The Cookie Directive

(Also referred to as the Revised E-Privacy Directive or Directive 2009/136/EC – this is a Directive issued by the EU which is due to be adopted by all EU Member States by 25 May 2011.)

QUICK SUMMARY:

  • The Cookie Directive requires users to give “consent” for cookies to be placed in their browsers.
  • It’s possible to take a very literal interpretation from this Directive that would require users to give explicit consent before any cookie can be placed in their browsers HOWEVER it’s also possible to interpret the Directive in a more practical, common-sense way.
  • The UK has already signalled its intent to implement the provisions of this Directive in a practical manner by allowing “consent to the use of cookies to be given via browser settings”.
  • We are hopeful that other Member States will take a similar common-sense approach to the interpretation of this Directive.

NOTE: We’re not attorneys/solicitors/lawyers/legal experts. We are the Team behind StatCounter and we have prepared this post in reponse to a number of queries we have received recently. This post is for informational purposes only. This post is not, nor is it intended to be, legal advice and should not be considered as such.

EU Directives

  • Directives are binding on EU Member States NOT on EU citizens. (The related national legislation is binding on EU citizens.)
  • A Directive should be passed into law by each Member State (by a specified date) at which point it becomes binding on the citizens of the relevant Member State.
  • Each Member State must interpret each Directive so it’s possible for different Member States to have differing laws all based on the same Directive.

This means that it’s the legal interpretation of the Directive in each Member State that is relevant rather than the actual Directive itself. The Cookie Directive is supposed to be transposed into national law by all EU Member States by 25 May 2011. It’s not clear how many Member States will comply with this deadline.

The Cookie Directive – what does it mean?
The new Cookie Directive goes further than current legislative provisions, stating that “consent” must be given for cookies to be stored/accessed on users’ computers.

If the Cookie Directive is interpreted literally, it appears that an internet user could be required to give consent each time a cookie is placed on that user’s computer (e.g. via some sort of pop up consent form that asks visitors if they agree to the installation of specific cookies).

There are numerous potential problems with this Directive including:

  • The internet as we know it could not function without cookies. David Naylor has created an interesting (and worrying) example of the possible consequences of this Directive here. Not a pleasant prospect…
  • The scope and applicability of the new legislation is not clear but presents many potential problems. Will the new legislation apply to all EU citizens? If so, how will the EU force non-EU websites to comply? If non-EU websites are not subject to these draconian provisions, then will EU websites suffer a reduction in traffic as a result? Or will EU businesses considering relocating in order to avoid the penal legislation?
  • As Member States may all adopt different legislative provisions in relation to this Directive, a single entity operating in several EU countries may have to provide different website consent and privacy options in every jurisdiction. This could present administrative and technical difficulties and cause particular hardship for smaller businesses.
  • By placing severe restrictions on relatively harmless cookies, this law may encourage the use of more invasive technologies.
  • All cookies appear to be covered by this Directive regardless of how much (or how little) information they hold.
  • No account is taken of the value of advertising funded content and services nor the consumer support for interest-based advertising.

Enforceability?
Reading the Directive, it appears to us that as each Member State adopts the relevant legislation, that interpretation of the legislation will apply to all citizens of that Member State. (We’re open to correction on this, so please feel free to comment below.) If that is the case, then theoretically every website in the world may have to apply a different set of regulations to their website for every set of visitors to their site from every Member State. In practice, it’s difficult to see US, Australian or Chinese sites tripping over themselves to comply with differing sets of EU legislation plus it’s not at all clear how an EU State could impose a sanction on such a website for non-compliance in any event. Will this lead to non-EU sites (without burdensome consent requirements) being favoured by EU citizens?

Alternatively, if the transposed legislation applies to EU websites – then what is the definition of such a site? As mentioned earlier, will EU businesses be encouraged to move their hosting out of the EU to avoid the penal legislation? And while we’re on the subject of definitions the lack of same in the Directive has resulted in huge uncertainty…for example no definition of “consent” is offered – but equally, this leaves the door open for Member States to adopt a flexible and common-sense approach to this seemingly archaic Directive.

Some commentators have also discussed the possibility that cookies necessary to the operation of a site may be excluded from the consent provisions… but again, no definition of “necessary” is provided. Perhaps unsurprisingly, we view our own StatCounter cookies which we use to track visitor activity as vital to allow us to maintain and improve our sites. (Our tracking cookies contain minimal information and are used to determine unique and returning visitors only.) We know many of our members share this view. Reflecting on this Directive, we feel that the restrictions on cookies may have been initially aimed at behavioural advertising only… but somewhere during the drafting process this important distinction became lost resulting in headaches for website owners and operators throughout the EU.

