Many U.S. companies overlook the ePrivacy Directive (the "Directive"). They are either not aware of it, or, if they are, they believe that cookies data does not rise to the level of being considered “personal data” under the GDPR. However, the truth is that: (1) the Directive applies to all cookies, regardless of the nature and classification of data they collect, and (2) even if the GDPR’s personal data standard applied, it is actually broad enough to include IP addresses and other device information commonly collected by website cookies.
Another reason for this disparity in compliance by U.S. businesses is the fact that enforcement actions under the Directive against U.S.-based companies have not had the same amount of publicity here as those prosecuting breaches of the GDPR. However, with the passage of an ePrivacy Regulation on the horizon, which will effectively replace the Directive and which, like the GDPR, will have extraterritorial reach and similar sanctions in case of breach, it is safe to say that the regulatory tide in the EU is changing. A number of recent administrative and judicial decisions across the EU2 also support this view.
Therefore, U.S. companies which operate websites accessible by EU-based users and routinely collect the data of such users via cookies should not only familiarize themselves with the Directive and all applicable national cookies laws, but also, add such legislations to the scope of their privacy compliance roadmap.
What is the EU ePrivacy Directive?
Issued in 2002 and amended in 2009, the Directive governs direct electronic marketing messages, cookies and similar tracking technologies. The Directive sets legislative goals, which each individual EU member state must meet through the adoption of its own set of laws. With 28 member states adopting their own cookies standards, the legal landscape is both complex and administratively burdensome for companies who need to comply. The Directive will ultimately be replaced by the ePrivacy Regulation, in the same way the GDPR replaced the 1995 Data Privacy Directive. Until then3, companies can either choose to comply with strictest cookies standards for all business conducted in the EU, or develop different compliance mechanisms for each country of the EU in which they do business.
Basic principles of the EU ePrivacy Directive
The Directive is a completely different piece of legislation from the GDPR; it applies to all cookies, regardless of whether the data collected through their use qualifies as personal data under the GDPR. Specifically, the Directive requires website operators to (1) inform users about each individual cookie being used by the website, (2) obtain consent to the use of any cookies, other than technical cookies4, before they are installed, and (3) allow users to opt-out or withdraw consent previously provided. These requirements are intended to ensure that users are well-informed prior to cookies being installed on their browsers and in control over the decision to consent (or not) to their use.
For consent to be valid under the Directive, it must be given in accordance with the same standards as are mandated by the GDPR. Specifically, it must be “specific, informed and given freely, and evidenced by an affirmative action.” Therefore, pre-checked consent boxes or cookie banners that tell you a cookie has already been installed, yet invites you to accept them anyway, or that deem the user to have accepted the placement of cookies upon visiting the website, are not valid under the Directive.
Ensuring Compliance with EU Cookies Laws
- An online, “just-in-time”, cookies consent mechanism consistent with the terms of the company’s Cookies Policy and the Directive which appears before cookies are installed on the user’s browser.
- Such cookies consent mechanism (ie., a banner or pop-up notification) must describe each and every cookie being used on the site, including its name and the identity of its publisher, its function, its duration, and, in the case of third party cookies, a link to the third party publisher’s website where the user can obtain more information about the cookie. The banner should also allow users to select which individual cookies they approve.
- A record-keeping system to track consent given by website users, including the date of consent and which cookie(s) in particular are being accepted. This system will support the company in honoring requests from users who may wish to withdraw their consent after it has been given.
Fortunately, companies that have taken the necessary steps to comply with the GDPR should have a head start in complying with the requirements of the Directive.
Doing business in the EU is not for the faint of heart, clearly. That said, if you engage with website users that are based in the EU, it is critical that you comply with all applicable laws at both the EU and national, member state levels. The requirements of the GDPR and the ePrivacy Directive can be easily confused, providing companies with a false sense of compliance security. For this reason, it is best to seek advice from counsel with experience navigating the EU’s legal landscape. If you have questions about the Directive, use of website cookies, or the GDPR, please contact Stephan Grynwajc at email@example.com or 347-543-3035.
1 EU ePrivacy Directive (2002/58/EC)
2 In 2019, there was a flurry of legislative and judicial activity regarding cookies across EU member states, most notably in Germany, France, United Kingdom and Spain, as well as at the EU level, including decisions by the European Data Protection Board and the Court of Justice of the European Union.
3 The ePrivacy Regulation was intended to go into effect at the same time as the GDPR; however, lobbying by opponents and disagreement among the various branches of the EU policy makers as to what should be in the final draft of the text to be approved has created obstacles to its passage. It is now expected to be passed by late 2020/early 2021, with a 2-year grace period prior to enforcement action.
4 The Directive makes a distinction between technical cookies that are strictly necessary for the operation of the website (a/k/a “functional” cookies) and other types of cookies which can be broadly categorized as: (1) analytical cookies, which provide anonymized data about website users’ experience; and (2) marketing and advertising cookies, which store previous search history and apply them to advertising opportunities.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape. firstname.lastname@example.org