Cookies are illegal in EU

**Dave A** · 13-Nov-09, 06:16 AM

I take it the concern is section 69:

(66) Third parties may wish to store information on the equipment of a user, or gain access to
information already stored, for a number of purposes, ranging from the legitimate (such as
certain types of cookies) to those involving unwarranted intrusion into the private sphere
(such as spyware or viruses). It is therefore of paramount importance that users be
provided with clear and comprehensive information when engaging in any activity which
could result in such storage or gaining of access. The methods of providing information
and offering the right to refuse should be as user-friendly as possible. Exceptions to the
obligation to provide information and offer the right to refuse should be limited to those
situations where the technical storage or access is strictly necessary for the legitimate
purpose of enabling the use of a specific service explicitly requested by the subscriber or
user. Where it is technically possible and effective, in accordance with the relevant
provisions of Directive 95/46/EC, the user's consent to processing may be expressed by
using the appropriate settings of a browser or other application. The enforcement of these
requirements should be made more effective by way of enhanced powers granted to the
relevant national authorities.

Before over-reacting, you probably should read section 26:

(26) In order to address public interest issues with respect to the use of communications
services and to encourage protection of the rights and freedoms of others, the relevant
national authorities should be able to produce and have disseminated, with the aid of
providers, public interest information related to the use of such services. This could include
public interest information regarding copyright infringement, other unlawful uses and the
dissemination of harmful content, and advice and means of protection against risks to
personal security, which may for example arise from disclosure of personal information in
certain circumstances, as well as risks to privacy and personal data, and the availability of
easy-to-use and configurable software or software options allowing protection for children
or vulnerable persons. The information could be coordinated by way of the cooperation
procedure established in Article 33(3) of Directive 2002/22/EC (Universal Service
Directive). Such public interest information should be updated whenever necessary and
should be presented in easily comprehensible printed and electronic formats, as determined
by each Member State, and on national public authority websites. National regulatory
authorities should be able to oblige providers to disseminate this standardised information
to all their customers in a manner deemed appropriate by the national regulatory
authorities. When required by Member States, the information should also be included in
contracts. Dissemination of such information should however not impose an excessive
burden on undertakings. Member States should require this dissemination by the means
used by undertakings in communications with subscribers made in the ordinary course of
business.

It's about notices and browser settings. I'd think websites just need appropriate Privacy statements.

**Dave A** · 13-Nov-09, 07:25 AM

Another observation - Google Adsense normally does quite a good job of advising publishers and there's no notices on this in their feed.

**Chatmaster** · 13-Nov-09, 03:01 PM

I am mostly peeved because I have to go and make manual changes to over 40 sites now, because I originally thought that the privacy of cookies were in the hands of the user. I have a P3P policy in place on all my sites so users know what they are opting in for when reading it, however this new law specify that I must ask permission from visitors in order to use cookies. This effects conversions, banner advertising and creates user frustration, simply because the law wasn't thought through clearly. I am not a happy camper.

**Dave A** · 13-Nov-09, 03:45 PM

Where are you getting this idea from? Let me stress this bit:

Where it is technically possible and effective, in accordance with the relevant
provisions of Directive 95/46/EC, the user's consent to processing may be expressed by
using the appropriate settings of a browser or other application.

The focus is on the browser.

This affects Google too, especially with their user interest based advertising program. When Google introduced the program I got a notice from Google telling me my privacy statement had to include certain phrases to cover the situation.

I've had no notices from Google around this and they're on the ball with this sort of thing. If anything, they're a target - they have to be on the ball.

**Chatmaster** · 13-Nov-09, 04:13 PM

Originally posted by Dave A

Where are you getting this idea from?

We've been having a discussion for the past few days on a private affiliate forum and according to the attorney representing one of our affiliates the interpretation was exactly as I stated.

He is not the only one thinking so...

Out-Law

http://www.out-law.com/default.aspx?page=10510

Daily legal news, analysis and guidance from Pinsent Masons

I am sorry Dave maybe I should have gotten off my high horse and posted more rationally. I was truly upset about this whole issue... I'll have a beer now

**Dave A** · 13-Nov-09, 11:35 PM

Do a search for the word "website" in that document. It only comes up three times and the context has nothing to do with websites requiring permission to place cookies. Then do a search for the word "cookie" - it only comes up once!

The entire directive is about public communication service providers and their communication networks, including standard voice, VOIP and data. In our lingo that's telecommunication companies and ISPs. It also deals with the distribution of marketing material over these services (via email, SMS, MMS and auto-dialers - not the browsing of websites). It's not that far removed from our Electronic Communications Act.

My read when it comes to cookies is that the directive is seeking to have these companies educate users via their websites and service contracts of the very feature in browsers you mentioned - editable cookie permissions. And editable pop-up permissions.

But even if what these scaremongers are suggesting was true, the answer is simple - just don't host your websites in the EU.

There is one section I would read on page 79 - something I'd like to see around the world -

4. In any event, the practice of sending electronic mail for the purposes of direct
marketing which disguise or conceal the identity of the sender on whose behalf the
communication is made, which contravene Article 6 of Directive 2000/31/EC, which
do not have a valid address to which the recipient may send a request that such
communications cease or which encourage recipients to visit websites that
contravene that Article shall be prohibited.

Thump those deceptive spamming bastards

There is no legitimate reason for a person to deliberately mislead where they are sending their email from.

I am sorry Dave maybe I should have gotten off my high horse and posted more rationally.

No need to apologise at all. The EU bureaucrats' reputation for being incredibly pedantic is well established. I understand the concern. I come from a background where my industry here is being affected by the EU biocidal directive. Last I heard they are starting to get a bit more practical with things nowadays. Ultimately they've got a penchant for legislation that can be expensive to comply with, but not entirely ridiculous.

Cookies are illegal in EU

[Opinion] Cookies are illegal in EU

Comment

Comment

Comment

Comment

Comment

Comment