Out-Law News 4 min. read

Consent will be required for cookies in Europe

EDITORIAL: A law that demands consent to internet cookies has been approved and will be in force across the EU within 18 months. It is so breathtakingly stupid that the normally law-abiding business may be tempted to bend the rules to breaking point.

The fate of Europe's cookie law became improbably entwined with a debate over file-sharing. To cut a long story short, it broke free. On 26th October, it was voted through by the Council of the EU. It cannot be stopped and awaits only the rubber-stamp formalities of signature and publication.

The vote's result was announced by way of a whisper. It featured at the tail end of an 18-page Council press release (PDF) that first had to address fishing quotas, train driving licences and a maritime treaty with China. I'm afraid we missed it.

There was no attempt to bury this news – but the hushed tones of its reporting were consistent with the media attention it has received to date. There has been almost no fuss about this little law, despite the harm it could do to advertising, the lifeblood of online publishing. It also threatens to irritate all web users by appearing at every new destination like an over-zealous security guard.

Here's what's coming. The now-finalised text says that a cookie can be stored on a user's computer, or accessed from that computer, only if the user "has given his or her consent, having been provided with clear and comprehensive information".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.

So almost every site that carries advertising should be seeking its visitors' consent to the serving of cookies. It also catches sites that count visitors – so if your site uses Google Analytics or WebTrends, you’re caught.

You could seek consent with pop-ups, if you’re happy to ignore accessibility guidelines that discourage pop-ups – though users' browsers may block pop-ups by default, which risks confusion. Or you could do it with a landing page that contains a load of information and some choices. The choices for users could be:

  • Give me a load of cookies, now and in future visits, and let me get where I wanted to go in the first place – and please don't interrupt me like this again.
  • Cookies sound evil. I'm going to use American sites instead, because they don’t scare me with this cookie nonsense.
  • I don't want cookies from your advertising partners, but I'll gladly pay for an ad-free version of your site. What's that you say? I need cookies for that too? OK, but just a few please.

You need to ask each new visitor just once, of course – until the visitor deletes his 'consent' cookie. Like a blow to the head, that action will cause your site to forget that you've actually met before and you'll welcome the visitor like a stranger.

Between now and 26th April 2011, the date this law must come into force across the EU's 27 member states, two things will happen. The Directive will be transposed into national laws; and we'll get guidance from regulatory bodies. Each of these steps is an opportunity to mitigate the impact of this misguided law.

Our Government could take a bullet for Digital Britain. It could interpret the Directive creatively or, to be pedantic, wrongly. Doing that allows businesses to comply with UK law while putting the UK Government in breach of European law. The European Commission then makes threatening noises before hauling the UK before the European Court of Justice for a shoeing, a process that generally takes a few years to resolve. (The UK is mired in such a battle right now over the original version of the cookie law – it's just that it's not the cookie provisions in dispute.)

I doubt this will happen. The new law amends an existing Directive, passed in 2002. The UK's implementation of that Directive was faithful and, given some MPs are pleading to make all behavioural advertising opt-in, there may be political will for an opt-in approach to all cookies.

Perhaps that was the motive in the EU passing this law – I really don’t know. If it was, behavioural advertising could be managed without wielding a sledgehammer that cracks almost all cookies. Lawmakers should identify any harms they see in today’s practices and legislate against the harms. To legislate against the technology is unnecessary, short-sighted and destined to fail.

The 2002 Directive is not so different from the new law at first sight: it said that cookies should come with a "right to refuse". The UK implementation reproduced these words precisely. But the Information Commissioner's Office took a pragmatic view, saying that the right to refuse could be given after the delivery of the cookie. Compliance was easy: you just had to put some information in your privacy policy. The new law turns that upside down.

So a better prospect than a faulty implementation of the revised law is that our Information Commissioner's Office (ICO) publishes pragmatic guidance again. The ICO might be motivated to do that: the cookie law is likely to be as irritating for consumers as it is for business. This won't be easy, though: the new wording gives limited room for manoeuvre.

The wriggle room, such as it is, probably doesn’t lie in saying that advertising or traffic monitoring are ‘strictly necessary’ to provide the free service ‘explicitly requested’. A better prospect is a weird recital to the Directive that suggests "the user's consent to processing may be expressed by using the appropriate settings of a browser".

It's not a get-out-of-jail-free card by any means. Remember, it's only a recital, not an article. Recitals are meant to explain the lawmakers' rationale and sometimes they're used to resolve ambiguities. They are not meant to contradict the business end of the Directive – and this recital sounds like a contradiction (which smacks of bad drafting).

We've heard a different view of what the recital might mean, but to many it will look like a place of shelter. Subject to whatever our domestic law says, and our ICO’s guidance, some businesses might be tempted to hide in the confused wording of that recital. If I was desperate to avoid landing pages and pop-ups, I would too. The risk you run is a £5,000 fine, unless the penalties are increased (which the new Directive invites member states to do).

That's a gamble that many will consider worth taking because the alternative might be to haemorrhage ad revenues.

By Struan Robertson, editor of OUT-LAW.COM. The views expressed are Struan's and do not necessarily represent those of Pinsent Masons. You can follow Struan at Twitter.com/struan99.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.