Web cookies, EU Privacy Directive, Stringent Penalties

The ePrivacy Directive, known informally as the EU Cookies Directive or EU Cookie Law, is a data privacy directive that covers all members of the EU and was adopted in 2011. The Cookie Law gives EU members the right to refuse the use of cookies when using online websites, as these cookies can impact and effectively reduce a user’s online privacy. Virtually all websites use some form of cookies, otherwise known as little data files, to store pertinent information in an online user’s web browser. As such, the Cookies Law was passed to make EU consumers aware of how their personal information relating to cookies is collected and used online, and to provide EU consumers the choice to allow the use of cookies or deny said use.

What are website cookies?

Cookies are a form of short-term memory in the context of the world wide web, and are stored in an online user’s browser to enable a particular site to remember small pieces of information concerning a user’s website or page visits. Cookies are widely used to make the online web experience more personal for users, as this saved data allows consumers to navigate online websites with a greater level of convenience. For instance, cookies can be used to save login information on a particular website so that a user does not have to enter such information every time they log on.

However, cookies that are collected in relation to an online user can also be used to create a “behavioral profile” of said user. This behavioral profile can then be used to determine what content or advertisements an online user may be exposed to when surfing the web. This use of online cookies for the purposes of targeted advertising and marketing is specifically what the Cookie Law was created to highlight. By requiring websites to first both inform and obtain consent from visitors to their website, the law seeks to give EU members more control over their online privacy.

How do websites that interact with EU consumers comply with the Cookie Law?

When interacting with users online, the Cookie Law requires the following 4 actions of website owners when collecting cookies from users online:

• When a user visits a website, website owners are obliged to let users know that their website uses cookies.
• Website owners are obliged to provide users with detailed information concerning how their cookie data will be utilized.
• Website owners are required to provide users with some means of accepting or rejecting cookies when using their website.
• If users reject the use of cookies when using a particular website, website owners must ensure that cookies are not placed on a said users’ machine.

Conversely, some online cookies do not require consent from users of online websites. As some online cookies are integral to the function of a particular website, the Cookie Law makes exceptions in relation to cookies that are deemed to be “strictly necessary” to fulfill the services required by users and visitors of a given online website. To give an example of cookies that are included in the exemptions of the Cookie Law, online retailers rely on cookies to ensure that users have a comfortable and streamlined shopping experience.

For instance, when shopping for clothes via an online store or marketplace, users expect items that they have added to their shopping cart to still be in the said shopping cart after they are done shopping and looking to checkout. These online functions can only be completed via the use of cookie data or information, as without the use of cookies users would not be able to add multiple items to their shopping cart and purchase them all at once via the checkout feature. Alternatively, cookies that provide security features for websites where a high level of security is to be expected, such as online banking and stock trading websites, are also deemed to be “strictly necessary”

When determining whether an online website’s cookies are considered “strictly necessary”, the Cookie Law outlines the following definition. An online cookie “shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” Additionally, the Cookie Law does not solely apply to online cookies, but instead covers all forms and means in which an online website can go about storing the personal data and information of EU consumers.

As there are many methods outside of online cookies that can be used to push files to a user’s computer, cellphone, or tablet, the Cookie Law avoids naming any form of technology explicitly. For example, online tools such as Flash and HTML5 Local Storage can also be used to store user information on an online website. As such, the Cookie Law was written in such a way to include all methods that can be used to collect a user’s information on an online website, including methods or technologies that have yet to be created.

What are the penalties for violating the Cookie Law?

As the EU Cookie Law is a legal directive as opposed to a legislative statute or law, it does not set forth any specific penalties in relation to violations. Instead, the Cookie Law requires that the local governments within the jurisdiction of the EU establish their own laws and penalties for non-compliance. As such, penalties for non-compliance with the Cookie Law can vary depending on location. Despite this, local regulators will typically adhere to the following levels of escalated action:

• Request for information – Before a local EU regulatory authority starts making requests for changes, they may ask a website owner to provide them with additional information. This additional information can include specifics concerning the types of cookies that a site uses, links to the cookie information of a particular website, as well as any other pertinent information that can be used to determine whether a website is in compliance.
• Request for changes – Once a local EU regulator has made the determination that a particular website has failed to maintain compliance with the Cookie Law, they can then ask that website owner to make changes to the website that would make said website compliant. This is considered a friendly warning.
• Enforcement – After a website owner has failed to adequately respond to both a request for information and a request for changes, A local EU regulatory authority will then give said website owner a list of specific actions that must be taken to make said website compliant within a set amount of time.
• Fines – If a website owner has failed to respond or comply with the three steps stated above, a local regulatory authority can then impose monetary fines and penalties against said website owner. Once again, these fines and penalties will vary based on location. To provide an example of such fines related to online cookies, France’s data protection agency, the CNIL, fined Google 120 million euros and Amazon 42 million euros for Cookie Law violations in 2020 alone.

In accordance with the GDPR, the Cookie Law was passed to protect the privacy of consumers living within the EU. As online cookies can also be used to collect personal information related to online users, legislation such as the EU’s Cookie Law is growing increasingly necessary around the world. Moreover, as there are so many means and methods by which online websites can collect and store personal information related to online users, it is also important that future legislation also covers methods and approaches for data collection techniques that may be invented in the future, just as the EU’s Cookie Law has done.