The changes and the new rules
The key change under the revised Directive is the inclusion of a consent condition: using cookies on a site user’s computer is only permitted on the condition that the site user ‘has given his or her consent, having been provided with clear and comprehensive information…inter alia about the purposes of the processing’. Though the wording in the Directive itself seems clear, if controversial, the amended wording of the Directive’s recital, and further European level guidance, is the source of much of the confusion surrounding these changes. The recital states that: ‘where it is technically possible and effective…the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application’, giving hope to businesses that browser settings may still be an effective means of satisfying European cookies rules. However, guidance from the Article 29 Working Party (the European Commission’s data protection advisory group) has subsequently indicated that permissive browser settings may not in fact be sufficient to provide the required site user consent to cookies. Whilst this guidance is not binding on Member Sates when they come to implement the revised Directive into national law, it will be influential.
Despite the obvious need of online businesses for clear guidance from regulators as to how the revised Directive will be implemented and enforced, the regulators and government departments have been slow to come forward with their implementation plans and new laws. Many will be waiting to see how others are approaching implementation, and all are still grappling with the difficult issue of, on the one hand, implementing the Directive accurately and adequately whilst, on the other hand, balancing the practical implications of this for online businesses and web users generally.
In France, the Directive has not yet been implemented. Given the very short timeframe left for such implementation, the French government has recently been authorized by the Parliament (on 23 March 2011) to implement the revised rules by way of an order, which will avoid the longer bill-passing process. Nonetheless, the French government has until September 2011 to issue the order which means it is unlikely that the Directive implementation date will be met. No draft order is available so it is impossible at this stage to know precisely how the cookie consent requirement will be implemented. The French government might however be inspired by the wording of a draft bill that was proposed by the Parliament a year and a half ago, which required user’s consent before the installation of cookies.
Taking a different approach, the German government has not included the cookies consent requirement in its implementing bill, and has indicated that it won’t be taking any legislative action for the time being, pending ongoing consultations with the European Commission which could include a self regulatory approach. It is therefore unlikely that Germany will be in a position to finalise or implement its new rules for some time, though if it stays with its current approach, the new cookie consent requirements will not be included in the new legislation.
In practice therefore, the new cookies rules may be more of a technical inconvenience for businesses, potentially requiring investment in enhanced technical solutions, rather than an impossible set of standards threatening the very nature of their online business. Governments and regulators recognise the disproportionate practical impact the new consent requirements may have, and are working together to find practical solutions, such as enhanced browser settings, and local and European wide industry solutions. These solutions (such as EASA Best Practice Recommendation on Online Behavioural Advertising) will allow affected businesses to maintain their current cookie functions as closely as possible whilst still complying the revised rules.
It remains a case of ‘watch this space’ for now, as we wait for each Member State to release its new laws and guidance, and in the longer term, to decide how it will enforce the new rules: the practical implications for online businesses will hang in the balance until enforcement strategies are made clear, and this is unlikely to happen on a European wide scale until the end of this year at the earliest.