In 2009 the European Union (EU) passed a new law called the Citizens Rights Directive for Internet tracking files such as cookies, under which the businesses placing those cookies had to obtain a consumer’s consent before actually placing them unless it is ‘necessary’ for the delivery of the service. Cookies are small text files placed on a consumer’s computer by certain websites to allow the saving of usernames and passwords, user preferences and certain user actions to allow targeted marketing.
Now an argument has developed over what the law actually means. It is vague in its requirements – it is not clear whether the law requires that a consumer should give consent each time a cookie is placed, or whether a one off consent when a consumer sets up their web-browser is sufficient. Providing consent for each cookie would provide much more privacy protection for a consumer. The flip-side would be that advertising revenues collected as a result of cookies would drop substantially, as consumers would be able to withhold consent for every cookie, and there would be a significant cost for businesses that place cookies to update their software to comply with the law. It would also be a major hassle and impediment to consumers’ use of the Internet to have their usage continually interrupted. The current law allows cookies to be placed unless a consumer specifically opts out.
Guidance has been promised by the EU for early 2011, but countries have to comply with the law by May 2011. That will not give countries much time to understand the guidance in time for implementation. That said, the UK, along with several other countries, has indicated that it will probably just copy the EU law out and invite the Information Commissioner’s Office – the UK privacy regulator – to interpret it. For more on the UK’s position, click here: http://www.mablaw.com/2010/09/bis-consults-on-implementation-of-new-e-privacy-directive/.