DLA Piper Data Protection Alert: How Much Has the Cookie Crumbled Across the EU?

By Paul McCormack

What's new?

Since our publication in March 2012, there has a been a number of updates in relation to the following jurisdictions:

  • * Belgium
  • * Cyprus
  • * France
  • * Greece
  • * Italy
  • * Malta
  • * The Netherlands, and
  • * Spain.


Furthermore, on 7 June 2012, Article 29 Working Party adopted an opinion addressing the meaning of 'cookie consent exemption' (WP 194). This opinion addresses and aims to clarify the types of cookies which would fall within the exemption set out under the E-Privacy Directive. A summary of the opinion is set out in the updated alert.

Finally, for those organisations who have business or otherwise are engaged in online activities in the United States of America, we have provided a general overview of considerations which organisations should bear in mind in the context of cookie compliance.

What does the law say?

The amended E-Privacy Directive1 which was to be implemented by all EU member states by 25 May 2011, requires the user to consent to the use of cookies. A copy of the 2009 E-Privacy Directive is available here. Please refer to Article 2(5) (at page 30), which amends Article 5(3) of Directive 2002/58/EC.

Article 5(3) of the E-Privacy Directive provides that "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with the Data Protection Directive2 about the purposes of the processing"3.

This change requires that consent to the use of cookies must be 'opt-in' (rather than 'opt-out'). However, there has been some uncertainty as to how the measures would be implemented into national law by the different EU member states and whether the law would, in practice, require additional measures to be taken to ensure the lawful use of cookies.

Download the PDF file to access the table which illustrates how Article 5(3) of the E-Privacy Directive has been implemented into the law of the applicable EU member state, together with a summary of the current position regarding the implementation of the E-Privacy Directive generally.

Previous DLA Piper cookie alerts:

1 UK Alert - updated July 2011

2 EU Wide Alert - as at June 2011

3 EU Cookie table - as at 5 December 2011

EU Cookie table - as at 1 March 2012

What should businesses do?

Businesses are advised to start assessing their cookie use now and developing their IT systems to make sure that they can properly comply. In essence, the more the use of a cookie relates to the personal information of a user, the more robust the procedures to obtain consent will have to be.

DLA Piper's EU Information Law team have developed a robust methodology to assist organisations through the complex rules relating to compliance with cookies and can assist organisations by undertaking a cookies audit, suggest compliance options and assist in the implementation of the most effective option.

This information is intended as a general overview and discussion of the subjects dealt with. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.

Copyright © 2012 DLA Piper. All rights reserved.

For more information about LexisNexis products and solutions, connect with us through our corporate site.