In 2009, the ePrivacy Directive was adopted mandating all website operators to first inform visitors about – and obtain their consent for – placing cookies. Incidentally, the ePrivacy Directive has been written technology neutral, and applies to all technology that places information on, or reads information from, a user’s computer (and yes, a mobile phone, tablet or even TV fall under the definition of computer). Many EU countries have by now implemented the ePrivacy Directive in their national legislation. But instead of having led to harmonised legislation on this topic throughout the EU, the ePrivacy Directive has instead produced heated debate, concerned website owners and disgruntled website users. Here are five things you should know about the cookie legislation.
1. Consent needs to be unambiguous
Valid consent requires an active indication of the user’s wishes. It is undisputed that prior consent is required before cookies may be placed. Unfortunately (or perhaps fortunately), the regulators have not specifically prescribed how consent should be obtained. Of course, buttons marked “yes” or “no” quite clearly facilitate consent. But the UK regulator has indicated that consent may also be ‘deemed implied’ if a user is made aware of cookies but consistently continues to visit and make use of the website. Also in the Netherlands, the Dutch Minister of Security and Justice is currently investigating whether a system of implied consent could work. Be warned though, this is currently not the law yet.
2. There are exemptions
There are exemptions to the cookie rules. Certain types of cookies are exempt from the notice and consent requirement. These are cookies that either are required to bring a requested functionality by the user (such as the shopping basket at web stores) or without which the webpage would not be able to load. The threshold for exemptions is quite high. Note that “functional” cookies are not exempt per se.
4. There is enforcement already
5. Changes may still be afoot
The cookie rules are still very much in flux. Legislators and regulators have started to see that the cookie rules have been implemented often to the detriment of usability and userfriendliness. Where the cookie rules can be made more flexible to cater for a better user experience is being considered and discussed. However, legislators still seem to take a ‘wait and see’ approach and very much leave it to the market to come up with fresh and creative ideas on how the rules can be practically complied with. Until then, the rules are still in effect, and still apply to many of the cookies that most websites use. And all discussion and consideration notwithstanding, it is clear that having no policy or information statement about cookies at all (while using them) will not be accepted by the regulators.