New cookie laws are close to meltdown, with member states enacting them in differing ways, EU mandarins sniping at each other over alleged inconsistencies and now the European Commission is on the warpath against the vast majority of member states who have not yet implemented Directive 2009/136/EC. Stephen Groom reports.
Topic: Online advertising
Who: European Commission, European Data Protection Supervisor and EU state legislators
When: June/July 2011
Law stated as at: 1 August 2011
Confusion and division over new EU cookie laws has intensified as the European Data Protection Supervisor, Peter Hustinx, took a swipe at the EU Commission over allegedly inconsistent advice on compliance, more Member States have implemented the Directive in different ways, and the EU Commission has started enforcement action against dallying states who have still not implemented it at all.
The "cookie directive" 2009/136/EC (the "Directive") does a lot more than change laws affecting the dropping of cookies on laptops, tablets, mobiles etc but its tightening of these laws has stolen the limelight, and not necessarily for the best of reasons.
Instead of the old directive which required cookie users to give "clear and comprehensive" information about cookies and an opportunity to refuse their deployment, the new Directive retained the "clear and comprehensive" information rule, but changed the opportunity to refuse to a requirement that cookie use was only permitted "…on condition that the subscriber or user concerned has given his or her consent."
Consent waters muddied by Recital 66
The water was muddied however by Recital 66 to the Directive. This said that "where it is technically possible and effective, ..the user's consent …may be expressed by using the appropriate settings of a browser or other application.".
Some member states such as the UK and Ireland have lit on this recital and incorporated this as part of their implementing law, with work apparently progressing in the UK at least on the development of a new breed of browser that can somehow pull off the trick of enabling compliance with the new law without multiple opt in tick boxes having to be ticked before any EU-based website can be accessed.
A self-regulatory solution which adopted a broadly similar approach was apparently favoured by EU Commissioner Neelie Kroes in late June 2011, in a favourable reference to the initiative by IAB Europe and the European Standards Alliance.
Browser providers such as Mozillo Firefox and Google have also developed their own solutions but all these supposed solutions, remarked Mr Hustinx in a lecture at the University of Edinburgh School of Law entitled "Do not track or right on track?-The privacy implications of online behavioural advertising.", were all currently based on an opt out model.
Mr Hustinx was fine with initiatives for more transparency and consumer control but these should not, he continued, result in limitation of consumer rights. The Commission, he continued, should "avoid any ambiguity" in its determination to making sure that consumer rights in the new Directive are delivered in the context of the "highly intrusive practice" of "systematic tracking and tracing of consumer behaviour".
At the end of the day, the only satisfactory way of implementing the Directive, Mr Hustinx intoned, "would require the inclusion of a "privacy wizard in each browser to ensure the consumer had the opportunity to express preferences. This "should be combined with a "privacy by default" setting according to which third party cookies are rejected, unless the user decides otherwise."
Member States split on new cookie consent laws
Just how many EU states will follow the Data Supervisor's strict view? So far, Denmark, Estonia, Hungary, Netherlands and Sweden seem in tune with Mr Hustinx, whilst Finland, Ireland and the UK seem more attuned to a browser settings-based approach which would try to steer clear of default cookie rejection.
But what of the other 19 Member States?
The answer is that most seem to be waiting to see who blinks first. As a result, the European Commission is getting hot under the collar and has started enforcement action for non-implementation.
Why this matters:
With the UK's own Information Commission admitting that its guidance on how to comply with the new laws is a "work in progress" and inconsistent signals coming from member states as well as the highest EU echelons, it is little wonder that European cookie users looking to do the right thing are in a state of confusion over what approach to take. That's assuming they have been able to tackle the issue of which country's law applies to their activities in the first place, an issue on which the Directive gives no clear steer.
Will more clarity and consistency eventually prevail? Will these laws, however they are framed, be satisfactorily enforced, so that those who trouble to comply are not disadvantaged? Time alone will tell.