The European Data Protection Supervisor (EDPS) is of the opinion that web browser should have the standard setting not to accept third party cookies. This follows from an opinion in which the EDPS advised the European Commission on the new privacy regulations regarding cookies.
The revised e-Privacy Directive stipulates with respect to the installation of a cookie that the permission of the user is required, after he has been provided with clear and comprehensive information about, inter alia, the purposes of the processing.
In practice websites seem to follow the idea that when the browser of the user is set in such a manner that the installation of a cookie is accepted, the requirement of permission has been met.
The EDPS acknowledges the problem that as a standard almost all browsers automatically accept cookies. Therefore, a user must actively change the settings in order to ensure that cookies are refused. Many users, however, are not aware of their browser settings or how they can be adjusted, and unintentionally accept the use of cookies for per example behavioural advertising.
The EDPS therefore urges for measures requiring an adjustment of the standard settings of browsers:
“A way to mitigate the above problem would be if browsers would be provided with by default privacy settings. In other words, if they would be provided with the setting of ‘not acceptance of third party cookies’. To complement this and to make it more effective, the browsers should require users to go through a privacy wizard when they first install or update the browser.“
The question remains whether this is an effective way to give substance to the requirement of permission and information in a user-friendly manner. In this context it is especially interesting that the proposal of the EDPS creates obligations for the supplier of the browser in stead of the website who is placing the cookie and possibly infringes the privacy of the user.
Furthermore, the offered solution by the EDPS does not deal with cookies and related technologies which can not be regulated through browser settings, like flash cookies. Also in these cases there should be looked at ways to protect the privacy of users.