While the European Union’s deadline for implementing new cookie rules has passed, substantial uncertainty remains about what organizations should do to make their online activities compliant. In this advisory we offer six practical tips for dealing with the uncertainty.

Background

The EU adopted the Citizens’ Rights Directive (“Directive”) in 2009 as part of a package of changes to update communications regulation. The Directive imposes new consent requirements on websites that use cookies, including potential limits on the use of online tracking for behavioral advertising. While the Directive’s implementation deadline was May 25, 2011, only a handful of European countries have completed their transposition of the new rules into national law.

EU member states have significant discretion to determine how they will implement the new rules, and many governments have delegated the interpretation and application of these rules to their national or regional data protection authorities. Consequently, even where legislation has been adopted, detailed implementation guidance will be needed. Given the broad scope of possible obligations under the Directive and the potential for a variety of interpretations of its rules, organizations operating websites or providing services over the Internet will need to assess their potential compliance obligations and monitor how key jurisdictions are interpreting the requirements.

The Directive amends the EU’s earlier e-Privacy Directive, which was adopted in 2002. One of the significant implications of the new rules is the requirement that a website user give consent to the use of cookies after having been provided information about cookie use. Under the old rules, providing the ability to opt out of cookies was sufficient, and notification of such a policy could be incorporated into a website’s main privacy statement. If opt-out is no longer allowed, what form of an “opt-in” consent is required? Can Web browser settings satisfy the requirement for consent?

A single interpretation of the new cookie consent requirement has not emerged. The coordinating group for European data protection regulators, the Article 29 Working Party, issued an opinion in June 2010 that advocates a strict interpretation of an opt-in requirement. Under the most rigorous application of an opt-in cookie system, a website visitor would be required to affirmatively accept the cookie through a pop-up screen or similar splash page before entering a website. This type of application would have significant implications for European website operators.