EU cookie regulations: Advice for firms in the US and other countries

Expert Alan Calder responds to a reader’s question: Must companies outside the EU change their websites to comply with EU cookie regulations?

I know UK companies will need to comply with the EU cookie regulations starting in May, 2012.  But do these new regulations extend to US companies and companies in other countries that are service providers for customers in the UK?

Ask a question

Alan Calder is's resident expert on the intersection of security and compliance, and he is standing by to answer your questions. Send in your questions via email today.

In order to answer this question, it is first necessary to understand how EU directives become enforceable.

EU directives do not, in themselves, have the direct force of law. In order to become enforceable, an EU directive must first be transposed into law in each EU member state. (Member states are the 27 countries of the EU, such as the UK, France, Poland, etc.) As soon as one member state has enacted a law that includes some or all of the provisions of an EU directive, that directive becomes enforceable – but only to the extent that it is enacted by the member state, only by the member state that has enacted it, and only within the jurisdiction of that member state. While EU directives are, in theory, transposed into law in every member state without amendment, the reality is that different states may strengthen, or sometimes weaken, specific provisions of individual directives.

Therefore, the answer to this question is that enforcement depends on the implementation status of the law in each EU member state, as well as the enforcement objectives of the regulatory body in that state. The jurisdiction of EU member states extends primarily to their own citizens, whether private, public or corporate, and only covers non-citizens under specific circumstances, such as when they are alleged to have committed a crime, or when they have voluntarily made themselves subject to the state’s jurisdiction by, for example, visiting the country concerned.

In the EU member states that completely transpose the cookie law, it will apply to all entities that are within that state’s jurisdiction, irrespective of where in the world those entities’ websites might be based. The cookie law will not apply to entities that are physically and legally located outside the jurisdiction of that EU member state, irrespective of whether that organisation is providing services to customers in the UK or elsewhere within the EU.

Guide to EU cookie compliance

This article is part of the EU cookie compliance guide which contains news and advice for organisations in Europe and around the world for complying with the cookie law.

This does present an apparent anomaly: A website operator based in the UK may have to ensure its website serving a US audience is compliant with the EU cookies legislation, but my understanding is a website operator based in the US, which is specifically targeting a UK or EU audience, would not have to comply.

It is possible that a US-owned and operated website that does not comply with EU cookies law but which attempts to solicit EU customers might fall foul of another provision of the directive, which forbids solicitation by email of visitors to non-compliant websites.

It should be noted that regulatory enforcement differs from state to state. Germany enforces its Data Protection Act more stringently than the UK does. With the PECR cookies regulations, it currently appears the UK is the vanguard across the EU of requiring compliance. Most other EU countries are doing little or less about enforcing cookie compliance.

The sensible approach, therefore, for website operators in the US and other countries outside the EU that target EU customers is to take their own legal advice and to keep that advice under review as implementation of the directive progresses.

Read more on Regulatory compliance and standard requirements