Google is reportedly one of a number of advertisers that have been bypassing Apple’s privacy settings to track the browsing habits of Safari users.

According to the Wall Street Journal (WSJ), code placed in display ads installed cookies in internet browsers without the user’s permission.

Safari blocks websites from using cookies without user consent, but Google’s code circumvented this by making the browser think that the user was interacting with the web page by filling out a form.

Google could then install a cookie on the user’s phone or computer and track their browsing across the web.

Three other online-ad companies were found using similar techniques: Vibrant Media Inc, WPP PLC’s Media Innovation Group LLC and Gannett Co.’s PointRoll Inc.

Google said that the code was to provide features that signed-in Google users had enabled and that the cookies did not collect personal information, but since the WSJ report on Friday, it has disabled the code.

Cookies are a hot topic at the moment thanks to an impending EU law that requires websites to gain user consent before installing them.

Taken from ssoosay's Flickr stream

In an interview with us last week Foolproof director Meriel Lenfestey said that websites need to look for new ways to gain user consent or risk affecting user experience and damaging revenues.

Without consent, the immediate impact will be a reduced set of functionality and a less personal experience where the user must hunt down relevant information rather than have it float to the surface.

She predicted that many major online retailers, such as Tesco or Amazon, would wait to see how the new law works in practice before complying with the regulations.

I expect that few (if any) will fully comply, at least at first until they see what their competitors have done, how the ICO is enforcing the law, and how users respond with their increased awareness.

The issue is made more complicated by third-party cookies such as the type being used by Google.

In a review of the latest ICO guidance Econsultancy CEO Ashley Friedlein said that it will be nearly impossible for websites to notify users of all third-party cookies when taking into account analytics, social log-in buttons, widgets, embedded YouTube clips and so on.

I assume the likes of Facebook, Amazon, Google, Apple etc. will all abrogate responsibility legally to the rest of us and it’ll be our job to explain what exactly Facebook is doing with cookies when our users log into our sites using Facebook Connect, for example?

So, even though at the moment Google’s Safari code is a bit of a headache for Apple, in future we may see web pages breaking EU law without even realising it.