If the European Commission has anything to say about it, starting about 18 months from now companies will have to start obtaining consent from Web site visitors to place cookies on their computers.
Last week, the European Parliament approved amendments to Europe’s e-Privacy Directive (see page 76, item 5) requiring, among other things, that operators of Web sites obtain a user’s consent before placing a cookie on the user’s computer. “Cookies” are digital files that are routinely placed on a user’s computer when they visit a Web site. These files are used for many purposes, including to save a user’s name and password so they can be pre-populated in a Web site’s log-in page; to enable Web sites to engage in behavioral marketing by displaying ads that are keyed to a user’s browsing history; to enable Web sites to perform analyses of the demographics of the site’s visitors and what areas of the site are most popular; and to save the contents of a user’s online shopping cart.
Under the amended e-Privacy Directive, Web sites may only place cookies if the user has consented, after having been provided with clear and comprehensive information about the purpose of the cookie. The amended directive provides an exception to the consent requirement if the cookie is “strictly necessary” in order for the Web site to provide a service specifically requested by the user. While this exception is mildly helpful, it would not apply to most uses of cookies.
A recital (see recital 66) that prefaces the directive suggests that “where it is technically possible and effective,” consent may be expressed by using the appropriate settings of a Web browser or other application. However, it is unclear whether user consent can be obtained this way when the default Web browser setting is to accept cookies, as is the case with most Web browser software on the market.
Furthermore, due to the European law’s definition of “personal information,” the EU’s new rule even applies to cookies that do not collect a user’s name or contact information, on the grounds that anonymous cookies still enable a Web site to recognize a user who has been to the site before.
While this amendment leaves European companies in a state of alarm, it also leaves non-EU companies in a state of quandary. The EU (specifically, the Article 29 Working Party) consistently has taken the position that its personal data directive (an older sibling of the e-Privacy Directive) applies to wholly non-EU Web sites that place cookies on computers which are located in Europe. If the e-Privacy Directive also applies to all Web sites that drop cookies, the global impact of these amendments essentially requires every Web site to change its practices in about 18 months, which is the deadline by which European Member States must implement the e-Privacy Directive’s amendments.