how the eu has implemented the new law on cookies

33
www.dlapiper.com | 01 HOW THE EU HAS IMPLEMENTED THE NEW LAW ON COOKIES Updated 8 October 2012

Upload: others

Post on 03-Feb-2022

1 views

Category:

Documents


0 download

TRANSCRIPT

www.dlapiper.com | 01

How tHe eU Has implemented tHe new law on CookiesUpdated 8 October 2012

02 | How the EU has implemented the new law on Cookies

sUmmaRY oF eU implementation oF aRt 5(3) e pRiVaCY diReCtiVe (diReCtiVe 2002/58/eC)

eU member state

implemented into local law?

Regulator guidance published?

does local regulator interpret the law as requiring prior opt-in?

Can website operators rely upon implied1 consent?

Austria Yes No Yes No

Belgium Yes No Not clear Not clear

Bulgaria Yes No Yes Unknown

Cyprus Yes No Yes No

Czech Republic Yes No No N/A. Opt-out principle applies

Denmark Yes Yes No Yes

Estonia Yes No Unknown Unknown

Finland Yes No No Yes

France Yes Yes Yes No

Germany No No Unknown Unknown

Greece Yes No Yes No

Hungary Yes No No Currently yes

Ireland Yes Yes No Yes

Italy Yes No No Unknown

1 IntheUK,theICOhasdeemedimpliedconsentasamethodtoobtainconsent.Thiswillonlyworkwheretheuserisgivenspecificandcomprehensiveinformationabouttheuseofcookies,andtheusergivesanindicationofhiswishestoconsent(e.g.continuestobrowseanddoesn’tdisablecookies).

2 NorwayisnotanEUMemberbutasaconsequenceofitsmembershipintheEEA(EuropeanEconomicArea(Nw:EØS)),NorwayisunderanobligationtoadoptEUDirectives.

eU member state

implemented into local law?

Regulator guidance published?

does local regulator interpret the law as requiring prior opt-in?

Can website operators rely upon implied1 consent?

Latvia Yes No Yes No

Lithuania Yes Yes Yes Unknown

Luxembourg Yes No Yes No

Malta Yes, but not yet inforce

No Unknown Unknown

Netherlands Yes Yes Yes No

Norway2 No No No N/A

Poland No No Yes Yes

Portugal Yes No Yes No

Romania Yes No Yes Yes

SlovakRepublic Yes No Yes No

Slovenia No No Unknown Unknown

Spain Yes No Yes No

Sweden Yes No Yes Not clear

United Kingdom Yes Yes Yes Yes

www.dlapiper.com | 03

Austria ������������������������������������������������������������������������������������ 04

Belgium ����������������������������������������������������������������������������������� 05

Bulgaria����������������������������������������������������������������������������������� 06

Cyprus ������������������������������������������������������������������������������������ 06

Czech Republic ���������������������������������������������������������������������07

Denmark �������������������������������������������������������������������������������� 08

Estonia ������������������������������������������������������������������������������������ 09

Finland �������������������������������������������������������������������������������������10

France ��������������������������������������������������������������������������������������11

Germany ���������������������������������������������������������������������������������13

Greece�������������������������������������������������������������������������������������13

Hungary ����������������������������������������������������������������������������������14

Ireland��������������������������������������������������������������������������������������15

Italy �������������������������������������������������������������������������������������������16

Latvia ���������������������������������������������������������������������������������������17

Lithuania ���������������������������������������������������������������������������������17

Luxembourg ���������������������������������������������������������������������������18

Malta ����������������������������������������������������������������������������������������19

Netherlands ���������������������������������������������������������������������������19

Norway �����������������������������������������������������������������������������������21

Poland ��������������������������������������������������������������������������������������21

Portugal ���������������������������������������������������������������������������������� 22

Romania ����������������������������������������������������������������������������������24

Slovak Republic �������������������������������������������������������������������� 25

Slovenia ���������������������������������������������������������������������������������� 25

Spain �����������������������������������������������������������������������������������������26

Sweden ������������������������������������������������������������������������������������27

United Kingdom �������������������������������������������������������������������29

Contents

04 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

aUstRia

DLA Piper Contact:wolfgang Freundt +43 1 531 78 1401 wolfgang�freund@dlapiper�com

Yes No ■ The E Privacy Directive was implemented in Austria by amendmentoftherelevantprovisionsoftheAustrianTelecommunicationsAct(Telekommunikationsgesetz2003,“TKG”).ThechangestotheTKGhavecomeintoeffecton 22November2011.

■ TherelevantsectionoftheTKGnowstatesthatausermustgiveinformedconsentforthestorageofpersonaldata.

■ UnderAustrianlaw“informedconsent” is required prior to theprocessingofpersonaldata. The user has to be aware ofthefactthatconsentforthestorageorprocessingofpersonal data is given, as well asthedetailsofthedatatobestored or processed, and has toagreeactively.Thereforeobtaining consent via some formofpopuporclickthroughagreement seems advisable.

■ Consentbywayofbrowsersettings, or a pre-selected check-boxetc.isnotsufficientin this respect.

■ Furthermoreincaseofconsentbywayofbrowsersettingstherequiredinformationregardingthestorageofpersonaldatamust be made available to the user as is required by the TKG.

Yes a) Telekommunikationsgesetz2003asamendedbyBGBlINr.102/2011;

b) N/A;and

c) AustrianRegulatoryAuthorityforBroadcastingand Telecommunications (RTR)/AustrianDataProtection Authority (DSK).

www.dlapiper.com | 05

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

BelGiUm

DLA Piper Contact:patrick Van eecket +32 (0)2 500 1630 patrick�van�eecke@dlapiper�com

Yes No ■ Article5(3)oftheE-PrivacyDirectivewas implemented into Belgian Lawbymeansofamendmentofarticle129oftheBelgianElectronicCommunication Act. The amendment followsthewordingoftheE-PrivacyDirective closely. As a result, the amendedarticle129oftheBelgianElectronic Communication Act requirespriorinformedconsent.

■ Theamendedarticle129oftheBelgian Electronic Communication Actdoesnotallowfortheuser’sconsent to be expressed by usage oftheappropriatesettingsofabrowser or other application as suggested by the European legislator inconsideration66oftheCookieDirective.

■ Thereisnospecificregulationonconsentinthecontextofcookies. The general rules on data protection must be complied with, meaning that consentmustbeprior,free,specificandinformed.

The law does not foreseeinstricterwording than that determined in article 5(3)oftheE-PrivacyDirective.

The Belgian authorities(PrivacyCommission/Telecommunications Regulator)mayhowever chose to issue regulatory guidance on applying the rules and distinguishing betweentypesofcookies.

a) Article129oftheElectronic Commerce Act

b) Notissuedyet

c) TheBelgianInstituteforPostalServicesandTelecommunications and the Belgian Privacy Commission

express opt-in Consent Required (if so, required by law or regulatory guidance)?

