Directive 2002/58 on Privacy and Electronic Communications, otherwise known as E-Privacy Directive, is an European Union directive on data protection and privacy in the digital age, which has been recently updated to require informed consent for non-essential cookies.
Many of our clients transact business internationally and have websites that target European users. The European Union’s E-Privacy Directive (the “Directive”), implemented in May 2012, requires that websites obtain informed consent from users prior to storing cookies on a device. The Financial Times recently reported that the Information Commissioner’s Office (ICO) is beginning to crack down on non-compliant companies. If a website is found to be non-compliant, the ICO can issue fines of up to £500,000 ($807,450). Cookies are small data files sent from a website and stored in a user’s web browser while a user is browsing a website, and are commonly used for remembering preferences and tracking user activity. Although the Directive exempts some cookies from the informed consent requirement, most commonly found cookies, such as third-party analytics, personalization and other persistent cookies are not exempt. Generally speaking, if your website uses technology to track users, you need their consent to do so.
There are a few basic steps to take in order to comply with the Directive. First, audit your tracking technologies to determine what cookies, if any, your website places. You may be surprised at what is going on behind the scenes. Categorize your cookies into groups (i.e., necessary service/function cookies, analytical cookies, advertising cookies, etc.) so that you can better explain the types of cookies used on your site. Next, update your privacy policy to ensure that it accurately reflects what is actually going on under the hood of your website. Once your privacy policy is up-to-date and accurate, you should consider how you want to inform your users of your cookie policies. Simply relying that users might have read your privacy policy is no longer considered sufficient. Instead, many websites are implementing banners, headers, footers or splash screens that are designed to ensure informed consent. According to the Financial Times, the European Union has been aggressively enforcing compliance with the Directive and recently increased the size of its enforcement team by 60 percent to investigate infringements. All companies that use cookies on their websites and are subject to European Union jurisdiction should ensure that their site is updated to comply with the Directive.
