{{ searchResult.published_at | date:'d MMMM yyyy' }}

Loading ...
Loading ...

Enter a search term such as “mobile analytics” or browse our content using the filters above.

No_results

That’s not only a poor Scrabble score but we also couldn’t find any results matching “”.
Check your spelling or try broadening your search.

Logo_distressed

Sorry about this, there is a problem with our search at the moment.
Please try again later.

Earlier this year, I wrote about an EU plan to require that internet users consent to cookies before they're placed on their computers. At the time, I called the plan "absurd".

Which must be precisely why the Council of the EU has approved a directive amending legislation to do just that. The announcement of this potentially horrendous action? Well-hidden in an 18 page Council press release.

The press release states:

The Council adopted a directive amending legislation in force on universal service ePrivacy and consumer protection.

The directive adapts the regulatory framework by strengthening and improving consumer protection and user rights in the electronic communications sector, facilitating access to and use of ecommunications for disabled users and enhancing the protection of individuals’ privacy and personal data (3674/09).

Seems innocuous, but if you read the final text of the legislation, the implications become quite clear:

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

Yes, this essentially requires that users be notified every time a cookie is to be placed on their machine unless that cookie "is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested".

The big question, of course, is how you define "strictly necessary". Whatever isn't "strictly necessary" would require that the user somehow be informed that a cookie is going to be placed on his machine, and essentially consent to having it placed. The vague wording potentially creates a lot of headaches for a lot of businesses. From online advertising to the implementation of personalization functionality, this directive has the potential to wreak havoc.

Perhaps the businesses with the most to lose: those who operate and participate in affiliate programs. A lay interpretation of the "strictly necessary" gibberish would seem to indicate that affiliate cookies will need to be opted in to. After all, a user may not know when he clicks on a link that somebody is going to earn a commission if he proceeds to buy something, and the affiliate cookie certainly isn't necessary to "[enable] the use of a specific service explicitly requested" (a retail website). If this interpretation is correct, the entire affiliate market in the EU had better watch out, although there's some question in my mind as to whether or not anyone will really bother to follow this nonsense given how ridiculous it is.

Out-Law.com has a great article about the EU directive and notes that a lot will happen between now and April 26, 2011, the date on which this will need to go into effect. The EU directive will need to "transposed into national laws" and regulatory bodies will need to clarify how this directive gets applied practically. Hopefully at least a few people involved in the process will have some common sense and this ill-conceived directive will be neutered before it has the chance to do real harm to consumers and businesses.

Photo credit: scubadive67 via Flickr.

Patricio Robles

Published 13 November, 2009 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy. Follow him on Twitter.

2341 more posts from this author

Comments (31)

Comment
No-profile-pic
Save or Cancel
Avatar-blank-50x50

susan forte

Reporting of this story is being orchestrated by a press release from a legal business that presumably has clients adversely affected by government stepping in to protect consumers. Consumers have overwhelmingly said they do not want to be scammed, they do not want cookies, they do not want advertising tailored to their browsing history. They want to be asked first if a website wants to advertise or sell to them.    

over 6 years ago

Avatar-blank-50x50

George - Planet Anarky

Absurd is definitely the word.

Is it fair to say that tracking could be affected too? Would a user consider that as "enabl[ing] the use of a specific service explicitly requested"?

I posted a small blog entry about this (here), and also wondered how it'd be enforced...

over 6 years ago

Jake Brumby

Jake Brumby, Managing Director at Mr Monkey Limited

This is just another example of how the EU is a massive waste of money and resources.

We must have a referendum on Europe.

http://blogs.telegraph.co.uk/news/danielhannan/100015753/we-must-have-a-referendum-and-not-just-on-the-eu/

over 6 years ago

Avatar-blank-50x50

Graham Knowles

My first thought was that this is great news for sites like Quidco, whose users would miss out on their cashback if they didn't accept the cookies. If I could buy shares in them, I would!

I guess other companies will just have to be more upfront about their services. For example, I've noticed that Criteo have finally added an information button to their banners, but still make it long-winded for users to opt out of their cookie.

