Cookie monster: New EU privacy law applies to US firms with European operations

Amendments to the EU e-Privacy Directive, set to take effect May 25, require companies to receive explicit “opt-in” permission from individuals before installing cookies or other devices on computers to track online behavior.

However, most EU countries have not put in place national laws implementing the amendments, according to a report by The Register. A full 19 of the 27 EU countries missed the May 25 deadline for implementing the amendments, the report noted.

The UK, for example, informed the European Commission that it had partially implemented the measures. At the same time, the Information Commissioner’s Office decided to give companies a year to fully implement the requirements.

“We’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules”, Information Commissioner Christopher Graham said in announcing the extension.

At some point, all EU countries will have to implement the directive, and US companies with operations there will have to comply, Dayman told Infosecurity. “If you are a multinational company headquartered in the US, you should be doing something to comply with this directive,” he said.

The Eloqua chief privacy officer said many US companies are using multiple websites – one for EU citizens to fill out a form giving explicit permission for the company to place cookies on their machines and another for US citizens to opt out of cookie placement.

“The directive talks about getting explicit consent, either through a check box or through transparency in the websites. By filling out the form and clicking the submit button, you are agreeing to the terms and conditions. What is interesting is that the directive indicates that browser security controls enabling users to accept or block cookies can be deemed to be consent. If you accept cookies, that would be deemed consent, and the company wouldn’t have to use a check box”, Dayman explained.

“Some countries, like the UK and the Netherlands, which are still working on implementing the law, have stated that they would accept browser control settings as an indication of permission, as newer browser technologies come out”, he added.

In announcing the one-year extension, Commissioner Graham said that “browser settings giving individuals more control over cookies will be an important contributor to a solution. But the necessary changes to the technology aren’t there yet.”

Dayman noted that Eloqua is offering a product that helps marketers comply with the EU directive by automating the process of requesting opt-in consent from online visitors and automatically updating customers' databases with a visitor's opt-in status.
