The Cookie Directive

(Also referred to as the Revised E-Privacy Directive or Directive 2009/136/EC – this is a Directive issued by the EU which is due to be adopted by all EU Member States by 25 May 2011.)

QUICK SUMMARY:

  • The Cookie Directive requires users to give “consent” for cookies to be placed in their browsers.
  • It’s possible to take a very literal interpretation from this Directive that would require users to give explicit consent before any cookie can be placed in their browsers HOWEVER it’s also possible to interpret the Directive in a more practical, common-sense way.
  • The UK has already signalled its intent to implement the provisions of this Directive in a practical manner by allowing “consent to the use of cookies to be given via browser settings”.
  • We are hopeful that other Member States will take a similar common-sense approach to the interpretation of this Directive.

NOTE: We’re not attorneys/solicitors/lawyers/legal experts. We are the Team behind StatCounter and we have prepared this post in reponse to a number of queries we have received recently. This post is for informational purposes only. This post is not, nor is it intended to be, legal advice and should not be considered as such.

EU Directives

  • Directives are binding on EU Member States NOT on EU citizens. (The related national legislation is binding on EU citizens.)
  • A Directive should be passed into law by each Member State (by a specified date) at which point it becomes binding on the citizens of the relevant Member State.
  • Each Member State must interpret each Directive so it’s possible for different Member States to have differing laws all based on the same Directive.

This means that it’s the legal interpretation of the Directive in each Member State that is relevant rather than the actual Directive itself. The Cookie Directive is supposed to be transposed into national law by all EU Member States by 25 May 2011. It’s not clear how many Member States will comply with this deadline.

The Cookie Directive – what does it mean?
The new Cookie Directive goes further than current legislative provisions, stating that “consent” must be given for cookies to be stored/accessed on users’ computers.

If the Cookie Directive is interpreted literally, it appears that an internet user could be required to give consent each time a cookie is placed on that user’s computer (e.g. via some sort of pop up consent form that asks visitors if they agree to the installation of specific cookies).

There are numerous potential problems with this Directive including:

  • The internet as we know it could not function without cookies. David Naylor has created an interesting (and worrying) example of the possible consequences of this Directive here. Not a pleasant prospect…
  • The scope and applicability of the new legislation is not clear but presents many potential problems. Will the new legislation apply to all EU citizens? If so, how will the EU force non-EU websites to comply? If non-EU websites are not subject to these draconian provisions, then will EU websites suffer a reduction in traffic as a result? Or will EU businesses considering relocating in order to avoid the penal legislation?
  • As Member States may all adopt different legislative provisions in relation to this Directive, a single entity operating in several EU countries may have to provide different website consent and privacy options in every jurisdiction. This could present administrative and technical difficulties and cause particular hardship for smaller businesses.
  • By placing severe restrictions on relatively harmless cookies, this law may encourage the use of more invasive technologies.
  • All cookies appear to be covered by this Directive regardless of how much (or how little) information they hold.
  • No account is taken of the value of advertising funded content and services nor the consumer support for interest-based advertising.

Enforceability?
Reading the Directive, it appears to us that as each Member State adopts the relevant legislation, that interpretation of the legislation will apply to all citizens of that Member State. (We’re open to correction on this, so please feel free to comment below.) If that is the case, then theoretically every website in the world may have to apply a different set of regulations to their website for every set of visitors to their site from every Member State. In practice, it’s difficult to see US, Australian or Chinese sites tripping over themselves to comply with differing sets of EU legislation plus it’s not at all clear how an EU State could impose a sanction on such a website for non-compliance in any event. Will this lead to non-EU sites (without burdensome consent requirements) being favoured by EU citizens?

Alternatively, if the transposed legislation applies to EU websites – then what is the definition of such a site? As mentioned earlier, will EU businesses be encouraged to move their hosting out of the EU to avoid the penal legislation? And while we’re on the subject of definitions the lack of same in the Directive has resulted in huge uncertainty…for example no definition of “consent” is offered – but equally, this leaves the door open for Member States to adopt a flexible and common-sense approach to this seemingly archaic Directive.

Some commentators have also discussed the possibility that cookies necessary to the operation of a site may be excluded from the consent provisions… but again, no definition of “necessary” is provided. Perhaps unsurprisingly, we view our own StatCounter cookies which we use to track visitor activity as vital to allow us to maintain and improve our sites. (Our tracking cookies contain minimal information and are used to determine unique and returning visitors only.) We know many of our members share this view. Reflecting on this Directive, we feel that the restrictions on cookies may have been initially aimed at behavioural advertising only… but somewhere during the drafting process this important distinction became lost resulting in headaches for website owners and operators throughout the EU.

