e-Communications directive: MEPs vote on cookie compromise
Published: 11 Jun 2002 16:02 BST
The outcome of the vote is something of a mixed bag for online businesses: the draconian restrictions on cookies originally proposed have been tempered, but companies will still need to adapt to new constraints on the way they collect web users' data and use e-mail and SMS to target customers. The new legislation will be formally adopted at EU level over the next few months, and should be implemented by Member States by the end of 2003.
Summary
In brief, the implications of Thursday's vote are as follows:
Cookies: website operators will need to provide users with "clear and comprehensive information" about devices such as cookies used to collect their data, including the purpose of any processing, and must give users the opportunity to reject them. Earlier proposals that this information must be given "in advance" have been dropped, but it remains unclear at what point, and exactly how, businesses are expected to make this information available to users.
"Soft opt-in" for spam: an EU-wide "opt-in" approach is to be adopted, meaning that businesses will only be permitted to send marketing e-mails and SMS messages to individuals who have previously consented to the use of their details in this way. Existing customers may be targeted, provided certain conditions are met, although there is still some uncertainty about the precise scope of this carve-out.
Data retention: telcos and ISPs could be required to retain traffic and billing data for fixed periods for national security and law enforcement purposes under national legislation, but only where such measures are "necessary, appropriate and proportionate" and consistent with Community legislation, including human rights law.
The key issues in more detail
The new Directive is designed to give a technology-neutral face-lift to the existing telecoms data protection regime. Although it was not intended to create major changes of substance, many aspects of the wide-ranging proposal have proved controversial.
Cookies: in its controversial vote last November, the European Parliament had originally voted to make the use of cookies subject to users' prior consent. One suggestion was that, effectively, this would have meant site users being greeted with pop-up boxes, as a means of giving the requisite consent or of being given the requisite information "in advance" (the approach favoured by the European Council), every time they clicked on a site. The compromise now reached by the different EU institutions, though far from ideal from a business perspective, represents a less disruptive and more commercially workable solution. The use of cookies is permitted, provided users are given "clear and comprehensive" information, inter alia, about the purposes of the processing, and are given the right to refuse such processing. Arguably, this merely confirms the existing UK legal position under the Data Protection Act 1998, which already requires data controllers to inform people about the purposes for which their details are to be processed, unless this is obvious from the context.







