Got Compliance? The EU Cookie Law & What You Need to Do

The European Union’s “Cookie Directive” went into effect on May 26, 2012.

The new law requires EU-owned websites, as well as those merely accessible to EU users, to tell visitors about cookies that track traffic on their sites. In addition, websites must obtain “informed consent” from users before saving cookies to their computers.

For the time being, the implications of the directive for US companies appear to be limited. But businesses with globally focused websites – and in particular those that target EU users – should consider following the recommendations of three recent advisories aimed at UK companies:

1. Conduct a “cookie audit”

“Check what type of cookies and similar technologies you use and how you use them. Depending on your use of cookies, this exercise will range from a comprehensive website audit to a simple review of what data files are sent to users and why. An assessment of cookie use will also likely identify cookies no longer needed or in use.” (‘What Cookies Are In Your Jar?’ – ICO’s guidance on compliance with new EU cookie law leaves industry something to chew on (and few crumbs of comfort!) by Reed Smith)

2. Update or add a cookie policy:

“[The policy should] inform users:

  • what cookies are and the way they operate
  • the types/categories of cookies used on the website, the purpose for which they are used, the length of time they are stored on a user’s device
  • the effect of accepting or declining cookies
  • how to control and delete cookies using the user’s browser; and
  • ‘strictly necessary’ cookies can not be declined”
    (Cookie Crunch: Time to Comply by Orrick, Herrington & Sutcliffe LLP)

3. Develop a plan for complying with the law:

“The [Information Commissioner's Office (ICO)] will expect companies to have taken steps to comply with the rules … and have a realistic plan in place for complying with the rules by a date certain. According to the ICO, using the monetary penalties built into the law as an enforcement option has not been ruled out, but formal ‘undertakings’ and enforcement notices are likely to be more useful in achieving compliance.” (UK Cookie Law “Grace Period” Expires — Enforcement to Begin by Mintz Levin)