06 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

BUlGaRia

Firm:wolf theiss

Website:www�wolftheiss�com

Contact:anna Rizovat +359 2 861 3703 anna�rizova@wolftheiss�com

Yes No ■ Art.5(3)ofEPrivacyDirectivewas implemented into Bulgarian legislationon29December2011.It now states that users should be provided with clear and comprehensiveinformationaboutthepurposesofdataprocessingandthey must be given the opportunity torefusestoringoraccessingsuchinformation.

■ Consentmeansanyfreelygiven,explicitandinformedstatementofthedatasubjectbywhichthedatasubjectunambiguously gives their consent to their personal data being processed.

Yes a) ElectronicCommerceAct;

b) N/A;and

c) ConsumersProtectionCommission.

CYpRUs

Firm:pamboridis & associates

Website:www�pamboridis�com

Contact:Yiota kythreotou theodorout +357 22 753 100 kythreotou@pamboridis�com

Yes No ■ Directive2009/136/EChasbeenimplemented in Cyprus on the 18May2012,throughLawNo.51(I)/2012amendingtheRegulationofElectronicCommunicationsandPostalServicesLaw.

■ TheamendmentsfollowthewordingoftheE-PrivacyDirectiveclosely,and leave the detailed compliance requirementstobeclarifiedbytheCyprusOfficeoftheCommissionerforPersonalDataProtection.

■ PriorinformedconsentisrequiredinaccordancewiththeprovisionsoftheProcessingofData(ProtectionoftheIndividual)Lawof2001anditsamendmentLawNo.37(I)/2003.

■ Consentmeansconsentofthedatasubject,anyfreelygiven,expressandspecificindicationofhiswishes,clearlyexpressedandinformed,bywhichthedatasubject,havingbeenpreviouslyinformed,consentstotheprocessingofpersonaldata concerning him.

Yes, required by law a) TheElectronicCommunications and Postal ServicesLawof2004andits amendment Law No. 51(I)/2012;

b) N/A;and

c) OfficeoftheCommissionerofElectronicCommunications and Postal RegulationandtheOfficeoftheCommissionerforPersonal Data Protection.

www.dlapiper.com | 07

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

CZeCH RepUBliC

DLA Piper Contacts:peter Valertt +420 222 817 250 peter�valert@dlapiper�com

eva spurkovat +420 222 817 802 eva�spurkova@dlapiper�com

Yes No ■ On1January2011,theCzechRepublic implemented the E Privacy Directive. The E Privacy Directive was implemented into Czech law byActNo.468/2011Coll.,whichamendedActNo.127/2005Coll.,on Electronic Communications, as amended. The amendment went intoeffectonJanuary1,2011andintroduces the opt out principle.

■ TheEPrivacyDirectivewasreflectedintoSection89par.3oftheActonElectronic Communications which states:“Anyone who intends to use or uses electronic communications networks to store data or to gain access to data already stored in the terminal equipment of the participants or users, is required to inform such participants or users in advance and provably about the scope and purpose of the processing of data and is obliged to offer them to refuse the possibility of the processing.”

■ The Czech legislator derived themeaningofconsentfromthepurposeofthedirective,which is not to overload a userwithaconfirmationofhis consent at every website visit, but to provide him with aneasyopportunitytorefusestoringofpersonaldata.

No a) TheActNo.127/2005Coll., on Electronic Communications as applicablelaw;

b) OfficeforPersonalDataProtection(“OPDP”);and

c) MinistryofIndustryandTradeoftheCzechRepublic.

08 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

denmaRk

Firm:Horten

Website:www�horten�dk

Contact:egil Husumt +45 3334 4224 EHU@horten�dk

Yes Yes ■ Directive2009/136/ECwasimplemented in the new Danish Act on Electronic Communications ServicesandNetworkswhichcameintoforceon25May2011inaccordance with the implementation deadline in the Directive. However, theActdidnotimplementthespecificprovisionsconcerningtheuseofcookies, but instead provided an authorisation to the Danish Minister ofBusinessandGrowthtoexecuteanexecutive order on this matter.

■ The“ExecutiveOrderonInformationandConsentRequiredinCaseofStoringandAccessingInformationinEnd-user Terminal Equipment” came intoforceon14December2011.

■ PursuanttotheOrdertheuseofcookies requires consent. The consent mustbefreelygivenandspecific.

■ Theconsentmustbefreelygivenandspecificandtheusermust be given an option.

■ However, this does not imply that consent must be obtained each time a cookie is used but a user must be given an option. Furthermore, the consentmustbeinformedwhich implies that a user must receiveinformationabouttheconsequencesofconsenting.Finally, the consent must be aninformedindicationoftheuser’swishes.Normally,consent is obtained through tick-the-box but also the useofahomepageafterhaving received the relevant informationconcerningcookies can constitute consent. Yet,consentbyuseofahomepage must be used with caution.

No, but consent by useofahomepagemust be used with caution.

a) (i)ActNo169of3March2011onElectronicCommunicationsServicesandNetworksand(ii)ExecutiveOrderNo1148of9December2011onInformationandConsentRequiredinCaseofStoringandAccessingInformationin End-user Terminal Equipment;

b) GuidancenotesNo9018to the new rules on storing ofcookiesandsimilartechnologies;and

c) TheDanishBusinessAuthority.

www.dlapiper.com | 09

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

■ Inadditiontothistheinformationtotheusermustfulfilthefollowingrequirements:(i)Theinformationmustbeclearandeasytounderstand;(ii)thepurposeoftheuseofcookiesmustappear;(iii)theidentityoftheperson or entity which is responsible fortheuseofcookiesmustappear;(iv)thepossibilityofwithdrawalofconsent must be easily accessible and bedescribedintheinformation;and(v)thisinformationmustbeeasilyaccessiblefortheuseratalltimes.”

estonia

Firm:lawin

Website:www�lawin�com

Contact:pirkko liis Harkmaat +372 6306460 pirkko�liis�harkmaa@lawin�ee

Yes No ■ The Ministry has concluded that thenewlawisalreadysatisfiedbyArt102oftheEstonianElectronicsCommunications Act and as a result nofurtherimplementationmeasuresare necessary.

■ Thereisnospecificregulationon consent in the context of“cookies”.Itishoweverrecommended to apply general rules on personal data protection also in case ofcookies,butthelawisabitvague in this respect.

Whether or not explicit opt-in consent is required is still unclear as no respective practice has developed yet.

a) EstonianElectronicCommunicationsAct(RTI2004,87,593,asamendedfromtimetotime)andEstonian Personal Data ProtectionAct(RTI2007,24,127,asamendedfromtimetotime);

b) N/A;and

c) MinistryofEconomicAffairsandCommunications and Data Protection Inspectorate.