Solution to a Non-Existant Problem? Cookies
We’re just not sure why the EU has decided to target cookies in this Directive… Cookies are harmless text files which are placed in your browser to document your preferences, keep you logged into a site, store your shopping cart contents… Cookies are not viruses, cookies cannot scan your system or search your computer for private information.

Furthermore, control of the cookies in your browser is already in your hands – you can clear cookies at any time and you can opt to reject some/all cookies via your browser settings… which is why we are confused about the point of this new Directive. If you want to reject cookies – you can do so! (Learn how to adjust cookie settings for IE, Chrome, Firefox and Safari.)

It would appear that this Directive has been badly drafted and takes little or no account of how the internet actually works. To obtain prior consent for every cookie, would result in a severe diminution of the quality of the online user experience. Imagine… Every website in the EU would have to use a pop up form to obtain consent for evey cookie… Users would be obliged to deal with these pop ups multiple times every day… Web browsing would become frustrating and cumbersome… And, somewhat ironically, the very people who reject cookies would suffer the worst experience; websites wouldn’t function correctly; shopping carts wouldn’t work and, as they don’t allow any cookies to remember their preferences, they would be prompted to opt in/out on potentially every page of every site they visit! In the end, most people would probably opt in to all cookies simply to eliminate all the pop ups… thereby defeating the purpose of this Directive in the first place!

The new Directive seems to be making a misguided attempt to “protect” some web users (who may not be aware of their browser settings) at the expense of everyone else… in our view, the money spent on developing this Directive would have been better spent educating people about the options that already exist, rather than implementing a whole new set of regulations and placing unnecessary burdens on websites and online businesses.

Solution to a Non-Existant Problem? Behavioural Ads
Behavioural advertising has a bad reputation – but in short it simply means that if you view or purchase furniture, for example, on a website, that same website may advertise their furniture to you on another site. Cookies are used to remember your previous browsing history and show you related ads. After all, if you have viewed or purchased a product on a site, you may be inclined to purchase from them (again) in the future.

We feel that this Directive may have been originally intended to target behavioural advertising cookies (but was widened somehow to cover all cookies)… but even restricting behavioural ads in this nonsensical manner seems OTT. “Traditional” advertising involves analysing trends and behaviour to allow advertising space to be sold based on demographics and preferences… this Directive appears to be punishing online advertisers who are effectively doing the same thing!

Behavioural advertising online is very similar to store loyalty cards – loyalty cards are used to track your purchases, spending habits and shopping behaviour in a particular store, that information is then used to offer you discounts and offers relevant to your interests. Online behavioural advertising works in a parallel fashion.

PLUS – if you don’t like targeted ads online – then you can just opt out! Using your browser settings you can disable all cookies, reject certain cookies or you can use the NAI opt-out tool to opt out of over 70 behavioural advertising programs (but remember that to opt out, you must accept a cookie to remember your opt-out preference!).

Practical Approach
Despite the possibility of taking a very strict (& restrictive) view of the Directive, we understand that the UK has decided to take a practical approach.

For example, the consultation & implementation documents drawn up by the Department for Business Innovation and Skills state:

The internet as we know it today would be impossible without the use of …cookies …so it is important that this provision [regarding cookies] is not implemented in a way which would damage the experience of UK web users or place a burden on UK or EU companies that use the web.

Further the DBIS goes on to explain its preferred option for obtaining consent:

“Option 2: Allow consent to the use of cookies to be given via browser settings. This is the preferred option because it allows the UK to be compliant with the E-Privacy Directive without the permanent disruption caused by an opt-in regime.”

So – that appears to mean that if a user *allows* cookies via their browser, then that constitutes consent. The above would appear to be a reasonable approach and, in short… nothing will change!

So what will happen on May 25?
This is debatable. Until the Directive is passed into law it’s very difficult to anticipate the exact implications. In the future, guidelines on obtaining consent and information on enforcing the legislation will have to be released however, for now, it looks like the 25 May deadline will have no impact whatsoever. Further, if all Member States follow the example of the UK (as outlined above), then nothing will change at all!

We are hopeful that practical, common-sense and commercial realities will take precedence over an overly-zealous and misguided piece of legislation, particularly given the fact that the power to reject cookies is already in the hands of the people this Directive seems to be trying to “protect”.

We welcome your comments below.

Related links:
Europe’s ad industry issues response to cookies opt-in
E-Privacy Directive on Cookies
Why the EU Privacy Directive is not a real threat

Access to European Union Law

Comments are closed.

Try Statcounter free for 30 days

No credit card required. Downgrade to the free plan anytime.

Try it for FREE!