Written by Lindsey Powers
EU businesses have been abuzz about tighter EU privacy rules that affect the use of web cookies, with little notice in the U.S. Changes to EU laws may have effects even on US-based companies. In addition, proposed bipartisan privacy legislation in the US reveals a possible trend toward stricter privacy controls stateside. The recent suit filed against an online analytics firm and its customers, including Hulu, Spotify and Spokeo, reveals that even under the current US privacy regime, certain tracking practices can lead to headaches. It is important to be aware of these developments and to consider how they might affect the online presence of your business. Online privacy is a moving target, and counsel with expertise in internet privacy can help develop a strategy tailored to your business.
In 2009, the EU released its e-Privacy Directive tightening existing law on online privacy and data protection. Perhaps the most crucial provision in the Directive for online businesses is the requirement of informed consent by the user for collection of data via cookies. Businesses are concerned about the cost of implementing new requirements, but they can’t even be sure what the exact requirements will be. Is affirmative opt-in consent required before collecting data? What kind of opt-in is required? Pop-up? Screenwrap? Splash page? These questions lead many critics to accuse the Directive of being half-baked.
What are Cookies?
EU Guidance on Consent
Consent is a contentious aspect of the Directive, and the lack of clear guidance is troubling to many online commerce proponents. EU law prior to the new Directive required an opt-out, but the new Directive appears to require an opt-in. It is unclear what exactly is required in order to show that informed consent was gathered. Would a pop-up window suffice? Should the site take users to an entry page where they must consent prior to accessing any content? How often must one gain consent? On July 14, 2011, an EU Working Party on Data Protection released anticipated guidance on consent. However, even the EU’s data protection supervisor admits that the current advice is unclear. The Working Party states that “all necessary information must be given at the moment the consent is requested,” and that consent is required before the data processing begins. Regarding how consent may be manifested, the Working Party does not answer the most common concerns about how to achieve compliance. This guidance gives no clear stamp of approval to any specific method of gathering consent, which is the question most bothersome to many website administrators.
The Directive is not actually binding upon companies or individuals until Member States codify it into their national laws. Member States were required to codify and implement the e-Privacy Directive by May 25, 2011, but this date passed with only a handful of Member States meeting the deadline. Perhaps the most notable State to comply so far is the UK, which has not only codified the Directive into national law, but has also released guidance from the Information Commissioner’s Office (ICO) as to how the new rules are to be enforced. The ICO has established a one-year grace period for enforcement of the rules, ending in late May 2012, but indicates that companies must begin taking steps towards compliance as soon as possible.
Member State Policies on Consent
Because the EU Directive is not specific about the actual requirements imposed upon businesses, there are multiple flavors of interpretation across the Member States. For example, Ireland and the Netherlands will allow browser settings to suffice as consent. That is, if a user’s browser settings allow cookies, that sufficiently signifies consent. Other Member States, including the UK, have said that while the use of browser settings may one day be a viable option for obtaining consent, current browser settings lack the specificity regarding different types of cookies required to serve as consent. The UK situation is especially interesting because while the actual law says that browser settings are acceptable for consent, the guidance provided by the regulator says they currently are not.
Effect on Non-EU Business
Recent Privacy Bills in the U.S.
The U.S. has a much less rigid consumer data protection structure than most developed nations. The laws regarding data privacy are piecemeal and tend to relate to specific types of data, such as medical information or financial details, but there is no overarching e-privacy data protection scheme.
There are at least two pieces of proposed legislation that seek to change this. In April 2011, Senators John Kerry and John McCain introduced the “Commercial Privacy Bill of Rights.” This bill creates rights related to information gathering and use. Importantly, part of the proposed legislation includes an opt-out requirement for information “unauthorized by the Act,” and an actual opt-in consent requirement for “sensitive personally identifiable information.”
A similar bill was introduced by Representatives Cliff Stearns and Jim Matheson in the House.
While these proposals don’t go nearly as far as the EU e-Privacy Directive, they do increase restrictions on the gathering and use of data for US companies. Groups such as the Direct Marketing Association oppose the proposed laws, citing the cost of compliance and the effect on a robust information economy. Surprisingly, supporters of the proposed privacy reforms include AT&T, Microsoft, HP, Intel, and eBay. These companies believe the complexity of the current system costs more in compliance than an overarching scheme would [22a].
This week, a group of lawyers filed a class action complaint against the analytics firm KISSmetrics and many of its customers, including high-profile names such as Spotify, Hulu, Etsy, Slideshare.net, and AOL’s About.me, alleging that the companies “circumvented… browser privacy controls,” and tracked users in an “unreasonable and unexpected way…” in violation of the Electronic Communications Privacy Act (ECPA). While it is too early to gauge whether the plaintiffs will prevail, because it is unclear whether the ECPA applies to cookie-type tracking, such suits may lead to stronger privacy protection requirements being imposed on online businesses.
Costs of Noncompliance
While most EU States have yet to implement the Directive, one can look to the UK as an example of potential penalties. The ICO reserves the right to audit and to impose monetary penalties on businesses found not to comply with privacy laws, potentially of up to £500,000. Such penalties may render it extremely costly to be caught with your hand in the cookie jar.
Potential Outcomes for Business