Google recently sent out a letter to users of its AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange products. It looked like this:

Dear Publisher,

We want to let you know about a new policy about obtaining EU end-users’ consent. It clarifies your duty to obtain end-user consent when you use products like Google AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange. … Please ensure that you comply with this policy as soon as possible, and not later than September 30th, 2015. …

The message is that Google is getting compliant with the EU cookie law (presumably as part of a renewed focus on privacy after a recent decision allowed plaintiff suits to proceed against Google for its use of cookies in the EU a few years ago) and is requiring the users of its products to do so as well. If you use these Google products, you now have about 60 days to become compliant. Even if you don’t, this is a good reminder to review how you use cookies and to assess whether you are placing cookies on EU users’ devices and therefore should be complying with the law.

Cookies

Cookies are pieces of data that a website stores on a user’s device, generally to provide what we have come to expect as basic site security and functionality: username and password prompts, language preferences, etc. They also allow companies to figure out general details about site visitors: content viewed, duration of visits, ads accessed, browser used, etc.

There are two kinds of cookies. The first are “first party” cookies. They are placed on the user’s device by the operator of the visited website. The other kind of cookie is a “third party” cookie. Those are placed on a user’s device by operators of websites other than the ones the user is currently visiting. If one website, say taftlaw.com, has a Facebook “like” button on its site, that “like” button will place a cookie on the user’s device that can be read by Facebook. That’s a third party cookie.

There are also things called super- or perma-cookies. These are cookies that last for extended periods of time, and a user may not be able to remove them. A website’s use of these cookies raises significant privacy concerns because they collect and store a lot of information, much of it potentially personal. That is great for online targeted advertising, but it is often not so great for security and publicity.

The major web browsers do allow users to block or delete cookies from their devices. In online privacy policies, there will usually be language that states, “To learn more about your ability to manage cookies, please consult the settings in your browser. Note that by disabling cookies you may not be able to access certain features of our website.” Therefore, users generally do have some control over the use of cookies.

EU Law

EU law requires more than such control. The primary EU cookie law is found in Directive 2002/58/EC, which is commonly known as the e-Privacy Directive. That law was amended in 2009 by the European Parliament. The key change with regard to cookies came in Article 5(3). The law previously permitted websites to use cookies so long as there was clear advance notice to the user. That law was somewhat comparable to the common, though not required by national legislation, U.S. approach of providing information about a website’s use of cookies in a privacy policy. The 2009 change to Article 5(3) made it so that the storing of information in a cookie could only be done after a user has given consent.

U.S. Companies

You might be thinking, "I am a U.S. company. Why do I need to care about the EU cookie law?" The short answer is that if you are a user of Google’s advertising products mentioned above, Google is requiring it. The long answer is that if users of your website are from the EU, the Data Protection Directive (the EU’s main privacy law) and the Article 29 Working Party (an advisory board made up primarily of the data protection authorities of each EU member state that gives advisory opinions on issues of data protection law) say that you do.

The Article 29 Working Party has opined that the Data Protection Directive applies to non-EU website operators, including those from the U.S., because the placing of a cookie on an EU user’s device “make(s) use of equipment” that is located in the EU. Where the sending of “a text file installed on a hard drive of a computer” will “receive, store, and send back information to a server situated in another country,” the Article 29 Working Party has said that the national law of the computer user — i.e., the EU Directive — applies. While the Article 29 Working Party’s opinions are not controlling, they are worthy of very serious consideration.

Getting Compliant

Complying with the EU cookie law is not especially difficult. It may require tweaking your privacy policy to provide more detailed information about your use of cookies than you currently provide. It will require some form of website banner or pop-up notice that seeks and obtains a user’s consent. The good news (for your web designers) is that such notices can be configured to show up only for EU users, and they don’t look as bad as you might expect. The International Association of Privacy Professionals, for example, uses a relatively subtle notice on its website.

There are also many tools, including free ones, that you can use to create the notice, so you don’t have to start from scratch. For example, the European Commission offers a “cookie consent kit” that is easy to deploy.

The bottom line is that if users of your website are based in the EU and you use cookies, you should, like Google and users of its AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange products, get compliant with the EU cookie law.