Members of the European Union were to have implemented the EU’s ePrivacy Directive by today, May 25, after two years of prep time to comply with the law’s requirements. However, in a development that surprises almost no one, virtually no European countries have done so, with only Denmark, Estonia, and the United Kingdom having indicated they’ve taken any action at all—and the UK’s response was to give companies another year to come into compliance.
The EU ePrivacy Directive (full text) includes many provisions aimed at giving consumers control over their personal information and how that information is used by companies, including both firms they have directly conducted business with but also advertisers, software vendors, and analytics outfits. Among the provisions is the so-called “Cookie Directive,” which requires companies get “explicit consent” from users before storing browser cookies on their computers or other devices.
Cookies are small bits of data, often unique identifiers, that sites often use to keep track of users’ sessions and log-in information to provide a customized or context-appropriate experience. However, cookies are also used by marketing and analytics firms to track users as they move around the Web: cookies used by advertising networks, for instance, can recognize an individual user when they innocuously access any site in the network. Advertisers say they use the information to serve up ads more tailored to users’ interests and habits; however, the fact that companies are collecting so much data about users’ interests and habits—which subjects typically have no way to access, audit, amend, delete, or correct—has long set privacy watchdogs on edge.
The ePrivacy Directive does not offer a detailed definition of what “explicit consent” must be to comply with the directive. Many companies and countries are hoping that merely using a Web browser set up to accept cookies implies consent by the user.
Most browsers ship with cookies enabled by default. The UK government, at least, believes default browser settings do not meet the requirements of the ePrivacy Directive.
“We recognize that some Web site users have real concerns around online privacy, but also recognize that cookies play a key role in the smooth running of the internet,” wrote UK Communications Minister Ed Vaizey, in a statement. “This Europe-wide legislation will ultimately help improve the control that individuals have over their personal data and help ensure they can use the internet with confidence.”
Retailers, online service providers, and others note that asking users to explicitly consent to every cookie used by their systems will place a substantial burden on their operations. A race to comply could create a free-for-all with most major sites and services developing their own inconsistent methods for handling cookie preferences. Governments instead have been looking to browser developers like Microsoft, Google, and Mozilla to implement “Do Not Track” and similar functionalities to solve the issue on the browser side.
In granting a one-year extension to business, UK Information Commissioner indicates his own office’s guidelines for UK companies are a still in development (PDF), and the solution his own office has settled on (a header bar on its pages) should not be considered a universal solution. The
In the meantime, the European Commission may consider opening infringement proceedings against member states that have failed to integrate the ePrivacy Directive into their own national law.