
EU REGULATIONS RELATED TO ONLINE SERVICES

I. CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION

Article 8, Title II (FREEDOMS)

PROTECTION OF PERSONAL DATA

1. Everyone has the right to the protection of personal data concerning him
or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.[1]

II. General Data Protection Regulation of 2016

The General Data Protection Regulation (GDPR) is designed to enable individuals to better control their personal data. It is hoped that these modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by reducing regulation and benefiting from reinforced consumer trust.[2]

Article 1, Title I

SUBJECT-MATTER AND OBJECTIVES

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.[3]

[1] CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT
[2] P. GALDIES. A SUMMARY OF THE EU GENERAL DATA PROTECTION REGULATION. https://www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation

WHO IS SUBJECT TO GDPR COMPLIANCE?

The purpose of the GDPR is to impose a uniform data security law on all EU members, so that each member state no longer needs to write its own data protection laws and laws are consistent across the entire EU. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.[4]

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government; meaning it will be in force in May 2018.[5]

What types of privacy data does the GDPR protect?

1. Basic identity information such as name, address and ID numbers
2. Web data such as location, IP address, cookie data and RFID tags
3. Health and genetic data
4. Biometric data
5. Racial or ethnic data
6. Political opinions
7. Sexual orientation[6]

[3] GENERAL DATA PROTECTION REGULATION. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.119.01.0001.01.ENG&toc=OJ%3AL%3A2016%3A119%3ATOC
[4] WHAT IS GDPR (GENERAL DATA PROTECTION REGULATION)? UNDERSTANDING AND COMPLYING WITH GDPR DATA PROTECTION REQUIREMENTS. https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection
[5] GDPR FAQs. https://www.eugdpr.org/gdpr-faqs.html
[6] WHAT IS GDPR (GENERAL DATA PROTECTION REGULATION)? UNDERSTANDING AND COMPLYING WITH GDPR DATA PROTECTION REQUIREMENTS. Supra note 2 at 1.

REQUIREMENTS OF GENERAL DATA PROTECTION REGULATION

The GDPR itself contains 11 chapters and 91 articles. The following are
some of the chapters and articles that have the greatest potential impact on
security operations:

• Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.[7]

• Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.

• Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify SAs of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.

• Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.

• Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with Supervising Authorities (SAs). Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.

• Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.

[7] GDPR FAQs. Supra note 4, at 2.

Does my business need to appoint a Data Protection Officer (DPO)?

DPOs must be appointed in the case of:

(a) public authorities
(b) organizations that engage in large scale systematic monitoring, or
(c) organizations that engage in large scale processing of sensitive personal data (Art. 37).

If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

The data protection officer’s tasks are also delineated in the regulation to include:

1. Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
2. Monitoring compliance including managing internal data
protection activities, training data processing staff, and
conducting internal audits.
3. Advising with regard to data protection impact assessments
when required under Article 33.
4. Working and cooperating with the controller’s or processor’s
designated supervisory authority and serving as the contact point
for the supervisory authority on issues relating to the processing
of personal data.
5. Being available for inquiries from data subjects on issues relating
to data protection practices, withdrawal of consent, the right to
be forgotten, and related rights.
6. Data Protection Officers may insist upon company resources to
fulfill their job functions and for their own ongoing training.
7. They must have access to the company’s data processing
personnel and operations, significant independence in the
performance of their roles, and a direct reporting line “to the
highest management level” of the company.
8. Data Protection Officers are expressly granted significant
independence in their job functions and may perform other tasks
and duties provided they do not create conflicts of interest.
9. The regulation expressly prevents dismissal or penalty of the
data protection officer for performance of her tasks and places
no limitation on the length of this tenure.
10. A company with multiple subsidiaries (a “group of
undertakings”) may appoint a single data protection officer so
long as they are “easily accessible from each establishment.”

*The GDPR also allows the data protection officer functions to be performed by either an employee of the controller or processor or by a third party service provider.[8]

• Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.

• Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.[9]

PENALTIES

Q: What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.[10]

[8] P. GALDIES. A SUMMARY OF THE EU GENERAL DATA PROTECTION REGULATION. https://www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation
[9] N. LORD. WHAT IS GDPR (GENERAL DATA PROTECTION REGULATION)? UNDERSTANDING AND COMPLYING WITH GDPR DATA PROTECTION REQUIREMENTS. https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection

In light of an uncertain 'Brexit' - I represent a data controller in the UK and want to know if I should still continue with GDPR planning and preparation?

If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated it will implement equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market. (Ref: http://www.lexology.com/library/detail.aspx?g=07a6d19f-19ae-4648-9f69-44ea289726a0)[11]

III. TREATY ON THE FUNCTIONING OF THE EUROPEAN UNION (TITLE XV, Article 169)

CONSUMER PROTECTION

1. In order to promote the interests of consumers and to ensure a high level of consumer protection, the Union shall contribute to protecting the health, safety and economic interests of consumers, as well as to promoting their right to information, education and to organise themselves in order to safeguard their interests.[12]

[10] GDPR FAQs. Supra note 4 at 2.
[11] GDPR FAQs. Supra note 4 at 2.
[12] Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12012E%2FTXT

IV. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 (the E-Commerce Directive)

Directive 2000/31/EC covers the liability of providers (established in the EU) of online services (between enterprises, between enterprises and consumers, and those provided free to the recipient which are financed, for example, by advertising income or sponsoring), online electronic transactions (interactive telesales of goods and services and, in particular, online purchasing centres), and other online activities, such as the provision of news, database and financial services, professional services (e.g. those of solicitors, doctors, accountants and estate agents), entertainment services (video on demand), direct marketing and advertising services and internet access.[13]

WHAT DOES THE DIRECTIVE DO?

It establishes standard rules in the EU on various issues related to electronic commerce.

KEY POINTS

Online services covered by the Directive include:

1. news services (such as news websites)
2. selling (books, financial services, travel services, etc.)
3. advertising
4. professional services (lawyers, doctors, estate agents)
5. entertainment services
6. basic intermediary services (internet access, transmission and hosting of information)
7. free services funded by advertising, sponsorship, etc.

Online contracts

In every EU country, electronic contracts must be given equivalent legal status to paper contracts.

These contracts must also spell out the following, in clear and
understandable terms:

1. the technical steps consumers must follow to conclude the contract
2. whether or not the contract will be filed by the service provider and whether consumers can view it at a later stage
3. how consumers can identify and correct typing errors before placing their order
4. the languages in which the contract can be signed.

Consumers must be able to save and print out contracts and general conditions.[14]

[13] http://www.europarl.europa.eu/atyourservice/en/displayFtu.html?ftuId=FTU_2.2.2.html

V. DIRECTIVE 2005/29/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 11 May 2005 (‘Unfair Commercial Practices Directive’)

Directive 2005/29/EC on unfair commercial (business-to-consumer) practices prohibits misleading and aggressive practices, ‘sharp practices’ (such as pressure selling, misleading marketing and unfair advertising) and practices which use coercion as a means of selling (irrespective of the place of purchase or sale). It includes criteria for determining aggressive commercial practices (harassment, coercion and undue influence) and a ‘blacklist’ of unfair commercial practices.[15]

WHAT IS THE AIM OF THE DIRECTIVE?

It defines the unfair business-to-consumer commercial practices which are prohibited in the European Union. It applies to any act or omission directly related to the promotion, sale or supply of a product by a trader to consumers. It thus protects the economic interests of consumers before, during and after a commercial transaction has taken place.

It ensures the same level of protection to all consumers irrespective of the place of purchase or sale in the EU.

KEY POINTS

Unfair commercial practices are those which are contrary to the requirements of professional diligence and are likely to materially distort the economic behaviour of the average consumer.

Professional diligence: the standard of special skill and care which a trader may reasonably be expected to exercise towards consumers corresponding to honest market practice and/or the general principle of good faith in the trader’s field of activity.

