Consent Required for Cookies? EU Regulatory Madness

The EU – a vast unregulated monopoly – loves the chance to present itself as a bulwark against, er, vast unregulated monopolies. You might remember them dragging Microsoft through the courts for eleventy years because they had the temerity to bundle their browser in with their OS, a battle that thrilled us all and led to spontaneous outpourings of joy when Microsoft’s evil monopoly was broken. We had a firework party down our way.

Anyway, they’re at it again. This time, they have cookies in their sights. The draft legislation is available in full, in a monstrous PDF format here, but the parts you’re probably interested in run thus:

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

Or, to put it in English: Thou Shalt Not Use Cookies Without Asking First.

Now cookies can, as we all know, be used for evil. But… seriously… dudes… WTF? It’s kind of hard to even know where to start with the stupidity of this law. If you unpick the offending clause it allows for their use if it is “strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.” We figure that means that your shopping cart is going to be OK but outside that… there’s a shedload of grey.

Technically speaking, this is merely a directive – not a law. That means that it is more guidance for lawmakers than an actual law with fines and prison sentences and stuff. But even putting this in shows a worrying lack of foresight. A single guy in a tinfoil hat who knows where to find his cookies and the name of a law firm could play merry hell with your business if you do something as zany as install Analytics.

You just know that someone somewhere is writing the form letter for solicitors to send out at £180 a time about “our client… blah blah… EU directive… blah blah… cease and desist cookies… blah blah… contact your ISP and have your site taken down… blah blah”.

They live for that shit.

You would have thought that the fact that the World Wide Web is all, like world wide might have seeped into the skulls of these people. If it’s really going to be a problem, I’m just going to locate my servers somewhere less savoury, or do my shopping on US sites or any one of 157,813 things that will make the EU less competitive for internet businesses to operate in and make precisely no difference whatsoever to the prevalence of cookies.

My guess (hope?) is that this is something that will get buried in the terms and conditions of most websites, unloved and ignored. The alternatives – dropping cookies altogether or masses of do-you-agree pop-ups springing up with every pageload – don’t even bear thinking about.

Alas, I can’t think of an internet version of the time-honoured French practice of burning a lorry load of lambs outside Calais by way of protest so I guess we’re all doomed.

12 Comments

  • John 1284 days ago

    http://www.twitter.com/omfg_followme

    EU = Stupid child in the corner of the class room who should keep his mouth shut.

    That was a great read, thanks! :}

    Time to make a parody ‘EU cookie monster’ website methinks…

  • Torben Lundsgaard 1284 days ago

    http://www.tlamedia.dk/

    This directive is not pro-consumer even though it was meant to be.

    I don’t know about the UK but there certainly hasn’t been any public debate about this in Denmark.

    As you point out it’s merely a directive – not a law. I believe that local governments have 2 years to implement the law but we all know that it can take longer. Eventually they will realise the madness and change the directive.

  • Bob Pitman 1284 days ago

    http://www.twitter.com/Sandanista

    26th April 2011 is the date national legislatures must have put the Telecoms Reform Package directive into law.

    Relocating your servers won’t help, if you retain any significant part of your company, infrastructure, staffing etc. within the EU you remain classed as an EU business and will be required to comply with the legislation or face the penalties.

    Cookies will still be “allowed”, it’s just that your website will be required to seek informed consent of clients before placing them, that means a pop up for EACH cookie giving (in my case) plain English explanation of what the cookie contains and is used for. The legislation has a few other wrinkles though, third party cookie explanations are not acceptable (so the built in cookie display in browsers won’t cut it) and each website will need to provide its own privacy policy statement rather than a handy third party template hosted elsewhere.

    They may have made a cock up of it but the intent to allow internet users to control what information is collected on them, that’s all good, cookies, as you say, can be used for evil.

    We await the Information Commissioner’s input and whether the fudge (informed consent may be assumed if the user’s browser agent is set to accept cookies) being hoped for is agreed.

    But based on many (UK) company websites’ level of legal compliance to the plethora of web law and prosecutions arising therefrom this new legislation will not get observed at anything but the largest corporations anyway!

    Be interesting to see whether any non EU corps get a technical Euro company stamp if they have significant corporate infrastructure based in the EU.

  • Bob Pitman 1284 days ago

    http://www.twitter.com/Sandanista

    Oh yes… the shopping cart cookie is to be allowed without informed consent as it’s essential to operation if you are selling online.

    The visit counter cookie is not and you’d have to ask.

  • TallTroll 1284 days ago

    Meh, once people work out that implementing this will break Amazon and just about every site that allows account creation, it’ll be canned, because it will make the WWW effectively unusable. It’s on a par with our own dear legislators’ plans to require ISPs to retain ALL user traffic data for 5 years, just in case anyone wanted to look at it. Then someone pointed out that you’d have to roof over the Isle of Wight to make it into a datacentre to store that quantity of data, and convert the whole of Wales into a giant power station to run it all. I think the current retention standard is 4 days…

  • Dudibob 1284 days ago

    This won’t solve anything anyway, even if a site requests you to accept a cookie (even a bad one) people will do, same for the Vista ‘anti-virus’ feature where it asked if you really wanted to do that lol.

  • James 1284 days ago

    http://www.jamesbreckenridge.co.uk

    When I first read this I was concerned, then I noticed this part:

    ‘Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.’

    What has changed? By allowing cookies at browser level you are accepting the use of cookies.

  • Amelia Vargo 1283 days ago

    Nice post! Had me all confused though with the legal jargon…

    Until I read the comment from James. He interprets it to mean that you accept cookies if you allow them at browser level. I think he has a point because how can you ask for consent on every single cookie? I think that would be impossible. I also think this would be impossible to enforce. So like James says – nothing’s really changed.

  • Allan Stewart 1283 days ago

    This is really bad news. Putting such restrictions on the use of persistent cookies is going to cause £1,000,000’s (and more) worth of damage to the economy in the UK and Europe. I only hope this doesn’t ever get passed as a law.

  • Gul 1282 days ago

    This is absurd. We use cookies a fair bit and something like that would be a complete disaster.

  • Ric 807 days ago

    This is pretty stupid and very hard to enforce. The amount of effort to enforce it would be better spent getting rid of ‘evil’ uses of cookies and saving us having to manually accept all the good ones.

  • Robert Hall 744 days ago

    This is ridiculous; people have the option not to use cookies. This will have a detrimental effect on the internet in the EU. People don’t like pop ups, that is why they have pop up blockers, and therefore won’t like having to constantly click to accept cookies for loads of websites. This is a step in the wrong direction for the web. So come on Google, start a protest against this stupidity! Surely someone will see sense and stop this. I use Google Analytics and find it useful when making changes to my site.

