Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

The reports of the Internet’s demise were greatly exaggerated. On May 25, 2012, the United Kingdom Information Privacy Office (the “IPO”)  ended its one-year moratorium on the enforcement of the <a href="http://www.legislation.gov.uk/uksi/2011/1208/contents/made">European Directive</a> governing the use of cookies (the “Cookie Directive”) and, contrary to the <a href="http://techcrunch.com/2011/03/09/stupid-eu-cookie-law-will-hand-the-advantage-to-the-us-kill-our-startups-stone-dead/">doomsayers</a>, the Internet continues to function (as I assume it still is if you are reading this blog).

Enforcement has begun softly, with regulators sending letters to selected companies asking for explanations as to how these companies are complying with the Cookie Directive. As of yet, no major enforcement actions have been announced.

Earlier this month, the IPO eased the concerns of many by issuing a <a href="http://dataprivacymonitor.bakerhostetlerblogs.com/wp-content/uploads/sites/5/2012/05/cookies_guidance_v3.pdf">Guidance</a> that affirmed the use of “implied consent” to cookies in many contexts. This Guidance indicates that disclosing cookie use through the Terms of Use in a website will be sufficient disclosure for many cookies which are commonly used by websites simply to improve the website’s functioning.

But uncertainties remain—the IPO has declined to state “bright line rules” of acceptable and unacceptable practices, and instead has emphasized that each web operator must adopt disclosure practices appropriate for its users in light of the manner in which it uses cookies.  Accordingly, it is critically important to pay attention to what peer websites are doing and not fail to adopt disclosure practices that become industry standard.

US-based web sites should not assume that they are immune from concerns about the Cookie Directive. Even U.S. websites that do not have a physical presence in Europe may be subject to enforcement actions from European privacy authorities.   In a tour of Silicon Valley this Spring, Jacob Kohnstamm, a European privacy regulator, warned that <a href="http://www.npr.org/2012/04/30/151688976/europe-pressures-u-s-tech-on-internet-privacy-laws">enforcement action</a> would be taken against US companies which place cookies on browsers in Europe and disregard European cookie regulation.

Accordingly, every website operator, with a significant user base in Europe, should be prepared to respond to European privacy regulators asking what steps have been taken to comply with the Cookie Directive.  At a minimum, that answer should include the following:
<ol>
	<li>an audit of every cookie employed on the website to determine its use and function;</li>
	<li>a review of current disclosures of cookies, and a revision of those disclosures, where necessary, to clearly communicate the use and function of cookies employed on the site; and</li>
	<li>consideration, and where appropriate, implementation of new procedures to more effectively demonstrate user consent to cookies employed on the site.</li>
</ol>

UK Privacy Office Commences Enforcement of Cookie Rules