10 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

Finland

Firm:Hannes snellman attorneys

Website:www�hannessnellman�com

Contacts:erkko korhonent +358 9 22884308 erkko�korhonen@hannessnellman�com

kaisa Fahllundt +358 9 2288 4209 kaisa�fahllund@hannessnellman�com

Yes No ■ Legislation has been adopted by the Finnish Parliament adopting the newlaw,whichenteredintoforceon25May2011.ThenewFinnishlawrecognisesthepossibilityofobtaining consent via browser/other application settings. However, the user needs to be given comprehensible andcompleteinformationonthepurposesofsavingorusingsuchdata. The legal requirement written in law is “consent” that is however interpreted in the preliminary works ofthenewlawsothattheusermaygive the consent via browser or other application settings. The saving and useofdataisallowedonlytotheextentrequiredfortheservice,andit may not limit the protection or privacy any more than is necessary.

■ Further, under the new law the provisions regarding consent do notapplytoanysavingoruseofdatawhichisintendedsolelyforthepurposeofenablingthetransmissionofmessagesincommunicationsnetworksorwhichisnecessaryfortheserviceproviderforthepurposeofproviding a service that the subscriber oruserhasspecificallyrequested.

■ At present, “opt out” consent wouldbesufficientinFinland. The Finnish Act governing the cookies sets two conditions on placing cookiesonusers’computers:i)theuserhasgivenconsentandii)comprehensibleandcompleteinformationonthepurposesofsavingorusingsuch data are given to the user. These two conditions are separate in a way that they both need to be fulfilled.Givingtherequiredinformationtotheuserwillnotreleasefromtherequirementtoobtain a consent.

■ AsFinlandwasoneofthefirstcountries that implemented the Article5(3)oftheEPrivacyDirective it is to be seen whether the interpretation will remainthesameif“optin”becomes prevailing practice elsewhere in the EEA.

No a) TheActontheProtectionofPrivacyinElectronicCommunications(516/2004,inFinnish:Sähköisen viestinnän tietosuojalaki);

b) Noguidancepublished;and

c) TheFinnishCommunications Regulatory Authority (FICORA),theDataProtection Ombudsman.

www.dlapiper.com | 11

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

FRanCe

DLA Piper Contact:Carol Umhoefert +33 1 40 15 24 34 carol�umhoefer@dlapiper�com

Yes Yes ■ France has implemented the EU Cookies Directive in the Law n° 78-17ofJanuary6,1978.Thelawstatesthatanysubscriberoruserofelectroniccommunication services must be fullyandclearlyinformedbythedata controller or its representative of(i)thepurposeofanycookie(i.e,anymeansofaccessingorstoringinformationonthesubscriber’s/user’scomputer),and(ii)themeansofrefusingcookies,unlessthesubscriber/user has already been soinformed.Cookiesarelawfullydeployedonlyifthesubscriber/userhasexpressedconsentafterhavingreceivedsuchinformation.

■ However,theforegoingprovisionsdonotapply(i)tocookiesthesolepurposeofwhichistoalloworfacilitateelectroniccommunicationbyauser,or(ii)ifthecookieisstrictly necessary to provide on line communicationservicesspecificallyrequested by the user.

■ InNovember2011,andagaininApril2012,theFrenchDataProtectionAuthority(“CNIL”)issuedguidanceforcookies.

■ Consentmustbe(i)freelygiven(i.e,incircumstanceswhere the user has a choice to refuseconsent),(ii)specific(i.e,relatetoaspecificcookie associated with a clearlydefinedpurpose),and(iii)informed(i.e,theusermustbegiveninformationbeforehand,specifyingthecookie’spurposeaswellasthepossibilitytorevokeconsent).

■ The law also provides that consentcanresultfromthesubscriber’s/user’sconnectionsettings(e.g.,browsersettings)or any other means under the subscriber’s/user’scontrol.

Yes. The law copies thetextoftheDirective almost wordforword;guidance is very clear that opt-in consent is required.

a) TheLawn°78-17ofJanuary6,1978–asmodified–oninformationtechnology,datafilesandcivilliberties;

b) http://www.cnil.fr/en-savoir-plus/fiches-pratiques/fiche/article/ce-que-le-paquet-telecom-change-pour-les-cookies/;and

c) CommissionnationaledeL’informatiqueofdeslibertés(“CNIL”).

12 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

■ The CNIL considers that certain cookies are not covered by the law (e.g.,cookie,usedtoconstitutea“basket”onane-commerceplatform,sessionIDcookie.)

■ The CNIL considers that the website ownerisliableforallowingathirdpartytoinstallacookieontheuser’scomputer.

■ TheApril2012guidancealsoreaffirmsthattheserulesapplytoallcookies whether containing personal data or not.

■ TheApril2012guidancealsoremindsoperators that non compliance with Frenchlawcantriggerfinancialpenaltiesinamountofupto€150,000forafirstviolationorupto€300,000(forsubsequentviolationswithin5years).HowevertheCNILhasrecognized that compliance may not be immediate, and the CNIL will takeintoconsiderationalleffortsimplemented to reach compliance. Preenforcementmeasureshavebegun.

■ However, according to the CNIL, commonly used browsersdonotoffercompliant settings.

■ The CNIL regards the followingconsentcollectionmechanismsascompliant:

– abanneratthetopofawebpage;

– a consent request zone overprintingonthesite’shomepage;and

– boxes to tick when registering foranonlineservice.

www.dlapiper.com | 13

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

GeRmanY

DLA Piper Contact:dr thomas Jansent +49 89 232 372 110 thomas�jansen@dlapiper�com

No No ■ TheprocessofimplementingtheActisdelayedasseveraldraftbillsdidnotpasstheGermanParliament.ThefirstbilltoamendtheTelemediaActofMarch2011providedthatstorageofdataontheequipmentoftheuserwillonly be permissible where the user has beeninformedandconsentisgivenbythem.

■ Unknown/TBC

■ The original exception to the consent requirement remains wherethecookiesisusedforenablinganinformationorcommunication the user has explicitly requested.

■ It remains to be seen whether itwouldalsobesufficienttolinktheinformationaboutprocessingofpersonaldataand technical measures to the browser settings or whether an active opt-in, e.g, by clicking on a pop-up screen will be required.

TBC Awaiting implementation

GReeCe

Firm:kyriakides Georgopoulos & daniolos issaias

Website:www�kgdi�gr

Contact:konstantinos issaiast +30 210 817 1500 k�issaias@kgdi�gr

Yes No ■ EUDirective2009/136hasbeenimplemented into the Greek legal systemwithLaw4070/2012,which has been voted by the Greek Parliamenton6April2012.

■ InfactthislawamendsLaw3471/2006onProtectionofpersonaldata and privacy in the electronic telecommunications sector.

■ Accordingtoarticle4par.5ofLaw3471/2006asamendedbyLaw4070/2012,thestorageofinformationortheaccesstoinformationalreadystoredtotheterminalequipmentofasubscriber or user is permitted only ifthisspecificsubscriberoruserhasprovidedhisconsentfollowinganupdating.

■ Thewaysofexpressionofconsent will be regulated followinganActoftheHellenic Data Protection Authority.

Yes a) Law3471/2006,asamendedandinforcetoday;

b) No;and

c) HellenicDataProtectionAuthority.

