Stop the cookie monster and save Europe's websites

Misguided European laws on cookies could have a devastating impact on websites, says Struan Robertson
Written by Struan Robertson, Contributor

Contradictory European proposals could outlaw the automatic delivery of cookies and disrupt the way websites work, says Struan Robertson.

Visit any website and there is a good chance it will send a cookie to your computer. But unless that cookie is essential, its delivery could become illegal under a strange new plan that has — very quietly — won EU support.

Cookies are small pieces of text that a website asks the visitor's browser to store and to send back with later requests to that site. Without them, websites would struggle to recognise returning users or, for example, analyse traffic.

Under plans endorsed by the European Commission, the Council of Ministers and the European Parliament, we would have to ask visitors for permission to send that cookie when they visit.

We are all subject to this requirement for prior consent — or so it seems. The trouble is we do not know what the law really means. No one does because the proposed law is ambiguous.

There is already a cookie law in Europe today. It comes from the Privacy and Electronic Communications directive, which says sites using cookies must give visitors "clear and comprehensive information" about the purpose of the cookies. They must also offer visitors "the right to refuse" the use of cookies. That law was passed in 2002 and is somewhat ambiguous — but in a way that allows for pragmatic interpretations.

The 2002 directive did not say when or how the information had to be provided. It was implemented in the UK in a set of regulations that parroted the directive's ambiguous language. But our information commissioner, to his credit, took a pragmatic view. He published guidance that said it was acceptable to display the information in a privacy policy, asking only that "the policy should be clearly signposted at least on those pages where a user may enter a website." Usability survived — in the UK, at least.

To comply with today's law is easy. Websites add a privacy-policy link to every page, and that policy explains their uses of cookies. The right to refuse cookies is dealt with retrospectively: you will probably have the cookie by the time you read about it. But that is acceptable, the commissioner tells us, provided the policy guides users on how they can control and delete the cookies on their machines.

Taking the biscuit
That simple approach to cookie compliance is under threat. The new law says cookies can be delivered to a user's computer only if that user "has given his or her consent, having been provided with clear and comprehensive information" unless it is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service".

For example, if I'm shopping at Amazon.co.uk and I put a book in my shopping basket, Amazon can use a cookie to remember which book I want when I proceed to the checkout. That cookie is essential to the service I have explicitly requested. But if Amazon wants to use a cookie for another purpose, perhaps to monitor shopping basket abandonment, it needs my consent.
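The distinction the article draws here, between a cookie that is strictly necessary for a service the visitor explicitly requested and one that needs prior consent, maps directly onto how a web application should decide which Set-Cookie headers to emit. The following is an added example, not code from the article or from Amazon: a minimal request handler for an "add to basket" action that always sets the basket cookie but sets an analytics cookie only when the visitor's own browser has presented an explicit consent cookie. The cookie names, the consent-flag format and the request/response shapes are assumptions for illustration; the cookie serialisation uses the Python standard library.

```python
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Cookie names and the consent-flag format are assumptions for illustration.
CART_COOKIE = "basket_id"          # strictly necessary: remembers the basket
ANALYTICS_COOKIE = "analytics_id"  # not necessary: needs prior consent
CONSENT_COOKIE = "cookie_consent"  # set only after the visitor answers a question


@dataclass
class Request:
    path: str
    cookie_header: str = ""  # raw value of the Cookie request header


@dataclass
class Response:
    body: str
    headers: list = field(default_factory=list)  # (name, value) pairs

    def set_cookie(self, name, value, **attrs):
        """Append a Set-Cookie header built with the stdlib cookie serialiser."""
        jar = SimpleCookie()
        jar[name] = value
        for attr, attr_value in attrs.items():
            jar[name][attr] = attr_value
        self.headers.append(("Set-Cookie", jar[name].OutputString()))

    def cookies_set(self):
        """Names of the cookies this response asks the browser to store."""
        return {v.split("=", 1)[0] for n, v in self.headers if n == "Set-Cookie"}


def parse_cookie_header(raw):
    """Parse a raw Cookie header into a name -> value dict (empty if absent)."""
    jar = SimpleCookie()
    jar.load(raw)
    return {name: morsel.value for name, morsel in jar.items()}


def has_analytics_consent(cookies):
    """Consent is an explicit 'analytics' token; a missing cookie is not consent."""
    return "analytics" in cookies.get(CONSENT_COOKIE, "").split(",")


def handle_add_to_basket(request):
    cookies = parse_cookie_header(request.cookie_header)
    response = Response(body="Added to basket")

    # Strictly necessary: the visitor explicitly asked for a basket, so the
    # cookie that identifies it can be set without a consent prompt.
    if CART_COOKIE not in cookies:
        response.set_cookie(CART_COOKIE, secrets.token_urlsafe(16),
                            path="/", secure=True, httponly=True, samesite="Lax")

    # Not strictly necessary: basket-abandonment tracking runs only when the
    # visitor has already said yes. Silence (no consent cookie) means no.
    if has_analytics_consent(cookies) and ANALYTICS_COOKIE not in cookies:
        response.set_cookie(ANALYTICS_COOKIE, secrets.token_urlsafe(16),
                            path="/", secure=True, samesite="Lax")
    return response


if __name__ == "__main__":
    first_visit = handle_add_to_basket(Request("/basket/add"))
    print(sorted(first_visit.cookies_set()))  # basket cookie only
    consented = handle_add_to_basket(
        Request("/basket/add", cookie_header="cookie_consent=analytics"))
    print(sorted(consented.cookies_set()))  # basket and analytics cookies
```

The point of the design is that the analytics branch keys off a value the visitor actively set, not off the absence of an opt-out or a browser default, which is the reading of consent the article says a court would likely demand.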

That proposal sounds bad, but a 'recital' to the new law could provide an escape clause. In any directive, recitals are listed before the formal 'articles'. They provide an introduction to the new law, sharing the lawmakers' rationale for the provisions that follow. Curiously, the cookie recital includes a suggestion that conflicts with the main article.

The new cookie recital says: "The user's will to accept processing may be expressed by way of using the appropriate settings of a browser or other application."

Most browsers have a default setting that allows cookies. Most people never change that, and many do not know that the setting exists. A court might reasonably question how consent can be implied from a default setting. If no question is asked, silence does not convey consent.

In fact, the expression of a "will to accept" is as close as the recital gets to mentioning consent. The recital refers twice to "the right to refuse" a cookie — yet the article itself tells us that users must give consent, which is a different standard and a higher one.

The recital reads like an afterthought, like an apology for the overzealous article that follows. As such, the combination makes little sense — and websites are given a headache.

Before it crumbles
The root of the problem is that this law is probably not aimed at cookies at all. It is aimed at more sinister things being placed on or read from website visitors' computers. In an effort to remain technology-neutral, the article fails in its purpose. It talks of storing "information", not cookies, thereby categorising harmless cookies and password-stealing Trojans together. That is unhelpful and we have been left with ambiguous wording.

Fortunately, there is time to fix this legislative mess. The law is part of a wider telecoms reform package, which looks likely to face delays because of a last-minute amendment in the European Parliament relating to file sharing.

On 12 June, the Council of Ministers will decide whether or not to accept the file-sharing changes. By then there will be a new Parliament and, from November, a new group of commissioners. Although all three bodies had agreed the cookie part of the law, the new assemblies may revisit and change that element too.

Without this potential delay, the latest cookie proposals would have been installed in EU law this month with the stealth of the spyware they set out to block. Most of us did not know these plans existed. But our silence must not be misinterpreted as consent.

Struan Robertson is a legal director at international law firm Pinsent Masons and editor of the firm's Webby-winning legal information site, Out-Law.com. A specialist in technology law, Robertson has focused almost exclusively since early 2000 on the legal issues surrounding the internet.