I shouldn't think that companies with nothing to hide and a good cookie management UI will suffer much if this goes through.

over 6 years ago

Avatar-blank-50x50

susan forte

Before people rush to judgement, this could be drumming up business by scaring affiliates (by the legal business putting out the press release quoted above). An affiliate site that is providing a service that the consumer uses by clicking through to a merchant has to include a cookie. I'm not sure this directive is a problem for affiliates.

over 6 years ago

Jaamit Durrani

Jaamit Durrani, SEO Director at OMD UK

This is far bigger than just affiliate programmes - any site with any kind of Analytics or metrics uses cookies, as do shopping carts and display ads. To me it's a ridiculous piece of legislation.  I can see a mass 'civil disobedience' taking place amongst site owners if this does go ahead which could make enforcing it impossible. Also I would expect companies like Google using their weight to challenge this - imagine the effect on Analytics, Adwords, Adsense etc etc - all require cookies.

over 6 years ago

Avatar-blank-50x50

George - Planet Anarky

Susan, with all due respect, why would a business want to scare their affiliates? Some businesses rely on their affiliate networks to sell their products for them and is an intrinsic part of their business model.

I think the issue is that web users, rightly or wrongly, may not know that the site they're buying from is an affiliate/reseller for a larger company - and seeing a warning to accept a cookie for an affiliate network may put off users from purchasing.

That, and it'll be annoying. I don't even want to know how many times cookies are used on my daily web journeys.

over 6 years ago

Avatar-blank-50x50

susan forte

George, I was referring to the legal business which has started this debate. It may be drumming up business by predicting problems for affiliate partnerships, although it may be well founded comment. I dislike cookies and have a Firefox plug in that shows me exactly what is being loaded onto my computer. Yet I would accept having read what the directive says that if I use an affiliate website and click through from their to make a purchase, the affiliate needs to load a cookie onto my computer in order to be paid for the service I have used.

over 6 years ago

Avatar-blank-50x50

George - Planet Anarky

I see. Well, I've always considered out-law.com a good and unbiased source of info for the web/IT  industry, so (perhaps naively) don't see this as them touting for business.

I suppose my angle on this is that there are plenty of every-day web users out there who aren't as savvy as you regarding cookies (and what they do/where they're installed/what info they collect etc), and so seeing these warnings will simply put them off purchasing...or (perhaps worse) become blasé about always clicking 'accept' when, before the legislation & subsequent enforcement, the browser may have rejected it for them based on their security settings.

over 6 years ago

Avatar-blank-50x50

Jack

This absurd can go on further. Since if users are to be asked if they approve cookies installed on their machines they should also be asked whether they want all the graphics, images, css, flash and js files to be installed as well. Not only cookies are stored on clients' computers.

over 6 years ago

Avatar-blank-50x50

Cath

I can see what the EU are trying to do here and I'm an advocate of data privacy and transparency for web users even if it means our marketing gets that little bit harder, plus the EU are doing more to protect the electronic privacy of people in the UK than our own government. 

But such blanket legislation is going to effect usability and user experience, especially any form of personalisation - never mind the impact on something as basic as web analytics. They really need to differentiate the various tasks cookies are used for before enforcing any kind of legislation.

over 6 years ago

Avatar-blank-50x50

Struan

Hi Susan, I wrote the OUT-LAW story so I thought I'd respond to your comments to clear up any confusion.

I wrote the piece to raise awareness of an issue that I consider important and one that merited more attention than it had received to date. I'm delighted that econsultancy and others have picked it up. Whether people agree or disagree with my opinion on the merit of the law, businesses should know about it.

For avoidance of doubt, it was neither a press release nor a cynical attempt to drum up business. OUT-LAW has been running for almost 10 years. I doubt it would have lasted 10 days if that was our approach.

over 6 years ago

Avatar-blank-50x50

Sasha

So if a user declines cookies they will get the "do you want cookies?" question asked each and everytime they go to the site because the site can't use cookies to know they recognise them again. I suspect most users will simply accept cookies after a few visits just so they don't get the annoying question. Given that cookies do all sorts of things, other than being used for targeted advertising it's going to disrupt peoples day to day use of the internet greatly.

over 6 years ago

Patricio Robles

Patricio Robles, Tech Reporter at Econsultancy

Susan,

I'd half-jokingly point out that just about every time government steps in to "protect" consumers, the exact opposite happens. That will almost certainly be the case here.

