From May 25th 2011, an EU-wide privacy directive will come into effect. If implemented in Ireland, this law would make the use of third party cookies on a website without the prior consent of the user illegal. A cookie is a piece of software that websites use to track user behaviour. A third party cookie is a cookie that is placed on your machine by a domain other than the one you are visiting. Google Analytics is a good example of the use of third party cookies.
The EU directive, which is available here, requires that website users be informed what information is being stored by the cookie and be asked to give their consent before the cookie is set.
The problem is that many Internet users do not know or understand what cookies are. Given the option of whether to allow cookies, and fearing the unknown, many people will opt not to allow the cookie. Google has always stated that the use of Google Analytics ‘requires that all websites that use it must update their privacy policy to include a notice that fully discloses the use of Analytics.’ However, many websites that use Google Analytics don’t even have a privacy policy, and the Google Analytics Opt-out Add-on for browsers is not widely known. This new directive could mean that this tool becomes a lot more popular.
There is also the issue of how best to ask for cookie consent. How will designers make the request obvious and meet the requirements of the law without turning users off? Will a cookie consent box become the norm on all websites operating out of the EU? If the website is hosted on a server outside of the EU, would this law still apply to that site? These are all questions that remain unanswered.
Although this directive has been public knowledge for quite some time and has been reported on in various technology news sites, there does not seem to be any sense of urgency or worry over how this could affect the Internet industry in the EU.
Some reports claim that the terminology of the directive is so vague that it could be a non-issue. Specifically, the text “Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application” could be used to argue that prior consent is not needed if the user’s browser is set to allow cookies. However, if the browser accepts cookies by default, can this really be seen as giving consent, given that many people don’t know how to change the cookie settings in their browser?
It is up to each European country to decide how it will implement the directive in law and what recommendations it will make to website owners that currently use third party cookies on their websites. As yet there has been no announcement from Ireland’s new government on how it will handle this.
My guess is that even if it is applied to Irish law, big Internet players like Google will find a way around the law, by changing the third party cookies used for Analytics and AdSense into first party cookies. Don’t ask me how they will do this. I’m sure Google will find a way. Thoughts?