EU Requires Consent Before Cookies Can Be Placed

Author:Mr Dean Harvey and Ignacio Hirigoyen
Profession:Andrews Kurth LLP

On May 26, 2011, the 2009 amendments1 to the e-Privacy Directive2 (the "Directive") regulating the use of internet cookies in the European Union ("EU") went into effect. The Directive, as amended, requires website operators and advertising companies falling within the legal jurisdiction of the EU to gain explicit consent before placing any cookie on users' machines.

What Is changing?

Before the Directive was amended the EU only required companies to inform users that cookies were utilized and to supply users with information regarding how to "opt out" if the users objected to the cookie being created on their device. Sites often include in their privacy policies information regarding the use of cookies and the ability by users to "opt out" of the placement of such cookies.

Generally, the Directive only permits cookies to be placed after users have given consent (an "opt in" option). However, the Directive would not require consent for certain cookies that are "strictly necessary" to provide the services requested by a user. For example, if a user accesses a website to purchase an item, before proceeding to checkout, the site will be able to "remember" what was chosen on the previous page in order to be able to perform the transaction. These are known as "Session Cookies," and no consent shall be required for the use of this type of cookies.

How Should Companies Prepare for the New Requirements?

The first step in this preparation should be to assess how website(s) of a company under the jurisdiction of the EU work. This can be done by:

  1. Performing a comprehensive audit of the company's website(s) to identify what type of data files and cookies are stored on users' devices when they visit the site, and which of those cookies are necessary to their business and might require consent, and also identify the Session Cookies that will fall outside the legislation.

  2. Cleaning up their web pages and discontinuing the use of cookies that are outdated or that have been rendered obsolete because of changes to the company's website.

  3. Determining if the website displays content from third parties (e.g., from an advertising network or a streaming video service). Such third parties may read and write their own cookies or similar technologies onto a company's users' devices. The process of getting consent for these cookies will be more complex and everyone should make sure that the user is aware of what is being collected and by whom.

    Once a company...

To continue reading