EU to finally tidy up cookie rules

Wednesday, 24 October, 2018

Back in 2009 the European Union bowed to pressure and amended its 2002 ePrivacy Directive. This required companies to obtain our consent for storage or access to data, which included the use of cookies.

And it was this well-intentioned directive that has led to the constant daily bind of giving consent to cookies we are forced to endure on every website we ever visit. What’s colloquially known as cookie fatigue.

Quickly dubbed the Cookie Law, the directive has faced criticism since its inception. The accusations have been that it is ineffective, a disadvantage and a burden to those who adhere to it and almost impossible to enforce.

But the EU is now set to replace the directive with an ePrivacy Regulation. The major difference will be that as a regulation it becomes legally binding across all member states. While a directive can be interpreted by individual countries as to how it is enforced according to their national laws.

The new regulation will also address the cookie consent forms. At present we have little idea how these cookies work or what we are actually agreeing to.

It is generally unknown that many websites place cookies in a user’s browser when they visit, at the same time they are asking for your consent. It assumes you will consent. And even if you don’t click on I consent, the website will consider this an implied consent.

The new regulations mean that companies will now no longer be able to do this. They must first gain consent and then place the cookies. Secondly, under the new regulations it will not be enough for websites to simply notify that cookies are in use and asking for consent. In future websites will need to communicate what information the cookies contain and what consent is actually given for.

Furthermore, consent must be requested and freely given ‘as a positive and unambiguous action.’ This means websites can’t just instruct users to accept the cookies and then simply move on.

Alongside these changes, the new regulations will require web browsers incorporate settings that will allow users to more easily manage cookies. This means responsibility for storage and retrieval of cookies is shifted onto web browser developers.

The regulations do refer to users being able to set their cookie preferences upon installation of the browser, but it is unclear exactly how this will work and whether they will eventually replace the current banner system.

So far, the debate still rages on. Some have proposed that the browser provision be completely removed from the regulations. Others wonder if the regulations do really address cookie fatigue. While some have wondered how the new provisions will work alongside the GDPR.

Image: Brett Jordan

Tim Bamford author picture


Tim is a veteran freelance journalist writing extensively on internet news and cybersecurity.