New Cookie Law Creates Confusion in E.U.

A directive that takes effect Thursday requires website operators and advertising companies operating in Europe to gain “explicit consent” for every cookie they place on users’ machines.

But some member states will likely miss the deadline, leaving publishers and online media companies unsure of what business practices, if any, they must alter in order to operate legally on the continent.

The requirement is a provision in an amendment to the E.U.’s Privacy and Electronic Communications Directive, which was adopted in 2009. The revision is intended to give users greater control over the cookie data that is stored on their machines for purposes such as content personalization and ad targeting.

To date only Denmark and Estonia have reported implementation of the directive to the European Commission, according to Jonathan Todd – a spokesman for its vice president, Neelie Kroes. Each member state is expected to notify the Commission of its compliance with the directive.

The commission anticipates notifications from the U.K. and Ireland tomorrow, but also assumes multiple states will miss the deadline completely. “We’re not expecting notifications from all member states by tomorrow evening, and we’re aware many haven’t undertaken the necessary preparations,” Todd told ClickZ, warning, “Infringement proceedings will follow the deadline.”

Practically speaking, however, the commission is unlikely to take immediate action against countries that are slow to comply, according to Quentin Archer – a technology specialist at London-based law firm Hogan Lovells. “If there are several lagging there’s no way the commission will come down hard on them immediately,” Archer said, suggesting it will likely take a more aggressive approach if those states still don’t comply in six months’ time.

According to some, the primary reason for the delayed implementation of the directive is confusion around its intended purpose, as well as how best to implement it without destroying the businesses that rely on cookie placement to generate revenue, such as online advertising networks.

“The fact that numerous states haven’t transposed the directive in time shows that people are having difficulty understanding it. It’s badly written, and we’ve pointed that out from the beginning,” said Kimon Zorbas, vice president of pan-European online ad trade body IAB Europe.

According to Zorbas, each European state could interpret and subsequently enforce the directive differently, creating a fragmented legal landscape across the EU. “It’s going to be extremely messy if you want to be compliant in several member states,” he said.

The IAB Europe has been fighting the commission’s decision to introduce an “explicit consent” requirement, arguing that it could bring the Internet grinding to a halt as websites seek consent for cookie placement through pop-ups and other awkward mechanisms.

Though the U.K. has yet to inform the commission of its compliance with the directive, the Information Commissioner’s Office – the regulatory body responsible for enforcing privacy laws in the U.K. – has issued guidance for companies operating in the market. That advice has come under fire from parties in the U.K., though, for being too vague and arguably contradicting language used in the directive itself.

For example the directive suggests users can express consent through the use of browser settings, whereas the ICO guidance states, “At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie… We are advising organizations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.”

The ICO recommends consent should instead be obtained through other means – such as pop-up windows – but gives little concrete information regarding which types of cookies that requirement pertains to, or how U.K. companies should implement such a measure. “I’m extremely concerned about the ICO’s view on browser settings,” Zorbas said, arguing the Office’s view implies the European Commission is “silly” for suggesting that browser settings would suffice as consent.

As Archer points out, however, the ICO itself has billed the guidance as a work in progress and highlighted broad solutions to allow companies to experiment with different ways to satisfy the directive depending on their business practices. “It’s clear the ICO does not expect everybody to be fully in compliance by Thursday, but it expects people to be putting plans into place by the very least,” he said.

In the meantime, there’s little companies operating across Europe can realistically do to satisfy the directive, given that local laws haven’t been set in place in the majority of markets. Until that happens, major European online players are unlikely to rush into anything.

UPDATE: After this story was published, the U.K. Information Commissioner’s Office announced it will not enforce the new E.U. directive until May 2012.
