Legal Matters: Beware of the Cookie Monster
If your company uses cookies — small information files that are downloaded onto a computer or mobile device when a user visits a website which enable the website operator to recognize the user's device and preferences — on its website, and the website is either "designed for the European market" or "provides products or services to customers in Europe," you should be aware of the new European Union (EU) Cookie Directive.
In principle, the Cookie Directive requires that visitors to websites receive an explanation of the specific nature of the cookies used by the website (except for those cookies that are "strictly necessary" as discussed below) and then consent to accept the cookies before the files can be automatically stored on the user's computer.
Many retailers selling products to European customers were understandably concerned that compliance with a strict user consent standard would mandate placing on the homepages of their websites a pop-up box or header/footer bar requiring users to click to "accept" cookies from the website after having first been offered the option to read the information page. Such notice and opt-in requirements would undoubtedly unnerve many visitors. In addition, should consumers decide not to permit the use of cookies, their shopping experience would likely be severely compromised, thereby adversely affecting merchant performance.
Such implementation requirements would have presented a dilemma for online retailers. Confronted with an austere notice and opt-in requirement, many visitors would navigate away from their sites rather than accept the cookies. Ironically, the result would likely be to drive traffic to noncompliant websites, which don't disclose their use of cookies. This would put companies that comply with the EU Directive's requirements at a disadvantage to those companies that fail (or refuse) to comply.
Moreover, the risks of noncompliance are considerable. For example, under the United Kingdom (U.K.) law incorporating the EU Directive, penalties of up to £500,000 ($774,500 U.S.) per violation can be imposed. Faced with the prospect of adopting a compliant yet consumer-unfriendly format, electronic merchants in the U.S. might prefer to block European users from buying from their websites altogether.
The UK Relaxes User Consent Requirement
The U.K. has been in the vanguard of jurisdictions proceeding with implementation of the EU Directive. Although initial rules came into force on May 26, 2011, website owners were given a 12-month "grace period" to comply before facing enforcement action. Just as the May 26, 2012 deadline for implementation approached, the U.K. Information Commissioner's Office (ICO) issued a formal "Guidance" regarding the use of cookies on websites. The ICO announced that explicit consent wasn't necessarily required. The ICO Guidance addressed the most controversial and confusing aspect of the EU Directive — what measures will be viewed by regulators as being sufficient to obtain "consent" to the installation of cookies on users' devices. The EU Directive defines "consent" as "any freely given specific and informed indication of … agreement to personal data … being processed."
The ICO Guidance, while welcome in terms of informing website operators that they don't require an affirmative opt in prior to the installation of cookies on visitors' computers, isn't clear in indicating exactly what measures will satisfy the user consent requirements of U.K. law. It would be reasonable to conclude, however, that, at a minimum, the following two actions would be necessary for compliance:
- the presence of an information page providing a general explanation of what cookies are and their function on the website; and
- providing a link to that information page from the website's homepage.
The essence of the Guidance appears to be that sufficient notice must be provided in plain language to ensure that website visitors understand that the site uses cookies as well as how cookies can be blocked or disabled.
User Consent Isn't Required for Certain Types of Cookies
It should be noted that the EU Directive contains an exception from any consent requirement for cookies that are "strictly necessary." In order for cookies to meet this definition, "such storage of or access to information should be essential rather than reasonably necessary … to provide the service requested by the user." The exception doesn't apply when the cookie is only "'important' rather than 'strictly necessary.'"
Examples of uses that are likely to be considered "strictly necessary" include the following: cookies that are used to remember the goods users wish to buy when they proceed to checkout or add goods to their shopping baskets; cookies that are installed to provide the level of security necessary to comply with EU data protection requirements for an activity that the user has requested (e.g., online banking services); and cookies that ensure the content of a web page loads quickly by distributing the workload across numerous computers.
On the other hand, uses that are unlikely to be viewed as "strictly necessary" include cookies used for analytical purposes to count the number of unique visits to a website; first- and third-party advertising cookies; and cookies used to recognize a user when they return to a website so that the greeting they receive can be customized.
Stay Tuned
As other members of the EU incorporate the EU Cookie Directive into their national laws, they may apply stricter or more relaxed interpretations than the rules contained in the U.K.'s ICO Guidance. Also, the ICO may issue amended rules as it reviews the extent of compliance and level of effectiveness of its May 2012 Guidance. If the ICO concludes that current consumer notice and implied consent measures don't result in adequate consumer protection, the requirements may be modified to require greater prominence of the cookie policy on a website's homepage and more affirmative action on the part of visitors to accept the placement of cookies on their computers and mobile devices.
George S. Isaacson is a senior partner at Brann & Isaacson, a direct marketing law firm. George can be reached at gisaacson@brannlaw.com.