This article was first published in Data Protection Law & Policy in March 2011
The official deadline for the implementation of the revised e-privacy directive across the EU is only a few weeks away and there is a clear sense of panic in the air. National governments seem to be struggling to find a rational way of formulating the controversial cookie consent rule, which essentially requires the consent of the user in order to place a humble cookie in that user's equipment or access a cookie that is already there. Meanwhile, data protection authorities are insisting that obtaining consent must not be a farce and Internet businesses are waiting for a silver bullet that will end this surreal nightmare.
How could this have happened? Here is the story so far. Barely two years ago, everyone was happy with the notice and opt-out regime affecting Internet cookies. But all of the sudden, just at the end of a process aimed at reviewing the legal framework regulating European electronic communications, the European Parliament decided to have a go at tackling the use of surreptitious means to invade Internet users' private sphere. In their efforts to keep the law technologically neutral, the uses of cookies got scooped into the consent regime and by then it was too late to stop the process. The new rule lay dormant for more than six months until the end of 2009, when the revised directive was formally adopted kick-starting the implementation process.
At the time, the idea of having to stop the normal flow of Internet traffic to ask for permission in order to place or access cookies seemed so out of the question that many decided to ignore it or talk themselves into thinking that nothing had changed. But then, just before last summer, the European privacy regulators put their marker down and said that the new law demanded an opt-in mechanism requiring an affirmative action to indicate the user's consent before a cookie was placed or accessed. Frankly, opt-out alone may not be sufficient, but to suggest that the continuous and blind acceptance of a myriad of tick boxes and buttons may amount to genuine consent is also ludicrous.
European legislators are facing a real dilemma. Do they implement the directive exactly as drafted and prolong the uncertainty or do they try to tweak the wording to make it more precise but risk legal action for not getting it right? The UK Government has been very forthcoming about this challenge and said that whilst an opt-in system would have a large negative impact across a wide range of Internet business models, doing nothing would be a breach of the UK's legal obligations. As a result, the UK approach is likely to include the directive's consent obligation but qualified in respect of cookies by allowing the use of the browser settings to obtain consent in line with the reference made in the directive's recitals.
In other EU countries, the situation is less forthcoming. So far, only Finland, Luxembourg, the Netherlands and Sweden appear to be prepared to qualify the cookie consent obligation by referring to browser settings. In the majority of jurisdictions, the legislative silence is deafening, which means that the May deadline will certainly be missed except in a handful of member states. A few other countries that have dared to look into this appear to lean towards a pure consent obligation. Then there is the extreme case of Greece, where double opt-in has been proposed. So it is quite likely that as the directive gets implemented across the EU, two main models will emerge - plain consent and qualified consent. Under the latter, some room for manoeuvre will be given by the law as to how that consent is obtained beyond traditional "hard opt-in" approaches.
So where is this all going to end up? The stakes are certainly high, particularly given the recent comments by Viviane Reding, the EU Justice Commissioner, about the need for explicit consent of the user for non-obvious data uses. Headlines aside, we still need to figure out how the new obligation can be complied with. As ever, a bit of careful thinking and good intentions can go a long way even where uncertainty remains. In practice, this means assessing first of all to what extent cookie uses may actually be essential for the functioning of the site, as these uses are outside the scope of the consent obligation. Then the top priority is to make sure that the cookie disclosure is as full as it can be, as there will not be much leniency for getting this one wrong. Any efforts to link the disclosure to whatever cookie control mechanisms are available will also be seen positively by the regulators. Beyond that, it is a matter of ensuring that people’s choices are properly respected and keeping a close eye on the marketplace and associated public policy developments. Above all, please do not bury you head in the sand.