Don't overbake fear of EU cookie law

Don't overbake fear of EU cookie law

Summary: Under EU law, behavioural advertisers need consumers to agree, but the details may be less onerous than the industry feared, says Struan Robertson

TOPICS: Government UK

... a major hurdle facing them. Its interpretation of the law still forces publishers to ask a difficult question. Advertisers and publishers would rather not ask users if they want to be tracked for advertising purposes because users' answers could damage their businesses. But it's hard to avoid asking that question: the committee's interpretation of the law is, in purely legal terms, the most compelling interpretation, however flawed and unhelpful the law itself may be.

The working party's opinion isn't the final word on how to comply, though. We're still waiting to see the laws that will implement the new directive in each member state. These laws are likely to be accompanied by guidance from local regulators, in our case the Information Commissioner's Office (ICO). There's still the possibility that the local laws and local guidance will be more supportive of the IAB's view, though it would be surprising if that turned out to be the case.

Another recommendation says users' permissions should not last forever. Ad networks should ask again every year whether users are happy for cookies to be used to track them. Given the working party's views on other aspects of data retention, a year is an uncharacteristically generous period.

Read this

Neelie Kroes photo

Kroes to uphold net neutrality in Europe

Net neutrality and free online expression will be protected by the European Commission, according to Neelie Kroes

Read more

The party is calling for the labelling of behavioural ads with icons that link to information pages. That's a smart move for better transparency and something that the IAB is already supporting and working towards.

While real change will take years, the committee is also calling for browser makers to build greater privacy control into their products. Millions of internet users still browse the web using IE6, for example, even though it is nine years old. It will be a long time before websites can expect to see a large number of visitors using the privacy-protective browsers that the working party has in mind. Website privacy practices have to accommodate legacy browsers like IE6. For the foreseeable future they will be unable to delegate cookie compliance to the browser.

Publishers and advertisers are never going to be happy with the new law and nor should they be. But they now have clear guidance from the EU's regulators, and the situation is not as bad as they might have feared.

Struan Robertson is a legal director at international law firm Pinsent Masons and editor of the firm's Webby-winning legal information site, A specialist in technology law, Robertson has focused almost exclusively since early 2000 on the legal issues surrounding the internet.

Topic: Government UK

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Silly non issue. As any firefox user will tell you, you accept the cookies per session and they're gone when you close the browser.
    I find the EU tackling of this somewhat two faced. On the one hand we have the EU Data Retention directive, effectively pre-emptive mass surveillance, which is incompatible with the privacy law. Then we have their WHITE-WASH of the SWIFT data to the US, claiming it is still private even if handed over on bulk to a foreign power, even thought they know they run unrestricted queries on that full data set.
    And now they are proposing to store internet surfing histories, on the excuse of an 'early warning system to protect kiddies, just as the copyright lobby decides the best way to get mass surveillance of the internet... is to claim it's to protect kiddies..."

    The EU structures under Baroso have been a disaster, rolling back core liberties in exchange for expanding EU powers.

    Yet all they can do is talk about cookies?
  • Why is they no mention of the end user's getting a slice of the profits being generated on their backs? per session's.
  • why does your article not mention

    Browser Fingerprinting?

    cookies are of issue but no longer as significant
  • It's a stupid law. Cookies are used very frequently for non-invasive things, such as shopping carts, remembering logins etc. You don't want to store shopping carts in the URL, or if you send a copy of the URL to someone else, you're sending them the shopping cart, and you can't store logins anywhere other than in a cookie.

    Also, what happens if someone says 'No I don't want you to store a cookie' - you CAN'T remember that they've said 'no' (that would need a cookie, which would be illegal), so you have to ask them EVERY TIME they go to the website. Which would be incredibly un-user friendly

    It will end up with users pressing 'yes' just to get rid of the annoying prompts, which is worse than the current situation, because now the sites would have EXPLICIT consent, not just implicit.

    The correct solution is to enforce it in the browser, and that would have the advantage of 'protecting' EU customers even when shopping from outside the EU, and not annoying non-EU customers purchasing from the EU. Also, it would mean you would know it would work, rather than relying on the website to possibly have done what it's meant to do.

    The EU have got it badly wrong here - someone's come up with this who has no idea...
  • @pscs - your examples of useful cookies are all first-person cookies; the intrusive ones tend to be third-party cookies, so it's possible to treat them differently. I'm quite keen on the tracking protection lists in IE 9, now agreed as the W3C standard and hope to see the EU respond on whether that meets their view of the legal obligation to get the standard adopted across different browsers. We also need a lot of education in this area.
    Simon Bisson and Mary Branscombe
  • I think the whole cookie situation has got well out of hand.

    I find NoScript very revealing. I have it set to always block, then enable just enough per session for the website I'm looking at to work. This usually needs less than 3 cookies, you you frequently see up to a dozen third party cookies in the list.

    Then you've got flash cookies and iFrames. There is a hell of a lot of crap thrown at the users, most of whom have no idea what is going on.

    Incidentally there were 6 third party cookies on this page blocked by NoScript and 3 doubleclick images blocked by ghostery.