eu cookie alert updated july 2012

www.dlapiper.com | 01

How tHe eU Has implemented tHe new law on CookiesUpdated July 2012

02 | How the EU has implemented the new law on Cookies

sUmmaRY oF eU implementation oF aRt 5(3) e pRiVaCY diReCtiVe (diReCtiVe 2002/58/eC)

eU member state

implemented into local law?

Regulator guidance published?

does local regulator interpret the law as requiring prior opt-in?

Can website operators rely upon implied1 consent?

Austria Yes No Yes No

Belgium Yes No Not clear Not clear

Bulgaria Yes No Yes Unknown

Cyprus Yes No Yes No

Czech Republic Yes No No N/A. Opt-out principle applies

Denmark Yes Yes No Yes

Estonia Yes No Unknown Unknown

Finland Yes No No Yes

France Yes Yes Yes No

Germany No No Unknown Unknown

Greece Yes No Yes No

Hungary Yes No No Currently yes

Ireland Yes Yes No Yes

Italy Yes No No Unknown

1 IntheUK,theICOhasdeemedimpliedconsentasamethodtoobtainconsent.Thiswillonlyworkwheretheuserisgivenspecificandcomprehensiveinformationabouttheuseofcookies,andtheusergivesanindicationofhiswishestoconsent(e.g.continuestobrowseanddoesn’tdisablecookies).

2 NorwayisnotanEUMemberbutasaconsequenceofitsmembershipintheEEA(EuropeanEconomicArea(Nw:EØS)),NorwayisunderanobligationtoadoptEUDirectives.

eU member state

implemented into local law?

Regulator guidance published?

does local regulator interpret the law as requiring prior opt-in?

Can website operators rely upon implied1 consent?

Latvia Yes No Yes No

Lithuania Yes Yes Yes Unknown

Luxembourg Yes No Yes No

Malta Yes, but not yet inforce

No Unknown Unknown

Netherlands Yes Yes Yes No

Norway2 No No No N/A

Poland No No Yes Yes

Portugal Yes No No N/A

Romania No No Unknown Unknown

SlovakRepublic Yes No Yes No

Slovenia No No Unknown Unknown

Spain Yes No Yes No

Sweden Yes No Yes Yes

United Kingdom Yes Yes Yes Yes


Austria �� 04

Belgium �� 05

Bulgaria�� 06

Cyprus �� 06

Czech Republic ��07

Denmark �� 08

Estonia �� 09

Finland ��10

France ��11

Germany ��13

Greece��13

Hungary ��14

Ireland��15

Italy ��16

Latvia ��17

Lithuania ��17

Luxembourg ��18

Malta ��19

Netherlands ��19

Norway ��21

Poland ��21

Portugal �� 22

Romania �� 23

Slovak Republic �� 23

Slovenia ��24

Spain ��24

Sweden �� 25

United Kingdom ��27

Contents


eU member state e-privacy directive implemented into local law?

Regulatory Guidance issued?

Current position (legal, enforcement and regulatory position)

meaning of Consent does local regulator interpret the law as requiring prior opt-in?

a) applicable legislationb) Regulatory Guidancec) authority Responsible for implementation

aUstRia

DLA Piper Contact:wolfgang Freundt +43 1 531 78 1401 wolfgang�freund@dlapiper�com

Yes No The E Privacy Directive was ■

implemented in Austria by amendmentoftherelevantprovisionsoftheAustrianTelecommunicationsAct(Telekommunikationsgesetz2003,“TKG”).ThechangestotheTKGhavecomeintoeffecton 22November2011.

TherelevantsectionoftheTKGnow ■

statesthatausermustgiveinformedconsentforthestorageofpersonaldata.

UnderAustrianlaw“informed ■

consent” is required prior to theprocessingofpersonaldata. The user has to be aware ofthefactthatconsentforthestorageorprocessingofpersonal data is given, as well asthedetailsofthedatatobestored or processed, and has toagreeactively.Thereforeobtaining consent via some formofpopuporclickthroughagreement seems advisable.

Consentbywayofbrowser ■

settings, or a pre-selected check-boxetc.isnotsufficientin this respect.

Furthermoreincaseofconsent ■

bywayofbrowsersettingstherequiredinformationregardingthestorageofpersonaldatamust be made available to the user as is required by the TKG.

Yes a) Telekommunikationsgesetz2003asamendedbyBGBlINr.102/2011;

b) N/A;and

c) AustrianRegulatoryAuthorityforBroadcastingand Telecommunications (RTR)/AustrianDataProtection Authority (DSK).







BelGiUm

DLA Piper Contact:patrick Van eecket +32 (0)2 500 1630 patrick�van�eecke@dlapiper�com

Yes No Article5(3)oftheE-PrivacyDirective ■

was implemented into Belgian Lawbymeansofamendmentofarticle129oftheBelgianElectronicCommunication Act. The amendment followsthewordingoftheE-PrivacyDirective closely. As a result, the amendedarticle129oftheBelgianElectronic Communication Act requirespriorinformedconsent.

Theamendedarticle129ofthe ■

Belgian Electronic Communication Actdoesnotallowfortheuser’sconsent to be expressed by usage oftheappropriatesettingsofabrowser or other application as suggested by the European legislator inconsideration66oftheCookieDirective.

Thereisnospecificregulation ■

onconsentinthecontextofcookies. The general rules on data protection must be complied with, meaning that consentmustbeprior,free,specificandinformed.

The law does not foreseeinstricterwording than that determined in article 5(3)oftheE-PrivacyDirective.

The Belgian authorities(PrivacyCommission/Telecommunications Regulator)mayhowever chose to issue regulatory guidance on applying the rules and distinguishing betweentypesofcookies.

a) Article129oftheElectronic Commerce Act

b) Notissuedyet

c) TheBelgianInstituteforPostalServicesandTelecommunications and the Belgian Privacy Commission

express opt-in Consent Required (if so, required by law or regulatory guidance)?







BUlGaRia

Firm:wolf theiss

Website:www�wolftheiss�com

Contact:anna Rizovat +359 2 861 3703 anna�rizova@wolftheiss�com

Yes No Art.5(3)ofEPrivacyDirective ■

was implemented into Bulgarian legislationon29December2011.It now states that users should be provided with clear and comprehensiveinformationaboutthepurposesofdataprocessingandthey must be given the opportunity torefusestoringoraccessingsuchinformation.

Consentmeansanyfreely ■

given,explicitandinformedstatementofthedatasubjectbywhichthedatasubjectunambiguously gives their consent to their personal data being processed.

Yes a) ElectronicCommerceAct;

b) N/A;and

c) ConsumersProtectionCommission.

