The EU directive, passed last month, states that national governments must now “ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent, having been provided with clear and comprehensive information.”
The directive itself will be implemented by EU member states through local laws. However, according Struan Robertson, a technology lawyer and legal director at law firm Pinsent Masons who specializes in areas including data security and online marketing, it will be “extremely difficult to interpret it in a way that allows the delivery of cookies without user consent.”
However, a non-binding section of the directive suggests that some cookies can be consented to by a user’s browser settings, which may be changed to block or accept some or all cookies. The section states, “Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”
Unsurprisingly, given the potential implications the new law could have on the online ad industry, it is this statement upon which the IAB has placed emphasis. A statement on the U.K. Trade body’s site suggests “the law now clarifies that websites can rely on browser controls and similar applications to define the acceptance of cookies. Publishers and online marketers support this approach because greater transparency, user-friendly information and easy cookies-management will increase consumer trust and confidence.”
IAB Europe Vice President Kimon Zorbas told ClickZ News last month he believed the directive essentially maintained the existing “opt-out” system with regards to cookies, thanks to the omission of the phrase “opt-in” from the language of the directive itself. He also commented that the law “recognizes the established practice that Web users set their cookie preferences in their settings managers.”
Robertson suggested it is difficult to interpret the directive itself to mean that no prior consent is needed. “It says users have to give consent to cookies ‘having been provided with’ information. I don’t see how that’s anything other than prior consent,” he said.
Ultimately, the fate of cookies within Europe now lies in the hands of local regulatory bodies, and the way in which they interpret and implement the directive through local laws. That must be done at the latest by April 2011.