The EU Privacy Directive, better known as the “EU cookie law,” is a classic piece of bureaucratic red tape one tends to see in the European Union. But does the EU cookie law apply to US websites? I originally wrote an article in 2012 on this subject, so let’s do an update and see where cookie law stands now.
EU Cookie Laws
Keep in mind we are talking about the European Union when considering the applicability of cookie laws. The EU can take the simplest of subjects and create 500 pages of regulations that would choke a 20-foot great white shark. Such is the case with EU cookie laws.
Getting a headache yet? You aren’t the only one:
And all was good…until May 2018.
GDPR and Cookies
The General Data Protection Regulation [“GDPR”] went into effect on May 25, 2018. The GDPR doesn’t directly address cookies, but the regulation does establish that a business must have a “legal basis” for collecting personal data from individuals located in the EU.
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
a. US Websites?
Okay. Great. But you are in the United States, so why should you care about an EU regulation on cookies and privacy? Because the GDPR employs long “territorial” arms that may reach you.
Article 3(2) of the GDPR focuses on the territorial scope of the regulation – who has to comply. The gist is the GDPR applies to websites anywhere in the world that:
- Offer goods or services (even if free) to individuals located in the EU, or
- Are “monitoring the behavior” of individuals on the continent.
While the language appears clear, the analysis is not. For example, are you offering goods or services to a person in the EU on your mailing list when you send out a message to your list promoting an affiliate product? Does using a stats program to analyze the traffic to the website count as “monitoring the behavior” if it includes data from individuals in the EU? The courts in the European Union have yet to establish real-world answers to these questions. We also do not know if courts in the United States will enforce any fines or rulings issued in the EU.
New EU Cookie Law
The EU is considering a new ePrivacy Regulation. The regulation will void the ePrivacy Directive mentioned above and, in theory, replace it with simplified cookie rules. The first draft of the proposed regulation would have done away with cookie consent pop-ups because, get this, an EU study showed nobody reads the pop-ups. [Do you? I don’t.] Instead, the cookie consent process would take place at the browser level. A person would set their cookie preferences in Chrome, Edge, Safari, or whatever browser they are using. The browser software would then issue a command to websites alerting them to the cookie settings, and the regulation would require sites to comply.
And you can imagine the reaction of the browser companies.
Like piranhas closing in on a cow carcass, lobbyists flooded the EU. The lobbied reps caved and changed the language regarding cookies to the following:
[ePrivacy Regulation As Amended]
The responsibility for obtaining consent for the storage of a cookie or similar identifier lies on the entity that makes use of processing and storage capabilities of terminal equipment or collects information from end-users’ terminal equipment, such as an information society service provider or ad network provider.
In short, the party using the cookie must seek consent. How this will work for pass-through services such as email providers and Google Analytics is anyone’s guess. The fight isn’t over on this topic, so expect changes to the language in the future. Whether the modifications will be an improvement or not is something we will have to wait to learn.
The effort to enact the new ePrivacy Regulation has stalled for the most part. The EU’s original timeline called for passage at the same time as the GDPR in May 2018. It now appears the EU will not enact the new regulation until late 2021 due to political disputes and an upcoming election.
US Cookie Laws – CCPA?
Consumer privacy law in the United States has always been lax. We are one of the few first world countries that do not have a general privacy law. However, the situation is beginning to change. While the federal government pays little attention to privacy law, states are taking an entirely different approach. California, in particular, has enacted new legislation that goes into effect on January 1, 2020, that may give rise to cookie requirements.
So, what is the issue?
How does the ad network provide notice “at or before the point of collection” through your site?
We don’t know.
The California Attorney General will be issuing the first draft of proposed regulations for the CCPA in October of 2019. The draft will, hopefully, provide clarity on this issue.
Does The EU Cookie Law Apply To US Websites?
We don’t have a bright-line answer to this question. While the GDPR does contain territorial scope provisions, they are murky at best and haven’t been enforced to date. Matters are made all the murkier by the uncertainty surrounding the ePrivacy Regulation and lack of clarity with the CCPA.
Contact me for assistance with developing a defensible policy for your online business.
Richard A. Chapo, Esq.