After frantic lobbying by the digital marketing industry, the long awaited EU Communications Data Protection Directive is softer on cookies than it was and than current UK law as interpreted by the Information Commission.
Topic: Cookies
Who: The European Parliament
When: 30 May 2002
Where: Brussels
What happened:
In probably its last debate and vote on the long awaited EU directive "concerning the processing of personal data and the protection of privacy in the electronic communications sector" (dubbed by many the "Communications Data Protection Directive" for short) the European Parliament voted through a dramatic concession to those promoting the use of cookies (files identifying computers using a website and storing information about each visit the computer makes to the site). Up until this vote, the draft directive prevented the activation of cookies unless and until the site visitor had been given clear information about the effect of the cookie being activated and been provided with an opportunity to opt out of the cookie being used in respect of that visit.
On 30 May, however, following strenuous lobbying by the industry through bodies such as the Interactive Advertising Bureau, Euro MPs voted for a watered down rule.
Here is the change. The old wording is in italics, the new is in bold type. The unchanged wording is in ordinary type. Activation of a cookie is to be "only allowed on condition that the subscriber or user concerned receives in advance is provided with clear and comprehensive information [about the cookie] and is offered the right to refuse such processing by the data controller".
The next milestone on the way to the Directive being finally adopted and becoming law across Europe is consideration of the Directive by the EU Council of Ministers in June 2002 with a view to its being adopted. After this, the Directive should be finally published in July 2002 with a view to its becoming law in all EU member states by October 2003.
Why this matters:
The Directive in its previous form was not, as has widely been suggested, "opt in" for cookies It was still likely, however, to have negative implications for e-commerce because cookies could not have been activated until cookie info and an opt-out opportunity had been provided. It has to be said that the amendment still leaves the situation far from clear. On the face of it, however, it looks as though cookies may legally be activated immediately on a surfer's arrival at a site, so long as the site provides easy access, somewhere on the site, to "clear and comprehensible" information about the operation of the cookie and an opportunity to opt out of it.
It is interesting to compare these much-publicised developments at the European level with the position here in the UK. Here, the Information Commission has long held the view that under the Data Protection Act 1998, cookies can only legally be activated after a cookie warning has been given and an opt-out opportunity provided, in other words, a position exactly the same as that threatened for the whole of Europe until the 30 May vote.