Google recently sent out a letter to users of its AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange products. It looked like this:
We want to let you know about a new policy about obtaining EU end-users’ consent. It clarifies your duty to obtain end-user consent when you use products like Google AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange. … Please ensure that you comply with this policy as soon as possible, and not later than September 30th, 2015. …
Cookies are pieces of data that a website stores on a user’s device, generally to provide what we have come to expect as basic site security and functionality: username and password prompts, language preferences, etc. They also allow companies to figure out general details about site visitors: content viewed, duration of visits, ads accessed, browser used, etc.
There are two kinds of cookies. The first are “first party” cookies. They are placed on the user’s device by the operator of the visited website. The other kind of cookie is a “third party” cookie. Those are placed on a user’s device by operators of websites other than the ones the user is currently visiting. If one website, say taftlaw.com, has a Facebook “like” button on its site, that “like” button will place a cookie on the user’s device that can be read by Facebook. That’s a third party cookie.
There are also things called super- or perma-cookies. These are cookies that last for extended periods of time, and a user may not be able to remove them. A website’s use of these cookies raises significant privacy concerns because they collect and store a lot of information, much of it potentially personal. That is great for online targeted advertising, but it is often not so great for security and publicity.
You might be thinking, "I am a U.S. company. Why do I need to care about the EU cookie law?" The short answer is that if you are a user of Google’s advertising products mentioned above, Google is requiring it. The long answer is that if users of your website are from the EU, the Data Protection Directive (the EU’s main privacy law) and the Article 29 Working Party (an advisory board made up primarily of the data protection authorities of each EU member state that gives advisory opinions on issues of data protection law) say that you do.
The Article 29 Working Party has opined that the Data Protection Directive applies to non-EU website operators, including those from the U.S., because the placing of a cookie on an EU user’s device “make(s) use of equipment” that is located in the EU. Where the sending of “a text file installed on a hard drive of a computer” will “receive, store, and send back information to a server situated in another country,” the Article 29 Working Party has said that the national law of the computer user — i.e., the EU Directive — applies. While the Article 29 Working Party’s opinions are not controlling, they are worthy of very serious consideration.
There are also many tools, including free ones, that you can use to create the notice, so you don’t have to start from scratch. For example, the European Commission offers a “cookie consent kit” that is easy to deploy.