Public policy insight for your business

European Union approves new Web cookie directive

The European Union recently made strides to toughen regulations dealing with the storage and use of web cookies. By updating a directive aimed at online privacy, the European Council approved new requirements that websites obtain a users consent before placing a cookie on their computer.

While regulators have said that cookies are an essential function of many websites, there has been a growing concern surrounding privacy issues due to their ability to track user behavior. The Europe’s policy makers first approved a directive aimed a cookies in 2002 in passing the Directive on Privacy and Electronic Communications, also known as the e-Privacy Directive. The directive allowed the installation of cookies on condition that the user is provided with clear and comprehensive information about the how the cookie is processed and offered the right to refuse such processing. This requirement has most commonly been implemented through a section in the website privacy policy describing what information is collected through the cookie and how it will be used together with instructions or link to instructions as to how to delete and/or refuse cookies.

At the end of 2009, several amendments were added to the directive that changed how a website uses and stores cookies. First, a website must first obtain a users consent before placing cookies on their machine instead of simply offering an opt-out through a privacy policy. For those cookies used for website transactions, which were exempted from the previous rule, many must now comply. Finally, the directive now also applies cookies obtained from off-line materials.

The directive now moves to the EU’s Member States that must pass laws enforcing the directive by April 2011. While the opt-in directive is a significant policy change, the legislative history associated with the directive notes that browser settings are an acceptable means to gain consent. Still, the challenge moving forward is that language found in the legislative history is not a requirement for adoption by Member States. As a result, we'll likely see a varied interpretation across European countries. Several are likely to require websites to obtain express consent from a user while others will only require consent through browser settings. Further, countries will need to consider whether default browser settings are an acceptable means to comply with the law.


  • © Experian 2010. All rights reserved.