European Union Caught With Its Hand In The Cookie Jar

    May 29, 2012
    Zach Walton
    Comments are off for this post.

Don’t you just hate cookies? Not the delicious sweets, but the kind that follow you around on the Web tracking your behavior. It seems that the European Union hates them too hence why the “Cookie Law” went into effect this week. The law requires any Web site targeting citizens in EU nation-states to ask for permission before installing cookies.

From that description alone, it sounds like a pretty good law. It’s on par with our own proposed legislation to install “Do Not Track” buttons on Web browsers that serve American citizens. Unfortunately, the word of the law and the implementation of said law are vastly different. The good news is that the cookie law does work as advertised. The bad news is that the EU thinks that it’s above the law.

ZDNet has found that Web sites run by the EU like the European Parliament and the European Commission are still installing cookies without asking for permission. It’s kind of hypocritical to impose a law and not follow it yourself, but there might be a loophole that the EU could exploit. The cookie law only applies to member states. It might be a frivolous distinction, but there is a difference between EU member states and EU institutions at large. Those installing cookies fall into the latter.

ZDNet argues, however, that a loophole might not work this time around. They spoke to Stewart Room, data protection expert, and he says that the EU is bound by the 2001 Data Protection Regulation. One could argue that the use of cookies could be tantamount to processing personal data which would put the EU in direct conflict of its own laws.

As mentioned previously, this smacks of the current debate over the “Do Not Track” button in the U.S. The idea is to give consumers an option to disable online tracking, which is often accomplished through cookies. We discussed in length on how such an option is good at face value, but does little to actually protect privacy.

It remains to be seen if general Web sites within the EU will comply with the law or just work around it. If the government’s approach is any indication, it seems that the EU will have a bill with a pretty face that does little to protect the privacy that it claims to hold dear.

For its part, an EU spokesperson seems to be ignorant to the governing body’s own sites still installing cookies without permission. The spokesperson offered to hear any proof that found the EU “not being transparent about cookies.” It’s a start, but we’ll have to see what the future holds. The law did just go into effect yesterday. We’ll keep you updated on both the cookie law and the “Do Not Track” button.

  • http://www.blog.web-media.co.uk Rob Willox

    The EU e-privacy directive actually came into law last year but in the UK it was deferred for 12 months to give site owners the opportunity to comply with the legislation: Can I have a cookie, please?.

    Since very little seems to have been done on any level and if the report above is correct it stirs up further confusion and highlights the short-sighted and overbearing imposition of this iniquitous law which will only confuse visitors and do very little in terms of aiding and improving privacy which is supposed to be the purpose of its introduction.

    To further confuse the issue, recent comments indicates that the ICO are likely to regard some 3rd party cookies eg analytics as less intrusive, although not exempt from enforcement, and will take a more lenient approach to their continued use: Enforcement of cookie consent law for analytics not a priority.

    Lastly, it only affects companies who operate from within the EU regarless of where their hosting is based so EU companies cannot simply host their sites in the US or elsewhere to opt-out. The corollary is that a non-EU company selling into the EU could have their sites hosted in EU but without any requirment to comply with the directive.

    How ridiculous is that!

  • matthew

    So where is the cooky ?