Megan Muir

Amendments to the European Union E-Privacy Directive, which was to be implemented by all EU member states by May 25, 2011, imposed a requirement to obtain user consent to the use of cookies, with such consent on an ‘opt-in’ basis, rather than an ‘opt-out’ process. Over the past two years, EU member states have been implementing the directive. In this publication, our colleagues Cameron Craig and Paul McCormack summarize the status of the E-Privacy Directive and include a table containing detailed updates as to the manner in which various countries have implemented the law as of March 2012.

Additionally, the publication contains the following recommendations for conducting a “Cookie Audit”:

Step 1 Cookies Audit: Businesses should begin identifying the cookies (and similar technology) which are used by their website. A “cookie audit” should be undertaken with the assistance of your IT department/specialist legal advisors. Cookie audits should include a review of the types of cookies used by the website; the life-span of such cookies; and how intrusive the cookies are.

Step 2 Map out compliance options: Once the company understands the cookies which its website(s) use, it must then consider the options available to it in order to comply. These might include the options set out in the ICO’s Preliminary Guidance, for example: pop-ups; terms and conditions; settings-led consent; feature-led consent; and browser settings. The “strictly necessary” exemption available under the rules should also be considered.

Step 3 Implementation: In order to ensure that enforcement action is not taken against you by the applicable EU privacy regulator, you need to check when your compliance method must be in place. For example, in the UK implementation must be in place no later than May 25, 2012. Failure in the UK to implement changes by May 25, 2012 could lead to the ICO imposing fines of up to £500,000 on organizations.

Step 4 Additional Considerations and Steps: When conducting a cookie audit, you should also consider and undertake the following:

  • Due Diligence: conduct due diligence of ad network/metrics partners and vendors before contracting;
  • Click-wrap agreements: make sure your business never signs click-wrap agreements without legal review;
  • Effective contracts: bind your partner to: a) comply with applicable laws; b) make clear and conspicuous disclosures; c) provide opt-in/opt-out; d) flow terms through to vendors; and e) grant audit rights;
  • Post-contract monitoring: is your partner fulfilling its contractual promises?
  • Test/Evaluation Agreements: Always check/test agreements against legal requirements and your Privacy Policy.
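A cookie inventory of the kind the Step 1 audit calls for, as an added example that is not part of the original article: it parses the Set-Cookie headers a site and its embedded third parties send and records, per cookie, the setting host, first- or third-party status, life-span (session vs. persistent) and the attributes that bound how widely it travels. The sample headers, the two-label registrable-domain helper and the 30-day review threshold are constructed assumptions, not anything from the guidance.

```python
# Added example (not from the article): cookie-audit inventory built from Set-Cookie headers; samples are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

@dataclass
class CookieRecord:
    name: str
    setter: str                     # host that sent the Set-Cookie header
    party: str                      # "first-party" or "third-party" relative to the audited site
    lifespan_days: Optional[float]  # None means a session cookie
    secure: bool
    http_only: bool
    same_site: str                  # SameSite value, or "unset"

def registrable(host: str) -> str:
    # Simplification: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(host.lower().split(".")[-2:])

def parse_set_cookie(header: str, setter: str, site: str, now: datetime) -> CookieRecord:
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    lifespan = None                 # no Max-Age/Expires: the cookie dies with the browser session
    if "max-age" in attrs:          # Max-Age takes precedence over Expires
        lifespan = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        lifespan = (exp - now).total_seconds() / 86400
    party = "first-party" if registrable(setter) == registrable(site) else "third-party"
    return CookieRecord(name, setter, party, lifespan, "secure" in attrs,
                        "httponly" in attrs, attrs.get("samesite", "unset"))

def needs_review(rec: CookieRecord, max_days: float = 30) -> bool:
    # Assumed audit rule: third-party or long-lived cookies get a closer look.
    return rec.party == "third-party" or (rec.lifespan_days or 0) > max_days

# Constructed sample: (sending host, Set-Cookie header) pairs observed while loading the site.
SITE = "www.example.com"
NOW = datetime(2012, 3, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "prefs=en; Max-Age=2592000; Path=/; SameSite=Lax"),
    ("tracker.example-ads.net", "uid=xyz; Expires=Fri, 01 Mar 2013 00:00:00 GMT; Path=/"),
]

def build_inventory(headers=SAMPLE_HEADERS, site=SITE, now=NOW):
    return [parse_set_cookie(h, host, site, now) for host, h in headers]
```

Running `build_inventory()` over headers captured from a real page load gives the per-cookie table the audit needs; the intrusiveness judgement itself still rests with the legal review the article describes.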

Find information regarding specific EU member states and the cookie requirements here.