Therefore, in order to install a cookie the user’s permission is required. It appears from the preamble pertaining to the amended directive that the permission by the user can also be given by means of the settings of the browser or a different application. Apparently, in the eyes of the Commission this also meets the requirements regarding permission that apply on the basis of the general Privacy Directive (95/46/EC). On the basis of this Directive there must in any case be a freely-given, specific and informed expression of will. In concrete terms this seems to mean that when the browser of the user is set in such a manner that the installation of a cookie is accepted, the requirement of permission has been met.
As a standard almost all browsers automatically accept cookies. Therefore, a user must actively change the settings in order to ensure that cookies are refused. Many users, however, are not aware of their browser settings or how they can be adjusted. Therefore the question is whether changing or not changing the settings of a browser can indeed be regarded as a freely-given and specific expression of will of a user. If the European legislator is of the view that this is the case, this may have far-reaching consequences for the interpretation of the concept of permission under the general privacy legislation. As a result, the requirement of permission would become an empty shell. It will mainly depend on the Dutch legislator who has to implement the amended Directive and who has to substantiate the concept of permission whether it will come to this.
According to the second requirement, prior to the request for permission the user will have to be provided with certain information. This provision of information must be clear and comprehensive and must also take place in a user-friendly way as much as possible. It seems to be required to first show a pop-up or lead-in page during the first visit to a website in order to meet the requirement of information before obtaining permission via the browser settings. In practice this is a method that is not very practicable and extremely unfriendly to users.
The question is how websites can give substance to the requirement of permission and information in a user-friendly manner. It seems that the current practice must be adjusted and that informing the user about cookies via the privacy statement is not sufficient anymore. Time will have to tell how the new rules will be implemented in the Netherlands and how practice will subsequently deal with them.
All this does not alter the fact that cookies may violate the right to respect of the personal privacy of mostly unknowing users. It would show vision if the Dutch legislator would take this into account and propose a system in which the advantages of cookies may be maintained while the risks will be limited. It is obvious that in that case there should especially be looked at possibilities to prevent the link between the cookie and an identified user.