I think most reasonable people would agree that consumer privacy online is an important subject, but trying to require consumers to consent to each and every cookie is as impractical as it is absurd. As Jaamit pointed out above, cookies are used for a lot of things, such as analytics. Many if not most of these things help businesses better serve consumers.

over 6 years ago

Avatar-blank-50x50

A. Rebentisch

You communicate desinformation, fine. But it does not make sense to me to do so after an act has been adopted. Apparently the message is to invest more in lobbying in implementation phase and invoke anti-EU sentiment to this end. Maybe you don't know that an EU directive is an act of the Council and Parliament. Maybe you don't know what are recitals. In any case your analysis about the legal implications is wrong.

over 6 years ago

Avatar-blank-50x50

Bob Jones

Surely the phrase "Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. " Means you can set your browser to the appropriate level of security/privacy to automatically accept cookies and that is defined by the above as expressing permission for the storage of cookies? Therefore there is no need to separately ask for permission, the user has been judged to have already granted permission by setting this on the browser settings.

over 6 years ago

Avatar-blank-50x50

A. Rebentisch

It is a recital of a directive which changes another directive. So the amended directive will be consolidated ("codified") and the recital is gone. Magic.

Recital language, also known as the department of "whereas": "It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities."


That is lukewarm and does not mean a thing but it shows that MEPs and Council are not satisfied with the current privacy practice with regard to cookies. They expressed that before, they expressed that will again.

over 6 years ago

Avatar-blank-50x50

A. Rebentisch

Now the meat:

Article 5(3) shall be replaced by the following:
"3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.";

That makes perfectly sense to me. A kind of digital house right. I don't want that services hack my computer and store their data without my prior consent. I own my equipment and want to control what is performed and stored there. I would expect case law to develop along these lines of common sense.

Status quo:

Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. ...

So  my "consent" instead of my "right to refuse". I can't help but that seems legally better. I wonder if consumer groups would argue they lost their right to refuse such processing...

over 6 years ago

Avatar-blank-50x50

Aurelie Pols

I just whished everybody would calm down before crying wolf like that!

A referendum on Europe? Wow!

You might want to read another perspective: http://aurelie.webanalyticsdemystified.com/2009/11/10/eu-cookie-law-interpretation-is-breathtakingly-stupid/

Respectfully,

Aurélie

over 6 years ago

Jake Brumby

Jake Brumby, Managing Director at Mr Monkey Limited

There is a strong case for leaving the EU. Watch it here:

http://www.youtube.com/watch?v=JkSIerYCXOA

over 6 years ago

Avatar-blank-50x50

Depesh Mandalia, Head of Digital Marketing at Lost My Name

At the end of the day, many web services for business rely on cookies to identify the user's visit. Imagine if you had to ask for permission to drop a cookie. If the user states 'no', how will you know that you've already asked them?

In basic terms, scaremongering users to reject cookies will in turn cause massive headaches for businesses ranging from analytics, MVT, surveys, banner retargetting, affiliate links (note: not all rely on cookies) etc.

What is likely to happen nearer the time is that the EU will realise the can of worms they've opened and retract it, or at least simply make it law to include, in as transparent a way as possible, what you are using cookies for and their implications to the user (i.e. a clearer privacy statement)

Here are some thoughts from the Affiliate Marketing community (note: topic started before this article was written) http://www.affiliates4u.com/forums/affiliate-marketing-lounge/130155-big-threat-affiliate-marketing.html

over 6 years ago

Avatar-blank-50x50

Diane

Doesn't internet explorer already have a setting that blocks all cookies without permission?

The idea that people will want to agree to setting a cookie every 5 seconds is insane.

There's nothing wrong with cookies used properly, although if the EU gets it's way it looks like the only proper way with cookies will be with a glass of milk!

over 6 years ago

Patricio Robles

Patricio Robles, Tech Reporter at Econsultancy

A. Rebentisch,

I would expect case law to develop along these lines of common sense.

Why would you ever expect such a thing? Frankly, I see little evidence that most of the laws passed around the world today develop along the lines of common sense.