CYpRUs

Firm:pamboridis & associates

Website:www�pamboridis�com

Contact:Yiota kythreotou theodorout +357 22 753 100 kythreotou@pamboridis�com

Yes No Directive2009/136/EChasbeen ■

implemented in Cyprus on the 18May2012,throughLawNo.51(I)/2012amendingtheRegulationofElectronicCommunicationsandPostalServicesLaw.

Theamendmentsfollowthewording ■

oftheE-PrivacyDirectiveclosely,and leave the detailed compliance requirementstobeclarifiedbytheCyprusOfficeoftheCommissionerforPersonalDataProtection.

Priorinformedconsentisrequired ■

inaccordancewiththeprovisionsoftheProcessingofData(ProtectionoftheIndividual)Lawof2001anditsamendmentLawNo.37(I)/2003.

Consentmeansconsentofthe ■

datasubject,anyfreelygiven,expressandspecificindicationofhiswishes,clearlyexpressedandinformed,bywhichthedatasubject,havingbeenpreviouslyinformed,consentstotheprocessingofpersonaldata concerning him.

Yes, required by law a) TheElectronicCommunications and Postal ServicesLawof2004andits amendment Law No. 51(I)/2012;

b) N/A;and

c) OfficeoftheCommissionerofElectronicCommunications and Postal RegulationandtheOfficeoftheCommissionerforPersonal Data Protection.







CZeCH RepUBliC

DLA Piper Contacts:peter Valertt +420 222 817 250 peter�valert@dlapiper�com

eva spurkovat +420 222 817 802 eva�spurkova@dlapiper�com

Yes No On1January2011,theCzech ■

Republic implemented the E Privacy Directive. The E Privacy Directive was implemented into Czech law byActNo.468/2011Coll.,whichamendedActNo.127/2005Coll.,on Electronic Communications, as amended. The amendment went intoeffectonJanuary1,2011andintroduces the opt out principle.

TheEPrivacyDirectivewasreflected ■

intoSection89par.3oftheActonElectronic Communications which states:“Anyone who intends to use or uses electronic communications networks to store data or to gain access to data already stored in the terminal equipment of the participants or users, is required to inform such participants or users in advance and provably about the scope and purpose of the processing of data and is obliged to offer them to refuse the possibility of the processing.”

The Czech legislator derived ■

themeaningofconsentfromthepurposeofthedirective,which is not to overload a userwithaconfirmationofhis consent at every website visit, but to provide him with aneasyopportunitytorefusestoringofpersonaldata.

No a) TheActNo.127/2005Coll., on Electronic Communications as applicablelaw;

b) OfficeforPersonalDataProtection(“OPDP”);and

c) MinistryofIndustryandTradeoftheCzechRepublic.







denmaRk

Firm:Horten

Website:www�horten�dk

Contact:egil Husumt +45 3334 4224 EHU@horten�dk

Yes Yes Directive2009/136/ECwas ■

implemented in the new Danish Act on Electronic Communications ServicesandNetworkswhichcameintoforceon25May2011inaccordance with the implementation deadline in the Directive. However, theActdidnotimplementthespecificprovisionsconcerningtheuseofcookies, but instead provided an authorisation to the Danish Minister ofBusinessandGrowthtoexecuteanexecutive order on this matter.

The“ExecutiveOrderonInformation ■

andConsentRequiredinCaseofStoringandAccessingInformationinEnd-user Terminal Equipment” came intoforceon14December2011.

PursuanttotheOrdertheuseof ■

cookies requires consent. The consent mustbefreelygivenandspecific.

Theconsentmustbefreely ■

givenandspecificandtheusermust be given an option.

However, this does not imply ■

that consent must be obtained each time a cookie is used but a user must be given an option. Furthermore, the consentmustbeinformedwhich implies that a user must receiveinformationabouttheconsequencesofconsenting.Finally, the consent must be aninformedindicationoftheuser’swishes.Normally,consent is obtained through tick-the-box but also the useofahomepageafterhaving received the relevant informationconcerningcookies can constitute consent. Yet,consentbyuseofahomepage must be used with caution.

No, but consent by useofahomepagemust be used with caution.

a) (i)ActNo169of3March2011onElectronicCommunicationsServicesandNetworksand(ii)ExecutiveOrderNo1148of9December2011onInformationandConsentRequiredinCaseofStoringandAccessingInformationin End-user Terminal Equipment;

b) GuidancenotesNo9018to the new rules on storing ofcookiesandsimilartechnologies;and

c) TheDanishBusinessAuthority.







Inadditiontothistheinformation ■

totheusermustfulfilthefollowingrequirements:(i)Theinformationmustbeclearandeasytounderstand;(ii)thepurposeoftheuseofcookiesmustappear;(iii)theidentityoftheperson or entity which is responsible fortheuseofcookiesmustappear;(iv)thepossibilityofwithdrawalofconsent must be easily accessible and bedescribedintheinformation;and(v)thisinformationmustbeeasilyaccessiblefortheuseratalltimes.”

estonia

Firm:lawin

Website:www�lawin�com

Contact:pirkko liis Harkmaat +372 6306460 pirkko�liis�harkmaa@lawin�ee

Yes No The Ministry has concluded that ■

thenewlawisalreadysatisfiedbyArt102oftheEstonianElectronicsCommunications Act and as a result nofurtherimplementationmeasuresare necessary.

Thereisnospecificregulation ■

on consent in the context of“cookies”.Itishoweverrecommended to apply general rules on personal data protection also in case ofcookies,butthelawisabitvague in this respect.

Whether or not explicit opt-in consent is required is still unclear as no respective practice has developed yet.

a) EstonianElectronicCommunicationsAct(RTI2004,87,593,asamendedfromtimetotime)andEstonian Personal Data ProtectionAct(RTI2007,24,127,asamendedfromtimetotime);

b) N/A;and

c) MinistryofEconomicAffairsandCommunications and Data Protection Inspectorate.







Finland

Firm:Hannes snellman attorneys

Website:www�hannessnellman�com

Contacts:erkko korhonent +358 9 22884308 erkko�korhonen@hannessnellman�com

kaisa Fahllundt +358 9 2288 4209 kaisa�fahllund@hannessnellman�com

Yes No Legislation has been adopted by ■

the Finnish Parliament adopting the newlaw,whichenteredintoforceon25May2011.ThenewFinnishlawrecognisesthepossibilityofobtaining consent via browser/other application settings. However, the user needs to be given comprehensible andcompleteinformationonthepurposesofsavingorusingsuchdata. The legal requirement written in law is “consent” that is however interpreted in the preliminary works ofthenewlawsothattheusermaygive the consent via browser or other application settings. The saving and useofdataisallowedonlytotheextentrequiredfortheservice,andit may not limit the protection or privacy any more than is necessary.

