Storing cookies on a user’s computer without permission to become illegal in Europe next week
The two-year-old “Revised E-Privacy Directive (2009/136/EC)”, which has been described as “unenforceable”, will become law from May 25.
Cookies perform a number of actions on the web: they can be used to authenticate a user when they log in to a website, customise their website experience, and may also be used to track some aspects of their activities on a site.
With a week to go before the directive becomes law, the British Information Commissioner has issued guidance on the issue. Yet even the ICO admits that it will be difficult to implement the legislation:
“You will need a user’s consent if you want to store a cookie on their device. The ICO recognises that cookies perform a number of legitimate functions. We also recognise that gaining consent will, in many cases, be a challenge.”
The aim of the law is to strengthen citizens’ digital privacy by preventing cookies, including tracking cookies such as Google Analytics and ad cookies, from being placed on their machines.
The hugely popular Irish-based website tracking company StatCounter described the importance of cookies in a blog post on the directive today: “The internet as we know it could not function without cookies.”
They went on to say, “If the Cookie Directive is interpreted literally, it appears that an internet user could be required to give consent each time a cookie is placed on that user’s computer (e.g. via some sort of pop up consent form that asks visitors if they agree to the installation of specific cookies).”
Writing in Wired Magazine, the UK Telegraph columnist Milo Yiannopoulos described the law as “laughable”, adding that cookies are a “core component of how today’s internet works.”
Tracking users has become a hot-button topic lately; the latest versions of major browsers such as Firefox and Internet Explorer have given users the option to opt out of allowing tracking cookies, although this option can be difficult to find. The UK has signalled that this opt-out option may be a sufficient method of implementing the law, although this may not be the case throughout the EU. It is important to note that these browser opt-outs do not apply to all cookies a website may store on a user’s computer.
This implementation of the directive comes as web security companies warn that 99% of devices running Google’s Android operating system leak user data through unencrypted cookies. This data could be hijacked and used to access users’ personal cloud information.
The Sociable has reached out to a number of relevant parties in Ireland to gain clarification on the Irish position. More when we get it.
You can read the Revised E-Privacy Directive (2009/136/EC) here or in the file below.