Solution to a Non-Existant Problem? Cookies
We’re just not sure why the EU has decided to target cookies in this Directive… Cookies are harmless text files which are placed in your browser to document your preferences, keep you logged into a site, store your shopping cart contents… Cookies are not viruses, cookies cannot scan your system or search your computer for private information.

Furthermore, control of the cookies in your browser is already in your hands – you can clear cookies at any time and you can opt to reject some/all cookies via your browser settings… which is why we are confused about the point of this new Directive. If you want to reject cookies – you can do so! (Learn how to adjust cookie settings for IE, Chrome, Firefox and Safari.)

It would appear that this Directive has been badly drafted and takes little or no account of how the internet actually works. To obtain prior consent for every cookie, would result in a severe diminution of the quality of the online user experience. Imagine… Every website in the EU would have to use a pop up form to obtain consent for evey cookie… Users would be obliged to deal with these pop ups multiple times every day… Web browsing would become frustrating and cumbersome… And, somewhat ironically, the very people who reject cookies would suffer the worst experience; websites wouldn’t function correctly; shopping carts wouldn’t work and, as they don’t allow any cookies to remember their preferences, they would be prompted to opt in/out on potentially every page of every site they visit! In the end, most people would probably opt in to all cookies simply to eliminate all the pop ups… thereby defeating the purpose of this Directive in the first place!

The new Directive seems to be making a misguided attempt to “protect” some web users (who may not be aware of their browser settings) at the expense of everyone else… in our view, the money spent on developing this Directive would have been better spent educating people about the options that already exist, rather than implementing a whole new set of regulations and placing unnecessary burdens on websites and online businesses.

Solution to a Non-Existant Problem? Behavioural Ads
Behavioural advertising has a bad reputation – but in short it simply means that if you view or purchase furniture, for example, on a website, that same website may advertise their furniture to you on another site. Cookies are used to remember your previous browsing history and show you related ads. After all, if you have viewed or purchased a product on a site, you may be inclined to purchase from them (again) in the future.

We feel that this Directive may have been originally intended to target behavioural advertising cookies (but was widened somehow to cover all cookies)… but even restricting behavioural ads in this nonsensical manner seems OTT. “Traditional” advertising involves analysing trends and behaviour to allow advertising space to be sold based on demographics and preferences… this Directive appears to be punishing online advertisers who are effectively doing the same thing!

Behavioural advertising online is very similar to store loyalty cards – loyalty cards are used to track your purchases, spending habits and shopping behaviour in a particular store, that information is then used to offer you discounts and offers relevant to your interests. Online behavioural advertising works in a parallel fashion.

PLUS – if you don’t like targeted ads online – then you can just opt out! Using your browser settings you can disable all cookies, reject certain cookies or you can use the NAI opt-out tool to opt out of over 70 behavioural advertising programs (but remember that to opt out, you must accept a cookie to remember your opt-out preference!).

Practical Approach
Despite the possibility of taking a very strict (& restrictive) view of the Directive, we understand that the UK has decided to take a practical approach.

For example, the consultation & implementation documents drawn up by the Department for Business Innovation and Skills state:

The internet as we know it today would be impossible without the use of …cookies …so it is important that this provision [regarding cookies] is not implemented in a way which would damage the experience of UK web users or place a burden on UK or EU companies that use the web.

Further the DBIS goes on to explain its preferred option for obtaining consent:

“Option 2: Allow consent to the use of cookies to be given via browser settings. This is the preferred option because it allows the UK to be compliant with the E-Privacy Directive without the permanent disruption caused by an opt-in regime.”

So – that appears to mean that if a user *allows* cookies via their browser, then that constitutes consent. The above would appear to be a reasonable approach and, in short… nothing will change!

So what will happen on May 25?
This is debatable. Until the Directive is passed into law it’s very difficult to anticipate the exact implications. In the future, guidelines on obtaining consent and information on enforcing the legislation will have to be released however, for now, it looks like the 25 May deadline will have no impact whatsoever. Further, if all Member States follow the example of the UK (as outlined above), then nothing will change at all!

We are hopeful that practical, common-sense and commercial realities will take precedence over an overly-zealous and misguided piece of legislation, particularly given the fact that the power to reject cookies is already in the hands of the people this Directive seems to be trying to “protect”.

We welcome your comments below.

Related links:
Europe’s ad industry issues response to cookies opt-in
E-Privacy Directive on Cookies
Why the EU Privacy Directive is not a real threat

Access to European Union Law

65 comments on “The Cookie Directive

  1. Hahaha so ridiculous, I look down upon anyone who thinks the internet can be controlled. If this passes people will simply open servers in countries that do not abide by the same rules. (The example was hilarious by the way)

  2. Clearly this is a difficult issue but I hope in practice it does not curtail our usual trading ability. Certainly as time passes more and more controls are being applied to internet traders but as Austin implies: should the internet be controlled? Isn’t it preferable that humans globally establish a free information highway without the controls we meet daily elsewhere? Personally I believe anyone purchasing online takes personal risk responsibility. After all, we can still purchase offline!

  3. With all respects, this directive, even, in fact, is useless while already exists the privacy/data protection laws (very good in my country), is not a big deal and it’s nothing to be considered as a way to control internet.

    Few days ago, (this is the first time I heard of this Directive, so I didn’t have an idea of its existence) while I was thinking to make a website, as a privacy/data protection interested person, I thought to include a system on my website to request people to accept cookies.

    How? It’s as simple as create a welcome page with information about the usage of the website and the enhanced usability of the site if the user accepts to set cookies and make a secondary page to check what cookies are stored in their browsers and with the ability to select which one does the visitor wants to keep/use with the website.

    This can be accomplished with javascript enabled/disabled, through PHP/ASP,etc, and other systems.

    What’s the deal? Work. A little programming work. Why a webmaster won’t waste a little of time to program this? Only the webmaster knows.

    But anyway, I don’t find anything wrong with the directive, apart what I said at the beginning of this text. Is useless with the current laws and MUST BE a MUST DO for every webmaster that respects its visitors.

    This won’t be done by all and that’s the problem but it should.

  4. The problem I have with this is that users have to be bugged about something that isn’t going to hurt them. Its not like cookies can extract personal information or even names. Visitors are only identifiable to the web master as an ID number, unless they enter extra information through a form. Even behavioural advertising isn’t personal, it just tracks a users ID number and what that ID number likes.

    On top of all of that many browsers have options to block 3rd party cookies or cookies from particular websites or even just delete all cookies when the browser is closed so the websites should not have to ask permission as the user can already effectively opt out.

    I think the only need for this kind of legislation is where a user’s real identity is traceable. For example a search engine should allow users not to be tracked as everyone has searched their own name or post code at some point. A news or software downloads site however could spend days examining logs of a particular visitor and never get close to finding out who they are.

  5. While I agree this Directive is ludicrous, the problem is that some of us cannot just ignore it. Major plc’s in the UK all have compliance departments whose task it is to ensure that the company is sqeaky clean and conforming to every rule and regulation.
    This has given some of us the task of drafting of compliance and implementation plans without really being clear about what will be allowed and what won’t.
    Does anyone know when it’s likely to be “enacted into law”?

  6. Well, we can always hope for the “common-sense” approach to issues like these, but you just never know with legislatures. It will be interesting to see how this plays out.

    1. I think this is the best approach, common sense. The whole issue seems to be the result of a panic and clearly has not been sensibly thought through. How will this affect American users and the rest of the world is what occurs to me.

  7. Would it be possible to implement an option in the wizard which then generates a special code to invoke a JavaScript dialog for allowance at first visit, before placing the cookie (something like a check box “Ask visitors before sending the cookie” and one underneath “Choose your own message to ask for allowance” with text field, alternatively to a standard one in English)? 🙂

  8. About Entertainment Portal | Online TV Channels | Islam | Latest News | Music | Software | SMS To Pakistan | Wallpapers | Models | Cooking Recipes | Fun | Fashion | Cricket (hungamatime.com): A Big Entertainment Web Portal, Islam , Latest Music , Fun , Cooking Recipices , Software,Education ,Sports ,Download Free Softwares, Latest & Uniques Wallpapers , Models , Gallery , Sms & Jokes

  9. The UK governments ‘practical appproach’ is nothing of the sort. The latest guidelines from the Information Commissioners Office are as vague as the EU directive itself – probably deliberately so.

    There is both danger and opportunity here. Danger in that the implementation acrsos the EU could damage the digital economy. Opportunity comes in the shape of getting pro-active in response.

    One such organisation is the Cookie Collective, an association of UK web agencies that are proposing a practical, workable solution that could benefit both business and consumers. Have a look at the website and judge for your self: http://www.cookiecrunch.co.uk/

    PS cookies are not always benign.

  10. Thanks for the post – very useful. Agree with the concensus that this is yet another poorly thought through directive that offers little protection for either the user or the business. Already in the last 2 days I have been offered Ts and Cs “help” from 3 seperate legal firms!Ludicrous.

