Our May 26, 2011 blog post on the new European cookies rules introduced by the revised E-Privacy Directive marked the deadline for EEA Member States to implement the Directive into national law. As of late August, only the UK, Denmark, Estonia, Finland, Ireland, Malta and Sweden have introduced laws fully implementing the amendments contained in the revised Directive.
Of the Member States with updated national laws already in place, the majority accept browser settings as a means of achieving valid consent (though current browser settings might be regarded as inadequate, since they enable the acceptance of all cookies by default).
Following its general approach to data privacy regulation, the UK has taken this more pragmatic view. It expressly states in the revised implementing legislation that consent may be indicated through appropriate browser settings. Ireland’s approach, with its revised legislation stating that consent to cookies may be obtained via appropriate browser settings, is similar. (It explicitly emphasizes that “the methods of providing information and giving consent should be as user-friendly as possible”.) Finland (Finnish language only) and Sweden (Swedish language only) also have taken this approach, with both countries’ regulatory guidelines noting that consent may be expressed though browser settings and should be practical for both users and online businesses. The Danish revised legislation (draft version, in English), though pragmatic with respect to user consent (it requires an informed expression of consent, which guidance suggests includes browser settings and continued use of the site / services, provided this use is sufficiently informed), is more onerous in terms of requiring the site user to be provided with clear and readily accessible information on what the cookie collects, who sets it, the purposes of the cookie, how long information will be stored, and how to delete it.
In light of the delay by the majority of EEA Member States, the European Commission has recently commenced legal action against 20 Member States for failure to meet the 26 May 2011 implementation deadline. The Commission’s latest steps are a meaningful reminder to Member States that, while the revised directive may be controversial, they cannot ignore their implementation obligations and that the revised E-Privacy Directive remains a high priority on the Commission’s Digital Agenda. The action taken against the relevant Member States-Austria, Belgium, Bulgaria, Cyprus, Czech Republic, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Luxembourg, The Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia and Spain– consists of a formal request to each Member State, asking them to explain their implementation strategy to the Commission by the end of September 2011. If a Member States fails to reply, or the reply is judged to be inadequate, the Commission may require the Member State to implement the necessary legislation and commence proceedings against the state in the Court of Justice of the European Union.
Who will implement next?
Proposed implementing legislation in both France and Spain indicates an intention to refer to consent via browser settings, though with varying degrees of flexibility. Spain’s draft legislation (Spanish language only) amending the General Telecommunications Act currently requires users to take active steps to configure their browser settings to accept cookies, and, in doing so, to provide consent. Article 37 of France’s draft ordinance (French language only) requires specific prior information to be provided to the user before browser settings may be relied upon; the final text of the implementing ordinance is expected to be adopted by the end of September 2011 (following a public consultation on the current draft in May – July).
Implementation in Germany remains an open issue – the German Federal Government initially decided not to propose any implementation steps at this stage, but after a competing Bill of the Federal Council, the Federal Government announced that it will prepare wording for the German Parliament as part of the general implementation of the European Telecoms Package.
At this stage, the picture of implementation that is emerging is far from harmonious. Many European governments and regulators are hoping for significant further guidance from the European Commission. Any such guidance would introduce a degree of consistency across Europe in terms of interpretation of the revised Directive, for those countries yet to finalise their national laws at least. Further guidance may not come quickly enough, however, to rescue the large number of Europe-based and global businesses, and internet users, facing an already inconsistent patchwork of requirements for cookie consent and user information. If the current de-harmonised pattern continues, we may begin to see a negative competitive effect for online businesses from those countries taking stricter approaches (particularly in significant online markets such as the Netherlands), as well as potentially greater investment into the development of non-cookie based technologies to monitor and track user behaviour (such as advanced URL rewriting and browser ‘fingerprint’ technology which consists of a combination of the IP address, browser configuration, user agent, installed plug-ins and a variety of other factors rendering each browsing session uniquely identifiable).