EU cookie recipe is half baked

Brussels' new move on online privacy smacks more of paranoia than a realistic concern for the rights of the individual, argues legal expert Peter Hall. Some speedy and effective lobbying is called for.

The Eurocrats of Brussels have struck again with a piece of regulation that could spell trouble for online business. This time, the target of their overzealous approach to regulation of online business is the use of cookies.

On 13 November, the European Parliament accepted an amendment to regulations dealing with online data protection which will mean that Web site owners and operators will have to obtain the prior, explicit consent of site users before they can use cookies (and other devices such as Web-bugs) to collect information on Web site use.

If the regulations get past a second reading of the European Parliament early next year, this will become law (although it may take some time for the regulations to become law in member states).

The burning question is how on earth do the Eurocrats expect businesses to obtain prior consent? The trouble is that under EU data protection laws, the silence of a Web site user, no matter how well informed they may be, is not enough to qualify as consent. Businesses will need to have some positive indication from users that they are willing to have their site use tracked by cookies before the cookie is sent to their PC.


How can that work? Cookies are part and parcel of the HTML that flows from the Web server to the user's PC in most commercial sites. Are the Eurocrats saying that cookies will need to be stripped out from the HTML until the user has ticked a box or sent an e-mail saying that they are happy for cookies to be used?

A cumbersome process
Will this mean that businesses will stop using cookies rather than face having to embark on such a cumbersome process? Important questions that apparently they have not thought through.

The Eurocrats have completely overlooked the importance of cookies in the way the Web works. My wife buys our groceries from SimplyOrganic.net. Our favourite organic chocolate biscuits, wholemeal bread and so on are on our shopping list which is revived every time we order. That is, I suspect, done by an inorganic cookie. I doubt we would bother to shop online if we had to type in our list every time.

This is just one way in which cookies enhance the user experience. There are many others. What would it mean for Amazon, Tesco and all those other sites if cookies are removed? Millions in lost revenues possibly.

Overdoing the privacy risk
Brussels also seems to have blown completely out of proportion the privacy risks presented by cookies. Yes, you can build a profile about someone by their Web use, but most of the time that will be pretty innocuous stuff. Having said that, there are legitimate concerns that some online advertising businesses are pushing the boundaries of acceptability. Don't you get annoyed when those double-click frames keep popping up?

The silly thing about this is that there is a far more practical way of dealing with the privacy issues raised by cookies. The solution is to raise user awareness. I would say that the line on legitimacy is crossed when cookies are used in a covert way to collect information. Why not just require cookie users to tell people what they need to know and tell them how to disable the blighters? This is possible with most browsers after all (see cookiecentral.com for tips).

This is the line taken by Elizabeth France, the UK Information Commissioner, who is not exactly a soft touch on privacy. Why can't Brussels take a leaf out of her book on this one?

Because this regulation only saw the light of day on 24 October, there has been little time for Internet businesses to react and muster their lobbying forces. If I were an owner or operator of a Web site using cookies I would be lobbying hard now to make sure that this misconceived regulation never becomes law.

It is worth noting that the Interactive Advertising Bureau UK is coordinating efforts in the UK to do just that - why not drop them a line?


A cookie too far?
Is the EU move part of the championship of individual rights or a piece of meddlesome bungling? Let us know with an e-mail.



Peter Hall is TMT at law firm Wragge & Co - www.wragge.com
