Happy "Cookie Sweep Day"! : The impact for US businesses
Published on 9th Sep 2014
What is the “Cookie Sweep Day”?
Why do EU cookie rules affect US businesses?
US companies can be caught by EU data privacy rules in several scenarios: This will definitely be the case where the US company has a subsidiary within the EU which processes personal data. Thus, when expanding the business into the EU by opening up a subsidiary (no matter what legal form), US companies definitely need to take the EU data privacy laws, including cookie rules, into consideration.
But there are further situations in which EU cookie rules might apply. According to a very recent verdict by the European Court of Justice in the case Google/Gonzales (C-131/12), EU laws also apply to foreign businesses if they have another group company on the ground that just promotes the commercial activities of the US entity (i.e. even if the affiliated company is merely involved in marketing activities, EU data privacy laws will, according to the ECJ, still apply). Finally, the use of equipment within the EU for purposes of processing personal data also triggers application of EU data privacy rules. Most EU DPAs argue in this respect that a cookie on the computer of an EU citizen must already be considered equipment in
What will European data protection authorities investigate?
- What types of cookies are used on the website?
- What is the purpose of the cookies (i.e. do the cookies serve the functions of the website or do they enable web tracking or online behavioral advertising)?
- If so, how is this consent obtained (implied vs. explicit consent)?
- Can users still use the website even though they have refused to give their consent? Do the users have the option to deny their consent only with regards to specific cookies (e.g. cookies used for purposes of online behavioral advertising while still using the cookies which support the functions of the website)?
- Can users withdraw their consent at any time?
- What is the duration of cookies?
- Determine whether European data protection law applies.
- Check which kinds of cookies are used on the websites and which purposes they serve.
- Assess whether consent is required (opt-in vs. opt-out) and how it must be obtained (implicit vs. explicit consent).
- Adjust the website according to the legal requirement, e.g. by updating the information on the website or by implementing a correct opt-in mechanism.
In contrast to the situation in France, Germany has not implemented the opt-in requirement stemming from Sec. 5 of Directive 2009/136/EC into national law. Rather, the German government takes the view that the existing opt-out regime already complies with the requirements under the Directive. This has caused some legal uncertainty because several legal scholars in Germany (and also some DPAs) argue that the national law must be interpreted in the light of Directive 2009/136/EC and that, therefore, an opt-in would also be required in Germany.
In the Netherlands, clear and complete information on the use and purpose of cookies as well as prior opt-in consent is required before placing cookies on the equipment of an internet user. In addition, the Dutch cookie legislation contains a legal presumption that tracking cookies constitute the processing of personal data. Based on this legal presumption the Dutch DPA has enforced the cookie legislation twice over the last six months, making the enforcement of the cookie legislation a top priority in the Netherlands at the moment.