User Consent to be Required for Internet Cookies in Europe by the EU Revised ePrivacy Directive : Website & Blog Ads & Counters Implicated

A new EU law passed as part of the revised ePrivacy Directive of the European Union will require user consent for Internet cookies in Europe. Only some formalities remain in the way of this becoming the law in force in Europe.

The possible implications are enormous for the advertising industry and for any website and blog that uses any kind of affiliate service that uses cookies or counters of any kind – that is just about everyone.

One can only hope that future clarifying government laws and regulations of Member States put a sensible face on this law and permit broad scale browser-based opt-ins and opt-outs for certain types of cookies without being bombarded by consent requests from nearly every Internet web page or blog visited by the user. The conception that “counts” of visitors somehow “invade privacy” is a ludicrous concept and it is hoped that this is excluded from the “consent” category.

The EDPS (European Data Protection Supervisor) issued the following Press Release on November 9, 2009:

ePrivacy Directive close to enactment: improvements on security breach, cookies and enforcement, and more to come

Following last week’s agreement on the EU telecoms reform, nothing stands in the way for the ePrivacy Directive to enter into force. The formalities required for formal adoption will be undertaken in the coming weeks. The revised ePrivacy Directive (*), as amended by the European Parliament and adopted by the Council must be implemented by the Member States within 18 months.

The new provisions will bring vital improvements in the protection of the privacy and personal data of all Europeans active in the online environment. The improvements relate to security breaches, spyware, cookies, spam, and enforcement of rules. The EDPS cooperated closely with the European Parliament, the Council and the European Commission on the legislative work leading to the final text (**).

Peter Hustinx, EDPS, says: “I welcome the many improvements in the protection of privacy in the revised ePrivacy Directive. But it is now crucially important to broaden the scope of the security breach provisions to all sectors and further define the procedures for notification. Also, the new rules must be effectively enforced. I note in particular the emphasis on more effective enforcement of the rules on spyware and cookies. This has special relevance where privacy rights must be protected in relation to so called targeted advertising.

The changes introduced include:

  • for the first time in the EU, a framework for mandatory notification of personal data breaches. Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them. Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation. The notification will include recommended measures to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;

  • reinforced protection against interception of users’ communications through the use of – for example – spyware and cookies stored on a user’s computer or other device. Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;

  • the possibility for any person negatively affected by spam, including ISPs, to bring effective legal proceedings against spammers;

  • substantially strengthened enforcement powers for national data protection authorities. They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

(*) Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

(**) EDPS first (pdf) and second (pdf) opinions on the ePrivacy Directive review [LawPundit comment: the pdf links were not active]

For more information, please contact the EDPS Press Service at:

EDPS – The European guardian of personal data protection

Read reports about this development at: (Pinsent Masons) – Hat tip! – Consent will be required for cookies in Europe – where Struan Robertson, editor of, writes in an editorial:

EDITORIAL: A law that demands consent to internet cookies has been approved and will be in force across the EU within 18 months. It is so breathtakingly stupid that the normally law-abiding business may be tempted to bend the rules to breaking point.

The fate of Europe’s cookie law became improbably entwined with a debate over file-sharing. To cut a long story short, it broke free. On 26th October, it was voted through by the Council of the EU. It cannot be stopped and awaits only the rubber-stamp formalities of signature and publication.…” more….

ComputerWeekly.comEC gets tough on spammers, data breachers and snoopers, where Ian Grant writes:

The directive provides for the mandatory notification of personal data breaches for the first time in the EU. Any communications provider or ISP who is involved in a breach of individuals’ personal data must inform them if the breach is likely to hurt them. This included events where the loss could result in identity theft, fraud, humiliation or damage to reputation….

The directive also reinforced protection against interception of users’ communications through spyware and cookies on a user’s computer or other device….

The directive will also make it easier for consumers to take spammers to court, including those in other countries.more….

Marisa Taylor of Digits at Wall Street Journal WSJ Blogs writes in Europe Approves New Cookie Law:

[O]nce the law goes into effect, users must provide consent to cookies being stored on their computers, meaning that they could be bombarded with annoying pop-ups or pages asking for permission. The new legislation does offer an exception for when a cookie is “strictly necessary” — for example, if a user is shopping online, a cookie can go from a product page to the checkout page without the need for consent. The law could have broad repercussions for online ads. “Almost every site that carries advertising should be seeking its visitors’ consent to the serving of cookies,” wrote Struan Robertson, a lawyer specializing in technology at Pinsent Masons and editor of “It also catches sites that count visitors — so if your site uses Google Analytics or WebTrends, you’re caught.”” [emphasis added by LawPundit] read more …

Winter Casey, reporter at headlines his article European Union Says It’s Up To Users If They Want A Lot Of Cookies and writes;

The European Union’s independent supervisory authority devoted to protecting personal data and privacy said Monday that member states will soon be required to implement new privacy rules including requirements that users be offered easier ways to control whether they want cookies stored on their computer equipment.

See also – EDPS supports revised European ePrivacy Directive

ITBusinessEdge.comEU Green Lights ePrivacy Directive