The EU's Privacy and Electronic Communications directive was changed last year in a way that demands that websites get every visitor's consent before sending cookies to their machines. An exception exists in the directive where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user — so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.
This law, which is not yet in force across Europe, immediately hampered the prospects for advertisers, in particular the serving of behaviour-based ads, which tend to generate more clicks and more income for host sites.
If every website has to ask every user if it's OK to track them for advertising, the revenues of advertisers and publishers are threatened.
Advertisers have claimed that the new law allows them to assume consent because a web browser is not set to block cookies. That was one way to interpret the law, but it was an ambitious interpretation at best. Now the Article 29 Working Party — a committee comprising the data protection regulators of the EU's 27 member nations — has said that, in effect, the advertisers got it wrong.
The working party has extended an olive branch to industry, though. Prior consent is still needed, it says, but one expression of consent can cover thousands of sites. There had been a fear that the new law might be so draconian as to demand that websites pester their visitors for consent constantly. Because it is actually the network that matches adverts to sites, the working party says it is the ad networks that must obtain your consent.
So if a site uses one of the major ad networks, like DoubleClick, then a user who has previously visited one of DoubleClick's myriad partner sites will be pre-approved for behavioural advertising — if they gave consent.
This is far from ideal for publishers, but the working party has done a decent job of making a fundamentally anti-business law more palatable.
However, the problem here is the law itself. It is a shambles. It's ambiguous and potentially contradictory and unhelpful not just to businesses but also to consumers. The lawmakers should have found a way to safeguard consumers that didn't burden them with making decisions on complex relationships and technologies, and that didn't set up a user barrier at the front door of every website.
But the law is the law. Trade bodies such as the Interactive Advertising Bureau (IAB) and the European Publishers Council have objected to it and issued their own interpretations, claiming that the law says that browser settings give a user's consent. According to the working party, this is a flawed interpretation.
Individuals "cannot be deemed to have consented simply because they acquired/used a browser or other application which by default enables the collection and processing of their information", the group writes. "Currently, of the four major browsers, only one browser blocks third-party cookies by default from the moment the browser is installed."
On Internet Explorer (IE), Firefox and Chrome, third-party cookies are enabled by default. Only Safari blocks them until the user changes the settings.
The committee's answer is not ideal, but it has on its side the benefit of almost certainly meeting the demands of the law.
Even though the Article 29 Working Party has made life slightly easier for publishers, there is still a major hurdle facing them. Its interpretation of the law still forces publishers to ask a difficult question. Advertisers and publishers would rather not ask users if they want to be tracked for advertising purposes because users' answers could damage their businesses. But it's hard to avoid asking that question: the committee's interpretation of the law is, in purely legal terms, the most compelling interpretation, however flawed and unhelpful the law itself may be.
The working party's opinion isn't the final word on how to comply, though. We're still waiting to see the laws that will implement the new directive in each member state. These laws are likely to be accompanied by guidance from local regulators, in our case the Information Commissioner's Office (ICO). There's still the possibility that the local laws and local guidance will be more supportive of the IAB's view, though it would be surprising if that turned out to be the case.
Another recommendation says users' permissions should not last forever. Ad networks should ask again every year whether users are happy for cookies to be used to track them. Given the working party's views on other aspects of data retention, a year is an uncharacteristically generous period.
The party is calling for the labelling of behavioural ads with icons that link to information pages. That's a smart move for better transparency and something that the IAB is already supporting and working towards.
While real change will take years, the committee is also calling for browser makers to build greater privacy control into their products. Millions of internet users still browse the web using IE6, for example, even though it is nine years old. It will be a long time before websites can expect to see a large number of visitors using the privacy-protective browsers that the working party has in mind. Website privacy practices have to accommodate legacy browsers like IE6. For the foreseeable future they will be unable to delegate cookie compliance to the browser.
Publishers and advertisers are never going to be happy with the new law and nor should they be. But they now have clear guidance from the EU's regulators, and the situation is not as bad as they might have feared.
Struan Robertson is a legal director at international law firm Pinsent Masons and editor of the firm's Webby-winning legal information site, Out-Law.com. A specialist in technology law, Robertson has focused almost exclusively since early 2000 on the legal issues surrounding the internet.