Happy "Cookie Sweep Day"! : The impact for US businesses

Published on 9th Sep 2014

The use of cookies on websites in Europe raises data privacy concerns. Following an announcement by the CNIL (the French data protection authority), “Cookie Sweep Days” will take place across the EU between 15 and 19 September 2014 during which compliance of website operators with EU cookie rules will be checked by data protection authorities (DPAs) across the EU. On this occasion, we have collected some of the main issues which US companies should be aware of when using cookies on their EU websites.

What is the “Cookie Sweep Day”?

During “Cookie Sweep Day” (which is actually a week), the French CNIL and other European DPAs will conduct online investigations to verify compliance with the legal requirements regarding the use of cookies under EU data protection laws. For this purpose, the DPAs will automatically scan websites.

Why do EU cookie rules affect US businesses?

US companies can be caught by EU data privacy rules in several scenarios. This will definitely be the case where the US company has a subsidiary within the EU which processes personal data. Thus, when expanding the business into the EU by opening up a subsidiary (no matter what legal form), US companies definitely need to take the EU data privacy laws, including cookie rules, into consideration.

But there are further situations in which EU cookie rules might apply. According to a very recent verdict by the European Court of Justice in the case Google/Gonzales (C-131/12), EU laws also apply to foreign businesses if they have another group company on the ground that just promotes the commercial activities of the US entity (i.e. even if the affiliated company is merely involved in marketing activities, EU data privacy laws will, according to the ECJ, still apply). Finally, the use of equipment within the EU for purposes of processing personal data also triggers application of EU data privacy rules. Most EU DPAs argue in this respect that a cookie on the computer of an EU citizen must already be considered equipment in that sense.

What will European data protection authorities investigate? 

European DPAs will focus on the following aspects of the use of cookies: 

  • What types of cookies are used on the website?
  • What is the purpose of the cookies (i.e. do the cookies serve the functions of the website or do they enable web tracking or online behavioral advertising)?
  • Does the website collect opt-in consent from users to the use of cookies?
  • If so, how is this consent obtained (implied vs. explicit consent)?
  • What information does the website provide on the use of cookies? Is the information comprehensive and accessible?
  • Can users still use the website even though they have refused to give their consent? Do the users have the option to deny their consent only with regard to specific cookies (e.g. cookies used for purposes of online behavioral advertising while still using the cookies which support the functions of the website)?
  • Can users withdraw their consent at any time?
  • What is the duration of cookies? 

How do you determine whether your use of cookies complies with European data protection laws? 

US companies should take the following steps to determine whether they need to do something about their use of cookies:  

  • Determine whether European data protection law applies.
  • Check which kinds of cookies are used on the websites and which purposes they serve.
  • Assess whether consent is required (opt-in vs. opt-out) and how it must be obtained (implicit vs. explicit consent).
  • Assess the comprehensiveness, clarity and accessibility of the information on cookies provided on the website / in the privacy policy.
  • Adjust the website according to the legal requirements, e.g. by updating the information on the website or by implementing a correct opt-in mechanism.

Diverging legal requirements regarding the use of cookies in the EU

Any assessment of the EU’s cookie law regime needs to take into account which EU Member State the website operator is established in or in which the cookie is actually used. This is because, unfortunately, legal requirements regarding the use of cookies on websites still differ across Europe even though an EU directive governs this area of law (Directive 2009/136/EC). The reason for this divergence is that the Directive is not directly applicable but instead is implemented into national law in each EU Member State. The resulting national laws differ considerably. Furthermore, the interpretations by the various national DPAs vary, too.

By way of example, we have summarized the main requirements regarding the use of cookies for some EU jurisdictions below (please note that the information is not comprehensive and additional requirements might be applicable in the individual case).


France

In France, the CNIL requires websites to only set cookies after user consent has been obtained. In this regard, the CNIL has taken a two-step “soft opt-in” approach to consent requirements: the CNIL recommends posting a dedicated banner on the home page that states that by continuing to use the website, the user agrees to have cookies set on his/her terminal (the first step). The banner shall also include a link to another page with the practical ways to oppose such use (opt-out) (e.g. a “more information” link on the banner to the cookie policy) (the second step). The CNIL has recently imposed a fine on Google in part because cookies were already set while the banner informing about the use of cookies was displayed on the website. Furthermore, the CNIL requires web publishers to give users the possibility to only refuse the use of specific cookies (like those for behavioral advertising). Some exceptions apply (e.g. session cookies, authentication cookies, basket cookies), for which no consent is necessary.


Belgium

As is the case in France, Belgian law requires websites to only set ‘non-functional’ cookies after user consent has been obtained (no consent must be obtained for the use of so-called ‘functional’ cookies, such as session cookies, authentication cookies, basket cookies). The Belgian legislator, however, failed to clarify what constitutes valid user consent or how it must be obtained. In an effort to tackle the legal uncertainties surrounding the use of cookies under Belgian law, the Belgian Privacy Commission launched a consultation round on 24 April 2014. All the relevant stakeholders have been invited to participate and submit their advice and suggestions before 31 July. The Privacy Commission is expected to publish its report with recommendations later this year.


Germany

In contrast to the situation in France, Germany has not implemented the opt-in requirement stemming from Sec. 5 of Directive 2009/136/EC into national law. Rather, the German government takes the view that the existing opt-out regime already complies with the requirements under the Directive. This has caused some legal uncertainty because several legal scholars in Germany (and also some DPAs) argue that the national law must be interpreted in the light of Directive 2009/136/EC and that, therefore, an opt-in would also be required in Germany.

The UK

The ICO in the UK has recently recognized an implied “soft opt-in” consent approach similar to that accepted by the CNIL in France as a valid form allowing the use of cookies. However, as is the case in France, if a company is relying on implied consent, it must be satisfied that users understand that their actions will result in cookies being set. Otherwise, the company would not have their informed consent. For that reason, website operators are encouraged to include links to further information via banners and pop-up notices.

The Netherlands

In the Netherlands, clear and complete information on the use and purpose of cookies as well as prior opt-in consent is required before placing cookies on the equipment of an internet user. In addition, the Dutch cookie legislation contains a legal presumption that tracking cookies constitute the processing of personal data. Based on this legal presumption the Dutch DPA has enforced the cookie legislation twice over the last six months, making the enforcement of the cookie legislation a top priority in the Netherlands at the moment.


Italy

In Italy, a decision by the national DPA on the use of cookies was recently published on 3 June 2014, according to which implied consent for the use of profiling cookies has been accepted. Yet, as soon as the user accesses the website, a banner of appropriate dimensions must immediately be displayed, informing about the use of cookies. The banner must contain detailed information about the use of cookies, their purposes and how to accept or deny them. Compliance with these requirements must be ensured within 1 year after the publication of the decision, i.e. by 3 June 2015.


Spain

The Spanish DPA also accepts implied consent as a condition to use specific cookies (e.g. analytic and behavioral advertising cookies), provided that users are given clear and accessible information on their purposes and origin (whether these are first or third party cookies) and that they are warned that a specific action is considered an acceptance to use them (lack of action cannot be considered valid consent). Moreover, website editors must permanently inform users on how to uninstall said cookies, without this implying the automatic termination of the website service. The Spanish DPA has recently imposed sanctions on small and medium-sized enterprises due to the lack of compliance with consent and information requirements on the use of cookies.

Interested in hearing more from Osborne Clarke?

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
