Beware If You Sell Online Products Or Services To EU Residents: New EU Rules On Website Cookies And Data Breaches Are In Effect

In November 2009, the European Parliament amended the 2003 Privacy and Electronic Communications ("e-Privacy") Directive. These revisions have caused considerable uncertainty about the obligations of companies that engage in e-commerce, particularly with respect to "cookies." The new provisions were supposed to have been implemented into national law by all EU member states no later than May 25, 2011.

In terms of scope, the e-Privacy Directive applies to the processing of personal data in connection with the "provision of publicly available electronic communication services" within the EU. Thus, there may be an argument that only telecommunications and Internet service providers are covered. The amendments do not target particular types of companies, however, but rather the use of public communications networks for the purpose of providing services via such networks to the public. For this reason, most commentators and EU regulators such as the UK Information Commissioner's Office (UK ICO) have interpreted the new rules to cover all websites that place cookies (small text files sent by a website to a user's web browser that collect information about the user's web usage) on computers located in the EU.

As for the types of technologies covered, the provisions are aimed at cookies. They may also apply, however, to other technologies used to store or access information on a user's computer or other device, such as web beacons, advertisement tags, JavaScript code, or other technologies that are integral to the functioning of websites or used for online advertising.

Cookies and Consent

Among other things, the amended e-Privacy Directive requires website operators to obtain consent from site visitors before storing and retrieving "information" from visitors' computers or otherwise gaining access to a computer located in the EU. There are still questions about how the consent should be obtained. EU Member State laws can — and are expected to — differ in terms of how they implement the consent requirement. Thus, no one knows for sure how this requirement will be implemented in all of the Member States.

For example, in some Member States, consent may be implied by settings on a web browser, system or particular software application. Other Member States, however, have already indicated that implied consent is not sufficient. The EU's article 29 Working Party — an advisory body that interprets EU data protection laws — has advised that users of cookies should "create prior opt-in mechanisms requiring an affirmative action by the data subjects indicating their willingness to receive cookies or similar devices and the subsequent monitoring of their surfing behavior for the purposes...