Further, under the new law the ■

provisions regarding consent do notapplytoanysavingoruseofdatawhichisintendedsolelyforthepurposeofenablingthetransmissionofmessagesincommunicationsnetworksorwhichisnecessaryfortheserviceproviderforthepurposeofproviding a service that the subscriber oruserhasspecificallyrequested.

At present, “opt out” consent ■

wouldbesufficientinFinland. The Finnish Act governing the cookies sets two conditions on placing cookiesonusers’computers:i)theuserhasgivenconsentandii)comprehensibleandcompleteinformationonthepurposesofsavingorusingsuch data are given to the user. These two conditions are separate in a way that they both need to be fulfilled.Givingtherequiredinformationtotheuserwillnotreleasefromtherequirementtoobtain a consent.

AsFinlandwasoneofthefirst ■

countries that implemented the Article5(3)oftheEPrivacyDirective it is to be seen whether the interpretation will remainthesameif“optin”becomes prevailing practice elsewhere in the EEA.

No a) TheActontheProtectionofPrivacyinElectronicCommunications(516/2004,inFinnish:Sähköisen viestinnän tietosuojalaki);

b) Noguidancepublished;and

c) TheFinnishCommunications Regulatory Authority (FICORA),theDataProtection Ombudsman.

mailto:[email protected]










FRanCe

DLA Piper Contact:Carol Umhoefert +33 1 40 15 24 34 carol�umhoefer@dlapiper�com

Yes Yes France has implemented the EU ■

Cookies Directive by Order N° 20111012,dated24August2011.The French Order states that any subscriberoruserofelectroniccommunication services must be fullyandclearlyinformedbythedata controller or its representative of(i)thepurposeofanycookie(i.e,anymeansofaccessingorstoringinformationonthesubscriber’s/user’scomputer),and(ii)themeansofrefusingcookies,unlessthesubscriber/user has already been soinformed.Cookiesarelawfullydeployedonlyifthesubscriber/userhasexpressedconsentafterhavingreceivedsuchinformation.

However,theforegoingprovisions ■

donotapply(i)tocookiesthesolepurposeofwhichistoalloworfacilitateelectroniccommunicationbyauser,or(ii)ifthecookieisstrictly necessary to provide on line communicationservicesspecificallyrequested by the user.

InNovember2011,andagaininApril ■

2012,theFrenchDataProtectionAuthority(“CNIL”)issuedguidelinesforcookies.

Consentmustbe(i)freely ■

given(i.e,incircumstanceswhere the user has a choice to refuseconsent),(ii)specific(i.e,relatetoaspecificcookie associated with a clearlydefinedpurpose),and(iii)informed(i.e,theusermustbegiveninformationbeforehand,specifyingthecookie’spurposeaswellasthepossibilitytorevokeconsent).

The Order also provides that ■

consentcanresultfromthesubscriber’s/user’sconnectionsettings(e.g.,browsersettings)or any other means under the subscriber’s/user’scontrol.

Yes. The law copies thetextoftheDirective almost wordforword;guidance is very clear that opt-in consent is required.

a) TheLawn°78-17ofJanuary6,1978–asmodified–oninformationtechnology,datafilesandcivilliberties;

b) http://www.cnil.fr/en-savoir-plus/fiches-pratiques/fiche/article/ce-que-le-paquet-telecom-change-pour-les-cookies/;and

c) CommissionnationaledeL’informatiqueofdeslibertés(“CNIL”).







The CNIL considers that the certain ■

cookies are not covered by the Order.The CNIL considers that the website ■

ownerisliableforallowingathirdpartytoinstallacookieontheuser’scomputer.

TheApril2012guidancealso ■

reaffirmsthattheserulesapplytoallcookies whether containing personal data or not.

TheApril2012guidancealsoreminds ■

operators that non compliance with Frenchlawcantriggerfinancialpenaltiesinamountofupto€150,000forafirstviolationorupto€300,000(forsubsequentviolationswithin5years).HowevertheCNILhasrecognized that compliance may not be immediate, and the CNIL will takeintoconsiderationalleffortsimplemented to reach compliance. The current understanding is that the CNILwillbeginenforcementin June 2012.

However, according to the ■

CNIL, commonly used browsersdonotoffercompliant settings.

The CNIL regards the ■

followingconsentcollectionmechanismsascompliant:

abanneratthetopof –awebpage;

a consent request zone –overprintingonthesite’shomepage;and

boxes to tick when registering –foranonlineservice.







GeRmanY

DLA Piper Contact:dr thomas Jansent +49 89 232 372 110 thomas�jansen@dlapiper�com

No No TheprocessofimplementingtheAct ■

isdelayedasseveraldraftbillsdidnotpasstheGermanParliament.ThefirstbilltoamendtheTelemediaActofMarch2011providedthatstorageofdataontheequipmentoftheuserwillonly be permissible where the user has beeninformedandconsentisgivenbythem.

Unknown/TBC ■

The original exception to the ■

consent requirement remains wherethecookiesisusedforenablinganinformationorcommunication the user has explicitly requested.

It remains to be seen whether ■

itwouldalsobesufficienttolinktheinformationaboutprocessingofpersonaldataand technical measures to the browser settings or whether an active opt-in, e.g, by clicking on a pop-up screen will be required.

TBC Awaiting implementation

GReeCe

Firm:kyriakides Georgopoulos & daniolos issaias

Website:www�kgdi�gr

Contact:konstantinos issaiast +30 210 817 1500 k�issaias@kgdi�gr

Yes No EUDirective2009/136hasbeen ■

implemented into the Greek legal systemwithLaw4070/2012,which has been voted by the Greek Parliamenton6April2012.

InfactthislawamendsLaw ■

3471/2006onProtectionofpersonaldata and privacy in the electronic telecommunications sector.

Accordingtoarticle4par.5ofLaw ■

3471/2006asamendedbyLaw4070/2012,thestorageofinformationortheaccesstoinformationalreadystoredtotheterminalequipmentofasubscriber or user is permitted only ifthisspecificsubscriberoruserhasprovidedhisconsentfollowinganupdating.

Thewaysofexpressionof ■

consent will be regulated followinganActoftheHellenic Data Protection Authority.

Yes a) Law3471/2006,asamendedandinforcetoday;

b) No;and

c) HellenicDataProtectionAuthority.







