I donned my lawyer’s hat to take a look at the major change to the EU e-Privacy Directive due to come into force by May.
A new Article in the Directive referring to cookies has sparked media controversy about the negative impact it may have on online organisations. This controversy may be unjustified as the law seems more focused on the protection of personal privacy than the banning of cookies.
The new Article 5(3) provided by Directive 2009/136/EC now requires consent to store a cookie to be sought by an online organisation. This new rule aims to protect the website user by adopting an opt-in mechanism to indicate the willingness of a user to receive a cookie rather than just block it.
There has been criticism by online organisations that this enhanced requirement will disrupt business. If the new provision is adopted literally, there may be a significant cost involved with figuring out a suitable model for obtaining this user consent.
The Department for Business Innovation and Skills in the UK carried out a fantastic study into the potential costs. Annex 3 should be of interest to anyone affected by the new rules.
If the adoption of the provision is not so literal and the included exception to the rule is interpreted widely then, the new rules may not be so harsh. The exception provides that where a cookie is “strictly necessary for the legitimate purpose” of allowing the user to access a service he or she has specifically requested then no consent is necessary.
It appears from this that the new rules may target third party cookies primarily and first party may generally fall within the exception. So, for example, cookies used to remember passwords may fall within the exception whereby a user is accessing a service he or she expressly requested.
Under EU law, each EU Member State has a certain amount of latitude in how it implements certain legal measures. As a result, and due to the rather ambiguous wording of the Directive itself, the cookie provision and its exception may be adopted slightly differently by each country.
Ultimately, the new cookie rules aim to protect an internet user. Directive 2009/136/EC is called the “Citizens’ Rights Directive” and that is exactly what it deems to uphold in relation to cookie storage.
There is a lack of basic information out there about cookies. This fosters suspicion among many average internet users. If more information on cookies is made available through the consent process, this may actually encourage a more accepting attitude to them. That would be a welcome outcome.
[Note: Information provided by this post represents the personal opinion of the author and should not be deemed as legal advice]