Banning cookies in support of privacy
Not the oatmeal variety found on the supermarket shelf, but the computer-related kind stored on your processor. The latter consist of small files that contain a unique ID tag, placed on your computer automatically by a website when visited. Contemporaneously, the website keeps a matching ID tag for your recognition in the future. In these files, data is stored from pages visited including information voluntarily given to the site.
When the site is eventually revisited, the site recognises you by matching the cookie on your computer with the counterpart in its database. Computer cookies may be temporary, stored only in your browser’s memory and deleted as soon as browsing ends, or permanent, stored on the hard drive of your computer.
Most cookies are good as they are used for legitimate purposes, such as storing account information. Others however, may be used to track visits on different websites to know a person’s browsing habits or purchase history in order to personalise advertising directed to such person.
Albeit inherently harmless to the computer, cookies may jeopardise the privacy of browsers. This arises due to the fact that cookies track web activity and store information, which is silently gathered and transferred without notification to the web user.
In view of this, the EU thought fit to adopt the “Cookie Law” in support of privacy and protection of personal data of all Europeans active in the online world.
The changes introduced by the EU Cookie Directive are in line with the role of the European Union as guardian of personal data protection, pioneering in privacy in the field of electronic communications. It considers paramount the importance of involving directly web users when engaging in any activity that could result in storage or gaining of access to their data.
For this purpose, the adopted legislation requires web users to give their consent to websites using tracking cookies. Consumers therefore would be required to give their permission to the installation of cookies, thus prohibiting the automatic storage of data without seeking the prior consent of the data subject and giving users more control over who can or cannot access their browsing habits.
An exception exists where the cookie is “strictly necessary” for the provision of a service “explicitly requested” by the user. So cookies can take a user from a product page to a checkout without the need for consent; other cookies will require prior consent.
Under the new law users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment.
The Cookie Law forms part of an EU Directive. This means that it is not directly applicable, but needs to be transposed into national law. The member states of the EU had been requested to transpose the directive into their national laws by May 25, 2011, by which date however, only Denmark and Estonia had notified measures to implement the whole package of telecom reforms including the Cookie Law.
At this point, the EU may consider infringement proceedings against a large swathe of the European Union.
Dr Grech is an associate with Guido de Marco & Associates and heads its European law division.