Feeds

UK passes buck on Europe's cookie law with copy-paste proposal

You sort it out

Build a business case: developing custom apps

Opinion The government has let businesses down by refusing to clarify a law on cookies that has privacy regulators and advertisers at loggerheads, leaving publishers languishing in the middle, unsure whether their advertising is lawful or not.

This week the government had the chance, when transposing EU law into UK law, to find a way to provide UK firms with much-needed clarity, but it passed it up. Instead it will write Brussels-authored confusion into UK law, word for word.

OUT-LAW reported yesterday that the Department for Business Innovation and Skills (BIS) has launched a consultation on its plans for implementing a suite of five EU Directives, known collectively as the European Electronic Communications Framework.

One of these Directives amends the existing Directive on Privacy and Electronic Communications. The new law includes an Article that demands that websites get every visitor's prior consent before sending cookies to their machines.

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.

This law, which is not yet in force across Europe, immediately appeared to hamper the prospects for advertisers, in particular the serving of behaviour-based ads, which tend to generate more clicks and more income for publishers.

The EU law is not just bad for business: it is bad for consumers too. It adds small-print, clicks and confusion without improving privacy in any meaningful way. I have written before that the new EU law is a shambles.

The Article that demands prior consent appears to be qualified by a Recital that says: "Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user's consent to processing may be expressed by using the appropriate settings of a browser or other application."

A recital (a context-setting introduction to a Directive) is not meant to qualify an Article (a rule of the Directive) yet this one appeared to do just that. So businesses were left to wonder: can we rely on the cookie settings in a user's browser to indicate consent, or do we need to ask them a question about cookies when they visit our site?

The advertising industry is adamant that you can rely on cookie settings. It has relied on that recital as justification for saying that cookie settings indicate consent. Privacy watchdogs disagree. They have pointed out that most browsers accept cookies by default. "It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes," said the Article 29 Working Party. In their view, to comply with this law, visitors should be asked a question about cookies.

This is a muddle. It is not one that BIS could resolve.

If BIS deviates too far from the wording of the Directive, to pass a UK law that makes compliance straightforward and consumer-friendly, it risks infraction proceedings in Europe for failing to transpose the Directive into UK law properly. It also runs the risk that other countries in Europe will transpose the Directive differently – giving businesses the headache of having to detect a website visitor's home country to decide whether or not to present cookie questions.

So the easiest thing for BIS to do is to copy and paste the Directive into UK law and let someone else sort out the ambiguity. That is what it proposes. Frustratingly, though, it has not acknowledged that any problem exists. Instead, BIS appears to suggest that the Directive was nice and clear in the first place.

Next gen security for virtualised datacentres

More from The Register

next story
Assange™: Hey world, I'M STILL HERE, ignore that Snowden guy
Press conference: ME ME ME ME ME ME ME (cont'd pg 94)
Premier League wants to PURGE ALL FOOTIE GIFs from social media
Not paying Murdoch? You're gonna get a right LEGALLING - thanks to automated software
Online tat bazaar eBay coughs to YET ANOTHER outage
Web-based flea market struck dumb by size and scale of fail
Amazon takes swipe at PayPal, Square with card reader for mobes
Etailer plans to undercut rivals with low transaction fee offer
US regulators OK sale of IBM's x86 server biz to Lenovo
Now all that remains is for gov't offices to ban the boxes
XBOX One will learn to play media from USB and DLNA sources
Hang on? Aren't those file formats you hardly ever see outside torrents?
Class war! Wikipedia's workers revolt again
Bourgeois paper-shufflers have 'suspended democracy', sniff unpaid proles
'Aaaah FFS, 'amazeballs' has made it into the OXFORD DICTIONARY'
Plus: 'EE, how shocking, ANOTHER problem I face with your service'
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.