On November 24, 2009, the European Parliament approved the EU telecom package, on the basis of which the ePrivacy Directive (2002/58/EC) was amended in the course of December 2009. One of the amendments that has recently raised concerns among online businesses active in Europe is the so-called "cookie law".
Cookies are small files placed on users' computers (or other "terminal equipment") for different purposes, including recognizing users when they revisit a website. Often, when a website sends a cookie to an Internet user, the user's computer is assigned a number, which the website keeps as a reference. If the user of the computer that received the cookie does not delete the cookie file, the next time he/she visits the same website, the site will be able to identify the computer as the holder of the cookie. The website is then able to deduce that this computer has visited on previous occasions. Although there are different types of cookies, some allow for the tracking and profiling of the use and - arguably - the user of terminal equipment. To the extent that cookies involve the processing of users' personal data, storing and using cookies could raise privacy concerns. And that is where the new ePrivacy Directive comes in.
Article 5(3) of the new ePrivacy Directive requires EU Member States to ensure that "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing".
For online businesses that are storing cookies with EU-based users, it will be crucial to determine whether their current practice is compliant with the new cookie rules. In particular, they will need to ensure that consent has been obtained in accordance with Article 5(3) of the new ePrivacy Directive.
Although the jury is still out on the question of how to obtain consent, the recitals of [the legislative proposal for] the new ePrivacy Directive include an interesting suggestion: "where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application". Last year, the Article 29 Working Party strongly objected to the idea of using default browser settings as a means to provide consent. Concerned about the possible erosion of the definition of consent and a subsequent lack of transparency, the Article 29 Working Party opined that: "most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment. Therefore, default browser settings should be "privacy friendly" but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive. With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings".
In light of the ePrivacy Directive recitals, it would be useful if the EU data protection authorities could reach a consensus (and subsequently provide guidance) on this issue. Preferably before the EU Member States start transposing the provisions of the amended ePrivacy Directive into their national legislation.