The EU Privacy Directive, better known as the “EU cookie law”, is a classic piece of bureaucratic red tape one tends to see arise in the European Union. So, does the EU cookie law apply to U.S. websites?
Freedom is a concept touted heavily in the United States. This fact would seem to suggest individuals should be free from being tracked to the greatest extent possible. This is not the case. In truth, the privacy laws of the United States are laughable because, frankly, they barely exist. To the extent they do, a business is only required to notify the individual of what they are doing with the data collected.
The European Union has gone the opposite direction on the privacy issue. Many would suggest it has gone too far. While the new “cookie” law is getting a good bit of attention these days, the truth is the first EU directive was passed in 2002. Now, in 2012, we are finally seeing it instituted across the member states of the Union. As can only happen in the EU, however, the implementation is an utter mess.
The EU Privacy Directive is just that – a directive to member states to pass laws on the issue. Most countries are finally getting into the swing of it, but even this process is chaotic. For instance, the UK finally passed their law only to be humorously alerted to the fact most government websites in the country are not in compliance! Other countries are in similar shape.
What Is It?
The basic idea behind the EU cookie law is visitors to websites should be alerted to any tracking being done and given the right to opt-out of being tracked. The specifics are complex. You can see the law in action if you log on to various sites with European designations in their domain names. A pop up typically occurs alerting one to the tracking and the options available.
Applicable to U.S. Websites?
Does the EU cookie law apply to U.S. websites? There are no court cases on the subject as of the date I am writing this post – September 24, 2012. It appears as though there will be a sliding scale approach to the application of the law to such sites. I also suspect the EU will enact a new privacy regulation in the not too distant future since the primary privacy directive hasn’t aged well since it was put in place in the 1990s.
Three issues are critical to the determination of the applicability of the law. The first is the location of the company owning the site. The second is the location of the servers for the site. The third is the intended audience of the site. This third element is the most important, but let’s look at a few examples to see how the determination might play out.
A. Cookie Example
Let’s assume I own a company based in California. I host my site in Texas. U.S. consumers are my target market. Do I need to comply with EU law? While there is no clear court ruling on this as of yet, it seems unlikely the law would apply. There is simply no connection to the European market.
What if we change our example just slightly? What if my business is in California and my servers in Texas, but my site focusses on the English Premier League [soccer]? I am primarily targeting readers in Europe. Under such a scenario, the case for applying the EU laws to my site would be much stronger.
It is important to stress there are few, if any cases, discussing these issues. Until the courts render rulings, there are no definitive answers. If you are concerned about compliance issues with the EU cookie law, contact me for a consultation today.
Richard A. Chapo, Esq.
Other Articles on Europe You Might Be Interested In: