A self-regulatory code addressing online behavioural advertising, which has recently been adopted by a number of companies operating in the UK, is raising concerns of non-compliance with the new EU cookie law (for full details of the changes to the law see our previous e-updates "All Eyes on the Cookie Jar" and "Cookie Breathing Space").

The code, which was founded by the European Advertising Standards Alliance (EASA) and the Internet Advertising Bureau Europe (IABE), requires that an icon is featured on company websites which informs users that their online movements are being monitored for advertising purposes, i.e. that cookies are being collected to enable companies to send users advertisements for products or services they may be interested in based on their online activity. It also allows users to opt out of the targeted advertising through the use of a pan-European website.

Whilst the code represents a step in the right direction, by communicating information on behavioural advertising to users, the European Committee of National Data Protection Regulators argues that the code does not go far enough in meeting the requirements of the new EU law, which sets out that cookies should only be collected with the prior, informed and express consent of the user. The only exception to this requirement is where the cookie is "strictly necessary" for a service - for example, in an online check-out context.

The problem with the code is that while users have the option to turn off tracked advertising it fails to explicitly obtain user consent and simply presumes that the user agrees to cookie tracking. It takes an opt out approach where the EU law requires an opt in process, with the principle of user permission at its centre. Use of the code therefore raises key issues including breach of user privacy and uncertainty for users in relation to its meaning.

Whilst there are concerns that enforcing EU cookie laws will have major implications for how users interact with online sites and will result in a huge burden on the operation of websites, the regulations in force are clear and the code itself is insufficient to meet its requirements.

The UK government is currently attempting to develop a technical solution to ensure all website operators comply with the EU law, however, given that companies only have a year from the introduction of the new law (May 2011) to become compliant, pressure is mounting to meet this deadline. It may take some time, if at all, for a blanket solution to be developed, therefore companies should take action now to avoid falling foul of the new law. How UK organisations address the issue of consent in light of the new warning will be closely watched in the coming months.