Don't overbake fear of EU cookie law

Summary: Under EU law, behavioural advertisers need consumers to agree, but the details may be less onerous than the industry feared, says Struan Robertson

TOPICS: Government UK

A new European law on how web publishers should use cookies is still stoking controversy, seven months after it was passed. EU privacy watchdogs have just given their view on it and while web publishers will still wince, the regulators' view is more accommodating for business than it could have been, says Struan Robertson.

The EU's Privacy and Electronic Communications directive was changed last year in a way that demands that websites get every visitor's consent before sending cookies to their machines. An exception exists in the directive where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user — so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.

This law, which is not yet in force across Europe, immediately hampered the prospects for advertisers, in particular the serving of behaviour-based ads, which tend to generate more clicks and more income for host sites.

If every website has to ask every user if it's OK to track them for advertising, the revenues of advertisers and publishers are threatened.

Advertisers have claimed that the new law allows them to assume consent because a web browser is not set to block cookies. That was one way to interpret the law, but it was an ambitious interpretation at best. Now the Article 29 Working Party — a committee comprising the data protection regulators of the EU's 27 member nations — has said that, in effect, the advertisers got it wrong.

The working party has extended an olive branch to industry, though. Prior consent is still needed, it says, but one expression of consent can cover thousands of sites. There had been a fear that the new law might be so draconian as to demand that websites pester their visitors for consent constantly. Because it is actually the network that matches adverts to sites, the working party says it is the ad networks that must obtain your consent.

So if a site uses one of the major ad networks, like DoubleClick, then a user who has previously visited one of DoubleClick's myriad partner sites will be pre-approved for behavioural advertising — if they gave consent.

This is far from ideal for publishers, but the working party has done a decent job of making a fundamentally anti-business law more palatable.

However, the problem here is the law itself. It is a shambles. It's ambiguous and potentially contradictory and unhelpful not just to businesses but also to consumers. The lawmakers should have found a way to safeguard consumers that didn't burden them with making decisions on complex relationships and technologies, and that didn't set up a user barrier at the front door of every website.

But the law is the law. Trade bodies such as the Interactive Advertising Bureau (IAB) and the European Publishers Council have objected to it and issued their own interpretations, claiming that the law says that browser settings give a user's consent. According to the working party, this is a flawed interpretation.

Individuals "cannot be deemed to have consented simply because they acquired/used a browser or other application which by default enables the collection and processing of their information", the group writes. "Currently, of the four major browsers, only one browser blocks third-party cookies by default from the moment the browser is installed."

On Internet Explorer (IE), Firefox and Chrome, third-party cookies are enabled by default. Only Safari blocks them until the user changes the settings.

The committee's answer is not ideal, but it has on its side the benefit of almost certainly meeting the demands of the law.

Even though the Article 29 Working Party has made life slightly easier for publishers, there is still...

  • Silly non-issue. As any Firefox user will tell you, you accept the cookies per session and they're gone when you close the browser.
    I find the EU tackling of this somewhat two-faced. On the one hand we have the EU Data Retention directive, effectively pre-emptive mass surveillance, which is incompatible with the privacy law. Then we have their WHITE-WASH of the SWIFT data to the US, claiming it is still private even if handed over in bulk to a foreign power, even though they know they run unrestricted queries on that full data set.
    And now they are proposing to store internet surfing histories, on the excuse of an 'early warning system to protect kiddies', just as the copyright lobby decides the best way to get mass surveillance of the internet... is to claim it's to protect kiddies...

    The EU structures under Barroso have been a disaster, rolling back core liberties in exchange for expanding EU powers.

    Yet all they can do is talk about cookies?
  • Why is there no mention of the end users getting a slice of the profits being generated on their backs? per session's.
  • Why does your article not mention

    Browser Fingerprinting?

    Cookies are of issue but no longer as significant.
  • It's a stupid law. Cookies are used very frequently for non-invasive things, such as shopping carts, remembering logins etc. You don't want to store shopping carts in the URL, or if you send a copy of the URL to someone else, you're sending them the shopping cart, and you can't store logins anywhere other than in a cookie.

    Also, what happens if someone says 'No I don't want you to store a cookie' - you CAN'T remember that they've said 'no' (that would need a cookie, which would be illegal), so you have to ask them EVERY TIME they go to the website. Which would be incredibly un-user-friendly.

    It will end up with users pressing 'yes' just to get rid of the annoying prompts, which is worse than the current situation, because now the sites would have EXPLICIT consent, not just implicit.

    The correct solution is to enforce it in the browser, and that would have the advantage of 'protecting' EU customers even when shopping from outside the EU, and not annoying non-EU customers purchasing from the EU. Also, it would mean you would know it would work, rather than relying on the website to possibly have done what it's meant to do.

    The EU have got it badly wrong here - someone's come up with this who has no idea...
  • @pscs - your examples of useful cookies are all first-person cookies; the intrusive ones tend to be third-party cookies, so it's possible to treat them differently. I'm quite keen on the tracking protection lists in IE 9, now agreed as the W3C standard and hope to see the EU respond on whether that meets their view of the legal obligation to get the standard adopted across different browsers. We also need a lot of education in this area.
    Simon Bisson and Mary Branscombe
  • I think the whole cookie situation has got well out of hand.

    I find NoScript very revealing. I have it set to always block, then enable just enough per session for the website I'm looking at to work. This usually needs less than 3 cookies, yet you frequently see up to a dozen third-party cookies in the list.

    Then you've got Flash cookies and iFrames. There is a hell of a lot of crap thrown at the users, most of whom have no idea what is going on.

    Incidentally there were 6 third-party cookies on this page blocked by NoScript and 3 DoubleClick images blocked by Ghostery.