Enforcement has begun softly, with regulators sending letters to selected companies asking them to explain how they are complying with the Cookie Directive. As yet, no major enforcement actions have been announced.
U.S.-based websites should not assume that they are immune from concerns about the Cookie Directive. Even U.S. websites that do not have a physical presence in Europe may be subject to enforcement actions from European privacy authorities. In a tour of Silicon Valley this spring, Jacob Kohnstamm, a European privacy regulator, warned that enforcement action would be taken against U.S. companies that place cookies on browsers in Europe and disregard European cookie regulation.
Accordingly, every website operator with a significant user base in Europe should be prepared to respond to European privacy regulators asking what steps have been taken to comply with the Cookie Directive. At a minimum, that answer should include the following:
- an audit of every cookie employed on the website to determine its use and function;
- a review of current disclosures of cookies, and a revision of those disclosures, where necessary, to clearly communicate the use and function of cookies employed on the site; and
- consideration and, where appropriate, implementation of new procedures to more effectively demonstrate user consent to cookies employed on the site.