On November 24, 2009, the European Parliament approved the EU telecom package, on the basis of which the ePrivacy Directive (2002/58/EC) was amended in the course of December 2009. One of the amendments that has recently raised concerns among online businesses active in Europe is the so-called "cookie law".

Cookies are small files placed on users' computers (or other "terminal equipment") for different purposes, including recognizing users when they revisit a website. Often when a cookie is sent to an Internet user by a website, the user's computer is assigned a number, which is kept by the website as a reference. If the user of the computer that received the cookie does not delete the cookie file, the next time he/she visits the same website, the site will be able to identify the computer as the holder of the cookie. The website is then able to deduce that this computer has visited on previous occasions. Although there are different types of cookies, some allow for the tracking and profiling of the use and - arguably - the user of terminal equipment. To the extent that cookies involve the processing of users' personal data, storing and using cookies could raise privacy concerns. And that is where the new ePrivacy Directive comes in.

Article 5(3) of the new ePrivacy Directive requires EU Member States to ensure that "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing".

There is no doubt that this provision intends to cover the use of cookies, even if the provision does not specifically refer to cookies. Moreover, the Article 29 Working Party - an independent European advisory body on data protection and privacy - has earlier expressed the view that the "neutral" wording chosen is not limited to cookies but implies any other new technology that could be used to track users' behavior using their browser.

The specific reference to the EU Data Protection Directive (95/46/EC) is important because it limits the consent requirement to personal data, as opposed to other types of information. In the opinion of the Article 29 Working Party as well as many data protection authorities throughout the EU, persistent cookies containing a unique user ID are personal data and therefore subject to applicable data protection rules. Arguably some cookies (or similar technologies) may not meet these criteria and therefore fall outside the scope of the law. As Commissioner Reding recently commented at a press conference, "there are also technical cookies, those which make that the infrastructure of the Internet can function. These are not concerned by this rule". As far as the consent requirement is concerned, the law is not entirely clear on how and when to obtain consent. The new provision does not explicitly refer to "prior" consent, but the use of the past tense ("has given") suggests that the European legislator wanted to make sure that users are offered an opportunity to refuse cookies and the like before these are delivered to users' computers.

For online businesses that are storing cookies with EU-based users, it will be crucial to determine whether their current practice is compliant with the new cookie rules. In particular, they will need to ensure that consent has been obtained in accordance with Article 5(3) of the new ePrivacy Directive.

Although the jury is still out on the question of how to obtain consent, the recitals of [the legislative proposal for] the new ePrivacy Directive include an interesting suggestion: "where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application". Last year, the Article 29 Working Party strongly objected to the idea of using default browser settings as a means to provide consent. Concerned about the possible erosion of the definition of consent and a subsequent lack of transparency, the Article 29 Working Party opined that: "most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment. Therefore, default browser settings should be "privacy friendly" but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive. With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings".

In light of the ePrivacy Directive recitals, it would be useful if the EU data protection authorities could reach a consensus (and subsequently provide guidance) on this issue, preferably before the EU Member States start transposing the provisions of the amended ePrivacy Directive into their national legislation.