Safe Harbour and Cookie Compliance

As almost everybody with an interest in privacy will know by now, the European Court of Justice has recently declared the EU-US Safe Harbour mechanism invalid.  This has been widely used to manage the transfer of personal data from the EU to the US in the last 15 years.  Right now there is a huge uncertainty about what it means for business, and there is a lot of coverage both in the privacy world and mainstream media about the issue.

However, I don’t think anyone has given much thought to the impact on cookie compliance – until now.

Cookies are nothing more than a mechanism for transferring data between the client (end user device) and host server. If the website visitor is in the EU, and the cookie host server is based in the US, then there is a de facto transfer of data to the US. 

Of course, you might think you are hosting your website in the EU, so you are fine.  However, we know that most cookies on websites are actually third party (80% on average according to Cookiepedia).  These are the result of integrating software services and functionality into the site from a multitude of providers.  The vast majority of these services come from US based companies, and therefore most of the data transfer happening in an EU website, it likely to be to the US.

With cookies being read by servers every second, there are billions of these data transfers happening every single day.  So the bottom line is – any business with a website is potentially impacted by the Safe Harbour ruling.