The Article 29 Working Party is an advisory group to the
European Commission on issues of Privacy and Data Protection, so
they would have had a lot of input into the Cookie Directive while
it was being written up.
Therefore, when they come out with an 'opinion' on one of the
most imortant aspects of the law - the definition of consent, it is
worth paying attention.
If you really want to read the full text of their opinion, which
was officially adopted on 13 July 2011, you can find it
here in PDF form. However, be warned that it runs to 38
For those who don't want to wade through all that very
legalistic language, we have done and are happy to announce we
think it can be boiled down to a few key points.
Firstly, in order for consent to be meaningful, it must be based
on accurate information being supplied as to what it being
Secondly, consent needs to be given before any action for which
it is being sought can start.
And thirdly, that consent can only be signified by taking some
In the context of the cookie law it means that website visitors
need to be given information about what is being done with the data
in the cookies, and that they will have to take action to agree to
that, before any cookies can be set or retrieved by the site.
This is much clearer guidance than we have previously
seen. Notably the open letter from the
DCMS in the UK back in May that seemed to suggest that consent
could be acquired after cookie processing had begun - which this
new opinion directly contradicts.
It also has significant implications for the so-called browser
based approach to consent. The requirement for consent to be
signified by a positive action in response to specific information,
makes a browser based approach impossible without significant new
browser functionality, and then forcing all web users in the EU to
download a new version.
If anyone thinks that is going to happen in less than a year -
they are dreaming.
Firstly, browsers would have by default to be set to refuse all
cookies, until the user opts to change the settings.
Secondly, the information that browsers supply to users about
cookies can in no way be considered specific enough for a use to
give informed consent.
This is not entirely the browser's fault - the cookies
themselves carry no information about what they do or who collects
There is also the issue of liability. It is the
responsibility of the website owner to ensure that cookies are not
used without consent. Which would mean that a browser would
have to actively send a message to the website that consent had
been recieved, before it could act.
A lack of such a message could not signify consent - so the
website has to de facto assume there has been none - and would
therefore need to seek it from the visitor using its own methods,
becuase it could not rely on the browser not storing them.
We'd love to hear your opinions on this but we believe this all
means that web based permission scripts, of the sort we have
developed, are the only viable solution in the short term, and may
be the only safe one for website owners for many years to come.