14 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

HUnGaRY

DLA Piper Contacts:monika Horvatht +36 1 510 1110 monika�horvath@dlapiper�com

Zoltán kozmat +36 1 510 1100 zoltan�kozma@dlapiper�com

Yes No ■ BeforeimplementingArticle5(3)oftheEPrivacyDirectiveintoHungarianlaw,section155(4)oftheHungarianActCof2003onElectronicCommunications(“ActCof2003”)alreadyprovidedthat“the storing of information, or the gaining of access to information on the electronic terminal equipment of a subscriber or user obtained via electronic communications networks is only allowed on the condition that the subscriber or the user concerned has given his or her consent, after having been provided with clear and comprehensive information”. Accordingly,Article5(3)oftheE Privacy Directive did not result in a significantchangeinHungarianlaw.

■ Irrespectiveoftheforegoing,theHungarian Parliament issued a draftbilltotheParliamentwhichimplements the E Privacy Directive into Hungarian law. This entered intoforceinAugust2011.ThisActmodifiesActCof2003,andalmostprovidesthesamewordingasreferredto above.

■ Thereisnospecificguidanceor regulation in relation to themeaningofconsent.OnthebasisofthewordingoftherelevantAct,however,it is clear that it must be prior consent,afterthesubscriberhas been provided with clear and comprehensive information,whichinformationinteraliaincludesthepurposeofprocessing.

■ Serviceprovidersshallbeauthorized to obtain and store communications transmitted on their network only to the extentstrictlynecessaryfortheprovisionsofservicesfortechnicalreasons.

■ General practice is that consent can be obtained via browser settings, however, asmentionedsofarthishasnotbeenconfirmedbytheopinionortheguidanceofthe Authorities yet.

No a) Section155(4)ofthe Hungarian Act (2003onelectronicCommunications);

b) No;and

c) NationalMediaandInfocommunicationsAuthority.

www.dlapiper.com | 15

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

iReland

Firm:mason, Hayes and Curran

Website:www�mhc�ie

Contact:philip nolant +353 1 614 5000 pnolan@mhc�ie

Yes Yes ■ Implemented into Irish law by StatutoryInstrumentNo.336/2011,the European Communities (ElectronicCommunicationsNetworksandServices)(PrivacyandElectronicCommunications)Regulations2011,witheffectfrom 1July2011.

■ Users must be provided with “clear andcomprehensive”information,includingastothepurposeofthecookie.Suchinformationmustbe“prominently displayed and easily accessible”andbeas“userfriendlyaspossible”.

■ The Regulations do not apply to cookies which are “strictly necessary inordertoprovideaninformationsociety service explicitly requested” by the user.

■ Thereisnoformal“leadinperiod”ofthesortadoptedintheUK.Businesses must be immediately compliant with the new rules.

■ The Regulations do not specifyhowconsentshouldbe given beyond stating thatthemethodsofgivingconsent should be as “user friendlyaspossible”.Whereit is technically possible and effectiveconsentmaybegivenby browser settings.

■ Theuser’sconsentmaybegivenbytheuseofappropriatebrowser settings where it is technically possible and effective.Suchsettingswouldrequire, as a minimum, clear communication to the user as to what he or she was being asked to consent to and a meansofgivingorrefusingconsenttoanyinformationbeing stored or retrieved.

■ Consent can be obtained by other technological applicationsbymeansofwhichthe user can be considered to have given his or her consent.

No. Implied consent could be relied upon in certain circumstances.

a) EuropeanCommunities(ElectronicCommunications NetworksandServices)(PrivacyandElectronicCommunications)Regulations2011(SI336of2011);

b) GuidanceNoteonDataProtection in the Electronic CommunicationsSector;and

c) DataProtectionCommissioner.

16 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

italY

DLA Piper Contacts:Giangiacomo olivit +39 02 80 618 515 giangiacomo�olivi@dlapiper�com

stefania Baldazzit +39 02 80 618 616 stefania�baldazzi@dlapiper�com

Yes No ■ Implemented into Italian law with effectfromJune2012.

■ The new provisions are a very close reflectionofthewordingofRecital66ofDirective2009/136/ECandSection5(3)ofDirective2002/58/EC(asamendedbyDirective2009/136/EC).Assuch,theyposeexactlythesame interpretation problems as these provisionsofEUlaw,especiallywithregardtothenatureofconsentrequiredforcompliance.Theonlysignificantnotice,takingintoaccounttheproposalsdifferenceisthatthedecree requires the Italian data protection Authority to determine certainsimplifiedmethodsofproviding subscribers or users with aninformationmadebybusinessandconsumer associations.

■ Business may have to wait forageneraldecisionbythe Italian data protection Authoritybeforetheycanassessthetrueimpactofthe change. However, in an opinion submitted to the government in relation to the draftdecree,theAuthorityhasalready stated that the new provisions on cookies should be interpreted as establishing an opt-in regime in Italy.

No a) LegislativeDecreen.69of 28May2012,amendingthe Italian Privacy Code (LegislativeDecreen.196of 30June2003);

b) TBC;and

c) Garanteperlaprotezionedeidatipersonali(www.garanteprivacy.it).

www.dlapiper.com | 17

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

latVia

Firm:lawin

Website:www�lawin�com

Contact:sarmis spilbergs t +371 67814848sarmis�spilbergs@lawin�lv

Yes No ■ Latvia has implemented the new law through amends to the Law onInformationSocietyServices.TheimplementationoftheDirectivedoesnotexpresslyaddresstheuseofbrowser settings to obtain consent. It provides that cookies may be stored onlyaftertheuserhasconsented,whichshalloccuronlyafterinformationregardingintendedpurposeofdataprocessing is provided in accordance with Personal Data Protection Law.

■ NoofficialguidancehasbeenissuedbyDataStateInspectoratetocurrentdateregardingcollectionofconsentforuseofcookies.Therearenosignsofrelaxationofgeneralruleswithrespecttoconsentsforcookies.

■ SincePersonalDataProtection Law implements Directive95/46/EC,theconsentforcookiesmustbe“unambiguously given”.

Yes a) LawonInformationSocietyServices,art.71;

b) No;and

c) DataStateInspectorate(http://www.dvi.gov.lv/eng/).

litHUania

Firm:lawin

Website:www�lawin�com

Contacts:Jaunius Gumbist +370 52681830 jaunius�gumbis@lawin�lt

Julius ZaleskisT +370 52191934 julius�zaleskis@lawin�lt

Yes Yes(inDecember 2011)

■ Lithuania has implemented the new EU law through amendments to the Law on Electronic Communications whichcameintoeffecton 1August2011.

■ Theamendmentsmirrorthetextofthenew EU law and require that consent to theuseofcookiesmustbe“optin”.

■ LithuanianStateDataProtectionInspectorate has published recommendationsaboutthemethodofconsenttotheuseforcookies. Theguidanceconfirmedthatconsentcan be obtained through pop ups, banners or website registration while relevant settings contained within current browsers are not likely to formavalidconsent.

■ ‘Prior’explicitconsentisrequired.

