Any company doing business in the European Union will be expected to comply with the EU's new cookie law, except it's unclear what that law is.
The European Union's new
data privacy rules requiring companies to obtain explicit customer consent
before displaying targeted Internet advertisements will impact any Web
enterprise that has customers within the EU.
The data privacy rules, an
amendment to the European Union's Privacy and Electronic Communications Directive,
will go into effect May 26. Intended to give Web users more control over their
data online, the e-privacy law will require anyone running a Website to get
user consent before deploying certain types of information-collecting cookies.
The e-Privacy Directive
applies to cookies used to collect information that is not directly related to
the service offered by the site and would be used for advertising purposes. The
sites can continue automatically installing cookies that collect information
such as passwords, language preferences or the contents of an e-commerce
The amendments to the
e-Privacy Directive are intended to keep up with the changes in technology and
privacy to protect consumers from online tracking and the use of profile
information based on that information, Dennis Dayman, chief privacy and
security officer at Eloqua, a marketing-automation company, told eWEEK.
The draft bills currently in
circulation in the United States Congress
"are trying to cover much
of what the EU has already in the past and added" to the e-Privacy Directive,
according to Dayman. The biggest difference between the two regions seems that
the U.S. is looking at permission for only third-party tracking
, while the EU changes will
apply to every Web operator.
The EU's privacy rules are
much broader and cover more ground than what is currently being discussed in
the United States, according to Jim Halpert, a partner at the DLA Piper
international law firm, told eWEEK. Europe has had overarching privacy
legislation that has protected consumers for "decades," Halpert said.
Each member country will be
translating the EU regulations into law, making it likely there will be
variations from country to country. The Netherlands Ministry of Economic
Affairs, Agriculture and Innovation will allow Websites to rely on browser
settings to obtain users' consent to cookies. The Article 29 Data Protection
Working Party, the privacy group within the European Commission, has suggested
implementing the directive in a way that users are required to opt in to every
Any business, wherever it is
located, that places cookies on computers belonging to its customers based in
the European Union would be subject to the e-privacy directive, according to
Chris Saunders, an attorney at Mundays Solicitors, in Surrey, England. It's
still "to be decided" how and where the rules will be enforced for non-EU-based
organizations, Saunders said.
To add to the confusion,
less than a third of the EU member countries have actually complied with the
directive, according to Philippe Gerard, an official working in the EU's
digital and telecommunications department. So far, only Denmark and Estonia
have done so and six or seven more (out of 27) are expected to have something
in place by May 26, according to Gerard. The United Kingdom's Department for
Culture, Media and Sport, which oversees information and communications
technology policy, has indicated they are not likely to meet the deadline.
All businesses using cookies
need to carefully consider the methods they use to obtain computer users'
consent and keep up-to-date on how the laws are defined in the countries where
they do business, Saunders said.
Under the new privacy rules,
Internet and phone providers will also be required to notify data-protection
authorities if they accidentally lost or disclosed personal information such as
names, email addresses or bank details. The companies will also have to inform
the affected consumers directly.
Google and Apple are already
under scrutiny for possible violations under the EU's existing privacy rules
and the new e-Privacy Directive. Data-protection officials in several
countries, including Italy, Germany and France, are investigating reports from
earlier this month that Apple's iPhones
and phones running Google's
Android operating system were collecting location data.
through the combination of a WiFi access point with a mobile device's location
is considered to be personal data and is subject to EU privacy rules, according
to a non-binding opinion issued by the Data Protection Working Party on May 16.
Users must be given "clear,
comprehensive" and understandable information about how, why and for how long
their data is processed, EU privacy officials said in the Working Party
opinion. For example,
mobile devices should continuously warn users that geo-location is "on" by using
a permanently visible icon, according to the Working Party paper.
Customers clicking on
general terms and conditions would not count as consent, according to the
Working Party. People must explicitly consent to the data collection and geo-location
should be used only when necessary, according to the paper. "One of the
great risks is that the owners are unaware they transmit their location, and to
whom," the group wrote.