New EU Cookie Guidance: Crumbs of comfort or confusion?


As many who have struggled to find a clear way to comply will know, an important change to the EU E-Privacy Directive (implemented by many EU states late 2011/2012) meant that, in summary, websites which target/monitor/profile Europeans have been obliged to seek consent to use cookies via an opt in mechanism. However, given each member state was left to its own devices to implement this change at a national level and given some fierce lobbying by business to try to avoid strict “I agree” mechanisms, this has meant that a range of approaches have been taken to what precisely constitutes opt in consent, with some regulators (e.g. the Dutch) taking a more literal interpretation of the Directive, whilst others (e.g. the English) taking a much more liberal approach.

This patchwork approach across Europe has caused serious headaches for those conducting e-business in multiple EU countries., A compliance mechanism could be acceptable for one country, only to be slapped down (or worse, risk a fine) in another.

In an attempt to clear up some of the confusing and often contradictory views, the Article 29 Working Party, a body made up of the EU’s data protection regulators, released a new guidance note on 14th October 2013.

It recommends that all of the following elements should be included:

  1. Specific information should be provided in any cookie notice;
  2. Prior consent should be obtained before cookies are set;
  3. There should be an indication of wishes expressed by active behavior; and
  4. There should be an ability to choose freely.

The kicker here is the Working Group’s emphasis on the need for a user’s”positive action or other active behaviour“. In what sounds like the death knell for some existing techniques, the Working Party considers that an “immediately visible notice that cookies are being used or a notice that by further browsing on the website, the user agrees to the cookies being set“, although helpful, would be unlikely to constitute valid consent.

Those using cookies should, therefore: (1) not assume compliance because your site mirrors what other sites are doing (they may well be non-compliant) (2) note the compliance goalposts are shifting again and (3) urgently review their opt-in mechanisms and wording.