■ Users must be given a genuine opportunity not to consent.

■ There is no clear guidance on possibility to obtain an implied consent.

Yes, required by law and regulatory guidance.

a) TheLawonElectronicCommunicationsoftheRepublicofLithuaniaNoIX2135(inLithuanian–Lietuvos Respublikos elektroninių ryšių įstatymas);

b) http://www.ada.lt/images/cms/File/naujienu/slapuk_DV.pdf;and

c) StateDataProtectionInspectorate(inLithuanian–Valstybinė duomenų apsaugos inspekcija).

18 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

lUXemBoURG

Firm:Bonn & schmitt

Website:www�bonnschmitt�net

Contacts:Guy arendtt +352 27 855 garendt@bonnschmitt�net

alain Grosjeant +352 27 855 agrosjean@bonnschmitt�net

Julia seniort +352 27 855 jsenior@bonnschmitt�net

Yes No ■ Luxembourg implemented Directive2009/136/ECbyalawof28July2011whichmodifiedthelawof30May2005andcameintoeffecton1September2011.

■ Priorinformedconsentofasubscriber/user is required. Other requirementsinclude:themethodofprovidinginformationandrighttorefuseshouldbeasuserfriendlyaspossibleandwhereitistechnicallypossibleandeffective,the users consent may be expressed by appropriate browser/application settings.

■ “Consent”meansanyfreelygivenspecificandinformedindicationofhiswishesbywhich the person concerned or hislegal,judicialorstatutoryrepresentativesignifieshisagreement to personal data relating to him being processed (Art2(b)lawof30May2005asmodified).

Yes, required by law. a) Lawof30May2005asmodifiedlayingdownspecificprovisionsfortheprotectionofpersonswithregard to the processing ofpersonaldataintheelectronic communications sector;

b) No;and

c) Commission Nationale pour la protection des données.

www.dlapiper.com | 19

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

malta

Firm:mamo tCV advocates

Website:www�mamotcv�com

Contacts:antoine Camillerit (+356) 21231345 antoine�camilleri@ mamotcv�com

Claude micallef-Grimaudt (+356) 21231345 claude�micallefgrimaud@mamotcv�com

Amendments foundinArticle2(5)ofDirective2009/136/EChave not yet comeintoforcein Malta.

No ■ LegalNotice239of2011or‘TheProcessingofPersonalData(ElectronicCommunicationsSector)(Amendment)Regulations,2011’,(whichhasnotyetbeenbroughtintoforce)willamendRegulation5ofthePrincipal Regulations to implement theamendmentsfoundinArticle2(5)ofDirective2009/136/EC.Theamending regulations shall come into forceonsuchdateastheMinisterresponsiblefordataprotectionmayestablish by notice in the Malta GovernmentGazette.TheDPC’sownwebsite states that a “commencement dateforthebringingintoforceofsuchlegal notice needs to be established”.

■ Wehavenoindicationofwhensuchdate may be although we expect that thiswilloccurinthenearfuture.

■ The situation is unclear in Malta. Further comments may onlybemadewhen(andif)the amending legislation is broughtintoforce.

The situation is unclear in Malta. Further comments may only be made when(andif)theamending legislation isbroughtintoforce.

a) ProcessingofPersonalData(ElectronicCommunicationsSector)Amendment)Regulations,published in the Government Gazette on 24June2011;

b) None;and

c) OfficeoftheDataProtection Commissioner (“DPC”):

[email protected]

– www.dataprotection.gov.mt

netHeRlands

DLA Piper Contacts:Richard Van schaikt +31 20 541 9828 richard�vanschaik@dlapiper�com

marloes dankertt +31 20 541 9271 marloes�dankert@dlapiper�com

Yes Yes, the regulator has provided a Q&A

■ The Dutch Telecommunications Act (“Act”)wasamendedwitheffectfrom5June2012.Amongotherthings,thatamendment introduced stricter rules forplacingandaccessingcookies.

■ Witheffectfrom5June2012cookiesmay only be placed and accessed afterwebsitevisitorshavebeenclearlyinformedaboutthesecookies(purpose,typeofcookies,etc.)andhave granted their permission to that effect.

■ Consentmustbefreelygiven,specificandinformed:itshouldreferclearlyandprecisely to the scope and the consequencesofthecookieprocessing.

■ In case personal data will be processed, the consent must beunambiguouslygiven:thismeans that there may be no doubtthatthedatasubjecthasgiven consent to the processing ofitspersonaldata.

Prior explicit consent is required.

Please note that granting consent can beaconditionforusing a website.

a) Article11.7aDutchTelecommunicationsAct;

b) AQ&Aprovidedbythethe regulatory body can be foundatwww.opta.nl;and

c) TheIndependentPostand Telecommunications Authority(OPTA)isresponsibleformonitoringandenforcementoftheTelecommunications Act (www.opta.nl).

20 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

■ Informationandconsentmaynotorno longer be provided or obtained granted,respectively,bymeansofdefaultstandardbrowsersettings.

■ The new rules in the Telecommunications Act also prescribethatasper1January2013cookiesorsimilardatafilesplacedor accessed, are considered to be personal data, unless the party placing suchcookiesorinformationcanproveotherwise.

■ Rules regarding the required prior consent do not apply to ‘necessary cookies’.

■ No sanctions have been imposed yet by the Independent Post and Telecommunications Authority (OPTA),thoughgeneralwarningletters have been circulated.

■ Providinginformationandobtaining consent can be done in various ways. Examples include using a header bar, a pop-up or an alternative start page which provides informationaboutthecookiesto be placed and accessed where website visitors can tick a box granting permission fortherelevantacts.TheActrequires that users are given clear and complete information.Thisinformationmust in any case explain who will place the cookies and forwhatpurposetheywillbe used. Permission to use cookiesmustbegrantedbeforethey are used.

Pleasenotethatifacustomer does not give consent, either access to the website must be denied, or cookies cannot be placed.

www.dlapiper.com | 21

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

noRwaY

DLA Piper Contact:nils arne Gronliet +47 2413 1542 nils�arne�gronlie@dlapiper�com

No No ■ The amended E Privacy Directive requiringoptinforcookieshasnotbeen implemented into Norwegian lawyet.TheMinistryofTransportandCommunications(theMinistry)has commenced a public consulting procedure on the changes. The public consulting procedure commenced 23June2010andthehearingdeadlinewas23September2010.TheMinistryreports that there has been a delay in the matter and that they are currently working on a proposition to be put beforetheNorwegianParliament. The proposed amendment to Norwegian law seems to be in line with the amended E Privacy Directive regarding theuseofcookies,ierequiringoptin.

None. No–thecurrentrequirement status is opt out.

a) EcomRegulationssection7-3;

b) N/A;and

c) TheMinistryofTransportandCommunications(Nw:Samferdselsdepartementet).

poland

DLA Piper Contacts:krystyna szczepanowska- kozlowskat +48 22 540 74 02 krystyna�szczepanowska@ dlapiper�com

dagmara Jaskulakt +48 22 540 74 57 dagmara�jaskulak@dlapiper�com

No No ■ E-Privacy Directive has not yet been implemented in Poland. The amendment to the Telecommunication Act which reflectstheamendedDirectivesandinparticulararticle5(3)oftheE-PrivacyDirective is currently being discussed by the Polish Parliament.