HUnGaRY

DLA Piper Contacts:monika Harvatht +36 1 510 1110 monika�horvath@dlapiper�com

Zoltán kozmat +36 1 510 1100 zoltan�kozma@dlapiper�com

Yes No BeforeimplementingArticle5 ■

(3)oftheEPrivacyDirectiveintoHungarianlaw,section155(4)oftheHungarianActCof2003onElectronicCommunications(“ActCof2003”)alreadyprovidedthat“the storing of information, or the gaining of access to information on the electronic terminal equipment of a subscriber or user obtained via electronic communications networks is only allowed on the condition that the subscriber or the user concerned has given his or her consent, after having been provided with clear and comprehensive information”. Accordingly,Article5(3)oftheE Privacy Directive did not result in a significantchangeinHungarianlaw.

Irrespectiveoftheforegoing,the ■

Hungarian Parliament issued a draftbilltotheParliamentwhichimplements the E Privacy Directive into Hungarian law. This entered intoforceinAugust2011.ThisActmodifiesActCof2003,andalmostprovidesthesamewordingasreferredto above.

Thereisnospecificguidance ■

or regulation in relation to themeaningofconsent.OnthebasisofthewordingoftherelevantAct,however,it is clear that it must be prior consent,afterthesubscriberhas been provided with clear and comprehensive information,whichinformationinteraliaincludesthepurposeofprocessing.

Serviceprovidersshallbe ■

authorized to obtain and store communications transmitted on their network only to the extentstrictlynecessaryfortheprovisionsofservicesfortechnicalreasons.

General practice is that ■

consent can be obtained via browser settings, however, asmentionedsofarthishasnotbeenconfirmedbytheopinionortheguidanceofthe Authorities yet.

No a) Section155(4)ofthe Hungarian Act (2003onelectronicCommunications);

b) No;and

c) NationalMediaandInfocommunicationsAuthority.







iReland

Firm:mason, Hayes and Curran

Website:www�mhc�ie

Contact:philip nolant +353 1 614 5000 pnolan@mhc�ie

Yes Yes Implemented into Irish law by ■

StatutoryInstrumentNo.336/2011,the European Communities (ElectronicCommunicationsNetworksandServices)(PrivacyandElectronicCommunications)Regulations2011,witheffectfrom 1July2011.

Users must be provided with “clear ■

andcomprehensive”information,includingastothepurposeofthecookie.Suchinformationmustbe“prominently displayed and easily accessible”andbeas“userfriendlyaspossible”.

The Regulations do not apply to ■

cookies which are “strictly necessary inordertoprovideaninformationsociety service explicitly requested” by the user.

Thereisnoformal“leadinperiod” ■

ofthesortadoptedintheUK.Businesses must be immediately compliant with the new rules.

The Regulations do not ■

specifyhowconsentshouldbe given beyond stating thatthemethodsofgivingconsent should be as “user friendlyaspossible”.Whereit is technically possible and effectiveconsentmaybegivenby browser settings.

Theuser’sconsentmaybe ■

givenbytheuseofappropriatebrowser settings where it is technically possible and effective.Suchsettingswouldrequire, as a minimum, clear communication to the user as to what he or she was being asked to consent to and a meansofgivingorrefusingconsenttoanyinformationbeing stored or retrieved.

Consent can be obtained ■

by other technological applicationsbymeansofwhichthe user can be considered to have given his or her consent.

No. Implied consent could be relied upon in certain circumstances.

a) EuropeanCommunities(ElectronicCommunications NetworksandServices)(PrivacyandElectronicCommunications)Regulations2011(SI336of2011);

b) GuidanceNoteonDataProtection in the Electronic CommunicationsSector;and

c) DataProtectionCommissioner.







italY

DLA Piper Contacts:Giangiacomo olivit +39 02 80 618 515 giangiacomo�olivi@dlapiper�com

marco leonet +39 06 688 801 1 marco�leone@dlapiper�com

Yes No Implemented into Italian law with ■

effectfromJune2012.

The new provisions are a very close ■

reflectionofthewordingofRecital66ofDirective2009/136/ECandSection5(3)ofDirective2002/58/EC(asamendedbyDirective2009/136/EC).Assuch,theyposeexactlythesame interpretation problems as these provisionsofEUlaw,especiallywithregardtothenatureofconsentrequiredforcompliance.Theonlysignificantnotice,takingintoaccounttheproposalsdifferenceisthatthedecree requires the Italian data protection Authority to determine certainsimplifiedmethodsofproviding subscribers or users with aninformationmadebybusinessandconsumer associations.

Business may have to wait ■

forageneraldecisionbythe Italian data protection Authoritybeforetheycanassessthetrueimpactofthe change. However, in an opinion submitted to the government in relation to the draftdecree,theAuthorityhasalready stated that the new provisions on cookies should be interpreted as establishing an opt-in regime in Italy.

No a) LegislativeDecreen.69of28May2012,amendingthe Italian Privacy Code (LegislativeDecreen.196of30June2003);

b) TBC;and

c) Garanteperlaprotezionedeidatipersonali(www.garanteprivacy.it).







latVia

Firm:lawin


Contact:sarmis spilbergs t +371 67814848sarmis�spilbergs@lawin�lv

Yes No Latvia has implemented the new ■

law through amends to the Law on InformationSocietyServices.TheimplementationoftheDirectivedoesnotexpresslyaddresstheuseofbrowsersettingstoobtainconsent;instead, it requires that the consent is obtained in accordance with Personal Data Protection Law.

Noofficialguidancehasbeenissued ■

byDataStateInspectoratetocurrentdateregardingcollectionofconsentforuseofcookies.Therearenosignsofrelaxationofgeneralruleswithrespecttoconsentsforcookies.

SincePersonalData ■

Protection Law implements Directive95/46/EC,theconsentforcookiesmustbe“unambiguously given”.

Yes a) LawonInformationSocietyServices,art.71;

b) No;and

c) DataStateInspectorate(http://www.dvi.gov.lv/eng/).

litHUania

Firm:lawin


Contacts:Jaunius Gumbist +370 52681830 jaunius�gumbis@lawin�lt

Julius ZaleskisT +370 52191934 julius�zaleskis@lawin�lt

Yes Yes(inDecember 2011)

Lithuania has implemented the new ■

EU law through amendments to the Law on Electronic Communications whichcameintoeffecton 1August2011.

Theamendmentsmirrorthetextofthe ■

new EU law and require that consent to theuseofcookiesmustbe“optin”.

LithuanianStateDataProtection ■

Inspectorate has published recommendationsaboutthemethodofconsenttotheuseforcookies. Theguidanceconfirmedthatconsentcan be obtained through pop ups, banners or website registration while relevant settings contained within current browsers are not likely to formavalidconsent.

