Stop the cookie monster and save Europe's websites

Summary: Misguided European laws on cookies could have a devastating impact on websites, says Struan Robertson

Contradictory European proposals could outlaw the automatic delivery of cookies and disrupt the way websites work, says Struan Robertson.

Visit any website and there is a good chance it will send a cookie to your computer. But unless that cookie is essential, its delivery could become illegal under a strange new plan that has — very quietly — won EU support.

Cookies are small text files that websites send to visitors' computers. Without them, websites would struggle to recognise users or, for example, analyse traffic.

Under plans endorsed by the European Commission, the Council of Ministers and the European Parliament, we would have to ask visitors for permission to send that cookie when they visit.

We are all subject to this requirement for prior consent — or so it seems. The trouble is we do not know what the law really means. No one does because the proposed law is ambiguous.

There is already a cookie law in Europe today. It comes from the Privacy and Electronic Communications directive, which says sites using cookies must give visitors "clear and comprehensive information" about the purpose of the cookies. They must also offer visitors "the right to refuse" the use of cookies. That law was passed in 2002 and is somewhat ambiguous — but in a way that allows for pragmatic interpretations.

The 2002 directive did not say when or how the information had to be provided. It was implemented in the UK in a set of regulations that parroted the directive's ambiguous language. But our information commissioner, to his credit, took a pragmatic view. He published guidance that said it was acceptable to display the information in a privacy policy, asking only that "the policy should be clearly signposted at least on those pages where a user may enter a website." Usability survived — in the UK, at least.

To comply with today's law is easy. Websites add a privacy-policy link to every page, and that policy explains their uses of cookies. The right to refuse cookies is dealt with retrospectively: you will probably have the cookie by the time you read about it. But that is acceptable, the commissioner tells us, provided the policy guides users on how they can control and delete the cookies on their machines.

Taking the biscuit
That simple approach to cookie compliance is under threat. The new law says cookies can be delivered to a user's computer only if that user "has given his or her consent, having been provided with clear and comprehensive information" unless it is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service".

For example, if I'm shopping at and I put a book in my shopping basket, Amazon can use a cookie to remember which book I want when I proceed to the checkout. That cookie is essential to the service I have explicitly requested. But if Amazon wants to use a cookie for another purpose, perhaps to monitor shopping basket abandonment, it needs my consent.

That proposal sounds bad, but a 'recital' to the new law could provide an escape clause. In any directive, recitals are listed before the formal 'articles'. They provide an introduction to...