■ Prior explicit consent is required.

■ However, based on the explanationsoftheMinistryofAdministrationandDigitization implied consent willalsobeavalidformofconsentundercertaincircumstances. This means thatconsentcanbeinferredbyauser’sactions(e.g.theuser is given clear and relevant informationaboutthecookiesthat are used, and on that basis decides to click through and continuetousethewebsite).

Yes.Explicitopt–inconsent is required by law, but can also rely upon implied consent.

a) TelecommunicationAct;

b) No;and

c) TheMinistryofAdministration and Digitization.

22 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

poRtUGal

Firm:aBBC & associados

Website:www�abbc�pt

Contact:João Costa Quintat +351 213 583 620 j�quinta@abbc�pt

Yes No ■ TheDirective2009/136/EC,inwhatregardsarticleart.º5(3)ofthe Directive addressing “cookies” was recently transposed by Law no.46/2012,of29August,amendingLawno.41/2004,of18ofAugustontheprotectionandprocessingofpersonal data in e communications.

■ Thenewart.º5ºoftheLaw(“storageandaccesstoinformation”)nowdeterminesthatthestoringofinformationandthepossibilitytoaccessinformationstoredinasubscriber/user’sterminalisonlyallowedonthe condition the subscriber/user has provided his or her previous consent, which must be based in clear and comprehensiveinformation,namelyaboutthepurposesoftheprocessing,in accordance with the provisions laid down in the Law on the Protection ofPersonalData.Thisdoesnotprevent technical storage or access forthesolepurposeofcarryingoutthetransmissionofacommunicationover an e-communication network or ifstrictlynecessaryinorderfortheproviderofaninformationsocietyservice to provide a service expressly requested by the subscriber/user. Non compliance with the “Opt in” rule consistsofanadministrativeoffense,punishablewithfinesrangingfromEUR5,000to5,000,000forcompanies.At this point, the local regulatory Authority(CNPD)hasnotyetissuedany guidelines.

N/A ■ Yes

■ The new law does not require “express” consent. However once consent must be prior and based in fullinformation,basing on existing rules and guidelines, we do not think that implied consent shallsuffice.

a) L41/2004,of18ofAugust;

b) Notyetissued

c) CPND(localDPA)/ANACOM.

www.dlapiper.com | 23

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

■ The E Privacy Directive has not been implemented yet in Romania. There was a legislative procedure which was however inexplicably abandoned. The legislative procedure had been initiatedinMarch2011aimingtoimplement the E Privacy Directive in order to observe the transposition deadline. The procedure was stopped inOctober2011beforebeingpassedbytheDeputy’sChamberfurthertoits withdrawal by the initiator.

24 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

Romania

DLA Piper Contacts:marian dinut +40 372 155 881 marian�dinu@dlapiper�com

Cosmina simiont +40 372 155 816 cosmina�simion@dlapiper�com

Yes, through Law No.506/2004onthe processing ofpersonaldata and the protection ofprivacyinthe electronic communications sector, as subsequently amended.

No ThenationalimplementationoftheE-PrivacyDirectivefollowscloselythewordingofthedirective.Thestoringofcookies on users terminals is allowed provided that several conditions are beingmet:

■ Usershaveprovidedtheirconsent;

■ Usershavebeeninformedinaneasilyaccessiblemanneranduser-friendlylanguage about the data processing operation in accordance with Data ProtectionLawno.677/2002

User consent is not required in case the storingofcookiesisnecessarysolelyforthepurposeofensuringtransmissionthrough an electronic communications network and/or such operations are strictly necessary in order to provide an informationsocietyservice,expresslyrequested by the user.

Failure to comply with the legal requirementsisqualifiedasaminoroffencesanctionwithfinesrangingfromapproximatelyEUR1,120to22,230.For companies whose turnover exceeds approximatelyEUR1,120,000theadministrativefinesraiseupto2%oftheturnover.

Users express consent is required. However, an implicit consent may be envisaged in case the user has adjustedthesettingsofitsinternetbrowser to accept cookies.

Yes–althoughnotexpressly stated in an officialdocument.

a)LawNo.506/2004ontheprocessingofpersonaldataandtheprotectionofprivacy in the electronic communications sector, publishedintheOfficialGazetteno.1101/ 25November2004,assubsequently amended (latestamendmentsasof 26April2012)

b)–

C)TheNationalSupervisoryAuthorityforPersonalDataProcessing(ANSPDCP)

www.dlapiper.com | 25

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

sloVak RepUBliC

DLA Piper Contact:michaela stesslt +421 2 59202 142 michaela�stessl@dlapiper�com

Yes No ■ InSlovakia,former“informedconsent” is required prior to the storageofdataor theacquisitionoftheaccesstodata already stored in the terminal equipmentoftheparticipantsorusers. It has to be proven that the user was provided with exact and preciseinformationregardingthepurposeofsuchprocessingofdata.Theconsentoftheusershallbegivenactively,thereforeobtainingtheconsentthroughthemeansofpop-upagreements and/or similar means shall besufficient.

■ InSlovakia,“informedconsent” is required prior tothestorageofdataortheacquisitionoftheaccesstodata already stored in the terminalequipmentoftheparticipants or users. It has to be proven that the user was provided with exact and preciseinformationregardingthepurposeofsuchprocessingofdata.Theconsentoftheuser shall be given actively, thereforeobtainingtheconsentthroughthemeansofpop-upagreements and/or similar meansshallbesufficient.

Yes, required by law. a) Act.No.351/2011Coll.onelectroniccommunications;

b) N/A;and

c) MinistryofTransport,Construction and Regional DevelopmentoftheSlovakRepublic.

sloVenia

Firm:DLA Piper (Vienna office)

DLA Piper Contacts:wolfgang Freundt +43 1 531 78 1401 wolfgang�freund@dlapiper�com

dr. Jasna Zwitter-tehovnikt +43 1 531 78 1042 jasna�zwitter-tehovnik@dlapiper�com

No No ■ Presently,Sloveniahasnotimplemented the E-Privacy Directive andnodraftimplementinglegislationisbeingconsideredforadoption.Also,noofficialpositionhasbeentaken by the competent regulatory body.

■ Onaccountoftheabove,infringementproceedings have allegedly been initiatedagainstSloveniabytheEuropean Commission.

N/A N/A a) N/A;

b) N/A;and

c) InformationCommissioner(Informacijski pooblaščenec).

26 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

spain

DLA Piper Contact:diego Ramost +34 91 790 1658 diego�ramos@dlapiper�com

Yes No ■ TheSpanishInformationSocietyServicesandElectronicCommerceLaw was recently amended in order to implement the changes required by Directive2009/136/EC.