‘Prior’explicitconsentis ■

required.

Users must be given a genuine ■

opportunity not to consent.

There is no clear guidance on ■

possibility to obtain an implied consent.

Yes, required by law and regulatory guidance.

a) TheLawonElectronicCommunicationsoftheRepublicofLithuaniaNoIX2135(inLithuanian–Lietuvos Respublikos elektroninių ryšių įstatymas);

b) http://www.ada.lt/images/cms/File/naujienu/slapuk_DV.pdf;and

c) StateDataProtectionInspectorate(inLithuanian–Valstybinė duomenų apsaugos inspekcija).







lUXemBoURG

Firm:Bonn & schmitt

Website:www�bonnschmitt�net

Contacts:Guy arendtt +352 27 855 garendt@bonnschmitt�net

alain Grosjeant +352 27 855 agrosjean@bonnschmitt�net

Julia seniort +352 27 855 jsenior@bonnschmitt�net

Yes No Luxembourg implemented ■

Directive2009/136/ECbyalawof28July2011whichmodifiedthelawof30May2005andcameintoeffecton1September2011.

Priorinformedconsentofa ■

subscriber/user is required. Other requirementsinclude:themethodofprovidinginformationandrighttorefuseshouldbeasuserfriendlyaspossibleandwhereitistechnicallypossibleandeffective,the users consent may be expressed by appropriate browser/application settings.

“Consent”meansanyfreely ■

givenspecificandinformedindicationofhiswishesbywhich the person concerned or hislegal,judicialorstatutoryrepresentativesignifieshisagreement to personal data relating to him being processed (Art2(b)lawof30May2005asmodified).

Yes, required by law. a) Lawof30May2005asmodifiedlayingdownspecificprovisionsfortheprotectionofpersonswithregard to the processing ofpersonaldataintheelectronic communications sector;

b) No;and

c) Commission Nationale pour la protection des données.







malta

Firm:mamo tCV advocates

Website:www�mamotcv�com

Contacts:antoine Camillerit (+356) 21231345 antoine�camilleri@ mamotcv�com

Claude micallef-Grimaudt (+356) 21231345 claude�micallefgrimaud@mamotcv�com

Amendments foundinArticle2(5)ofDirective2009/136/EChave not yet comeintoforcein Malta.

No LegalNotice239of2011or‘The ■

ProcessingofPersonalData(ElectronicCommunicationsSector)(Amendment)Regulations,2011’,(whichhasnotyetbeenbroughtintoforce)willamendRegulation5ofthePrincipal Regulations to implement theamendmentsfoundinArticle2(5)ofDirective2009/136/EC.Theamending regulations shall come into forceonsuchdateastheMinisterresponsiblefordataprotectionmayestablish by notice in the Malta GovernmentGazette.TheDPC’sownwebsite states that a “commencement dateforthebringingintoforceofsuchlegal notice needs to be established”.

Wehavenoindicationofwhensuch ■

date may be although we expect that thiswilloccurinthenearfuture.

The situation is unclear in ■

Malta. Further comments may onlybemadewhen(andif)the amending legislation is broughtintoforce.

The situation is unclear in Malta. Further comments may only be made when(andif)theamending legislation isbroughtintoforce.

a) ProcessingofPersonalData(ElectronicCommunicationsSector)Amendment)Regulations,published in the GovernmentGazetteon24June2011;

b) None;and

c) OfficeoftheDataProtection Commissioner (“DPC”):

[email protected] –

www.dataprotection. –gov.mt

netHeRlands

DLA Piper Contacts:Richard Van schaikt +31 20 541 9828 richard�vanschaik@dlapiper�com

marèl Van’t Roodt +31 20 541 9367 marvel�vantrood@dlapiper�com

Yes Yes, the regulator has provided a Q&A

The Dutch Telecommunications Act ■

(“Act”)wasamendedwitheffectfrom5June2012.Amongotherthings,thatamendment introduced stricter rules forplacingandaccessingcookies.

Witheffectfrom5June2012cookies ■

may only be placed and accessed afterwebsitevisitorshavebeenclearlyinformedaboutthesecookies(purpose,typeofcookies,etc.)andhave granted their permission to that effect.

Consentmustbefreely ■

given,specificandinformed:itshouldreferclearlyandprecisely to the scope and the consequencesofthecookieprocessing.

In case personal data will be ■

processed, the consent must beunambiguouslygiven:thismeans that there may be no doubtthatthedatasubjecthasgiven consent to the processing ofitspersonaldata.

Prior explicit consent is required.

Please note that granting consent can beaconditionforusing a website.

a) Article11.7aDutchTelecommunicationsAct;

b) AQ&Aprovidedbythethe regulatory body can be foundatwww.opta.nl;and

c) TheIndependentPostand Telecommunications Authority(OPTA)isresponsibleformonitoringandenforcementoftheTelecommunications Act (www.opta.nl).











Informationandconsentmaynotor ■

no longer be provided or obtained granted,respectively,bymeansofdefaultstandardbrowsersettings.

The new rules in the ■

Telecommunications Act also prescribethatasper1January2013cookiesorsimilardatafilesplacedor accessed, are considered to be personal data, unless the party placing suchcookiesorinformationcanproveotherwise.

Rules regarding the required prior ■

consent do not apply to ‘necessary cookies’.

Providinginformationand ■

obtaining consent can be done in various ways. Examples include using a header bar, a pop-up or an alternative start page which provides informationaboutthecookiesto be placed and accessed where website visitors can tick a box granting permission fortherelevantacts.TheActrequires that users are given clear and complete information.Thisinformationmust in any case explain who will place the cookies and forwhatpurposetheywillbe used. Permission to use cookiesmustbegrantedbeforethey are used.

Pleasenotethatifacustomer does not give consent, either access to the website must be denied, or cookies cannot be placed.







noRwaY

DLA Piper Contact:nils arne Gronliet +47 2413 1542 nils�arne�gronlie@dlapiper�com

No No The amended E Privacy Directive ■

requiringoptinforcookieshasnotbeen implemented into Norwegian lawyet.TheMinistryofTransportandCommunications(theMinistry)has commenced a public consulting procedure on the changes. The public consulting procedure commenced 23June2010andthehearingdeadlinewas23September2010.TheMinistryreports that there has been a delay in the matter and that they are currently working on a proposition to be put beforetheNorwegianParliament. The proposed amendment to Norwegian law seems to be in line with the amended E Privacy Directive regarding theuseofcookies,ierequiringoptin.

