Implementing the EU e-Privacy Directive: The Cookie Problem

This article explores the EU e-Privacy Directive, with a focus on the “Cookie Law,” which was passed late 2009. The Directive has yet to be fully implemented in all EU member states and the amendment of the “Cookie Law” has created additional roadblocks to harmonization of legislation across Europe.

Background: e-Privacy Directive
The European Commission’s Directive of Privacy and Electronic Communications 2002/58/EC (also referred to as the e-Privacy Directive) required that public communications providers (i.e. internet service providers and telecommunications companies) inform national regulatory authorities of any data security breach. Subscribers should also be notified if the personal data breach is likely to adversely affect the personal data or the privacy of the subscriber. The deadline for member states to implement this Directive is May 25, 2011.

The Cookie Law
On November 9, 2009, the European Parliament made additions to the e-Privacy Directive, which included an effort to regulate online cookies. According to the previous law, web sites were required to allow consumers to opt-out of cookies, typically by selecting a setting on their web browsers. A Parliament committee determined that the practice be reversed; users should be presented with the opportunity to opt in before cookies are placed on their computers.

Under the new addition, companies are required to secure consent from users before tracking files, such as online cookies, are placed on the users’ computers. This addition is commonly referred to as the “cookie law:”

“The new e-Privacy Directive will include a provision requiring the EU Member States to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.”

Although it does not directly mention cookies, commenters point out that the wording includes cookies as well as any other technologies which may be used to track users’ behavior through their internet browsers.

Cookie Law Controversy
The Cookie Law applies to cookies that collect personal data. Some experts have pointed out that certain cookies are not covered by this consent requirement. According to data protection authorities, persistent cookies that contain a unique user ID would qualify as personal data, thus subject to applicable data protection regulations. However, there are other types of cookies that do not meet such criteria.

Another uncertainty regarding the Cookie Law is the process by which consent should be obtained. The statement does not mention prior consent, rather suggests that users are presented with an opportunity to refuse cookies before they are delivered to their computers. The means by which consent should be obtained has given rise to a series of discussions between internet service providers, privacy advocates, advertisers, law makers and EU member states.

It is unclear if “consent” means that users need to agree to cookies when setting up their web browsers, or if they must give unambiguous consent for each and every cookie. Others have interpreted “consent” to mean a standardized plan that allows users to view and opt-out of data collected about them through cookies.

Advertising Outcry
Europe’s online advertising industry currently generates US$20.12 billion in advertising spending annually. The initial idea that cookie placement needed the user’s prior consent concerned industry executives, who argued it would be a costly and disruptive practice. As a result, the requirement of “prior consent” was moved to an addendum.

Rather than recurring pop-up windows requesting consent, advertising executives suggested placing icons on internet ads that rely on tracking tools. Users can click on the icon to view what data is being collected about them, or to block any cookies.

Dutch Telecommunications Act
On November 3, 2010, an amendment to the Dutch Telecommunications Act was submitted to the Dutch Parliament. This was an effort to implement the EU e-Privacy Directive.

The proposed Bill requires telecommunications and internet service providers to give notification of data security breaches involving personal data to the Dutch Telecom Authority. If individuals’ privacy is likely to be compromised in a breach, service providers would also be obliged to notify the appropriate individuals.
The proposed Bill also requires that consent be secured before the use of cookies, in particular, prior to the use of third party cookies that are designed to track individuals’ web browsing activities for behavioral advertising purposes. In response to confusion regarding unambiguous consent (i.e. whether or not consent was required for placing individual cookies), the Bill indicates that browser consent would be sufficient. However, browser consent may not be enough in all situations.

This article discusses the European Union’s e-Privacy Directive, also referred to as the Directive of Privacy and Electronic Communications 2002/58/EC. The Directive is a continuation of the EU Data Protection Directive and deals with data protection and privacy issues relating to digital technologies. The article takes a look at the “Cookie Law,” an amendment to the Directive that requires user consent before cookies are placed on users’ computers. This amendment has given rise to controversial discussions between internet service providers, privacy advocates, advertisers, law makers and EU member states. Finally, the article takes a look at how the elements of the e-Privacy Directive are being implemented in the legislation of member states.

CIPP Exam Preparation
In preparation for the Certification Foundation exam (Foundations) and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
• Online Privacy – Online Identification Mechanisms – Cookies (Foundations; III.B.g.i.)
• Privacy-Enhancing Technologies – Web Cookies (CIPP/IT; III.B.c.i.)
• Privacy & Data Protection Regulation – Europe (Foundations; I.F.b.ii.)


1 comment to Implementing the EU e-Privacy Directive: The Cookie Problem

  • India has called for global coordination to ensure that internet continues to thrive without the fear of its misuse at the London Internatinal Cyber Conference that give the nature of the task and the fact that IT networks can be attacked from anywhere in the world.

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>