EU Cookie Law

You have probably heard about the EU Cookie Law and wondered what all the fuss is about. Well, let's talk about it. To understand what's going on, we first need to understand what a ‘cookie’ is.

For convenience, here are some common resources you can read for detailed information about cookies: Living Internet, HowStuffWorks, Wikipedia.

Briefly, though, a cookie is a small piece of data (a text file) which a website can store either in a user's browser or on a user's hard drive. Cookies perform many of the essential back-end functions of browsing the World Wide Web. For example, when you choose to store your user ID and password for a particular website, there is a cookie functioning behind it.

However, a cookie can also be used for more than just essential functionality on the web. It can be designed to track a user's activity across multiple websites and to store information such as search terms used or products viewed; information which can then be used by third parties, marketers or businesses to analyze user behavior or serve targeted advertisements.

The catch is that, to date, the user has had relatively little choice or knowledge about what kind of cookies are being used to track him/her or what information those cookies are collecting. This is a serious privacy concern, and the EU Cookie Directive is going to up the ante regarding individual privacy on the internet.

So, what is the EU Cookie Directive?

Let's examine its history and evolution.

— In 1995 the EU passed the EU Data Protection Directive 95/46/EC. It was one of the first regulations regarding protection and processing of personal data.

— In 2002, the EU passed a Directive on privacy and electronic communications 2002/58/EC, also commonly known as the EU Privacy Directive. This directive dealt with significant issues such as data traffic and retention, spam and cookies. It was in this directive that Article 5(3) first brought forth the concept of receiving informed consent of users before storing cookies on their terminal. This was, however, put forth as a recommendation.

— In 2009, the now commonly known EU Cookie Directive 2009/136/EC was adopted, amending various provisions of the EU Privacy Directive 2002/58/EC.

One of the most significant amendments in the EU Cookie Directive was to Article 5(3), which states in pertinent part: “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

To put it simply, under the new EU Cookie Directive, marketers, advertisers, business owners and website owners operating in any EU country or targeting any EU country are now required (it is no longer a recommendation as before) to obtain affirmative, informed user consent, aka an “opt-in” from the user, before using web cookies or other technologies to harvest user data. The only exception is if what you are doing is ‘strictly necessary’ for a service requested by the user.

On the face of it, the EU Cookie Law does seem like a step in the right direction of giving users greater control over their individual privacy. On the flip side, one could question how informed a user's consent will actually be. For example, on a regular basis we click on check boxes accepting terms and conditions to various web services without ever actually reading them; even though there is consent, it is not informed.

Will this new EU Cookie Law be just another bureaucratic layer added to a user's web experience, or will it actually be a tool that spearheads the movement for control of individual online privacy? This is yet to be seen.

Another point to consider is what impact this law will have on web-based services. To illustrate this point: the next time you are on Netflix and have opted out of cookies, you will no longer be able to see any movie recommendations, since there will be no cookies present to remember your prior choices; or, if you want to automatically log in to your email, you will not be able to do so, since opting out will remove cookies that store your username and password. For advertisers and web marketers, this could potentially be a big loss, since losing the ability to track and analyze user behavior will directly impact their ability to serve the user relevant ads.

The course of the EU Cookie Law is a good example of the increased trend towards regulation by state bodies. This is a good move, keeping in mind the increasingly obvious privacy concerns. What I would like to see, however, is how this fragmentation in regulations between state versus industry bodies, as well as the regional differences (for example US versus EU), pans out.