July 2012 update: How much has the cookie crumbled across the EU?

Data Protection Alert


  Download a copy of our update using the PDF icon.

In December 2011 and March 2012, DLA Piper published a summary of the way in which the law relating to cookies has been implemented the EU member states.
What's new?

Since our publication in March 2012, there has a been a number of updates in relation to the following jurisdictions:

  • Belgium
  • Cyprus
  • France
  • Greece
  • Italy
  • Malta
  • The Netherlands, and
  • Spain.

Furthermore, on 7 June 2012, Article 29 Working Party adopted an opinion addressing the meaning of 'cookie consent exemption' (WP 194). This opinion addresses and aims to clarify the types of cookies which would fall within the exemption set out under the E-Privacy Directive. A summary of the opinion is set out in the updated alert.

Finally, for those organisations who have business or otherwise are engaged in online activities in the United States of America, we have provided a general overview of considerations which organisations should bear in mind in the context of cookie compliance.

What does the law say?

The amended E-Privacy Directive1 which was to be implemented by all EU member states by 25 May 2011, requires the user to consent to the use of cookies. A copy of the 2009 E-Privacy Directive is available here. Please refer to Article 2(5) (at page 30), which amends Article 5(3) of Directive 2002/58/EC.

Article 5(3) of the E-Privacy Directive provides that "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with the Data Protection Directive2 about the purposes of the processing"3.

This change requires that consent to the use of cookies must be 'opt-in' (rather than 'opt-out'). However, there has been some uncertainty as to how the measures would be implemented into national law by the different EU member states and whether the law would, in practice, require additional measures to be taken to ensure the lawful use of cookies.

Download the PDF file to access the table which illustrates how Article 5(3) of the E-Privacy Directive has been implemented into the law of the applicable EU member state, together with a summary of the current position regarding the implementation of the E-Privacy Directive generally.

Previous DLA Piper cookie alerts:

1 UK Alert - updated July 2011

2 EU Wide Alert - as at June 2011

3 EU Cookie table - as at 5 December 2011

EU Cookie table - as at 1 March 2012

What should businesses do?

Businesses are advised to start assessing their cookie use now and developing their IT systems to make sure that they can properly comply. In essence, the more the use of a cookie relates to the personal information of a user, the more robust the procedures to obtain consent will have to be.

DLA Piper's EU Information Law team have developed a robust methodology to assist organisations through the complex rules relating to compliance with cookies and can assist organisations by undertaking a cookies audit, suggest compliance options and assist in the implementation of the most effective option.