Much has been said about the EU “Cookie” laws introduced by an amendment to the Privacy and Electronic Communications Directive in 2011. Companies with European customers (including those in the US) have grappled with the law’s requirement to obtain informed consent from visitors to their websites before cookies can be used.
Not only has the law been the subject of much academic debate, but European regulators have also issued a series of guidance papers on the issue, including recent publications from the UK’s Information Commissioner’s Office and from the Article 29 Working Party, the group made up of representatives from the various EU privacy regulators. These provide layers of at times arguably conflicting commentary on how to comply with the law.
Whilst question marks hang over key issues (e.g. what constitutes valid consent before cookies can be placed?), with the various EU data protection authorities mooting and often disagreeing on the same, the regulators across the EU appeared to be approaching enforcement actions for breach of the new laws rather gingerly, no doubt a reflection of the wider debates taking place.
Now, four years since the adoption of the Cookie laws, we have the first examples of companies being fined by a European regulator for non-compliance. The Spanish regulator fined two companies for failing to provide clear and comprehensive information about the cookies they used. The two decisions can be found here: http://www.agpd.es/portalwebAGPD/resoluciones/procedimientos_sancionadores/ps_2014/common/pdfs/PS-00321-2013_Resolucion-de-fecha-14-01-2014_Art-ii-culo-5.1-LOPD-22.2-LSSI.pdf
Whilst the fines were not exactly earth-shattering (3,500 Euros apiece), the fact that the cookies used were rather commonplace and not particularly intrusive to individuals’ privacy makes these cases more worthy of note and acts as a stark warning to those who have taken a similarly relaxed attitude to compliance so far.
Furthermore, it’s not as if the websites in question didn’t take any action after the new law was introduced. To the contrary, they reportedly made attempts to comply with the law, but their measures didn’t go far enough – which should make those companies who have buried their heads in the sand even more nervous.
The key point for business is not just the fact that we are seeing more enforcement now, nor the level of fine, but rather the fact that cookie law breach is a highly visible “marker” that can draw the attention of the regulators and increase the chances of a deeper audit, which can potentially expose wider breaches and lead to more serious enforcement action. This is the greater consequence of these recent developments and more reason to get one’s compliance right.
These cases underline how EU member states, driven by cultural sensitivities, consider the use of cookies to be intrusive. Companies doing business in Europe have had time since the passing of the Cookie law to take action. We expect to see a significant ramp-up in enforcement action across the EU; we hear reports of numerous warning letters coming from regulators across the EU. For companies that have not yet reviewed their cookie policies and procedures, compliance should move to the top of the corporate agenda.