Legal Matters: Beware of the Cookie Monster

If your company uses cookies — small information files that are downloaded onto a computer or mobile device when a user visits a website which enable the website operator to recognize the user's device and preferences — on its website, and the website is either "designed for the European market" or "provides products or services to customers in Europe," you should be aware of the new European Union (EU) Cookie Directive.

In principle, the Cookie Directive requires that visitors to websites receive an explanation of the specific nature of the cookies used by the website (except for those cookies that are "strictly necessary" as discussed below) and then consent to accept the cookies before the files can be automatically stored on the user's computer.

Many retailers selling products to European customers were understandably concerned that compliance with a strict user consent standard would mandate placement on the homepages of their websites of a pop-up box or header/footer bar requiring users to click on to "accept" cookies from the website after having first been offered the option to read the information page. Such notice and opt-in requirements would undoubtedly unnerve many visitors. In addition, should consumers decide not to permit the use of cookies, their shopping experience would likely be severely compromised, thereby adversely affecting merchant performance.

Such implementation requirements would have presented a dilemma for online retailers. Confronted with an austere notice and opt-in requirement, many visitors would navigate away from their sites rather than accept the cookies. Ironically, the result would likely be to drive traffic to noncompliant websites, which don't disclose their use of cookies. This would put companies that comply with the EU Directive's requirements at a disadvantage to those companies that fail (or refuse) to comply.

Moreover, the risks of noncompliance are considerable. For example, under the United Kingdom (U.K.) law incorporating the EU Directive, penalties of up to £500,000 ($774,500 U.S.) per violation can be imposed. Faced with the prospect of adopting a compliant yet consumer-unfriendly format, electronic merchants in the U.S. might prefer to block European users from buying from their websites altogether.