[14] http://eur-lex.europa.eu/legal-content/en/TXT/?uri=LEGISSUM%3Al24204
[15] http://www.europarl.europa.eu/atyourservice/en/displayFtu.html?ftuId=FTU_2.2.2.html

Certain consumers enjoy a higher level of protection due to their
particular vulnerability to the practice or the product, their age (children
or the elderly), their naivety or their mental or physical infirmity.

The directive defines 2 specific categories of commercial practice as particularly unfair: misleading commercial practices (by action or omission) and aggressive commercial practices.

MISLEADING COMMERCIAL PRACTICES

1. Misleading actions

A practice is misleading if it contains false or untrue information or is likely to deceive the average consumer, even though the information may be correct, and cause them to take a transactional decision they would not have otherwise taken. Examples of such actions include false or deceptive information regarding:

• the existence or nature of the product;
• the main characteristics of the product (its availability, benefits, risks, composition, geographical origin, results to be expected from its use, etc.);
• the extent of the trader’s commitments (in codes of conduct by which the trader has agreed to be bound);
• the price or the existence of a specific price advantage;
• the need for service or repair.

2. Misleading omissions

A practice is also misleading if material information needed by the average consumer to take an informed transactional decision is omitted or provided in an unclear, unintelligible, ambiguous or untimely manner and is likely to cause them to take a purchase decision that they would not have otherwise taken.

3. Aggressive commercial practices

Transactional decisions must be made freely by the consumer. A practice is aggressive and unfair if by harassment, coercion or undue influence* it significantly impairs the average consumer’s freedom of choice and causes them to take a transactional decision they would not have otherwise taken.

TERMS:

Consumer: an individual who, in commercial practices covered by this directive, is acting for purposes which are outside their trade, business, craft or profession.

Undue influence: exploiting a position of power in relation to the consumer so as to apply pressure, even without using or threatening to use physical force, in a way which significantly limits the consumer’s ability to make an informed decision.

It has applied since 12 December 2007. EU countries had to incorporate it into national law by 12 June 2007.[16]

What are the penalties for failure to comply and what is the
enforcement picture?

Failing to comply with the Regulations could result in a fine for culpable
traders and/or their "consenting, conniving" or negligent directors and
senior managers of up to £5,000 or, on indictment, a fine and/or up to
two years imprisonment.
Enforcement will be by way of publicly funded consumer protection
authorities such as "Trading Standards" departments of local government
authorities and the "Office of Fair Trading", the closest thing the UK has
to the Federal Trade Commission.

Breach of the Regulations will not of itself give either UK consumers or UK traders the right to launch civil proceedings or private prosecutions against marketers whose unfair commercial practices have allegedly caused them loss or damage.[17]

VI. REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 (Electronic Identification and Trust Services (eIDAS) Regulation)

WHAT DOES THIS REGULATION DO?

The Electronic Identification and Trust Services (eIDAS) Regulation creates a new system for secure electronic interactions across the EU between businesses, citizens and public authorities.

It aims to improve trust in EU-wide electronic transactions and to increase the effectiveness of public and private online services and e-commerce. It applies to:

• electronic identification (eID)* schemes notified to the European Commission by EU countries;
• trust service providers based in the EU.

It removes existing barriers to the use of eID in the EU. For instance, it would now be straightforward for a Portuguese firm to tender for a public service contract in Sweden, while EU funding grants can be managed wholly online.

[16] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=LEGISSUM%3Al32011
[17] E. JONES. Unfair commercial practices law summary. http://marketinglaw.osborneclarke.com/advertising-regulation/unfair-commercial-practices-law-summary/

KEY POINTS
Electronic identification
• eID issued in one EU country must be recognized in all others. This applies only if the eID meets the regulation’s requirements and has been notified to the Commission and published in a list. Mutual recognition of eIDs will be mandatory from 28 September 2018 and will facilitate secure electronic transactions across the EU.

