There has been much literature written on the subject of clickstream data. However, very little has been discussed over the extent to which clickstream data is considered as “personal data” under European and U.S. law. This Article considers the current European Union (EU) regulations governing clickstream data by examining the European Data Protection Directive 95/46/EC (DPD)3 and the Directive on Privacy and Electronic Communications 2002/58/EC (DPEC), comparing these laws with the U.S. legal framework. In particular, this Article discusses the broad application of the DPD under Article 4 and the notion of “personal data” as defined under Article 2(a). The implications of the DPD should not be underestimated because the DPD can have overreaching effects by applying to companies or organizations operating outside the European Economic Area (“EEA”), principally through Article 4(1)(c). In addition, this Article surveys the applicable clickstream statutory regulatory frameworks by reviewing Title III of the 1968 Omnibus Crime Control and Safe Streets Act (“Wiretap Act”) and its progeny. This Article takes a critical approach to clickstream data by considering the current EU and U.S. regulatory frameworks for clickstream
data and by analyzing the extent to which such data is protected.

To read the full article, go to Emory International Law Review.