None. No–thecurrentrequirement status is opt out.

a) Ekomforskriften§73;

b) N/A;and

c) TheMinistryofTransportandCommunications(Nw:Samferdselsdepartementet).

poland

DLA Piper Contacts:kysyna szczepanowska kozlowskat +48 22 540 74 02 krystyna�szczepanowska@ dlapiper�com

dagmara Jaskulakt +48 22 540 74 57 dagmara�jaskulak@dlapiper�com

No No E Privacy Directive has not been yet ■

implemented in Poland. The Polish MinistryofInfrastructurepreparedtheamendment to Telecommunication Act toreflecttheamendedDirectivesandinparticulararticle5(3)oftheEPrivacyDirective.TheamendmentissubjecttoconsultationsbytheStandingCommitteeattheCouncilofMinistersandthenitwillbeforwardedtotheParliamentforfurtherdevelopment.Pursuanttothepress release published by the Ministry ofAdministrationandDigitalization,whichtookoverresponsibilitiesoftheMinistryofInfrastructurewithrespectto telecommunication and digitalization matters, the amendment should be passedtotheParliamentbeforesummerholidays.

Prior explicit consent is ■

required.

However, implied consent will ■

alsobeavalidformofconsentunder certain circumstances. It is deemed that a user gave consentiftheuserisgivenclearandrelevantinformationrequired by law about the cookies that are used, and on that basis decides to click through.

Yes.Explicitopt–inconsent is required by law, but can also rely upon implied consent.

a) TelecommunicationAct;

b) No;and

c) TheMinistryofAdministration and Digitalization.









poRtUGal

Firm:aBBC & associados

Website:www�abbc�pt

Contact:João Costa Quintat +351 213 583 620 j�quinta@abbc�pt

Yes No Directive2009/136/ECwas ■

transposedbyLawno.51/2011of 13September2011,whichamendedthe Electronic Communications Law. However, this law does not address “cookies”, and the said art.º 5(3)oftheDirectivehasnotyetbeentransposed into National law. Hence previous existing rules apply.

TheECommerceLaw(L7/2004) ■

only determines the “opt in” rule fornonrequestedcommunicationsbyelectronicmeans(emails)withmarketingpurposes(spam).Oncethis is not applicable to “cookies” the “opt in” rule is not applicable, and consent remains not required under national law.

Lawno.L41/2004,onProtection ■

andprocessingofpersonaldataine-communications determines that the useofelectroniccommunicationsnetworkstostoreinformationortogainaccesstoinformationstoredintheterminalequipmentofasubscriberorofanyusershallonlybeallowedwherethefollowingconditionshavebeenmet: (a)thesubscriberoruserconcernedhas been provided with clear and comprehensiveinformation,namelyaboutthepurposesoftheprocessing,in accordance with the provisions laid down in the Law on the Protection ofPersonalData;and(b)therighttorefusesuchprocessinghasbeenofferedto the subscriber or user “opt out”.

N/A No ■

There is no ■

informationfromthe regulatory Authority on the possible implementationofthe “opt in” rule.

a) L41/2004,of18ofAugust;

b) N/A;and

c) CPND(localDPA)/ANACOM.







Romania

DLA Piper Contacts:marian dinut +40 372 155 881 marian�dinu@dlapiper�com

Cosmina simiont +40 372 155 816 cosmina�simion@dlapiper�com

No No The E Privacy Directive has not been ■

implemented yet in Romania. There was a legislative procedure which was however inexplicably abandoned. The legislative procedure had been initiatedinMarch2011aimingtoimplement the E Privacy Directive in order to observe the transposition deadline. The procedure was stopped inOctober2011beforebeingpassedbytheDeputy’sChamberfurthertoits withdrawal by the initiator.

TBC TBC Awaiting implementation

sloVak RepUBliC

DLA Piper Contact:michaela stesslt +421 2 59202 142 michaela�stessl@dlapiper�com

Yes No InSlovakia,former“informed ■

consent” is required prior to the storageofdataor theacquisitionoftheaccesstodata already stored in the terminal equipmentoftheparticipantsorusers. It has to be proven that the user was provided with exact and preciseinformationregardingthepurposeofsuchprocessingofdata.Theconsentoftheusershallbegivenactively,thereforeobtainingtheconsentthroughthemeansofpop-upagreements and/or similar means shall besufficient.

InSlovakia,“informed ■

consent” is required prior tothestorageofdataortheacquisitionoftheaccesstodata already stored in the terminalequipmentoftheparticipants or users. It has to be proven that the user was provided with exact and preciseinformationregardingthepurposeofsuchprocessingofdata.Theconsentoftheuser shall be given actively, thereforeobtainingtheconsentthroughthemeansofpop-upagreements and/or similar meansshallbesufficient.

Yes, required by law. a) Act.No.351/2011Coll.onelectroniccommunications;

b) N/A;and

c) MinistryofTransport,Construction and Regional DevelopmentoftheSlovakRepublic.







sloVenia

Firm:DLA Piper (Vienna office)

DLA Piper Contacts:wolfgang Freundt +43 1 531 78 1401 wolfgang�freund@dlapiper�com

dr. Jasna Zwitter-tehovnikt +43 1 531 78 1042 jasna�zwitter-tehovnik@dlapiper�com

No No Presently,Sloveniahasnot ■

implemented the E-Privacy Directive andnodraftimplementinglegislationisbeingconsideredforadoption.Also,noofficialpositionhasbeentaken by the competent regulatory body.

Onaccountoftheabove,infringement ■

proceedings have allegedly been initiatedagainstSloveniabytheEuropean Commission.

N/A N/A a) N/A;

b) N/A;and

c) InformationCommissioner(Informacijski pooblaščenec).

spain

DLA Piper Contact:diego Ramost +34 91 790 1658 diego�ramos@dlapiper�com

Yes No TheSpanishInformationSociety ■

ServicesandElectronicCommerceLaw was recently amended in order to implement the changes required by Directive2009/136/EC.

Although no guidance has ■

been issued on this point, strictly speaking, prior explicit consent is required.

Yes, by law, but this may be general bywayofbrowsersettings.

a) TheSpanishInformationSocietyServicesandElectronic Commerce Law 34/2002;

b) Noneasatthetimeofwriting;and

c) TheSpanishTelecommunications and OnlineServicesAuthorityand,forprivacyfeatures,the Data Protection Agency.









Web site service providers are now ■

requiredtoobtaintheinformedconsentofuserstothedeploymentofcookies and similar devices on web sites.Theinformationabouttheuseofcookies must be “clear and complete”, specifyingthereasonswhydataisbeing collected via such devices, and must comply with existing informationrequirementsunderSpanishdataprotectionlaw.Thenewprovisions allow such consent to be obtained via adequate browser or application settings, provided that the userisrequiredtoconfigurethesesettings, either during the installation orsoftwareupdateprocess,bywayofan “express action”.

