Out-Law News 6 min. read

Online advertising is threatened by Europe's cookie law

EDITORIAL: Visitors to websites in Europe may soon face a barrage of pop-ups that seek their consent to internet cookies. Bizarrely, the plan to change current laws on cookies can be stopped only if politicians fail to resolve a file-sharing dispute.

If the new law is passed, websites will be required to seek consent from users before serving cookies – the small text files that help a site to remember a visitor. The law's fate has become inextricably linked to a file-sharing policy.

The EU's Council of Ministers and Parliament are in disagreement over a single clause in a package of laws, a clause that requires a court's authority before an individual can be disconnected from the internet for illegal downloading. The rest of that package – including the cookie plan – is now sealed and closed to further negotiation.

If the file-sharing impasse is resolved, the entire telecoms package will be passed into law on 14th December. If MEPs and Ministers cannot reach agreement before then, the entire telecoms package falls.

So if your business is funded by web advertising, cross your fingers that a committee of 54 MEPs and Ministers continues to squabble over the rights and freedoms of BitTorrent users. Any consensus may damage your website's usability and possibly your business.

I spoke with someone (who asked not to be named) who was close to the negotiations on the new cookie law. He heard the advertising lobbyists scream, but he says the proposal changes nothing.

Most websites "don't seem to offer the clear and comprehensive information and the right to refuse mentioned in the current law,", he argues, and the new law is just "shorter, clearer and more elegant" than what is currently in force.

The current law – a provision of the Privacy and Electronic Communications Directive (11-page PDF) – says that sites using cookies must give visitors "clear and comprehensive information" about the purpose of the cookies. It also says that a site must offer visitors "the right to refuse" the use of cookies.

There is an exception for cookies that are "strictly necessary" to provide a service "explicitly requested" by the user. Consequently, no cookie notices are required to serve a cookie that helps a shopper get from a product page to a checkout; but notices are required for cookies that are used in traffic analysis or advertising.

When the original law was passed in 2002, the main question was how and when these notices must be given. What does a "right to refuse" require of a website? The UK's data protection regulator took the view that a notice in an easy-to-find privacy policy will suffice. That approach, it seems, prevailed across the EU and, to our knowledge, there has never been any action against cookie transgressors.

Consequently, if you visit the homepage of, say, Times Online for the first time, you will receive no fewer than 30 cookies from the newspaper's owners and its advertising partners in the moments that it takes the page to load. Your web browser is probably set to accept them all, so you won't know about them. Your "right to refuse" requires you to visit the site's privacy policy, where cookies are addressed.

This interpretation of a "right to refuse" is shared by almost every other site, including OUT-LAW.COM. It's a fudge. It's a lazy but convenient interpretation of a law that in plain English appears to expect more. But it’s a fudge that was endorsed by our Information Commissioner's Office (ICO), because it was deemed harmless and because the alternative was deemed unworkable. Few people were keen to see consent screens for the advertising cookies that make it possible for newspapers to offer their content without charge (at least for now).

So the ICO's guidance (19-page PDF) put pragmatism before pedantry and web businesses across the UK breathed a big sigh of relief.

Sites across Europe take the same approach. The law has been in force since 2002 and no sites seem to give the information and the right to refuse before serving cookies. That sounds to me like a breach of the current law if you take a strict interpretation.

"What right to refuse did I get?" our source asks of his own visit to a homepage placing a selection of cookies on his computer. "You might imagine some sort of pop-up: 'do you refuse this – yes / no'. You could phrase that many ways but it seems to me you need to ask for a reaction before storing or gaining access to a machine."

Can you imagine a pop-up box to explain 30 cookies, or 30 pop-up boxes? You can simulate this, to experience the irritation first-hand, if you ask your browser to prompt you each time a site tries to serve a cookie. You'll soon see why everyone decided to neglect the letter of the law.

The new law will be harder to fudge. The words "right to refuse" are removed. Instead, sites can deliver cookies to a user's computer only if the user "has given his/her consent, having been provided with clear and comprehensive information" unless, as now, the cookie is "strictly necessary" for a service "explicitly requested".

The consent standard is surely closing the loophole we've all been exploiting. Regulators sometimes take liberal interpretations of laws when doing so can benefit both consumers and businesses. They don't advocate breaking them.

In May I said that a recital in the new law appeared to be inconsistent with the Article on the subject. In any Directive, a recital has less weight than an Article (it's there to set the context for the law and explain why it is being passed). The recital to the new law says:

"…Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user's will to accept processing may be expressed by way of using the appropriate settings of a browser or other application."

The default setting of most browsers allows cookies. I read this recital as meaning that consent could be implied from a default browser setting. How, I asked, could consent be implied from a default setting?

But our man in Europe takes a different view. "It is doubtful that today's browsers give clear and comprehensive information about cookies," he said. That's true: they will show you what a cookie contains, but that will be code, so you'll have no idea what it means.

Nor does the right party give you the information: the law expects Times Online to explain its use of cookies – not a third party like Microsoft, the Mozilla Foundation, Apple, Google or Opera. So in his view the recital allows a shortcut for users of a browser plug-in that probably doesn't exist and that's certainly nowhere near ubiquitous. (The closest we came was with the Platform for Privacy Preferences, or P3P, which is as good as dead.) So perhaps the recital a red herring.

The new law, said our insider, is merely a clarification of the old one. He didn't wish to comment on whether the law was commercially viable or not – he would say only what he thought it meant. While he stressed that he was giving his personal views, I suspect that others share his views. He acknowledged that regulators might interpret the new law in the same way as the old one – but my fear is that they won't. My fear is that they will take a harder line.

This is supported by concerns raised in Europe and the UK about behavioural advertising, something that relies on the freedom to send and read cookies.

European Commissioner Viviane Reding expressed concerns about behavioural advertising this month. "European privacy rules are crystal clear: a person's information can only be used with their prior consent," she said. "The Commission is closely monitoring the use of behavioural advertising to ensure respect for our privacy rights. I will not shy away from taking action where an EU country falls short of this duty."

It is also consistent with the opt-in approach recommended for behavioural advertising by the UK's All Party Parliamentary Communications Group in a report earlier this week . ApComms doesn't like the idea of cookies being served to users, if they will be used to monitor behaviour across a network of sites, unless consent is explicit. "We do not believe that 'opt-out', however commercially convenient, is the way that these systems should be run," said ApComms.

I maintain that the plans for cookie law reform are misguided. Behavioural advertising has raised new issues that must be addressed – but not this way. Websites and their users as well as advertisers and intermediaries will suffer unnecessarily if this law is passed.

So please keep fighting, file-sharing factions. Compromise is for wimps.

By Struan Robertson, editor of OUT-LAW.COM. This article represents Struan's views – not necessarily those of Pinsent Masons. You can follow him at twitter.com/struan99.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.