Consent Required for Cookies? EU Regulatory Madness
The EU – a vast unregulated monopoly – loves the chance to present itself as a bulwark against, er, vast unregulated monopolies. You might remember them dragging Microsoft through the courts for eleventy years because they had the temerity to bundle their browser in with their OS, a battle that thrilled us all and led to spontaneous outpourings of joy when Microsoft’s evil monopoly was broken. We had a firework party down our way.
Anyway, they’re at it again. This time, they have cookies in their sights. The draft legislation is available in full, in a monstrous PDF format here, but the parts you’re probably interested in run thus:
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.
Now cookies can, as we all know, be used for evil. But… seriously… dudes… WTF? It’s kind of hard to even know where to start with the stupidity of this law. If you unpick the offending clause it allows for their use if it is “strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.” We figure that means that your shopping cart is going to be OK but outside that… there’s a shedload of grey.
Technically speaking, this is merely a directive – not a law. That means that it is more guidance for lawmakers than an actual law with fines and prison sentences and stuff. But even putting this in shows a worrying lack of foresight. A single guy in a tinfoil hat who knows where to find his cookies and the name of a law firm could play merry hell with your business if you do something as zany as install Analytics.
You just know that someone somewhere is writing the form letter for solicitors to send out at £180 a time about “our client… blah blah… EU directive… blah blah… cease and desist cookies… blah blah… contact your ISP and have your site taken down… blah blah”.
They live for that shit.
You would have thought that the fact that the World Wide Web is all, like, world wide might have seeped into the skulls of these people. If it’s really going to be a problem, I’m just going to locate my servers somewhere less savoury, or do my shopping on US sites or any one of 157,813 things that will make the EU less competitive for internet businesses to operate in and make precisely no difference whatsoever to the prevalence of cookies.
My guess (hope?) is that this is something that will get buried in the terms and conditions of most websites, unloved and ignored. The alternatives – dropping cookies altogether or masses of do-you-agree pop-ups springing up with every pageload – don’t even bear thinking about.
Alas, I can’t think of an internet version of the time-honoured French practice of burning a lorry load of lambs outside Calais by way of protest so I guess we’re all doomed.