In the rush to introduce the changes, ■

nospecificsanctionsfornon-compliance were stipulated in the legislation, leaving some uncertainty astotheconsequencesofbreach.

sweden

DLA Piper Contact:Johan sundbergt +46 (0)8701 7824 johan�sundberg@dlanordic�se

Yes No Swedenhasimplementedthenew ■

EU law through amendments to the Electronic Communications Act (2003:389)whichcameintoeffecton1July2011.

In relation to legitimate techniques, ■

theSwedishGovernmenthasconcludedthatforpracticalreasons,the amendments shall not be regarded as a change in substance.

Consentisdefinedasany ■

voluntary, specific and unambiguous expression of will. There may not be any doubts that the user provides his/her consent to the processing. Hypothetical or silent consent is thus notsufficientasitmaynot be required by the user to actively undertake measures toavoidtheprocessingofthepersonal data.

Yes a) ElectronicCommunicationsAct(Sw.lag2003:389om elektronisk kommunikation);

b) N/A;and

c) SwedishPostandTelecomAgency.







Inaddition,theSwedishData ■

InspectionBoardisoftheopinionthatit should be distinguished between differenttypesofcookies.Whenusingcookiesforpurposesotherthantoadjustsettingsonasitefortheuser’spreviousrequestsandsimilar,informedconsentwouldberequired.According to the Data Inspection Board’sview,itiswhatacookiewillbeusedforthatdetermineswhetherconsent is required or not.

Ontheotherhand,theSwedishPost ■

andTelecomAgency(“the Agency”)(the regulatory body in relation to cookies)doesnotseemtoagree.TheAgency cannot see that the required consent can be waived without the possibilityofexemptionexpressly stated in the provision.

TheSwedishpartoftheEuropean ■

TradeAssociationoftheDigitaland Interactive Marketing Industry (“IAB Sweden”)hascreatedaselfregulating committee in response to theintroductionofthenewconsentforcookies.Theselfregulatingcommittee has assembled a group withrepresentativesfromtheindustry and other organizations. The committee was set up with a view to producing best practice guidance fortheuseofcookiesandafirstrecommendation has been published.

However, ■ implicit behavior mayformavalidconsent (aslongasthereisnosensitivepersonaldatainvolved).Implicit behavior means in this context that the user provides dataafterhavingreceivedclearinformationaboutboththeintendedprocessingofthedata,thefactthatitisoptionalto provide the data, and also that submitting the data would be considered as providing a consent to the processing.

TheSwedishgovernmenthas ■

also indicated that the rules on consent should not be seen as achangefromtheoldregimeandthereforewebbrowsersettings would probably be regarded to indicate consent.







United kinGdom

DLA Piper Contacts:Cameron Craigt +44 20 7796 6574 cameron�craig@dlapiper�com

paul mcCormackt +44 20 7796 6140 paul�mccormack@dlapiper�com

Yes Yes(inMay2011,December 2011andMay2012)

ImplementedintoUKlawwitheffectfrom26May2011.

Amendmentsfollowsthewording ■

oftheEPrivacyDirectivecloselyand leaves the detailed compliance requirementstobeclarifiedbytheInformationCommissioner’sOffice(“ICO”).

It had been widely anticipated that the ■

ICO would indicate in its guidance that browser settings could be used to obtain the necessary consent. The ICO has made it clear that businessesshouldnotrelyonusers’browserssettingsasawayofobtaining consent to comply with the newlaw–oratleastnotyet.

Website operators were given a ■

12 month “lead in period” to develop the ways in which they use cookies to complywiththenewrules(thereforecommencingon26May2011andexpiredon25May2012).

On25May2012,theICOissued ■

revisedguidancetoclarifyandreaffirmthatimpliedconsentcanberelieduponasavalidformofconsent(ratherthanexplicitopt-inconsent).

Strictlyspeaking,‘prior’ ■

explicit consent is required.

However, implied consent will ■

alsobeavalidformofconsentunder certain circumstances.

Implied consent means consent ■

which“specificandinformed”andan“indicationofwishes”.This means that consent can beinferredbyauser’sactions(e.g.theuserisgivenclearandrelevantinformationaboutthe cookies that are used, and on that basis decides to click through and continue to use thesite).

Yes, but can also rely upon implied consent(whichmeans not necessary to obtain an explicit acknowledgment)(e.g.tickboxorclickaccept).

It is possible to rely on continued useofthewebsiteasanindicationofimplicit consent, subjectalwaystothe requirement to provide relevant, clear and comprehensive information.

a) ThePrivacyandElectronicCommunications(ECDirective)Regulations2003,asamendedbythePrivacy and Electronic Communications(ECDirective)(Amendment)Regulations2011;

b) http://www.ico.gov.uk/news/blog/2012/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx; and

c) InformationCommissioner’sOffice.

http://www.ico.gov.uk/news/blog/2012/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx;







TheArticle29WorkingParty(“WP29”)wasestablishedundertheEUDataProtectionDirective(Directive95/46/EC)andisanindependentadvisorybodywhichadvisesonissuesofdataprotectionand privacy. The WP29 publishes various opinions on data protection and privacy law. Their opinions supplement the law and relate to its interpretation and although not legally binding, are generally likely to be persuasive.

On7June2012,WP29adoptedopinion4of2012addressingthemeaningofthe“cookie consent exemption”(WP194)(“Opinion”).Thecruxofthecookielawistheprovisionofclearinformationandobtainingconsentfromusersorsubscribers.TheOpinionaimstoclarifythetypesofcookies(orsimilartechnologies)whichwouldfallwithintheexemptionssetoutundertheE-PrivacyDirectiveandprovidesexamplesofhowvariouscircumstanceswouldbetreatedunderthenewlaw.

eXemptions a and B

TheOpinionconfirmsthattherearetwokeyexemptions(referredtoas“criterion”)underwhichtherequirementofinformedconsenttotheuseorstorageofcookies(orsimilartechnologies)maybewaived.TheseCriterionare:

Criterion A ■ :thecookieisused“forthesolepurposeofcarryingoutthetransmissionofacommunicationoveranelectroniccommunicationsnetwork”;and

Criterion B ■ :thecookieis“strictlynecessaryinorderfortheproviderofaninformationsocietyservice [“ISS”] explicitly requested by the subscriber or user to provide the service”.

