In the end of 2009 the European Parliament adopted the telecom reform package containing an amendment of the rules on the use of cookies. It is expected that these amendments will be transposed into Dutch legislation in April 2011. The amendments include an adaptaion of the regulation of cookies. The question is what the amended e-Privacy Directive will change in this respect. The new Article 5 (3) stipulates with respect to the installation of a cookie that the permission of the user is required, after he has been provided with clear and comprehensive information about, inter alia, the purposes of the processing.
Permission
Therefore, in order to install a cookie the user’s permission is required. It appears from the preamble pertaining to the amended directive that the permission by the user can also be given by means of the settings of the browser or a different application. Apparently, in the eyes of the Commission this also meets the requirements regarding permission that apply on the basis of the general Privacy Directive (95/46/EC). On the basis of this Directive there must in any case be a freely-given, specific and informed expression of will. In concrete terms this seems to mean that when the browser of the user is set in such a manner that the installation of a cookie is accepted, the requirement of permission has been met.
As a standard almost all browsers automatically accept cookies. Therefore, a user must actively change the settings in order to ensure that cookies are refused. Many users, however, are not aware of their browser settings or how they can be adjusted. Therefore the question is whether changing or not changing the settings of a browser can indeed be regarded as a freely-given and specific expression of will of a user. If the European legislator is of the view that this is the case, this may have far-reaching consequences for the interpretation of the concept of permission under the general privacy legislation. As a result, the requirement of permission would become an empty shell. It will mainly depend on the Dutch legislator who has to implement the amended Directive and who has to substantiate the concept of permission whether it will come to this.
Information
According to the second requirement, prior to the request for permission the user will have to be provided with certain information. This provision of information must be clear and comprehensive and must also take place in a user-friendly way as much as possible. It seems to be required to first show a pop-up or lead-in page during the first visit to a website in order to meet the requirement of information before obtaining permission via the browser settings. In practice this is a method that is not very practicable and extremely unfriendly to users.
The question is how websites can give substance to the requirement of permission and information in a user-friendly manner. It seems that the current practice must be adjusted and that informing the user about cookies via the privacy statement is not sufficient anymore. Time will have to tell how the new rules will be implemented in the Netherlands and how practice will subsequently deal with them.
All this does not alter the fact that cookies may violate the right to respect of the personal privacy of mostly unknowing users. It would show vision if the Dutch legislator would take this into account and propose a system in which the advantages of cookies may be maintained while the risks will be limited. It is obvious that in that case there should especially be looked at possibilities to prevent the link between the cookie and an identified user.
