On May 26, 2011, the 2009 amendments[1] to the e-Privacy Directive[2] (the "Directive") regulating the use of internet cookies in the European Union ("EU") went into effect. The Directive, as amended, requires website operators and advertising companies falling within the legal jurisdiction of the EU to gain explicit consent before placing any cookie on users' machines.
What Is Changing?
Generally, the Directive only permits cookies to be placed after users have given consent (an "opt in" option). However, the Directive would not require consent for certain cookies that are "strictly necessary" to provide the services requested by a user. For example, if a user accesses a website to purchase an item, before proceeding to checkout, the site will be able to "remember" what was chosen on the previous page in order to be able to perform the transaction. These are known as "Session Cookies," and no consent shall be required for the use of this type of cookie.
How Should Companies Prepare for the New Requirements?
The first step in this preparation should be to assess how the website(s) of a company under the jurisdiction of the EU work. This can be done by:
Performing a comprehensive audit of the company's website(s) to identify what types of data files and cookies are stored on users' devices when they visit the site, which of those cookies are necessary to the business and might require consent, and which are Session Cookies that will fall outside the legislation.
Determining if the website displays content from third parties (e.g., from an advertising network or a streaming video service). Such third parties may read and write their own cookies or similar technologies onto a company's users' devices. The process of getting consent for these cookies will be more complex, and everyone should make sure that the user is aware of what is being collected and by whom.
Once a company...