Europe's Cookie-Cutting Plan

Will European Web users need to “opt in” for every Web cookie?

Mar 15, 2011

Cookies have long been an integral part of the Web. But in Europe, at least, the future of cookies has been thrown into doubt thanks to an impending piece of legislation that will seek to regulate their use. 

Web cookies are small strings of data containing information like your login credentials or the contents of your shopping cart. Websites upload this data to your browser. Cookies are also the core component behind advertising systems that use behavioral targeting—a method to provide more personalized, and therefore more profitable, ads. Visit a travel website, for example, and a tracking cookie planted by an advertising network will register your interest in a trip overseas. Later, when visiting other websites that are part of the same ad network, the information in that cookie will be used to serve you advertisements for vacations.

On May 25, a new European Union directive on the use of cookies will come into force. The directive (actually an amendment to the Privacy and Electronic Communications Directive of 2002) asks European Union member states to come up with legislation that ensures that Web users give their consent for websites to use cookies that store their private information.

The directive actually applies to only one specific type of cookie: those used by advertising systems to record the sites you visit. But millions of sites use such methods—since the more targeted the ad, the more likely you are to click, and the more you click, the greater their income. The approach increasingly underpins the Web economy, but European officials are concerned that the rapid increase in advertising networks has not been matched by an increase in the information given to users about how they are tracked online. Websites such as SelectOut reveal how many services are tracking you.

European companies won’t be the only ones that will have to comply, either: businesses headquartered in the U.S. but with European offices will also be subject to the rules. Potentially, so will any company that interacts with customers inside the E.U.—at least under one very broad interpretation of the guidance.

But precisely how users will be asked to give consent is still up for grabs. While some envision the nightmare scenario—an endless stream of pop-up boxes asking for a user’s permission to store the most minuscule piece of information—experts suggest that there may be a wide number of ways to reduce the pain for users. “Clearly, if you direct someone to a landing page asking for their permission every time, it will not work—everyone is looking for the least intrusive method possible,” says Phil Lee, a senior associate specializing in Internet privacy issues at the London-based law firm Field Fisher Waterhouse.

Some sites may believe they can hide information about their tracking services deep in the small print on a website, enabling them to argue that failing to refuse consent is the same as granting it. However, Lee says, this is often the current method of disclosure—and something the directive is explicitly designed to change. “Simply burying stuff in the terms and conditions or privacy policy will no longer be enough,” he says.

In fact, some national governments are examining whether better in-browser tools may circumvent the need for individual sites to ask permission altogether. This approach chimes with moves already being made in the browser industry; Google and Mozilla have taken some steps to let users opt out of certain tracking systems in Chrome and Firefox, and have indicated that they may be willing to go even further.

“The Web is evolving quickly in how information about people is collected, used, and shared online,” wrote Mozilla’s global privacy leader, Alex Fowler, last month. “We believe it’s crucial to put people in control of their personal Web interactions and experiences.”

This solution has some international backing. Last year, the U.S. Federal Trade Commission said it supported the idea of “do not track” services that make it easier for Web users to stay private, which led to the efforts from Google and Mozilla. And while consumers may not understand the technical details, they seem to support the idea of greater control: a 2009 study by the University of Pennsylvania and the Berkeley Center for Law and Technology found that 66 percent of U.S. adults did not want their private online information tracked.

But some within the European Internet industry are far from pleased. “This is the sort of crap that makes me want to move my business to the U.S.,” says Nick Halstead, chief executive of the U.K.-based Internet company Mediasift. Halstead has been one of the directive’s most vocal critics. “The U.K. tech Web industry will suffer massively if this goes through,” he says.

The question of implementation has yet to be tackled, however. European directives are not laws in and of themselves. They’re merely recommendations intended to harmonize national laws across the continent. They specify an “end state”—but how that state is achieved in law is up to each of the 27 national governments. Signs so far are that these national laws won’t be in place this year, and even when they are, the laws are likely to be sympathetic to the needs of online businesses in those countries.

In a consultation paper by the British government, for example, E.U. officials suggested that “it is important that this provision is not implemented in a way which would damage the experience of U.K. Web users or place a burden on U.K. or E.U. companies that use the Web.”

European politicians will be particularly keen not to encourage unscrupulous actors to simply find new ways to circumvent the law. With its Panopticlick project, the Electronic Frontier Foundation, a digital rights advocacy group, has already shown that a great deal of personally identifying data can be collected without cookies. Meanwhile, systems that mimic the tracking cookie without actually using the same process have also been demonstrated, such as so-called “evercookies,” written in JavaScript, or via code hidden inside Flash files. 

But Lee of Field Fisher Waterhouse points out that these methods would also be subject to the European rules. “The directive isn’t just about cookies; it’s about keeping any sort of tracking data. I don’t think industry can operate on the assumption that they have a right to own users’ data.”

Whatever solution does arrive, regulators will need to make sure that asking for consent doesn’t hamper the experience of using the Web—or cost companies so much that they try alternative techniques instead.

“There is a cost to regulatory compliance,” says Arvind Narayanan, a postdoctoral researcher at Stanford University who researches online privacy. “The smaller the number of entities affected by a law or regulation, the more likely it is that companies will fall in line—and the less the negative impact on innovation.”