■ Although no guidance has been issued on this point, strictly speaking, prior explicit consent is required.

Yes, by law, but this may be general bywayofbrowsersettings.

a) TheSpanishInformationSocietyServicesandElectronic Commerce Law 34/2002;

b) Noneasatthetimeofwriting;and

c) TheSpanishTelecommunications and OnlineServicesAuthorityand,forprivacyfeatures,the Data Protection Agency.

■ Web site service providers are now requiredtoobtaintheinformedconsentofuserstothedeploymentofcookies and similar devices on web sites.Theinformationabouttheuseofcookies must be “clear and complete”, specifyingthereasonswhydataisbeing collected via such devices, and must comply with existing informationrequirementsunderSpanishdataprotectionlaw.Thenewprovisions allow such consent to be obtained via adequate browser or application settings, provided that the userisrequiredtoconfigurethesesettings, either during the installation orsoftwareupdateprocess,bywayofan “express action”.

■ In the rush to introduce the changes, nospecificsanctionsfornon-compliance were stipulated in the legislation, leaving some uncertainty astotheconsequencesofbreach.

www.dlapiper.com | 27

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

sweden

DLA Piper Contact:Johan sundbergt +46 (0)8701 7824 johan�sundberg@dlanordic�se

Yes No ■ SwedenhasimplementedthenewEU law through amendments to the Electronic Communications Act (2003:389)whichcameintoeffecton1July2011.

■ In relation to legitimate techniques, theSwedishGovernmenthasconcludedthatforpracticalreasons,the amendments shall not be regarded as a change in substance.

■ Consentisdefinedasanyvoluntary, specific and unambiguous expression of will. There may not be any doubts that the user provides his/her consent to the processing. Hypothetical or silent consent is thus notsufficientasitmaynot be required by the user to actively undertake measures toavoidtheprocessingofthepersonal data.

Yes a) ElectronicCommunicationsAct(Sw.lag2003:389om elektronisk kommunikation);

b) N/A;and

c) SwedishPostandTelecomAgency.

28 | How the EU has implemented the new law on Cookies

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

■ Inaddition,theSwedishDataInspectionBoardisoftheopinionthatit should be distinguished between differenttypesofcookies.Whenusingcookiesforpurposesotherthantoadjustsettingsonasitefortheuser’spreviousrequestsandsimilar,informedconsentwouldberequired.According to the Data Inspection Board’sview,itiswhatacookiewillbeusedforthatdetermineswhetherconsent is required or not.

■ Ontheotherhand,theSwedishPostandTelecomAgency(“the Agency”)(the regulatory body in relation to cookies)doesnotseemtoagree.TheAgency cannot see that the required consent can be waived without the possibilityofexemptionexpressly stated in the provision.

■ TheSwedishpartoftheEuropeanTradeAssociationoftheDigitaland Interactive Marketing Industry (“IAB Sweden”)hascreatedaselfregulating committee in response to theintroductionofthenewconsentforcookies.Theselfregulatingcommittee has assembled a group withrepresentativesfromtheindustry and other organizations. The committee was set up with a view to producing best practice guidance fortheuseofcookiesandafirstrecommendation has been published.

■ However, implicit behavior mayformavalidconsent (aslongasthereisnosensitivepersonaldatainvolved).Implicit behavior means in this context that the user provides dataafterhavingreceivedclearinformationaboutboththeintendedprocessingofthedata,thefactthatitisoptionalto provide the data, and also that submitting the data would be considered as providing a consent to the processing.

■ TheSwedishgovernmenthasalso indicated that the rules on consent should not be seen as achangefromtheoldregimeandthereforewebbrowsersettings would probably be regarded to indicate consent.

www.dlapiper.com | 29

eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

United kinGdom

DLA Piper Contacts:Cameron Craigt +44 20 7796 6574 cameron�craig@dlapiper�com

paul mcCormackt +44 20 7796 6140 paul�mccormack@dlapiper�com

Yes Yes(inMay2011,December 2011andMay2012)

ImplementedintoUKlawwitheffectfrom26May2011.

■ AmendmentsfollowsthewordingoftheEPrivacyDirectivecloselyand leaves the detailed compliance requirementstobeclarifiedbytheInformationCommissioner’sOffice(“ICO”).

■ It had been widely anticipated that the ICO would indicate in its guidance that browser settings could be used to obtain the necessary consent. The ICO has made it clear that businessesshouldnotrelyonusers’browserssettingsasawayofobtaining consent to comply with the newlaw–oratleastnotyet.

■ Website operators were given a 12 month “lead in period” to develop the ways in which they use cookies to complywiththenewrules(thereforecommencingon26May2011andexpiredon25May2012).

■ On25May2012,theICOissuedrevisedguidancetoclarifyandreaffirmthatimpliedconsentcanberelieduponasavalidformofconsent(ratherthanexplicitopt-inconsent).

■ Strictlyspeaking,‘prior’explicit consent is required.

■ However, implied consent will alsobeavalidformofconsentunder certain circumstances.

■ Implied consent means consent which“specificandinformed”andan“indicationofwishes”.This means that consent can beinferredbyauser’sactions(e.g.theuserisgivenclearandrelevantinformationaboutthe cookies that are used, and on that basis decides to click through and continue to use thesite).

Yes, but can also rely upon implied consent(whichmeans not necessary to obtain an explicit acknowledgment)(e.g.tickboxorclickaccept).

It is possible to rely on continued useofthewebsiteasanindicationofimplicit consent, subjectalwaystothe requirement to provide relevant, clear and comprehensive information.

a) ThePrivacyandElectronicCommunications (ECDirective)Regulations2003,asamendedbythePrivacy and Electronic Communications(ECDirective)(Amendment)Regulations2011;

b) http://www.ico.gov.uk/news/blog/2012/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx;and

c) InformationCommissioner’sOffice.

30 | How the EU has implemented the new law on Cookies

TheArticle29WorkingParty(“WP29”)wasestablishedundertheEUDataProtectionDirective(Directive95/46/EC)andisanindependentadvisorybodywhichadvisesonissuesofdataprotectionand privacy. The WP29 publishes various opinions on data protection and privacy law. Their opinions supplement the law and relate to its interpretation and although not legally binding, are generally likely to be persuasive.

On7June2012,WP29adoptedopinion4of2012addressingthemeaningofthe“cookie consent exemption”(WP194)(“Opinion”).Thecruxofthecookielawistheprovisionofclearinformationandobtainingconsentfromusersorsubscribers.TheOpinionaimstoclarifythetypesofcookies(orsimilartechnologies)whichwouldfallwithintheexemptionssetoutundertheE-PrivacyDirectiveandprovidesexamplesofhowvariouscircumstanceswouldbetreatedunderthenewlaw.

eXemptions a and B

TheOpinionconfirmsthattherearetwokeyexemptions(referredtoas“criterion”)underwhichtherequirementofinformedconsenttotheuseorstorageofcookies(orsimilartechnologies)maybewaived.TheseCriterionare:

■ Criterion A:thecookieisused“forthesolepurposeofcarryingoutthetransmissionofacommunicationoveranelectroniccommunicationsnetwork”;and

■ Criterion B:thecookieis“strictlynecessaryinorderfortheproviderofaninformationsocietyservice [“ISS”] explicitly requested by the subscriber or user to provide the service”.

