The law in detail
The relevant extracts from the law explained.
The EU Directive
In October 2009 the Council of the EU adopted a Directive amending the existing law on electronic privacy. A Directive is not itself directly applicable law; it obliges each member state to enact its own implementing law, and those national laws were due by May 2011.
The relevant portion of the directive is Article 5(3):
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
The same document continues with a slightly contradictory "recital". A recital sits in the preamble rather than in the operative articles and is not itself binding, but it provides context that regulators and courts use when interpreting the articles:
"(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities."
The sentence about browser settings appears to suggest that leaving cookies enabled in the browser (the default in nearly all of them) would be sufficient to comply.
The Internet and advertising industries quickly began citing Recital 66 as proof that a website can rely on browser settings to indicate consent to cookies. Privacy regulators disagreed, and subsequent events have discredited this interpretation.
EU Working Party clarification
The Article 29 Working Party is an advisory body made up of the national data protection regulators of the EU member states. It met to clarify the official EU position on this Directive.
In June 2010 it published its opinion in a 24-page document (Opinion 2/2010 on online behavioural advertising):
"It follows from the literal wording of Article 5.(3) that: i) consent must be obtained before the cookie is placed and/or information stored in the user's terminal equipment is collected, which is usually referred to as prior consent and ii) informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user."
Of importance to people looking for guidance on asking for consent:
"In this context, it is important to take into account that for consent to be valid whatever the circumstances in which it is given, it must be freely given, specific and constitute an informed indication of the data subject's wishes. Consent must be obtained before the personal data are collected, as a necessary measure to ensure that data subjects can fully appreciate that they are consenting and what they are consenting to. Furthermore, consent must be revocable."
They specifically discredited the idea that existing browser settings were sufficient:
"... generally speaking data subjects cannot be deemed to have consented simply because they acquired/used a browser or other application which by default enables the collection and processing of their information. Average data subjects are not aware of the tracking of their online behaviour, the purposes of the tracking, etc. They are not always aware of how to use browser settings to reject cookies, even if this is included in privacy policies. It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes."
They also acknowledged the impracticality of asking for consent every time a third-party cookie is read across multiple websites (e.g. the cookies that Google, Facebook etc. set on the many other websites that embed their content):
"The Article 29 Working Party is conscious of the current practical problems related to obtaining consent, particularly if consent is necessary every time a cookie is read for the purposes of delivering targeted advertising. To avoid this problem ... users' acceptance of a cookie could be understood to be valid not only for the sending of the cookie but also for subsequent collection of data arising from such a cookie. In other words, the consent obtained to place the cookie and use the information to send targeting advertising would cover subsequent 'readings' of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie."
This in itself suggests that the responsibility for obtaining consent for those cookies falls on the advertising provider, if only because it is the party in a position to ask. If so, the companies with the most to fear are those that embed their technology in others' websites (Google, Facebook, YouTube, and countless analytics and advertising companies).
Confusing clarification from EU
In November 2010, MEP Alexander Alvaro gave an interview in which he clarified the intent of the EU Directive.
He stated it does not require websites to obtain prior consent for cookies to be placed on users' computers, saying:
"The definition of consent as provided by the data protection directive is very clear. Any further details would rather complicate the matter in my opinion. European legislation should set the appropriate framework for its application at [the] national level."
He suggests that while ordinary browser settings may be sufficient for compliance, Flash cookies are not controlled by those settings and so may fall outside that reasoning:
"Therefore, since flash cookies cannot be as simply deleted as other third party cookies (whether by browser setting or manually) they circumvent the user's personal browser settings and therefore also circumvent the consent issue, i.e. article 5.3 of the e-Privacy Directive becomes applicable. The same goes for other devices, such as HTML5 techniques, Java API, Silverlight or similar technique."
He questions some of what the Working Party said:
"While the Article 29 WP worr[ies] that adapting the browser settings does not constitute informed consent by the user, I believe that it does precisely that. True, most browsers are set to accept all cookies by default. Nothing would prevent a relevant notice upon installation of the browser informing the user about this fact."
At this point it became increasingly difficult to know how the law would be interpreted, and all eyes were on the member states to clarify the situation in their own laws.
The UK law passes the buck
In September 2010 the UK government announced that it would copy the wording of the EU Directive word-for-word into UK law. In doing so it missed an opportunity to provide much sought-after clarification.
The Department for Business, Innovation and Skills (BIS) said:
"Given the fast-moving nature of the Internet, it would be very difficult to provide an exhaustive list of what uses are strictly necessary to deliver a particular online service and if we implemented in this way it would risk damaging innovation. We therefore propose to implement this provision by copying out the relevant wording of the Article, leaving ICO (or any future regulators) the flexibility to adjust to changes in usage and technology."
Essentially they passed the buck.
The ICO issues guidance
The Information Commissioner's Office (ICO) is the body responsible for enforcing the new law in the UK. Less than a month before the law came into effect, it issued guidance of its own.
They again clarified that browser settings are insufficient for consent:
"At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user's equipment that they have to gain consent some other way.
We are aware that the government is working with the major browser manufacturers to establish which browser level solutions will be available and when. For now, though, you will need to consider other methods of getting user consent."
They also clarified that the law covers all "similar technologies" to cookies:
"The Regulations also apply to similar technologies for storing information. This could include, for example, Locally Stored Objects (commonly referred to as "Flash Cookies")."
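Taken together, the Working Party opinion and the ICO guidance above translate into three implementation constraints for a website: nothing non-essential is stored on the user's device before consent, consent is specific to a stated purpose, and consent can be withdrawn with effect, for cookies and for "similar technologies" such as HTML5 storage alike. The following is an added example (not code from the original page or from any regulator) of a consent gate that enforces those constraints. It is backend-agnostic so it runs under Node without a browser; `CookieJar` and `LocalStore` are constructed in-memory stand-ins for `document.cookie` and `window.localStorage`, and the purpose names, keys and values in `scenario()` are assumptions made up for the illustration.

```javascript
'use strict';

// The Article 5(3) exception: storage that is strictly necessary to deliver
// the service the user asked for never requires consent. Every other purpose
// must be opted in to explicitly before anything is written.
const NECESSARY = 'necessary';

// Constructed stand-in for document.cookie (key/value only; attributes omitted).
class CookieJar {
  constructor() { this.map = new Map(); }
  set(key, value) { this.map.set(key, value); }
  get(key) { return this.map.get(key); }
  remove(key) { this.map.delete(key); }
  keys() { return [...this.map.keys()]; }
}
// Constructed stand-in for window.localStorage; same shape, separate namespace.
class LocalStore extends CookieJar {}

class ConsentGate {
  constructor(backends) {
    this.backends = backends;     // e.g. { cookie: jar, local: store }
    this.consented = new Set();   // purposes the user has opted in to
    this.index = new Map();       // "backend:key" -> purpose, used on revocation
  }
  grant(purposes) { for (const p of purposes) this.consented.add(p); }
  // Withdrawal has to do something: purge everything stored under that purpose.
  revoke(purposes) {
    for (const p of purposes) {
      this.consented.delete(p);
      for (const [entry, purpose] of [...this.index]) {
        if (purpose !== p) continue;
        const [backend, key] = entry.split(':', 2);
        this.backends[backend].remove(key);
        this.index.delete(entry);
      }
    }
  }
  allowed(purpose) { return purpose === NECESSARY || this.consented.has(purpose); }
  // Single choke point for all writes; returns false when consent is absent.
  write(backend, key, value, purpose) {
    if (!this.backends[backend]) throw new Error(`unknown backend ${backend}`);
    if (!this.allowed(purpose)) return false;
    this.backends[backend].set(key, value);
    this.index.set(`${backend}:${key}`, purpose);
    return true;
  }
  read(backend, key) { return this.backends[backend].get(key); }
}

// Walks through the lifecycle once and returns what happened at each stage.
function scenario() {
  const cookie = new CookieJar();
  const local = new LocalStore();
  const gate = new ConsentGate({ cookie, local });
  // Before consent: only the strictly necessary session cookie gets through.
  const before = {
    session: gate.write('cookie', 'sid', 'abc123', NECESSARY),
    analytics: gate.write('cookie', '_ga', 'GA1.2.1', 'analytics'),
    ads: gate.write('local', 'ad_profile', '{"seg":7}', 'advertising'),
  };
  gate.grant(['analytics', 'advertising']);
  const after = {
    analytics: gate.write('cookie', '_ga', 'GA1.2.1', 'analytics'),
    ads: gate.write('local', 'ad_profile', '{"seg":7}', 'advertising'),
  };
  // Withdrawing one purpose removes its data and leaves the rest untouched.
  gate.revoke(['advertising']);
  return {
    before,
    after,
    cookiesNow: cookie.keys().sort(),
    localNow: local.keys().sort(),
  };
}
```

The design point is the single `write` choke point: third-party tags and analytics snippets should be loaded through the same gate rather than allowed to set cookies directly, otherwise the consent record and what is actually on the device drift apart, which is exactly the situation the Working Party describes when it says inaction cannot be read as consent.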