Europe moves away from cookie clampdown

It is looking increasingly unlikely that the European Commission will insist on tough restrictions on the use of cookies, although the UK could still follow a more pro-privacy approach

Internet users will not be warned before a cookie is installed on their computer if the European Parliament accepts the recommendations of one of its key committees, even though privacy advocates are pushing for an opt-in policy.

The Committee on Citizens' Freedoms and Rights, Justice and Home Affairs said on Thursday that users should not be warned in advance before a Web site installs a cookie on their hard drive. The issue of cookies was being considered by the committee as part of its scrutiny of the draft European electronic data collection and privacy directive.

This policy puts the committee at odds with the European Council, which believes users should be told first. Back in March the European Council agreed to amend the text of the draft directive so that sites would be required to give information about cookies "in advance".

"As regards the use of 'cookies', the Committee concurred with the Council position that users should have the right to refuse the installation of cookies, but it felt that it would suffice to guarantee users the possibility of accessing clear information on the purposes of cookies, thus rejecting the Council's view that users should receive this information in advance," said the committee in a statement following a meeting on Thursday.

Cookies are small pieces of code used mainly by commercial Web sites to track users. They are downloaded to a user's hard disk by the browser and used to recognise and authenticate users when they return to a Web site so they don't have to log in every time. Some, such as those involved with an online purchase, only last for a short amount of time, but others can last much longer -- potentially making them a record of a user's surfing activities over a number of years.

Web browsing software can be configured so that it warns a user when a site tries to install a cookie, and can even be set to automatically reject them. However, there are concerns that less technically adept users will not consider using such settings.

The European Parliament is expected to ratify the draft directive in May. A compromise may have to be reached, though, between those who believe that users should be told before a cookie is installed and those who just believe users should have to pro-actively find out what the cookies on their system are doing.

Back in November 2001, the Parliament adopted an amendment to the draft electronic data collection and privacy directive to restrict the use of cookies. If implemented, this amendment would have forced Web sites to ask a user if they wanted to accept a cookie.

This amendment was opposed by organisations such as the Interactive Advertising Bureau, which claimed it would cost business millions of pounds and hamper the user, because they would have to enter passwords and reset personal preferences whenever they visited a site.

Following this lobbying, the European Commission subsequently proposed an "opt-out" policy.

The UK's Information Commissioner takes a different line. It believes that computers users should be given the option of accepting or rejecting a cookie, because some can be used to build up a profile of a user.

"We're not saying that all cookies are bad, or that all cookies raise privacy issues," David Smith, assistant information commissioner at the Office of the Information Commissioner, told ZDNet UK News. "But, when a cookie is used to build up an online profile then it is processing personal data, and as such it is covered by the Data Protection Act," Smith explained.

As such, the Information Commissioner's office supports an opt-in policy. Once the European Union issues the data protection directive the British government will have to bring it into UK law, which means it's still possible for Britain to embrace an opt-in approach.

"Once a policy is adopted at the European level we must implement it, but it's possible that the UK could decide to introduce a more privacy-friendly approach. It very much depends how the directive is phrased," said Smith, explaining that the directive might give individual nations the flexibility to choose an opt-in or an opt-out policy.

Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section.

Have your say instantly, and see what others have said. Go to the ZDNet news forum.

Let the editors know what you think in the Mailroom.