New European Union Internet Regulations Will Affect U.S. E-Commerce
The European Union (EU) is moving closer to restricting the use of "cookies" and unsolicited commercial e-mail, or "spam," on the Web. These proposed restrictions, which are not found in U.S. law, will have an impact on foreign companies conducting business in Europe.
"Cookies" are small data files that are saved on the hard drives of Internet users who access Web sites. The cookies are used to store useful information, such as usernames, passwords and preferences, making it easier to access and utilize the Web site in the future. Cookies also are commonly used to collect information that many Internet users consider to be private, such as names, e-mail addresses, home addresses, telephone numbers and Internet sites visited.1
Although the U.S. Federal Trade Commission (FTC) is planning to increase the resources that it devotes to privacy issues, it is the EU that is asserting a leading role in its protection of Internet users' privacy rights. In fact, the EU's Privacy Directive treats privacy as a fundamental human right. See, Directive No. 95/46/EC (October 24, 1995).
The United States has been comparatively hesitant to restrict commercial Internet usage and to protect the privacy of Internet users. The issue of Internet privacy has been gaining more attention in the United States. However, legislation has generally been limited to laws that require online providers to post privacy policies on their Web sites. These laws are generally restricted to financial institutions and companies that collect information relating to health or children. 15 U.S.C. §§ 6501 and 6801 and 42 U.S.C. §1320(d).
The EU's proposed ban on spam would require the recipient's explicit consent for the receipt of commercial e-mail. This "opt-in" requirement is to be contrasted with U.S. law, which allows unsolicited e-mail with few restrictions. For example, California, one of only a few states to enact laws regulating unsolicited, commercial e-mail, allows such e-mail, provided that the recipient is given a toll-free telephone number or return e-mail address allowing notification to the sender not to e-mail further unsolicited documents. California Bus. & Prof. Code 17538.4. California's "opt-out" method was rejected by the EU in favor of the "opt-in" approach.
Similarly, the EU proposes to prohibit the use of cookies, which it refers to as "hidden identifiers," unless Internet users opt-in by providing explicit consent. Otherwise, the use of cookies would be banned as an invasion of consumer privacy.
U.S. advertisers and commercial Web site operators should beware. U.S. Web site operators commonly use cookies to identify the habits of potential and existing customers. Similarly, unsolicited e-mail is as common as dinner-time sales calls2. The EU's far-reaching privacy laws may now force American businesses to revise their worldwide advertising campaigns to comply with the stringent regulations applicable in Europe.
Both EU laws are draft directives that require the passage of enforcement laws by individual EU member states. This process may take several years. In the meantime, U.S. businesses should begin evaluating possible changes in their approach to EU customers.
1. See In Re Doubleclick, Inc. Privacy Litig. (S.D.N.Y. 2001) 154 F. Supp. 2d. 497 for a detailed description of the use of cookies.
2. The current Telemarketing Sales Rule prohibits sales calls once a consumer instructs a telemarketer not to call again. The FTC is considering a national "do not call" registry, which will allow consumers a more efficient way to prevent all unwanted calls from telemarketers.