The company I work for is a multinational company with ties to Europe. As such, we worked to comply with the new laws regarding the EU, cookies, and privacy. I think we did a good job, and did it on time as well – a lot more than many other companies actually in Europe can say.
Unfortunately, today we discovered that the service we were using to determine user location broke. As a result, we couldn’t check where people were from and show them the cookie acceptance tool accordingly. As I start to consider repairs, the following question comes to mind:
Exactly how is the acceptance policy supposed to be applied?
We were literally detecting if a user came from a country in the EU, and giving them options accordingly. But the statute is actually very vague and unclear (shocking). From the ICO’s guide:
An organisation based in the UK is likely to be subject to the requirements of the Regulations even if their website is technically hosted overseas. Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided.
Here’s what I’m thinking. Tell me if you agree or know better. I’m thinking that ultimately, where the user comes from is irrelevant. What matters is basis of operations. If we have offices there, then we must comply. HOWEVER, we also have country specific domains: .co.uk, .nl, .fr, etc. What I’m thinking is rather than doing any location detection, it’s just assumed that those sites are for their respective EU audiences, so we just enable it on the domain. A US visitor going to our .fr would be asked if they want cookies. A French visitor going to our .com would first be redirected to .fr (where they would be asked about cookies), then if they specifically requested the .com, they would NOT be asked about cookies.
Does that seem reasonable?
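As an added illustration (not the poster's code), here is the domain-first decision described above written out as a function; the hostnames are assumptions, and the branch that shows the consent tool whenever the geolocation lookup returns nothing is an addition beyond the post, so that an outage like the one described degrades to asking rather than to silently skipping consent.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed mapping of country-specific hosts to the country each serves.
# The post names only the .co.uk/.nl/.fr TLDs; the "example" hostnames are assumed.
EU_SITES = {
    "example.co.uk": "GB",
    "example.nl": "NL",
    "example.fr": "FR",
}
COUNTRY_TO_HOST = {country: host for host, country in EU_SITES.items()}


@dataclass(frozen=True)
class Decision:
    show_consent: bool            # render the cookie acceptance tool on this response
    redirect_to: Optional[str] = None  # send the visitor to this host instead


def decide(host: str, geo_country: Optional[str], explicit_request: bool) -> Decision:
    """Decide consent handling for one request.

    host             -- Host header the request arrived on
    geo_country      -- ISO country code from the geolocation service, or None when
                        the service is down or gave no answer
    explicit_request -- True when the visitor deliberately asked for the global .com
                        (e.g. a "stay on .com" cookie or query flag; an assumption)
    """
    host = host.lower()
    if host in EU_SITES:
        # Country sites are assumed to serve their EU audience: always ask,
        # no matter where the visitor actually connects from.
        return Decision(show_consent=True)

    # Everything else is treated as the global .com site.
    if explicit_request:
        # Visitor specifically requested the .com: per the post, do not ask.
        return Decision(show_consent=False)
    if geo_country is None:
        # Geolocation unavailable (the outage case): fail safe and ask anyway.
        return Decision(show_consent=True)
    target = COUNTRY_TO_HOST.get(geo_country.upper())
    if target is not None:
        # EU visitor on .com: redirect to the country site, which will ask.
        return Decision(show_consent=False, redirect_to=target)
    return Decision(show_consent=False)
```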