  11. There are actually a variety of details like that to take into consideration. That may be a great point to convey up. I provide the thoughts above as common inspiration however clearly there are questions like the one you convey up the place the most important thing will likely be working in trustworthy good faith. I don?t know if finest practices have emerged round issues like that, but I am positive that your job is clearly recognized as a good game. Both girls and boys really feel the impression of only a second’s pleasure, for the rest of their lives.

  12. This post was useful in the fact that it exposed the truth about internet cookies. Continue to shed light in these areas.

  13. That’s a new cons-productive decision, as many other done in Europe about a socalled Internet security measure. I think that many european websites will be penalized by this obligation and many webmasters will switch their current hosting to a non resident provider.

  14. I think this is hilarious also, there´s a huge need of controlling not only Internet but everything lately, anyway i don´t think this will happens …..
    Internet should be used at every user´s risk !

  15. Than you so much for this blog subject. I’ve been suspicious of Cookies ever since they hit the scene. We must always be vigilant regarding internet security, even more-so today. This information is invaluable.

  16. It is frightening how much market research will be lost with the permission to put a cookie on a device. I believe in freedom of information however I wish that the end user did not have to opt in to allow it. This will be detrimental in any business from toys to the public library. I believe online retail will be the big loser here.

  17. Why doesn’t statcounter make the cookie optional? Something in the code like ‘var use_cookies=0;’ along with the other variables? Or a setting on the config page? I know this would switch off some of the functionality, but while everything is still unclear this would help a lot.

  18. @ Walt.

    I don’t know if you realize; but there are a number of freeware programs that will delete all cookies on your system: “CCleaner” and “Window Washer come readily to mind. I think they may be loaded at start-up too.

    End of problem.

  19. If this idea will help improve lives on the affected country then why not. Just consider the factor of what will be the effect and who will be affected.

  20. This is such a great idea! Egypt and Tunisia really needs it nowadays. This will help them improve and modernize their economies and generate more oppurtunies in their population. Also, this will help resolve the economical issue of poverty and hunger caused by the continous war between the military and Hosni Mubarak in Egypt and Ben Ali in Tunisia.

  21. May the increase of consumer price average help to improve the economic state of Jordan. Jordan deserves for this achievement, for they have a good service in terms of Transportation, rental, especially in Fuel and Lighting. I believe that if the people in Jordan will participate to maintain the peace in their country, there will be lots of achievements they will have in the future. Wish more luck to Jordan.

  22. If you are bothered about cookies affecting your identity or personal data just use one of the many software programs out there that wipe your history, cookies and cache when you close your browser. Alternatively use C-Cleaner or similar – job done!

  23. @walt
    +1

    If one chose a version without cookies, it would spare to follow the upcoming legal discussion, which only makes oneself mad. This ‘career-bitch’ now is a European directive, and national politics will likely recycle it annoyingly opportunistic.

    Furthermore, they will use that piece to promote “consumer protection” to an extent where it leads to a question of trust. Which is a dynamic hurting non-established business startups and political groups, as these are all internet-based and technology underneath needs the little database-files.

    If one e.g. uses a service like StatCounter in human rights activism (where +visitors are already insecured by nature), it currently seems better to implement a small privacy statement informing about cookies, in order to avoid loss of trust. However, blog community statistics which are implemented by default + can’t be turned off, don’t require being so careful; people use these communities since years and never had a problem.

  24. Does this seem to be only a local Europe issue or is the USA involved also in this legislation? It seems at any time half the world wants to decree how the other half should act.

  25. Shouldnt the EU be addressing more pressing issues on their agenda than wanting to go after cookies. Come on I receive a high number of scam email a day! Surely they should go after these guys than go after affiliates who want to make an honest buck!

  26. This could spoil the simplicity of just getting on and browsing the web, a crazy idea, why can’t goverments just focus on teaching the general public how to use a computer and to use all of the useful resources / tools available to browse the web with as much / little privacy as desired!!???

    It ain’t rocket science, at all, all thats needed is to select a compatible add-on for the browser used and then make your own privacy / cookie rules!

    Why all the fuss when a simple piece of ‘easy’ education would suffice all!

  27. Glad to hear this has been delayed by a year. We attended a seminar with Dell this week who stated they have not begun to action this and will not do so until more information is given. Seems fair as there are a lot of unanswered questions.

  28. This cookie issue has become a burden to say the least. I agree that this ruins the simple ability to just browse the web. I think that this is going to become a bigger issue with personalized search especially in Google.

Comments are closed.