Google recently sent out a letter to users of its AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange products.  It looked like this:

Dear Publisher,

We want to let you know about a new policy about obtaining EU end-users’ consent.
It clarifies your duty to obtain end-user consent when you use products like Google
AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange . . .
Please ensure that you comply with this policy as soon as possible, and
not later than September 30th, 2015 . . . 

The message is that Google is getting compliant with the EU cookie law (presumably as part of a renewed focus on privacy after a court decision, a few years ago, allowed plaintiffs’ suits to proceed against Google over its use of cookies in the EU), and is requiring the users of its products to do so as well.  If you use these Google products, you now have about sixty days to become compliant.  Even if you don’t, this is a good reminder to review how you use cookies, and to assess whether you are placing cookies on EU users’ devices and therefore should be complying with the law.

Cookies are pieces of data that a website stores on a user’s device, generally to provide what we’ve come to expect as basic site security and functionality: username and password prompts, language preferences, etc.  They also allow companies to figure out general details about site visitors: content viewed, duration of visits, ads accessed, browser used, etc.

There are two kinds of cookies.  The first are “first party” cookies.  They are placed on the user’s device by the operator of the website the user is visiting.  The other kind is the “third party” cookie.  Those are placed on a user’s device by operators of websites other than the one the user is currently visiting.  If a website has, say, a Facebook “like” button, that “like” button will place a cookie on the user’s device that can be read by Facebook.  That’s a third party cookie.

There are also things called super-cookies or perma-cookies.  These are cookies that last for extended periods of time and may not be removable by a user.  A website’s use of these cookies raises significant privacy concerns because they collect and store a lot of information, much of it potentially personal.  That’s great for online targeted advertising, but it is often not so great for security and privacy.

The major web browsers do allow users to block or delete cookies from their devices. So, in online privacy policies, there will usually be language that says something like: “To learn more about your ability to manage cookies, please consult the settings in your browser.  Note that by disabling cookies you may not be able to access certain features of our website.”  So users generally do have some control over the use of cookies.

EU Law

EU law requires more than such control.  The primary EU cookie law is found in Directive 2002/58/EC, commonly known as the e-Privacy Directive.  That law was amended in 2009 by the European Parliament.  The key change with regard to cookies came in Article 5(3).  The law previously permitted websites to use cookies so long as there was clear advance notice to the user.  This was somewhat comparable to the common U.S. approach, not required by national legislation, of describing a website’s use of cookies in a privacy policy.  But the 2009 change to Article 5(3) made it so that information can be stored in a cookie only after the user has given consent.

U.S. Companies

You might be thinking: I’m a U.S. company, why do I need to care about the EU cookie law?  The short answer is that if you use the Google advertising products mentioned above, Google is requiring it.  The longer answer is that if users of your website are from the EU, the Data Protection Directive (the EU’s main privacy law) and the Article 29 Working Party (an advisory board made up primarily of the data protection authorities of each EU member state, which issues advisory opinions on data protection law) say that you do.

The Article 29 Working Party has opined that the Data Protection Directive applies to non-EU website operators, including those from the U.S., because the placing of a cookie on an EU user’s device “make(s) use of equipment” that is located in the EU.  Where the sending of “a text file installed on a hard drive of a computer” will “receive, store, and send back information to a server situated in another country,” the Article 29 Working Party has said, the national law of the computer user – i.e., the EU Directives – applies.  While the Article 29 Working Party’s opinions are not controlling, they are worthy of very serious consideration.

Getting Compliant

Complying with the EU cookie law is not especially difficult.  It may require tweaking your privacy policy to provide more detailed information about your use of cookies than you currently provide.  It will also require some form of website banner or pop-up notice that seeks and obtains a user’s consent before non-essential cookies are set.  The good news (for your web designers) is that such notices can be configured to show up only for EU users, and they don’t look as bad as you might expect.  The International Association of Privacy Professionals, for example, uses a relatively subtle notice on its website.

There are also many tools, including free ones, that you can use to create the notice, so you don’t have to start from scratch. For example, the European Commission offers a “cookie consent kit”, which is easy to deploy.
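The steps above (a notice that appears only for EU visitors, and cookies that are written only after the visitor agrees) come down to a small piece of client-side logic.  The code below is an added example and is not from the original post, Google, or the Commission’s kit.  The consent cookie name, its lifetime, the in-memory cookie jar (a stand-in for document.cookie so the example runs outside a browser), and the way the EU decision is passed in as a flag are all assumptions made for the example.

```javascript
// Added example (not from the original post): a minimal consent gate that keeps
// non-essential cookies, such as ad or analytics identifiers, off an EU user's
// device until the user has agreed. The consent record itself is a first-party
// cookie, which is what the site needs to remember the answer.

const CONSENT_COOKIE = "eu_cookie_consent";   // assumed name for the consent record
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;   // assumed: ask again after 180 days

// EU member states at the time of the letter (2015), ISO 3166-1 alpha-2 codes.
// Keep this list maintained; it is an input to the "show the banner" decision.
const EU_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
  "SE", "GB",
]);

// Parse a "a=1; b=2" cookie string into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Constructed stand-in for document.cookie so the example runs in Node. It keeps
// the name=value part and treats Max-Age=0 as deletion; other attributes are
// accepted and ignored. In a browser, use:
//   { read: () => document.cookie, write: (s) => { document.cookie = s; } }
function createMemoryJar() {
  const store = new Map();
  return {
    read() {
      return [...store].map(([k, v]) => `${k}=${v}`).join("; ");
    },
    write(setCookie) {
      const [nameValue, ...attrs] = setCookie.split(";").map((s) => s.trim());
      const idx = nameValue.indexOf("=");
      const name = nameValue.slice(0, idx);
      const value = nameValue.slice(idx + 1);
      if (attrs.some((a) => /^max-age=0$/i.test(a))) store.delete(name);
      else store.set(name, value);
    },
  };
}

// isEu: whether the visitor is in the EU (e.g. from a geo-IP lookup done
// server-side and passed to the page; how that lookup is done is out of scope).
function createConsentGate(jar, { isEu }) {
  const pending = []; // cookie-setting work deferred until the user agrees

  // "granted", "denied", or "unknown" (no consent cookie yet).
  function consentState() {
    return parseCookies(jar.read())[CONSENT_COOKIE] || "unknown";
  }

  // Show the banner only to EU visitors who have not answered yet.
  function bannerNeeded() {
    return isEu && consentState() === "unknown";
  }

  // Run fn (which sets a non-essential cookie or loads an ad tag) immediately
  // when permitted, otherwise hold it until consent is recorded.
  function whenAllowed(fn) {
    if (!isEu || consentState() === "granted") fn();
    else pending.push(fn);
  }

  // Record the user's choice in a first-party cookie and release or drop the
  // deferred work. Secure and SameSite limit where the record can be read.
  function record(choice) {
    jar.write(
      `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`
    );
    if (choice === "granted") {
      while (pending.length) pending.shift()();
    } else {
      pending.length = 0;
    }
  }

  return { consentState, bannerNeeded, whenAllowed, record };
}

// Sample usage with constructed values: an EU visitor, an ad cookie that must wait.
const jar = createMemoryJar();
const gate = createConsentGate(jar, { isEu: EU_COUNTRIES.has("FR") });
gate.whenAllowed(() => jar.write("ad_id=abc123; Max-Age=3600; Path=/"));
console.log("banner needed:", gate.bannerNeeded(), "cookies:", jar.read() || "(none)");
gate.record("granted"); // the banner's "agree" handler would call this
console.log("banner needed:", gate.bannerNeeded(), "cookies:", jar.read());
```

The point of the gate is the ordering: anything that writes a non-essential cookie is wrapped in whenAllowed, so nothing is stored before the consent cookie says "granted".  A useful check during a compliance review is to load the site as an EU visitor with a clean profile and confirm that, before the banner is answered, the only cookie present is the site's own consent record.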

The bottom line is that if users of your website are based in the EU, and you use cookies, you should, like Google and the users of its AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange products, get compliant with the EU cookie law.