The EU's Privacy and Electronic Communications directive was changed last year in a way that demands that websites get every visitor's consent before sending cookies to their machines. An exception exists in the directive where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user — so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.
This law, which is not yet in force across Europe, immediately hampered the prospects for advertisers, in particular the serving of behaviour-based ads, which tend to generate more clicks and more income for host sites.
If every website has to ask every user if it's OK to track them for advertising, the revenues of advertisers and publishers are threatened.
Advertisers have claimed that the new law allows them to assume consent because a web browser is not set to block cookies. That was one way to interpret the law, but it was an ambitious interpretation at best. Now the Article 29 Working Party — a committee comprising the data protection regulators of the EU's 27 member nations — has said that, in effect, the advertisers got it wrong.
The working party has extended an olive branch to industry, though. Prior consent is still needed, it says, but one expression of consent can cover thousands of sites. There had been a fear that the new law might be so draconian as to demand that websites pester their visitors for consent constantly. Because it is actually the network that matches adverts to sites, the working party says it is the ad networks that must obtain your consent.
So if a site is uses one of the major ad networks, like DoubleClick, then a user who has previously visited one of DoubleClick's myriad partner sites will be pre-approved for behavioural advertising — if they gave consent.
This is far from ideal for publishers, but the working party has done a decent job of making a fundamentally anti-business law more palatable.
However, the problem here is the law itself. It is a shambles. It's ambiguous and potentially contradictory and unhelpful not just to businesses but also to consumers. The lawmakers should have found a way to safeguard consumers that didn't burden them with making decisions on complex relationships and technologies, and that didn't set up a user barrier at the front door of every website.
But the law is the law. Trade bodies such as the Interactive Advertising Bureau (IAB) and the European Publishers Council have objected to it and issued their own interpretations, claiming that the law says that browser settings give a user's consent. According to the working party, this is a flawed interpretation.
Individuals "cannot be deemed to have consented simply because they acquired/used a browser or other application which by default enables the collection and processing of their information", the group writes. "Currently, of the four major browsers, only one browser blocks third-party cookies by default from the moment the browser is installed."
On Internet Explorer (IE), Firefox and Chrome, third-party cookies are enabled by default. Only Safari blocks them until the user changes the settings.
The committee's answer is not ideal, but it has on its side the benefit of almost certainly meeting the demands of the law.
Even though the Article 29 Working Party has made life slightly easier for publishers, there is still...