The UK cookie rule is based on an amendment to the EU's Privacy and Electronic Communications Directive that applies to all EU member states.
The directive requires all European websites obtain users' opt-in consent first if they want to install pieces of code, known as "cookies", that store and pass on personal details and information about browsing activities to third parties.
However, the EC's website has no automatic or homepage notification about cookies. Only if a visitor clicks on the "legal notice” link at the top or bottom of the page, is there any information about cookies.
According to the information presented, visitors to the website "can control and/or delete cookies as you wish – for details, see AboutCookies.org."
User can also delete cookies already on their computers and you can set browsers to block them being placed. But the site warns users that, if they do this, they may have to adjust some preferences manually every time they visit the EC's website.
This looks very much like the old-fashioned “opt-out” approach, according to Stewart Room, partner at law firm Field Fisher Waterhouse.
"There’s no way this would satisfy the new consent rule," Room wrote in a blog post.
The European Data Protection Supervisor has been one of the most vocal critics of bad data protection, but there is nothing about cookies on his official website.
From there visitors can enter the legal notice where, according to Room, there is the following wording about cookies:
"The EDPS website uses two session cookies which are essential for the website to operate. The first cookie contains the username ‘guest’ used by each visitor on the site and the second cookie contains a hash key to allow the server to bind the visitor to the session on the server. Both session cookies are deleted when the visitor closes his internet browser."
The entities that have delivered cookie obligations for all of us, said Room, do not live by their own ideals.