Legal Matters: Beware of the Cookie Monster

Analyzing the EU Cookie Directive and its impact on U.S. internet sellers

December 2012 By George S. Isaacson

If your company uses cookies — small information files that are downloaded onto a computer or mobile device when a user visits a website and that enable the website operator to recognize the user's device and preferences — on its website, and the website is either "designed for the European market" or "provides products or services to customers in Europe," you should be aware of the new European Union (EU) Cookie Directive.

In principle, the Cookie Directive requires that visitors to websites receive an explanation of the specific nature of the cookies used by the website (except for those cookies that are "strictly necessary" as discussed below) and then consent to accept the cookies before the files can be automatically stored on the user's computer.

Many retailers selling products to European customers were understandably concerned that compliance with a strict user consent standard would mandate placing a pop-up box or header/footer bar on the homepages of their websites, requiring users to click to "accept" cookies from the website after having first been offered the option to read the information page. Such notice and opt-in requirements would undoubtedly unnerve many visitors. In addition, should consumers decide not to permit the use of cookies, their shopping experience would likely be severely compromised, thereby adversely affecting merchant performance.

Such implementation requirements would have presented a dilemma for online retailers. Confronted with an austere notice and opt-in requirement, many visitors would navigate away from their sites rather than accept the cookies. Ironically, the result would likely be to drive traffic to noncompliant websites, which don't disclose their use of cookies. This would put companies that comply with the EU Directive's requirements at a disadvantage to those companies that fail (or refuse) to comply.

Moreover, the risks of noncompliance are considerable. For example, under the United Kingdom (U.K.) law incorporating the EU Directive, penalties of up to £500,000 ($774,500 U.S.) per violation can be imposed. Faced with the prospect of adopting a compliant yet consumer-unfriendly format, electronic merchants in the U.S. might prefer to block European users from buying from their websites altogether.

The UK Relaxes User Consent Requirement
The U.K. has been in the vanguard of jurisdictions proceeding with implementation of the EU Directive. Although initial rules came into force on May 26, 2011, website owners were given a 12-month "grace period" to comply before facing enforcement action. Just as the May 26, 2012 deadline for implementation approached, the U.K. Information Commissioner's Office (ICO) issued a formal "Guidance" regarding the use of cookies on websites. The ICO announced that explicit consent wasn't necessarily required. The ICO Guidance addressed the most controversial and confusing aspect of the EU Directive — what measures will be viewed by regulators as being sufficient to obtain "consent" to the installation of cookies on users' devices. The EU Directive defines "consent" as "any freely given specific and informed indication of … agreement to personal data … being processed."


