EU e-Privacy Cookie Rules Will Impact Non-European Web Companies

Any company doing business in the European Union will be expected to comply with the EU's new cookie law, except it's unclear what that law is.

The European Union's new data privacy rules requiring companies to obtain explicit customer consent before displaying targeted Internet advertisements will impact any Web enterprise that has customers within the EU.

The data privacy rules, an amendment to the European Union's Privacy and Electronic Communications Directive, will go into effect May 26. Intended to give Web users more control over their data online, the e-privacy law will require anyone running a Website to get user consent before deploying certain types of information-collecting cookies.

The e-Privacy Directive applies to cookies used to collect information that is not directly related to the service offered by the site and would be used for advertising purposes. The sites can continue automatically installing cookies that collect information such as passwords, language preferences or the contents of an e-commerce shopping cart.

The amendments to the e-Privacy Directive are intended to keep up with the changes in technology and privacy to protect consumers from online tracking and the use of profile information based on that information, Dennis Dayman, chief privacy and security officer at Eloqua, a marketing-automation company, told eWEEK.

The draft bills currently in circulation in the United States Congress "are trying to cover much of what the EU has already in the past and added" to the e-Privacy Directive, according to Dayman. The biggest difference between the two regions seems to be that the U.S. is looking at permission for only third-party tracking, while the EU changes will apply to every Web operator.

The EU's privacy rules are much broader and cover more ground than what is currently being discussed in the United States, Jim Halpert, a partner at the DLA Piper international law firm, told eWEEK. Europe has had overarching privacy legislation that has protected consumers for "decades," Halpert said.

Each member country will be translating the EU regulations into law, making it likely there will be variations from country to country. The Netherlands Ministry of Economic Affairs, Agriculture and Innovation will allow Websites to rely on browser settings to obtain users' consent to cookies. The Article 29 Data Protection Working Party, the privacy group within the European Commission, has suggested implementing the directive in a way that users are required to opt in to every individual cookie.

Any business, wherever it is located, that places cookies on computers belonging to its customers based in the European Union would be subject to the e-privacy directive, according to Chris Saunders, an attorney at Mundays Solicitors, in Surrey, England. It's still "to be decided" how and where the rules will be enforced for non-EU-based organizations, Saunders said.

To add to the confusion, less than a third of the EU member countries have actually complied with the directive, according to Philippe Gerard, an official working in the EU's digital and telecommunications department. So far, only Denmark and Estonia have done so, and six or seven more (out of 27) are expected to have something in place by May 26, according to Gerard. The United Kingdom's Department for Culture, Media and Sport, which oversees information and communications technology policy, has indicated it is not likely to meet the deadline.

All businesses using cookies need to carefully consider the methods they use to obtain computer users' consent and keep up to date on how the laws are defined in the countries where they do business, Saunders said.

Under the new privacy rules, Internet and phone providers will also be required to notify data-protection authorities if they accidentally lose or disclose personal information such as names, email addresses or bank details. The companies will also have to inform the affected consumers directly.

Google and Apple are already under scrutiny for possible violations under the EU's existing privacy rules and the new e-Privacy Directive. Data-protection officials in several countries, including Italy, Germany and France, are investigating reports from earlier this month that Apple's iPhones and phones running Google's Android operating system were collecting location data.

Information collected through the combination of a WiFi access point with a mobile device's location is considered to be personal data and is subject to EU privacy rules, according to a non-binding opinion issued by the Data Protection Working Party on May 16.

Users must be given "clear, comprehensive" and understandable information about how, why and for how long their data is processed, EU privacy officials said in the Working Party opinion. For example, mobile devices should continuously warn users that geo-location is "on" by using a permanently visible icon, according to the Working Party paper.

Customers clicking on general terms and conditions would not count as consent, according to the Working Party. People must explicitly consent to the data collection and geo-location should be used only when necessary, according to the paper. "One of the great risks is that the owners are unaware they transmit their location, and to whom," the group wrote.