The end of the world is nigh, if you believe some of the doomy predictions around the ‘EU cookie law’.
Coming into force in the UK on Saturday, Article 5(3) of the E-Privacy Directive (happy reading) says EU countries have to make sure consumers are “offered the right to refuse” cookies being downloaded onto their computers by web services, in all but essential cases. They also have to give “clear and comprehensive information” about what the cookies are for.
The deadline for all this was late May 2011. A year on, eight member states – Belgium, Cyprus, Germany, Italy, Malta, Poland, Romania and Slovenia – have yet to even transpose the directive into their national laws, let alone start enforcing it.
And in the other 19 countries, there’s a pretty big variation in how national laws interpret the directive. It should also be pointed out that the UK is something of a special case here, in that its data protection authority gave businesses an extra 12 months to comply (ending on Saturday). The rest are already enforcing their updated laws.
But before looking at what they’re enforcing, let’s go back to the rationale behind all this, from the perspective of digital agenda commissioner Neelie Kroes:
“If you log in to a web service, the cookie that remembers that you are logged in is fine – and indeed this makes our lives a whole lot easier online. But a cookie that is used to build a profile of what you are doing online is less OK: it might mean that your web surfing over time (searches, web pages visited, the content viewed, etc.) is tracked, for example in order to match ads against your interests as determined from the profile. The use of such cookies requires your consent,” Kroes blogged earlier this year.
“Consent” is the key word here, and it can be interpreted in several ways.
In countries such as Latvia, a strict opt-in principle is in play. That means the user has to agree to almost every cookie being installed on their machines, and browser settings that give the all-clear to cookies are not enough to imply informed consent.
If you’re operating in Spain or Luxembourg, the law demands that users opt into cookies, but accepts that browser settings are satisfactory. In Finland or Bulgaria, the users don’t even have to opt in – they just have to be given an opportunity to opt out – and browser settings are again an accepted way of communicating cookie preferences.
Austria demands opt-in, but browser settings may be OK (the law is open to interpretation). France is fine with opt-out and also with browser settings, as long as they’re not over-general. The UK doesn’t demand strict opt-in but it also doesn’t see browser settings as a satisfactory solution.
Portugal’s implementation doesn’t even mention cookies, so it’s hard to say what the rules are there.
Confused yet? You’re not the only one, and Kroes knows it. She’s a savvy operator and she’s also not the one who came up with the E-Privacy Directive – that was her predecessor Viviane Reding, now the justice commissioner.
Which is probably why Kroes has been pushing like mad to get a consistent solution implemented within the technology itself. That would be the ‘Do Not Track’ (DNT) browser feature, which, as the name suggests, gives users a way to set their cookie preferences within the browser rather than for every specific site – preferences that website providers are supposed to respect.
Google, Yahoo, AOL, Mozilla, Microsoft, Apple and Twitter have all signed up to implement and/or respect DNT preferences. Facebook, you will be astonished to hear, has not.
As explained above, DNT will not in itself be an answer to the cookie problem in some countries. However, there are countries such as the Netherlands and Lithuania where legislators have decided that it’s only current browsers that don’t offer satisfactory cookie settings. In those cases, a proper implementation of DNT may pass muster, bringing those countries in line with the relaxed majority.
So for all those online publishers and marketers grousing about the UK’s implementation of the cookie law, consider these points:
• Some other EU countries have stricter rules.
• Sooner or later, you’re going to come up against the consent issue from a technical as well as legislative standpoint anyway.
• The UK Information Commissioner’s Office seems keen to play fair, hence the 12-month extension. But consider this quote: “We will allow for a greater focus on wilful non-compliance by letting those who are making genuine attempts to comply get on with the job without unnecessary interference from the regulator.” In other words, do make some attempt to play along.