Section 508

March 22nd, 2016

Don’t Get Caught with One Hand in the Cookie Jar

Imagine you are a US based company selling products online. Your customers are mostly from the US, but you regularly get some purchases from European countries even though you are not targeting the EU market. Are there any cookie laws that apply to your website? Or are there regulations that your business needs to take into account when using cookies?

If you are not sure what cookies are, we’ve included a mini guide at the bottom of this post.

EU law requires websites to get consent from visitors to store or retrieve any information on a computer, smartphone or tablet. Therefore, all companies doing business in the EU need to comply with the regulations, and are bound by those in each individual country. E.g. a US website with UK visitors ought to be asking for consent from their UK visitors according to the UK legislation.

However, the EU cookie law does not apply to cookies that:

  • are for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • are strictly necessary to provide a service over the Internet requested by the subscriber or user which must be essential to fulfil their request.

Cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

EU Cookie Law

These are the three critical issues that you need to consider for the determination of the applicability of the EU cookie law:

  • location of the company owning the website
  • location of the servers for the site
  • intended audience of the site

By not complying with EU cookie laws, website operators can face enforcement actions and the exceptional fine. More importantly, it can create a lower level of trust from their users.

US Cookie Law

US law does not have a specific law around cookies. However, the FTC introduced some rules around Fair Information Practices Principles. On the basis of its deceptive and unfair practices jurisdiction, the FTC has been regulating the industry comprised of commercial websites. The key idea is that within their privacy policies, website should not make any commitment they cannot uphold.

By not complying with the FTC rules the risks undertaken by the website operators are enforcement actions and fines.

In addition to EU and US laws, international best practices have been generally accepted and implemented. They allow for the user to be given at least the option to opt-out of the use of cookies.

What You Need to Consider When Using Cookies

To come back to our scenario, should you abide by EU law if you are a US business? The answer is not that straightforward. You may start by asking yourself:

  • What cookies do I have?
  • Does the EU law apply to my website?
  • What are my competitors doing?
  • Am I currently applying best practices?

What we would recommend any business to do is adopt these best practices where cookies do:

  • not store unencrypted personal info
  • provide adequate notice of their usage
  • use a persistent variation only if the need justifies it
  • not set long expiration dates
  • disclose the involvement of a third party cookie provider (if applicable) as well as an opt-out (or in EU opt-in) mechanism for delivery from that third party.

If you have any additional questions regarding cookies or privacy, feel free to send me an email.

Agathe Caffier,
Senior Counsel, International Operations and Privacy Specialist

What Are Cookies?

Cookies are a kind of short-term memory for the web. They are stored in website users’ browsers and enable websites to ‘remember’ little bits of information between pages or visits. There are multiple types of cookies available:

Session-based vs. Persistent Cookies
Session-based cookies are the ones used in e.g. shopping carts and are not subject to any privacy debate as they expire when the browser is closed and do not recognize a device overtime.

Persistent cookies enable personalization as they expire at a later date (which can be in years) and recognizes a device (i.e. a user that has previously visited the website).

First-party vs. Third-party Cookies
Where the former cookies are set and read by the owner of a website, third-party cookies are set and read by someone other than the website owner.

Flash vs. HTML Cookies
Flash cookies are stored outside of an Internet browser and can not be deleted directly through the browser as opposed to HTML cookies.

Illustration by Surian Soosay (CC BY 2.0)

Tags: privacy security

Connect with us

Job Openings

Want to be part of our growing team?

View More
Work with us

Learn how DMI can help you grow, or launch your business.

Get In Touch

See all of our locations around the world

View Locations