A new European Union directive will require websites to get consent of users every time information gets stored on their computers, and now a UK politicians has given a speech suggesting he has a broad interpretation of what getting consent means. In a statement telling UK businesses they need to “wake up” to the new law, Information Commissioner Christopher Graham said businesses will need to obtain consent from each visitor to their website before putting any information on their computer-and that includes “cookies,” the small text files used for everything from online shopping, to remembering log-ins, to tracking and targeting behavioral ads.
The question is just what “consent” means. Some UK press reports, including one from the BBC, have suggested that it will be necessary to get “explicit consent” from every visitor to a website. If followed literally, that could render some websites practically unusable. Consider Dictionary.com, which last year was reportedly installing 234 separate cookies on the computers of each visitor, 223 of which performed some type of tracking.
But the term “explicit consent” doesn’t appear anywhere in the actual EU directive. Online advertisers are pushing for a more “pragmatic” system, which would allow users to express their consent through their browser settings. That approach is outlined in the EU directive, which says that “the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”
“Some data protection authorities would like it to be ‘explicit’ consent, but I don’t think the UK wants to go down that route,” IAB European director Kimon Zorbas said in an interview. “So far the UK has been pretty pragmatic.” Zorbas added that the EU’s guidance to its 27 member states doesn’t say that “explicit” consent is needed.
In any case, the member countries of the European Union have substantial leeway in how they implement the rule and work it into their national legal systems. Member countries have until May 25 to do that, but it’s not unusual for them to be late.
While U.S. regulators have also begun considering beefing-up online privacy, including various “Do Not Track” measures, no politician stateside has gone as far as the UK Information Commissioner went by suggesting that an explicit opt-in for standard HTTP cookies should be required.
But in interviews with the U.K. press, Information Commissioner Christopher Graham said businesses need to start thinking about re-working their websites to get consent, since browser settings might not be enough. “It’s going to happen and it’s the law,” Graham told the BBC.