• An eID scheme must specify one of three levels of assurance (low, substantial and high) for the form of electronic identification issued under that scheme. Mutual recognition is mandatory only when the relevant public sector body uses the ‘substantial’ or ‘high’ levels for accessing that service online.

• Article 25 of the Regulation keeps the principle that all electronic verification services shall be admissible as evidence in legal proceedings, including electronic signatures, seals, time stamps, registered delivery services and certificates for website authentication. It specifically provides that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the fact that it is in electronic form. However, these electronic verification services have to meet certain technical requirements to confirm the integrity and correctness of the data to which they are linked.[18]

Notification

• When notifying the Commission of eID schemes, EU countries must provide information on aspects such as:
  • the level of assurance and the issuer of eID under that scheme;
  • the applicable supervisory and liability systems;
  • the body managing the registration of unique personal ID data.

• In the event of a security breach of the eID scheme or authentication, the notifying EU country must:
  • quickly suspend/revoke the EU-wide authentication or the compromised parts of the scheme; and
  • inform other EU countries and the Commission.

[18] MICHEAL MCKEE. New EU regulation for electronic signatures. https://www.dlapiper.com/en/us/insights/publications/2015/08/new-eu-regulation-for-electronic-signatures/

Liability

• In any transaction between EU countries where there is a failure to comply with the regulation’s obligations, the following parties can be held liable for any damage caused intentionally or negligently to any person or body:
  • a notifying EU country;
  • the party issuing the eID;
  • the party managing the authentication procedure.

Cooperation and operability among EU countries

• National eID schemes notified must be interoperable. The interoperability framework must be technology-neutral, not favouring any specific national technical solutions for eID.

Trust services

• The regulation defines trust services as paid-for services that include:
  • the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services; or
  • the creation, verification and validation of certificates for website authentication; or
  • the preservation of electronic signatures, seals or certificates related to those services.

• Trust service providers based in the EU are considered ‘qualified’ if they meet the regulation's applicable requirements. They are legally entitled to provide qualified trust services (e.g. qualified electronic signatures, seals or certificates) in all EU countries. Trust services offered by service providers from non-EU countries can be considered legally equivalent to qualified ones, but only after an agreement between the EU and the non-EU country or an international organisation.

Supervision

• EU countries must select one or more bodies for the supervisory activities under this regulation. These bodies must cooperate with data protection authorities where appropriate.
• All trust service providers are subject to supervision and to risk management and security breach notification obligations.
• Non-qualified trust service providers are subject to ‘light-touch’ supervision, i.e. the supervisory body only reacts if the provider is suspected of misconduct.
• Qualified trust service providers based in the EU are subject to strict supervision. This includes prior authorisation by supervisory bodies and auditing at least once every 2 years by an organisation that assesses whether they meet regulation requirements.
• A new, voluntary EU trust mark will identify the qualified trust services provided by the relevant providers.

FROM WHEN DOES THIS REGULATION APPLY?

It applies from 17 September 2014.

KEY TERM

*electronic identification (eID): tangible or intangible forms of identification containing personal ID data as used for authenticating an online service.

VII. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (Directive on privacy and electronic communications) or “E-PRIVACY DIRECTIVE”

Directive 2002/58 on Privacy and Electronic Communications, otherwise known as the ePrivacy Directive, safeguards the confidentiality of electronic communications in the EU. The ePrivacy Directive is a key instrument to protect privacy and it includes specific rules on data protection in the area of telecommunication in public electronic networks. The directive was adopted in 2002 with the aim to address the requirements of new digital technologies.[19]

The Directive on Privacy and Electronic Communications, known as the ePrivacy Directive, sets out rules on how providers of electronic communication services, such as telecoms companies and Internet Service Providers, should manage their subscribers' data. It also guarantees rights for subscribers when they use these services. These are the main requirements imposed by the Directive:

Confidentiality of communications: EU Member States must ensure the confidentiality of communications over public networks, in particular by prohibiting the listening into, tapping and storage of communications without the consent of the users concerned.

