This patchwork approach across Europe has caused serious headaches for those conducting e-business in multiple EU countries. A compliance mechanism could be acceptable for one country, only to be slapped down (or worse, risk a fine) in another.
In an attempt to clear up some of the confusing and often contradictory views, the Article 29 Working Party, a body made up of the EU’s data protection regulators, released a new guidance note on 14th October 2013.
It recommends that all of the following elements should be included:
- Specific information should be provided in any cookie notice;
- Prior consent should be obtained before cookies are set;
- There should be an indication of wishes expressed by active behavior; and
- There should be an ability to choose freely.
The kicker here is the Working Group’s emphasis on the need for a user’s “positive action or other active behaviour”. In what sounds like the death knell for some existing techniques, the Working Party considers that an “immediately visible notice that cookies are being used or a notice that by further browsing on the website, the user agrees to the cookies being set”, although helpful, would be unlikely to constitute valid consent.
Those using cookies should, therefore: (1) not assume compliance because their site mirrors what other sites are doing (they may well be non-compliant); (2) note that the compliance goalposts are shifting again; and (3) urgently review their opt-in mechanisms and wording.