Cookie law needs more than ‘do not track’, says Neelie Kroes

Website owners still need consent to use cookies even if web users' browsers offer 'do not track' (DNT), says EC vice-president Neelie Kroes

EC vice-president and leader of the digital agenda Neelie Kroes says website owners still need to obtain consent to use cookies, even if web users have browsers that offer 'do not track' (DNT).

Kroes, who is seeking a way for web users to opt out of being tracked by cookies, has accepted browser-based systems will not deliver that result, according to

Representatives from top technology firms are currently working on developing a 'do not track' system for web browsers.

A working group of the World Wide Web Consortium (W3C) has been overseeing work by technology firms on a ‘do not track’ system for browsers.

But in a speech in Brussels, Neelie Kroes said she is increasingly concerned about what she sees as a delay in concluding the DNT standardisation process. In particular, she said she was concerned about the standard being watered down.

“The DNT standard must be rich and meaningful enough to make a difference, when it comes to protecting people's privacy. It should build on the principle of informed consent, giving people control over their information. And, indeed, it must be designed to let people choose to not be tracked,” Kroes said.

DNT standardisation diverges from cookie law requirements

But Kroes said the way the discussion is going shows that the DNT standard, on its own, will not guarantee compliance with the EU cookie law, particularly because of the emerging consensus to exclude first-party cookies from the scope of the DNT standard.

"The fact is, we need, as far as possible, a simple and uniform way of addressing e-privacy – across different providers and different types of tracking. You shouldn't have every provider reinventing the wheel on this one," Kroes said.

"Going the whole way would be better than going half way. But going half the way together is better than leaving everyone on their own. Because it is a common approach, open and generative, fit for the global web.

"But, if DNT only goes half way, providers will need to ensure legal compliance beyond that. There will be a delta, things providers need to do to get valid cookie consent; on top of or beyond implementing DNT."

Kroes said those involved in DNT standard discussions "need to find a good consensus – and fast". She specifically called on US firms to be mindful of EU rules on cookies.

Web users reject online tracking

Earlier this month, a survey published by the University of California found that most US citizens reject online tracking and do not want any information collected about which websites they visit.

Asked what they would like a DNT function to do, 60% said they want it to prevent websites collecting any information about them.

One-fifth said such a tool should allow them to block websites from serving ads and 14% said they would like it to prevent websites from tailoring advertisements based on sites they had visited.

The study revealed that 20% were under the impression that advertisers were not allowed to track people when they browsed medical sites. Only a third correctly said they could be tracked by marketers.

UK websites show mixed compliance with cookie law

In September, three months after the enforcement of the cookie law, a study revealed that only 12% of UK websites complied with the cookie law and had implemented prominent privacy notices with robust cookie controls.

The regulation on the use of cookies derives from an amendment to the EU's Privacy and Electronic Communications Directive.

The directive and related UK law came into force on 26 May 2011, but the Information Commissioner's Office (ICO) gave businesses 12 months' grace to comply.

However, a recent analysis of more than 200 top UK websites showed that just over half have at least minimal privacy notices with limited cookie controls.

The study by data privacy management firm TRUSTe revealed that 37% of websites in the sample do not appear to have taken any steps to comply with the law.