TheWP29hasmadeitclearthatinrelationtotransmittingacommunication,thetypesofprocessingwhichmaybedoneunderCriterionAdoesnotleavemuchroomforinterpretationasthetransmissionofthecommunicationmustbeimpossiblewithouttheuseofthecookie,i.e.absolutelynecessary.TheOpinionmakesitclearthatunderCriterionB,theISSmusthavebeenspecificallyrequested by the user which means that the user provided a positive or explicit action to request the service.

Cookies wHiCH do Fall witHin an eXemption

TheOpinionsaysthatthefollowingcookiesmaybeexemptedfrominformedconsentundercertainconditions:

1. User-input cookies:usedtorememberuser’sinput(e.g.ashoppingcart),forthedurationofasessionorpersistentcookieslimitedtoafewhoursinsomecases(Criterion B);

2. Authentication cookies:usedtoidentifytheuseronceloggedin/authenticationpurposes,whereessentialforthispurposewillbeexempt(Criterion B);

3. User centric security cookies:usedtodetectauthenticationabuses,foralimitedpersistentduration (Criterion B);

4. Multimedia content player session cookies:suchasflashplayercookies,forthedurationofasession,providedthese“flash”orothercookiesdoincludeadditionalinformation(Criterion B);

5. User Interface customization cookies:(e.g.languagepreferencesorresultdisplay),whereusedforthedurationofasession(Criterion B);

6. Third party social plug-in content sharing cookies:(e.g.socialplug-inmodulestointegratesocialnetworkingintothewebsite)for“logged-in”membersofasocialnetwork(buttheexemptionwillnotextendto“logged-out”members)(Criterion B);and

7. Load balancing session cookies:usedtodistributetheprocessofwebserverrequestsofapoolofmachines(insteadofjustone),forthedurationofsessionwherenecessarytocarryoutthecommunication over the network (Criterion A).

opinion on eXemptions to Consent


Cookies wHiCH do not Fall witHin an eXemption

TheOpinionsaysthatthefollowingcookieswill notfallwithinanexemptionfrominformedconsentundercertainconditions:

1. Social plug-in “tracking” cookies:usedtotrackindividualsforadditionalpurposes(otherthanbeing“logged-in”)suchasbehaviouraladvertising,analyticsormarketresearch,willnotfallwithinanexemption;

2. Third party advertising:suchasbehaviouraladvertising,requiresconsent(andwillnot fallwithinanexemption);and

3. First party analytics:usedformeasuringwebsites,although“strictlynecessary”forthe websiteoperator,willnotbestrictlynecessarytoprovidethefunctionalityrequestedby theuser(orsubscriber)andwillthereforenotfallwithinanexemption;

keY ConsideRations wHen applYinG an eXemption

A)The View of the User:WhenapplyingcriterionB(the strictly necessary exemption),theimportant point is to examine what is strictly necessary “from the point of view of the user and not the service provider”.

B)Multiple Purpose Cookies:Cookiesusedforseveralpurposescanonlybenefitfromanexemptiontoinformedconsentif“each distinct purpose individually benefits from such an exemption.”

C)First Party Cookie:Firstpartysessioncookiesarefarmorelikelytobeexemptedfromconsentthan third party persistent cookies.

D)Purpose of the Cookie:thepurposeofthecookieshouldalwaysbethebasisforevaluating iftheexemptioncanbesuccessfullyappliedratherthanatechnicalfeatureofthecookie.


step 1 – Cookies aUdit

Businessesshouldbeginidentifyingthecookies(andsimilartechnology)whichareusedbytheirwebsite.A“cookieaudit”shouldbeundertakenwiththeassistanceofyourITdepartment/specialistlegaladvisors.Cookieauditsshouldincludeareviewofthetypesofcookiesusedbythewebsite;thelifespanofsuchcookies;andhowintrusivethecookiesare.

step 2 – map oUt ComplianCe options

Oncethecompanyunderstandsthecookieswhichitswebsite(s)use,theymustthenconsidertheoptionsavailabletotheminordertocomply.ThesemightincludetheoptionssetoutintheUKregulator’sguidance,forexample:pop-ups;termsandconditions;settingsledconsent;featureledconsent;andbrowsersettings.The“strictlynecessary”exemptionavailableundertherulesshouldalsobeconsidered,andcompaniesshouldlooktolocalregulatorguidanceandalsotheWP29Opinion(asreferredtoabove)whenapplyingthisexemption.

step 3 – implementation

InordertoensurethatenforcementactionisnottakenagainstyoubytheapplicableEUprivacyregulator,youneedtocheckwhenyourcompliancemethodmustbeinplace.ThedeadlineforcompliancehasexpiredinmanyEuropeanjurisdictions,thereforecompaniesmustact nowtoavoidanypossibleenforcementaction.

step 4 – additional ConsideRations and steps

Whenconductingacookieaudit,youshouldalsoconsiderandundertakethefollowing:

Due Diligence ■ :conductduediligenceofadnetwork/metricspartnersandvendorsbeforecontracting;

Click wrap agreements ■ :makesureyourbusinessneversignsclickwrapagreementswithoutlegalreview;

Effective contracts ■ :bindyourpartnerto:a)complywithapplicablelaws;b)clearandconspicuousdisclosure;c)optin/optout;d)flowthroughtermstovendors;ande)auditrights;

Post contract monitoring ■ :isyourpartnerfulfillingitscontractualpromises?

Test/Evaluation Agreements ■ :alwayscheck/testagreementsagainstlegalrequirementsandyourPrivacyPolicy.Reviewsbecomelongtermarrangements.

Cookie aUdits

DLA Piper is a global law firm operating through various separate and distinct legal entities.

Further details of these entities can be found at www.dlapiper.com

Copyright © 2012 DLA Piper. All rights reserved. | JUL12 | 2214007

If you have finished with this document, please pass it on to other interested parties or recycle it, thank you.

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper accepts no responsibility

for any actions taken or not taken on the basis of this publication. If you would like further advice, please speak to your DLA Piper contact.

www�dlapiper�com

PleasenotethatorganisationsthatdobusinessintheUnitedStatesshouldaugmenttheircookieaudittoexaminespecificallytheusethroughtheirwebsitesbytheirownorganisationorthirdpartyadvertisersoradnetworksofFlashcookies(LSOs)orothertrackingmechanismsthatcontinuetofunctionafterauserhassethisorherbrowsertorejecttrackingcookies.Morethan50classactionlawsuitshavebeenfiledintheU.S.targetingthosecookiepractices.

DLAPiperwillprovideafurtheralertdiscussingtheseU.S.specificrisks.

Cookies in tHe United states

eu cookie alert updated july 2012

Documents

eprivacy consent

local law

consent express

implied consent

case of consent

informed obtaining consent

eprivacy directive

implementation law