I don't want that services hack my computer and store their data without my prior consent. I own my equipment and want to control what is performed and stored there.

Placing a cookie on your machine is not hacking and you already have the control you seek. As far as I've seen, modern versions of all the major browsers allow you to reject cookies, or reject cookies with no attached privacy policy.

From a technical standpoint, using the control your browser already gives you is a perfect solution since the blocking is taking place proactively on your machine.

From a technical standpoint, putting the burden of asking for your consent on a third party is far from perfect. Not every website you visit will be based in the EU, and not everybody in the EU would obey the laws that EU nations implement. Because of this, laws that require others to ask for your consent will only provide you with a false sense of security and nothing more.

With this said, I suppose a question is in order for those who don't have a problem with this directive: why do you want government bureaucrats implementing laws designed to accomplish what you can already achieve with a few clicks of a mouse?

over 6 years ago

Avatar-blank-50x50

Amit

This post definitely teaches some nice things.Nice work and nice post.

over 6 years ago

Avatar-blank-50x50

pick your shoes

I've just finished entering the details of the shipping prices for around 60 merchants into a vertical comparison tool of ours.

over 6 years ago

Avatar-blank-50x50

Paul Lewios

Great post...

How are the big comanies such as Google going to be affected and where do you think affiliate marketing will go, because it won't die away..

Why not just take it a step further and sue anyone who looks at you without permission.

Wrote a follow up article here http://www.pglewis.co.uk

over 6 years ago

Avatar-blank-50x50

A. Rebentisch

"With this said, I suppose a question is in order for those who don't have a problem with this directive: why do you want government bureaucrats implementing laws designed to accomplish what you can already achieve with a few clicks of a mouse?"

First of all I would abstain from insults. That is just a matter of professionalism. The persons are not bureaucrats but European legislators.

Their idea is apparently that a requirement of consent is necessary when you store and retrieve data about me on my equipment. It is important to consider what "consent" means in legal terms. In short it requires a prior declaration of will but probably also concludent behaviour (e.g. permitting cookies in your browser settings) would qualify. "Consent" is a very straight concept from private law, bread and butter, the earlier solution was not. So in fact no one needs to implement sui generis rules.

"From a technical standpoint, putting the burden of asking for your consent on a third party is far from perfect. Not every website you visit will be based in the EU, and not everybody in the EU would obey the laws that EU nations implement."

When in Rome, do as Romans do. The EU is large and important enough to set rules. If you want to store data on my machine, you need my consent. No one forces someone to store data on my machine.

Disobedience to the law is no argument but just an enforcement task.

over 6 years ago

Avatar-blank-50x50

Legal Advice

I agree - this is very hard to police!

about 6 years ago

Avatar-blank-50x50

Office Space to Rent

Privacy is very important - they should get my persmission!

about 6 years ago

Avatar-blank-50x50

Kristian

EU legislators clearly don't understand the way the web works!

A web server doesn't have access to the client equipment to store any data. A cookie is just a text string (a line of text) that is transmitted in HTTP requests and responses between the browser and the server. When the browser receives an HTTP response which includes a cookie string, it (the browser software running on the client machine) decides whether to and how to store the string based on it's configuration and/or the users preference.

The browser stores and manages the string, then bombards the associated server with the cookie string on every subsequent request. The server doesn't ask the browser to send the cookie with EVERY request, it's automatic.. that's the way the web works. When you visit the average website, the server is force fed your cookie 10-20 times: once for the page itself, then again for each of its resources (images, style sheets, JavaScript) if they are located on the same domain. The server only wants it once but that's not the way the web works.

Saying the server needs permission to "gain access to information already stored" is like saying a when the phone rings, a person must avert their eyes as they answer the phone and not look at the caller ID display until after they've answered it and asked for the permission to look at the caller ID and see the phone number. It's nonsensical! This law can only be applied to browsers and other client software, not websites.

about 6 years ago

Avatar-blank-50x50

Lawyer

Good post howver I can't see this been implemeted as it will be very difficult to police

over 5 years ago

Comment
No-profile-pic
Save or Cancel
Daily_pulse_signup_wide

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Daily Pulse newsletter. Each weekday, you ll receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.