What percentage of United States retailers configure their cookie notice to respond differently to visitors with European IP addresses?

BCLP

5%

There are two situations in which the GDPR purports to apply extraterritorially to companies that have no contacts with the European Union. The first situation, described in Article 3(2)(a) of the GDPR, occurs when a company that has no contacts with the European Union “offer[s] goods or services” to a person that is located in the European Union. The second situation, described in Article 3(2)(b) of the GDPR, occurs when a company that has no contacts with the European Union “monitor[s]” the “behaviour” of someone “as far as their behaviour takes place within the Union.”1

While the regulation implied that merely having an internet website that is accessible to European Union residents is not enough for the GDPR to attach based upon Article 3(2)(a), there is uncertainty about whether a European supervisory authority might attempt to apply the GDPR to a website that is accessible to European Union residents and that deploys behavioral tracking cookies. 

The European Data Protection Board has only added to this uncertainty.  On 16 November 2018, the EDPB issued guidance that stated that the application of Article 3(2)(b) “could . . . encompass a broad range of monitoring activities, including in particular: Behavioural advertisement . . . [or] Online tracking through the use of cookies or other tracking techniques such as fingerprinting.”2  This suggests that a website that does not offer a good or service to Europeans might still be subject to the GDPR if it deploys tracking cookies.  The EDPB went on to say, however, that in order for monitoring jurisdiction to apply, it is “necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.”3  As website operators typically do not have access to the data collected via third party cookies (e.g., behavioural advertising networks) and, therefore, are arguably not controllers with respect to that data (let alone capable of analyzing or profiling data subjects from the data), the EDPB’s guidance suggests that a website operator may not trigger the application of the GDPR by permitting a third party tracking cookie to be deployed.  In connection with first party tracking cookies (i.e., those owned and controlled by the website operator), the guidance suggests that the GDPR would only be triggered if the operator used the information obtained from a cookie in order to conduct behavioral analysis specific to the data subject.  The guidance did not specify, however, the extent to which a company must engage in behavioral analysis before jurisdiction under Article 3(2)(b) would be triggered.  
For example, there may be a distinction between a website that deploys a first party cookie which is intended to track a user over time and across multiple websites that are owned by a single company in order to create a long-term profile, and a single session cookie that may profile a user and provide recommendations based upon the user’s behavior over a short period of time (e.g., one session).

One strategy considered by many United States companies for mitigating the risk that a supervisory authority might determine that a United States retailer that deploys behavioral advertising cookies is subject to the GDPR is to deploy a geofenced cookie banner – i.e., one that seeks opt-in consent before the deployment of cookies from website visitors that utilize a European IP address, but does not require opt-in consent before the deployment of cookies from website visitors that utilize a United States IP address. 

In order to help companies understand and benchmark industry practices, BCLP randomly selected a sample of 33% of the Fortune 500 companies identified as being predominantly within the “retailing” sector and then visited their homepages from a server with an IP address in the United States and from a server with an IP address in Europe.4  As of January 13, 2020, 5% of Fortune 500 retailers deployed a geofenced cookie banner that required opt-in consent from European visitors, but did not require opt-in consent from United States visitors.5

For more information and resources about the CCPA visit http://www.CCPA-info.com. 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.


1. GDPR, Article 3(2)(b).

2. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 18.

3. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 18.

4. Websites were visited from a server in Paris, France with the following IP: 139.28.219.252.

5. Note that some companies in the survey population maintain multiple homepages.  For example, a corporation might own several different retail brands.  The survey focused only on the homepage of the corporate parent (if available) and did not analyze brand-specific practices.  If no corporate homepage was available the survey reviewed the website of the company’s most prevalent brand.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
