New EC Cookie Law?

Considerable concern has been expressed about the news that it has apparently been agreed to change European law on cookies as part of the revision of the Telecoms Directives.

The current law on cookies is contained in Article 5 of the Directive on Privacy and Electronic Communications (2002/58/EC) and Regulation 6 of the UK’s matching Privacy and Electronic Communications Regulations 2003. Those require that whenever cookies are stored and accessed, the user must “[be] provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and [be] given the opportunity to refuse the storage of or access to that information”. The Information Commissioner’s Good Practice Note suggests that this can be done by providing information as part of the site’s privacy policy and allowing users to refuse continued processing once they are on a site, in other words informing visitors and then allowing them to opt out of cookies.

However, a new text – apparently already accepted by the European Parliament, Commission and Council of Ministers – would change the law to require the information and opportunity to refuse to be provided before any cookies are stored in a browser. This appears to be a well-intentioned attempt to improve privacy protection, but since cookies are now very widely used by websites, commentators have raised visions of every website being preceded by a “may we use cookies?” landing page or hidden behind a fog of permission-seeking pop-ups, with the resulting collapse of the advert-funded business model.

Two facts may mean that things aren’t quite that bad.

First, both the old and new texts recognise that some cookies are “strictly necessary” to provide the service that the user wants. Shopping cart cookies are the most obvious example. These cookies are, and will continue to be, exempt from the right to refuse – the only way to refuse these cookies is not to use the service.

Second, EC Directives need to be transposed into UK law, and commentators have expressed the hope that what emerges from this may be a more practical requirement, supported by pragmatic guidance from the Information Commissioner. Most Directives give member states 18 months to transpose the EC requirement into national law, so there are likely to be some interesting discussions between now and 2011.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
