Imagine you are a US-based company selling products online. Your customers are mostly from the US, but you regularly get some purchases from European countries even though you are not targeting the EU market. Are there any cookie laws that apply to your website? Or are there regulations that your business needs to take into account when using cookies?
If you are not sure what cookies are, we’ve included a mini guide at the bottom of this post.
EU law requires websites to get consent from visitors to store or retrieve any information on a computer, smartphone or tablet. Therefore, all companies doing business in the EU need to comply with the regulations, and are bound by those in each individual country. For example, a US website with UK visitors ought to be asking its UK visitors for consent in accordance with UK legislation.
However, the EU cookie law does not apply to cookies that:
- are for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- are strictly necessary to provide a service over the Internet requested by the subscriber or user which must be essential to fulfil their request.
Cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.
EU Cookie Law
These are the three critical issues that you need to consider when determining whether the EU cookie law applies:
- location of the company owning the website
- location of the servers for the site
- intended audience of the site
Website operators that do not comply with EU cookie laws can face enforcement actions and, in exceptional cases, a fine. More importantly, non-compliance can lower their users' trust.
US Cookie Law
The US does not have a specific law on cookies. However, the FTC introduced some rules around Fair Information Practices Principles. On the basis of its jurisdiction over deceptive and unfair practices, the FTC has been regulating the industry made up of commercial websites. The key idea is that, within their privacy policies, websites should not make any commitment they cannot uphold.
Website operators that do not comply with the FTC rules risk enforcement actions and fines.
What You Need to Consider When Using Cookies
To come back to our scenario, should you abide by EU law if you are a US business? The answer is not that straightforward. You may start by asking yourself:
- What cookies do I have?
- Does the EU law apply to my website?
- What are my competitors doing?
- Am I currently applying best practices?
We would recommend that any business adopt these best practices for its cookies:
- do not store unencrypted personal info in them
- provide adequate notice of their usage
- use a persistent variation only if the need justifies it
- do not set long expiration dates
- disclose the involvement of a third-party cookie provider (if applicable), as well as an opt-out (or, in the EU, opt-in) mechanism for delivery from that third party.
If you have any additional questions regarding cookies or privacy, feel free to send me an email.
Senior Counsel, International Operations and Privacy Specialist
What Are Cookies?
Cookies are a kind of short-term memory for the web. They are stored in website users’ browsers and enable websites to ‘remember’ little bits of information between pages or visits. There are multiple types of cookies available:
Session-based vs. Persistent Cookies
Session-based cookies are the ones used in, for example, shopping carts. They are not subject to any privacy debate, as they expire when the browser is closed and do not recognize a device over time.
Persistent cookies enable personalization, as they expire at a later date (which can be years away) and recognize a device (i.e. a user that has previously visited the website).
First-party vs. Third-party Cookies
First-party cookies are set and read by the owner of a website, whereas third-party cookies are set and read by someone other than the website owner.
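Both distinctions above can be read off the Set-Cookie response headers a page produces, which is a practical way to answer "What cookies do I have?". The following Python sketch is an added example, not part of the original post: the function names, the 365-day lifetime limit, the email-address heuristic for personal info, and the sample hosts are all assumptions made for illustration, and the caller supplies the site's own domain.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote

MAX_LIFETIME = timedelta(days=365)   # assumed internal policy limit, not a legal figure
EMAIL = re.compile(r"[^@\s;=]+@[^@\s;=]+\.[a-z]{2,}", re.I)  # crude personal-data heuristic

def audit_cookie(response_host, header, site_domain, now):
    """Classify one Set-Cookie header value seen while loading a page on site_domain."""
    pair, *rest = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # Max-Age wins over Expires; with neither, the cookie ends with the browser session.
    lifetime = None
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    kind = "session" if lifetime is None else "persistent"

    # The cookie's scope is its Domain attribute, or else the host that set it.
    scope = attrs.get("domain", response_host).lstrip(".").lower()
    party = "first" if scope == site_domain or scope.endswith("." + site_domain) else "third"

    findings = []
    if lifetime is not None and lifetime > MAX_LIFETIME:
        findings.append("long expiration")
    if party == "third":
        findings.append("third party: disclose and offer opt-out/opt-in")
    if EMAIL.search(unquote(value)):
        findings.append("possible unencrypted personal info")
    return {"name": name, "kind": kind, "party": party, "findings": findings}

# Constructed sample: (responding host, Set-Cookie value) pairs for a page on shop.example.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("www.shop.example", "cart=a1b2c3; Path=/; Secure; HttpOnly"),
    ("www.shop.example", "user=jane%40mail.example; Domain=shop.example; Max-Age=86400"),
    ("ads.tracker.example", "uid=77f1; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure"),
]

def audit_sample():
    return [audit_cookie(host, hdr, "shop.example", NOW) for host, hdr in SAMPLE]

if __name__ == "__main__":
    for row in audit_sample():
        print(row)
```

The email check only catches one obvious form of personal data stored in the clear; an empty findings list is a prompt for manual review of the cookie's purpose, not proof of compliance.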
Flash vs. HTML Cookies
Flash cookies are stored outside of an Internet browser and, unlike HTML cookies, cannot be deleted directly through the browser.