When the revised Privacy and Electronic Communications Directive was approved in November 2009, with its updated wording requiring prior consent to the use of cookies, European Union Member States were given until the end of May 2011 to implement the changes into their respective national laws.  That deadline is fast approaching, and the lack of action from governments and regulators is telling.  Controversy and confusion surrounding the new cookies rules have been widespread, not only for European-based businesses, but for all global, web-based businesses interacting with European consumers, and for the government departments and regulators implementing and enforcing the new rules.  It is only very recently that European governments and regulators have begun to give any clues as to how they will implement the new rules.

The changes and the new rules

Under the previous Privacy and Electronic Communications Directive, businesses are permitted to use cookies to collect information from site users’ computers on the condition that the site user is provided with ‘clear and comprehensive information…inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller’.  In light of these rules, common practice throughout Europe has been to rely on the ability of the site user to change their browser settings (i.e. to refuse all / certain cookies), and a statement in a privacy policy or on the site to explain the site’s use of cookies, to satisfy these requirements.

The key change under the revised Directive is the inclusion of a consent condition: using cookies on a site user’s computer is only permitted on the condition that the site user ‘has given his or her consent, having been provided with clear and comprehensive information…inter alia about the purposes of the processing’.  Though the wording in the Directive itself seems clear, if controversial, the amended wording of the Directive’s recital, and further European level guidance, is the source of much of the confusion surrounding these changes.  The recital states that: ‘where it is technically possible and effective…the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application’, giving hope to businesses that browser settings may still be an effective means of satisfying European cookies rules.  However, guidance from the Article 29 Working Party (the European Commission’s data protection advisory group) has subsequently indicated that permissive browser settings may not in fact be sufficient to provide the required site user consent to cookies.  Whilst this guidance is not binding on Member States when they come to implement the revised Directive into national law, it will be influential.

Regulator guidance

Despite the obvious need of online businesses for clear guidance from regulators as to how the revised Directive will be implemented and enforced, the regulators and government departments have been slow to come forward with their implementation plans and new laws.  Many will be waiting to see how others are approaching implementation, and all are still grappling with the difficult issue of, on the one hand, implementing the Directive accurately and adequately whilst, on the other hand, balancing the practical implications of this for online businesses and web users generally.  

In the UK, the government has confirmed that it will be implementing the revised Directive (but not the recital) word for word into UK law: consent will therefore be required for the use of cookies and existing browser settings alone will be insufficient to satisfy the revised requirements.  This is a strict approach from the normally relatively relaxed ICO, which has for some time now, informally at least, taken a pragmatic view of the new rules and their unrealistic scope.  However, in formal recognition of the practical implications of this consent requirement, the government is working with browser manufacturers on new, enhanced browser settings with the aim of developing these into effective methods of evidencing a site user’s consent for the purposes of the new rules. The government has also indicated that it does not expect the UK regulator (the ICO) to take enforcement action against businesses for cookies rules infringement until the new browser settings and further technical guidance are provided (likely to be later this year).  A strong industry-led solution is also on the table in the UK, backed by the government and the ICO: participating sites will be required to display an icon to show consumers that cookies are being used, and to provide detailed information about the types and purposes of cookies used, and the advertisers / businesses responsible for each cookie.  The site must also provide a clear and simple option for the user to refuse those specific cookies, or all cookies from that server.

In France, the Directive has not yet been implemented.  Given the very short timeframe left for such implementation, the French government has recently been authorized by the Parliament (on 23 March 2011) to implement the revised rules by way of an order, which will avoid the longer bill-passing process.  Nonetheless, the French government has until September 2011 to issue the order, which means it is unlikely that the Directive implementation date will be met.  No draft order is available so it is impossible at this stage to know precisely how the cookie consent requirement will be implemented.  The French government might however be inspired by the wording of a draft bill that was proposed by the Parliament a year and a half ago, which required the user’s consent before the installation of cookies.

Taking a different approach, the German government has not included the cookies consent requirement in its implementing bill, and has indicated that it won’t be taking any legislative action for the time being, pending ongoing consultations with the European Commission which could include a self-regulatory approach. It is therefore unlikely that Germany will be in a position to finalise or implement its new rules for some time, though if it stays with its current approach, the new cookie consent requirements will not be included in the new legislation.

In practice therefore, the new cookies rules may be more of a technical inconvenience for businesses, potentially requiring investment in enhanced technical solutions, rather than an impossible set of standards threatening the very nature of their online business.  Governments and regulators recognise the disproportionate practical impact the new consent requirements may have, and are working together to find practical solutions, such as enhanced browser settings, and local and European-wide industry solutions.  These solutions (such as the EASA Best Practice Recommendation on Online Behavioural Advertising) will allow affected businesses to maintain their current cookie functions as closely as possible whilst still complying with the revised rules.

It remains a case of ‘watch this space’ for now, as we wait for each Member State to release its new laws and guidance, and in the longer term, to decide how it will enforce the new rules: the practical implications for online businesses will hang in the balance until enforcement strategies are made clear, and this is unlikely to happen on a European-wide scale until the end of this year at the earliest.