Web cookies, EU Privacy Directive, Stringent Penalties

The ePrivacy Directive, known informally as the EU Cookies Directive or EU Cookie Law, is a data privacy directive that covers all members of the EU and was adopted in 2011. The Cookie Law gives EU members the right to refuse the use of cookies when using online websites, as these cookies can impact and effectively reduce a user’s online privacy. Virtually all websites use some form of cookies, otherwise known as little data files, to store pertinent information in an online user’s web browser. As such, the Cookies Law was passed to make EU consumers aware of how their personal information relating to cookies is collected and used online, and to provide EU consumers the choice to allow the use of cookies or deny said use.

What are website cookies?

Cookies are a form of short-term memory in the context of the world wide web, and are stored in an online user’s browser to enable a particular site to remember small pieces of information concerning a user’s website or page visits. Cookies are widely used to make the online web experience more personal for users, as this saved data allows consumers to navigate online websites with a greater level of convenience. For instance, cookies can be used to save login information on a particular website so that a user does not have to enter such information every time they log on.

However, cookies that are collected in relation to an online user can also be used to create a “behavioral profile” of said user. This behavioral profile can then be used to determine what content or advertisements an online user may be exposed to when surfing the web. This use of online cookies for the purposes of targeted advertising and marketing is specifically what the Cookie Law was created to highlight. By requiring websites to first inform visitors and obtain their consent, the law seeks to give EU members more control over their online privacy.

How do websites that interact with EU consumers comply with the Cookie Law?

When interacting with users online, the Cookie Law requires the following 4 actions of website owners when collecting cookies from users online:

Conversely, some online cookies do not require consent from users of online websites. As some online cookies are integral to the function of a particular website, the Cookie Law makes exceptions in relation to cookies that are deemed to be “strictly necessary” to fulfill the services required by users and visitors of a given online website. To give an example of cookies that are included in the exemptions of the Cookie Law, online retailers rely on cookies to ensure that users have a comfortable and streamlined shopping experience.

For instance, when shopping for clothes via an online store or marketplace, users expect items that they have added to their shopping cart to still be in the said shopping cart after they are done shopping and looking to check out. These online functions can only be completed via the use of cookie data or information, as without the use of cookies users would not be able to add multiple items to their shopping cart and purchase them all at once via the checkout feature. Alternatively, cookies that provide security features for websites where a high level of security is to be expected, such as online banking and stock trading websites, are also deemed to be “strictly necessary”.

When determining whether an online website’s cookies are considered “strictly necessary”, the Cookie Law outlines the following definition. An online cookie “shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” Additionally, the Cookie Law does not solely apply to online cookies, but instead covers all forms and means in which an online website can go about storing the personal data and information of EU consumers.

As there are many methods outside of online cookies that can be used to push files to a user’s computer, cellphone, or tablet, the Cookie Law avoids naming any form of technology explicitly. For example, online tools such as Flash and HTML5 Local Storage can also be used to store user information on an online website. As such, the Cookie Law was written in such a way to include all methods that can be used to collect a user’s information on an online website, including methods or technologies that have yet to be created.

What are the penalties for violating the Cookie Law?

As the EU Cookie Law is a legal directive as opposed to a legislative statute or law, it does not set forth any specific penalties in relation to violations. Instead, the Cookie Law requires that the local governments within the jurisdiction of the EU establish their own laws and penalties for non-compliance. As such, penalties for non-compliance with the Cookie Law can vary depending on location. Despite this, local regulators will typically adhere to the following levels of escalated action:

In accordance with the GDPR, the Cookie Law was passed to protect the privacy of consumers living within the EU. As online cookies can also be used to collect personal information related to online users, legislation such as the EU’s Cookie Law is growing increasingly necessary around the world. Moreover, as there are so many means and methods by which online websites can collect and store personal information related to online users, it is important that future legislation also covers methods and approaches for data collection that may be invented in the future, just as the EU’s Cookie Law has done.