TheWP29hasmadeitclearthatinrelationtotransmittingacommunication,thetypesofprocessingwhichmaybedoneunderCriterionAdoesnotleavemuchroomforinterpretationasthetransmissionofthecommunicationmustbeimpossiblewithouttheuseofthecookie,i.e.absolutelynecessary.TheOpinionmakesitclearthatunderCriterionB,theISSmusthavebeenspecificallyrequested by the user which means that the user provided a positive or explicit action to request the service.

Cookies wHiCH do Fall witHin an eXemption

TheOpinionsaysthatthefollowingcookiesmaybeexemptedfrominformedconsentundercertainconditions:

1. User-input cookies:usedtorememberuser’sinput(e.g.ashoppingcart),forthedurationofasessionorpersistentcookieslimitedtoafewhoursinsomecases(Criterion B);

2. Authentication cookies:usedtoidentifytheuseronceloggedin/authenticationpurposes,whereessentialforthispurposewillbeexempt(Criterion B);

3. User centric security cookies:usedtodetectauthenticationabuses,foralimitedpersistentduration (Criterion B);

4. Multimedia content player session cookies:suchasflashplayercookies,forthedurationofasession,providedthese“flash”orothercookiesdoincludeadditionalinformation(Criterion B);

5. User Interface customization cookies:(e.g.languagepreferencesorresultdisplay),whereusedforthedurationofasession(Criterion B);

6. Third party social plug-in content sharing cookies:(e.g.socialplug-inmodulestointegratesocialnetworkingintothewebsite)for“logged-in”membersofasocialnetwork(buttheexemptionwillnotextendto“logged-out”members)(Criterion B);and

7. Load balancing session cookies:usedtodistributetheprocessofwebserverrequestsofapoolofmachines(insteadofjustone),forthedurationofsessionwherenecessarytocarryoutthecommunication over the network (Criterion A).

opinion on eXemptions to Consent

www.dlapiper.com | 31

Cookies wHiCH do not Fall witHin an eXemption

TheOpinionsaysthatthefollowingcookieswill notfallwithinanexemptionfrominformedconsentundercertainconditions:

1. Social plug-in “tracking” cookies:usedtotrackindividualsforadditionalpurposes(otherthanbeing“logged-in”)suchasbehaviouraladvertising,analyticsormarketresearch,willnotfallwithinanexemption;

2. Third party advertising:suchasbehaviouraladvertising,requiresconsent(andwillnot fallwithinanexemption);and

3. First party analytics:usedformeasuringwebsites,although“strictlynecessary”forthe websiteoperator,willnotbestrictlynecessarytoprovidethefunctionalityrequestedby theuser(orsubscriber)andwillthereforenotfallwithinanexemption;

keY ConsideRations wHen applYinG an eXemption

A)The View of the User:WhenapplyingcriterionB(the strictly necessary exemption),theimportant point is to examine what is strictly necessary “from the point of view of the user and not the service provider”.

B)Multiple Purpose Cookies:Cookiesusedforseveralpurposescanonlybenefitfromanexemptiontoinformedconsentif“each distinct purpose individually benefits from such an exemption.”

C)First Party Cookie:Firstpartysessioncookiesarefarmorelikelytobeexemptedfromconsentthan third party persistent cookies.

D)Purpose of the Cookie:thepurposeofthecookieshouldalwaysbethebasisforevaluating iftheexemptioncanbesuccessfullyappliedratherthanatechnicalfeatureofthecookie.

32 | How the EU has implemented the new law on Cookies

step 1 – Cookies aUdit

Businessesshouldbeginidentifyingthecookies(andsimilartechnology)whichareusedbytheirwebsite.A“cookieaudit”shouldbeundertakenwiththeassistanceofyourITdepartment/specialistlegaladvisors.Cookieauditsshouldincludeareviewofthetypesofcookiesusedbythewebsite;thelifespanofsuchcookies;andhowintrusivethecookiesare.

step 2 – map oUt ComplianCe options

Oncethecompanyunderstandsthecookieswhichitswebsite(s)use,theymustthenconsidertheoptionsavailabletotheminordertocomply.ThesemightincludetheoptionssetoutintheUKregulator’sguidance,forexample:pop-ups;termsandconditions;settingsledconsent;featureledconsent;andbrowsersettings.The“strictlynecessary”exemptionavailableundertherulesshouldalsobeconsidered,andcompaniesshouldlooktolocalregulatorguidanceandalsotheWP29Opinion(asreferredtoabove)whenapplyingthisexemption.

step 3 – implementation

InordertoensurethatenforcementactionisnottakenagainstyoubytheapplicableEUprivacyregulator,youneedtocheckwhenyourcompliancemethodmustbeinplace.ThedeadlineforcompliancehasexpiredinmanyEuropeanjurisdictions,thereforecompaniesmustact nowtoavoidanypossibleenforcementaction.

step 4 – additional ConsideRations and steps

Whenconductingacookieaudit,youshouldalsoconsiderandundertakethefollowing:

■ Due Diligence:conductduediligenceofadnetwork/metricspartnersandvendorsbeforecontracting;

■ Click wrap agreements:makesureyourbusinessneversignsclickwrapagreementswithoutlegalreview;

■ Effective contracts:bindyourpartnerto:a)complywithapplicablelaws;b)clearandconspicuousdisclosure;c)optin/optout;d)flowthroughtermstovendors;ande)auditrights;

■ Post contract monitoring:isyourpartnerfulfillingitscontractualpromises?

■ Test/Evaluation Agreements:alwayscheck/testagreementsagainstlegalrequirementsandyourPrivacyPolicy.Reviewsbecomelongtermarrangements.

Cookie aUdits

DLA Piper is a global law firm operating through various separate and distinct legal entities.

Further details of these entities can be found at www.dlapiper.com

Copyright © 2012 DLA Piper. All rights reserved. | OCT12 | 2214007

If you have finished with this document, please pass it on to other interested parties or recycle it, thank you.

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper accepts no responsibility

for any actions taken or not taken on the basis of this publication. If you would like further advice, please speak to your DLA Piper contact.

www�dlapiper�com

PleasenotethatorganisationsthatdobusinessintheUnitedStatesshouldaugmenttheircookieaudittoexaminespecificallytheusethroughtheirwebsitesbytheirownorganisationorthirdpartyadvertisersoradnetworksofFlashcookies(LSOs)orothertrackingmechanismsthatcontinuetofunctionafterauserhassethisorherbrowsertorejecttrackingcookies.Morethan50classactionlawsuitshavebeenfiledintheU.S.targetingthosecookiepractices.

DLAPiperwillprovideafurtheralertdiscussingtheseU.S.specificrisks.

Cookies in tHe United states