Security of networks and services: a provider of a public electronic communications service has to take appropriate measures to safeguard the security of its service.

Data breach notifications: if a provider suffers a breach of security that leads to personal data being lost or stolen, it has to inform the national authority and, in certain cases, the subscriber or individual.

Traffic and location data: this data must be erased or made anonymous
when no longer required for communication or billing purposes, except if the
subscriber has given consent for another use.

Spam: subscribers must give their prior consent before unsolicited commercial communications ("spam") are addressed to them. This also covers SMS text messages and other electronic messages received on any fixed or mobile terminal.

Public directories: subscribers' prior consent is required in order for their telephone numbers, e-mail addresses and postal addresses to appear in public directories.

Calling-line identification: subscribers must be given the option not to have their telephone number disclosed when they make a call.[20]

[19] https://epic.org/international/eu_privacy_and_electronic_comm.html
[20] https://ec.europa.eu/digital-single-market/news/eprivacy-directive

AMENDMENTS:

DIRECTIVE 2009/136/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2009 (COOKIE LAW)

xxx

Directive 2002/58/EC (Directive on privacy and electronic communications) is hereby amended as follows:

xxx

5) Article 5(3) shall be replaced by the following:

‘3. Member States shall ensure that the storing of information, or the
gaining of access to information already stored, in the terminal equipment of
a subscriber or user is only allowed on condition that the subscriber or user
concerned has given his or her consent, having been provided with clear and
comprehensive information, in accordance with Directive 95/46/EC, inter
alia, about the purposes of the processing. This shall not prevent any
technical storage or access for the sole purpose of carrying out the
transmission of a communication over an electronic communications
network, or as strictly necessary in order for the provider of an information
society service explicitly requested by the subscriber or user to provide the
service.’[21]

What's the cookie law all about?

The intent behind the law is to increase the options available for
consumers to protect their data privacy. Cookies enable websites to gather
data about visitors and users. A lot of this data is gathered without any user
awareness, and more and more companies are learning to exploit the value
of that data.

The law hopes to enable consumers to strike a new bargain with these
businesses - it requires businesses to inform consumers of what is being
gathered, and enables them to choose to participate in this or not.[22]

[21] http://eur-lex.europa.eu/legal-content/EN/TXT/ELI/?eliuri=eli:dir:2009:136:oj
[22] https://www.cookielaw.org/faq/

What is a cookie?

A cookie is a file placed on your computer by a website you visit, which it then also retrieves when you return to the site using the same browser. It can contain any text-based information, but it cannot be used to spread viruses or other malicious software. It can however be used for a wide variety of purposes. To find out all about cookies, have a look at Cookiepedia - a leading resource on the subject.

What businesses have to comply?

The laws apply across the EU, although they are implemented differently in each country. All businesses in the EU therefore need to comply with the regulations, and are bound by those in their own country. So all UK businesses have to ensure they at least meet the requirements of the UK legislation. However, in theory at least, any business anywhere that has a website serving customers within any EU country is required to comply with the legislation with respect to those EU visitors, and that country. So a US website with UK visitors ought to be asking for consent from those UK visitors according to the UK legislation.

The EU Cookie Legislation requires 4 actions from website owners who use
cookies:

1. When someone visits your website, you need to let them know that
your site uses cookies.
2. You need to provide detailed information regarding how that cookie
data will be utilized.
3. You need to provide visitors with some means of accepting or refusing
the use of cookies in your site.
4. If they refuse, you need to ensure that cookies will not be placed on their machine.

How you handle these requirements is entirely up to you, and we’ll discuss some of your options later. The important part is that you handle them.[23]

Why comply with the EU Cookie Law?

