, the EU’s Article 29 Working Party – which is tasked with advising on how member states should read and apply the terms of the Data Protection Directive – outlined the four corners of what likely will be required for valid “consent.” The Working Party’s recommendations are not binding, but they are given great weight by EU member states.
Per the Working Party’s guidance, consent must be (1) specific in nature, (2) given prior to use of the cookies, (3) acquired via active behavior, and (4) chosen freely. More specifically:
Active Behavior: Consent must be acquired through “positive action” such as clicking a button or checking a box. Moreover, the Working Party advised that consent may be invalid if consumers are not given specific choices that allow them to choose which cookies they would and would not like. Once again, in practice, this may require significant changes to how sites are designed and how users interact with them (e.g., a website may be required to delineate categories of cookie use, explain how they work, and require users to check each type of cookie they wish to allow).
With the EU’s new Proposed Data Regulation on the horizon, complying with “consent” under EU law is only getting more difficult. Companies with customers in the EU would be wise to heed the Working Party’s advice and tighten up their cookie policies. Perhaps the better question is, “Hey, want a cookie? It’s chocolate chip, with whole wheat flour, and isn’t organic. I can pick out all the chocolate chips if you want. In any event, just fill out this form.”
Caveat Vendor is Paul Hastings’ Consumer Issues blog.