Monday, February 1, 2010

The new rules for cookies in Europe

Despite some inaccurate press, the revised text of the ePrivacy directive does not require an opt-in for cookies. However, the text of the revised directive may be misunderstood especially if the preamble of the new directive is not transposed into national law. So national governments need to take great care when implementing the new law, in order not to jeopardise the development of the Internet and the information society.

In its Article 5(3), the ePrivacy directive outlines strong safeguards to protect users from unwanted software such as adware, junk, or even viruses and spyware, requiring software vendors to seek their consent.

For cookies, the EU legislation's preamble specifically says that the control settings in a browser are sufficient to comply with the consent requirement. Even for cookies that cannot be controlled by browsers – for example, Silverlight and Flash cookies – the new law also recognises that the settings of specific control panels satisfy the consent requirement.

The directive’s new preamble contributes to legal certainty by clarifying that websites can rely on browser controls and similar applications to define the acceptance of cookies. This was not clear under the current law.

Member States will have 18 months to transpose the new ePrivacy directive into national law (i.e. until April 2011). It's important they take great care so as to avoid misinterpretations that would create new barriers to the EU's internal market, confuse consumers, and ultimately put Europe at a competitive disadvantage.

So now, if a user configures his or her browser to accept only cookies from certain websites, or automatically delete cookies when closing a browser, these settings will be sufficient as expressing the wish of the user. Websites technologically rely on browsers and other applications for cookie management. The current directive had a blind spot in this regard as it did not explicitly recognise cookie control tools as a way to comply with the law. The new directive clarifies this, but it's important that implementation into national laws follows the letter and spirit of this goal.


Álvaro Del Hoyo said...

Guess the point is not consent, but previous information, but in any case is a good point.
Consent should not be express in many cases.
These days I have been involved in a debate whether consent for video surveillance image treatment is only possible if system implementation and operation is provided by private security companies. Omnibus law has declared that any data controllet could implement and operate them. Previously Agencia Española de Protección de Datos said that there was no chance to understand that if someone see video surveillance adverts and goes into monitored premises there was no chance to understand that action as that person was agree to be recorded. Now, after Omnibus law, our watchdog is sayin that this is changing nothing...they say that consent is being granted by law in both cases -systems implemented and operated by `private security companies, and systems implemented and operated by companies owning premises.
Treatments based on cookies are allowed by people cause they have previously set web browsers. Consent is coming from a particular action, and there is no need to wait for a law giving consent to this kind of treatment.
And good luck these days

Álvaro Del Hoyo said...


From the Directive preamble "Where it is technically possible and effective"

From your post "Even for cookies that cannot be controlled by browsers – for example, Silverlight and Flash cookies – the new law also recognises that the settings of specific control panels satisfy the consent requirement"

It will be possible only in case web browsers evolve, PETs are developed to manage this other kind of cookies, but while web browsers or other applications are not able to manage some kind of cookies,consent for treatments based on these cookies will come only if adequate information is provided beforehand.

Are you agreee?

Un saludo