Earlier this year, I wrote about an EU plan to require that internet users consent to cookies before they're placed on their computers. At the time, I called the plan "absurd".
Which must be precisely why the Council of the EU has approved a directive amending legislation to do just that. The announcement of this potentially horrendous action? Well-hidden in an 18 page Council press release.
The press release states:
The Council adopted a directive amending legislation in force on universal service ePrivacy and consumer protection.
The directive adapts the regulatory framework by strengthening and improving consumer protection and user rights in the electronic communications sector, facilitating access to and use of ecommunications for disabled users and enhancing the protection of individuals’ privacy and personal data (3674/09).
Seems innocuous, but if you read the final text of the legislation, the implications become quite clear:
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.
Yes, this essentially requires that users be notified every time a cookie is to be placed on their machine unless that cookie "is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested".
The big question, of course, is how you define "strictly necessary". Whatever isn't "strictly necessary" would require that the user somehow be informed that a cookie is going to be placed on his machine, and essentially consent to having it placed. The vague wording potentially creates a lot of headaches for a lot of businesses. From online advertising to the implementation of personalization functionality, this directive has the potential to wreak havoc.
Perhaps the businesses with the most to lose: those who operate and participate in affiliate programs. A lay interpretation of the "strictly necessary" gibberish would seem to indicate that affiliate cookies will need to be opted in to. After all, a user may not know when he clicks on a link that somebody is going to earn a commission if he proceeds to buy something, and the affiliate cookie certainly isn't necessary to "[enable] the use of a specific service explicitly requested" (a retail website). If this interpretation is correct, the entire affiliate market in the EU had better watch out, although there's some question in my mind as to whether or not anyone will really bother to follow this nonsense given how ridiculous it is.
Out-Law.com has a great article about the EU directive and notes that a lot will happen between now and April 26, 2011, the date on which this will need to go into effect. The EU directive will need to "transposed into national laws" and regulatory bodies will need to clarify how this directive gets applied practically. Hopefully at least a few people involved in the process will have some common sense and this ill-conceived directive will be neutered before it has the chance to do real harm to consumers and businesses.
Photo credit: scubadive67 via Flickr.