Put simply, it's the law. Any website not compliant is open to enforcement action from the regulators. In the UK for example the Information Commissioner's Office (ICO) has powers to force websites to change or it can impose a fine of up to £500,000 in the most serious cases. However, there is no indication that this is going to happen any time soon. Compliance is also increasingly a matter of meeting visitor expectations for respect for privacy preferences. In fact it is likely that this will quickly become a key business driver for site owners, as they will otherwise risk losing visitors.[24]

[23] Ultimate Guide to EU Cookie Laws. https://privacypolicies.com/blog/eu-cookie-law/

How Do I Comply With EU Cookie Law?

The EU regulations do not set out specific compliance requirements. They simply establish high-level requirements. How you comply with those is largely up to you. Here are a few options:

Option 1 – Get rid of your cookies

This seems pretty obvious, but it may not be as easy as you think. If you just
have a simple, static website, getting rid of your cookies should be easy. Use
the Google Chrome method above to figure out where cookies exist, and get
rid of that code. It may be as simple as removing a comments field or that
rarely-used “like” button.

However, if your website has anything more complicated than static HTML,
getting rid of your cookies will be a lot harder, and you have to consider what
you will be sacrificing in the process. If you post a daily blog to your site,
cookies are essential for comments. Do you want to lose comments just to
avoid telling your visitors about cookies? Probably not.

Option 2 – Add a Pop-Up or Similar Technology

There are no specific instructions regarding how users need to be informed,
or precisely what information you need to provide them with. However, there
are some generally accepted approaches.

First, you need to let users know that cookies are being used. This can be
done through a pop up, header bar, or similar technology. The wording does
not need to be complex or even detailed at this point. Details can be provided
elsewhere. The important thing is that the warning exists, and that it includes
the option to opt-out of cookies.

If you’re not sure what that would look like, there’s a great example from
ICO, the UK’s regulatory body responsible for enforcing the Cookie
Legislation. When you first access their website, the following pop-up
appears:

• We have placed cookies on your device to help make this website better.
• You can use this tool to change your cookie settings. Otherwise, we’ll
assume you’re OK to continue.

The pop-up/header bar you use must have a place for users to consent or
opt-out of cookies. If users ignore the warning, you can generally assume
consent.

24
Supra note 22, at 15. https://www.cookielaw.org/faq/

Option 3 – Get Implied Consent

Depending on your country’s interpretation of the law, you may only need to
get a user’s “implied consent.” Rather than forcing every user to click
“accept” before they can access your site, you can instead display a short
message informing them that cookies are being used, typically through a
header bar or some other non-obstructive method. After a predefined period
of time, which may be as short as a few seconds, the announcement can
disappear. If the user remains on your site, consent is implied.

This is the method the UK government uses; however, before you decide to
take this route, you should check with your local regulator to ensure it meets
your country’s requirements.

Option 4 – Add It to Your Terms and Conditions

Including a pop-up may not provide the best user experience, so some
companies have opted for including the cookie disclosure within their terms
and conditions. This can be a very effective and non-intrusive method, but
there are a couple of caveats.

First, users have to agree to the use of cookies, so if you include the
information in your T&Cs, you need a way for users to approve your T&Cs.
This is usually done as part of a sign-up or registration process. If your
website does not require users to sign up, this option probably won’t work
for you.

Second, you cannot simply add the cookie language to your existing terms
and conditions, because you need to gain consent specifically for the use of
cookies. This means, if you already have users who have agreed to your T&Cs,
after adding the cookie language you will need to prompt them to review and
agree to the new T&Cs.

Option 5 – Get a program to do it for you

There are plenty of applications and plugins available that can help you
comply with cookie laws. Depending on the program, they may be able to
assist you with such tasks as identifying cookies on your website, creating a
detailed list of how your cookies are used, informing users about cookie use,
and obtaining their consent. Some programs will even adjust settings and
information as cookies change.

Programs like Cookie Consent and Cookie Control can help you automate the
consent process. If you’re running WordPress, there are a number of plugins
available, such as Cookie Law Info. Many of these programs are available for
free or low cost, and can make the entire process much simpler.25

25
Supra note 23, at 16. https://privacypolicies.com/blog/eu-cookie-law/