New EU telecoms framework mandates user consent before getting cookies

The heads of state and high ministers of Europe's 27 member nations are now putting the finishing touches on a sweeping new telecommunications regulatory framework, some of whose provisions would go into effect as soon as the first quarter of next year. One of the provisions that appears likely to be approved without much debate would prohibit any Internet service from saving anything whatsoever to individual users' systems without their prior consent. And if they don't give consent, Web sites will just need to find a way to deal with it.

Although Europe's member states would be charged with enforcing this framework, technically there appears to be nothing that would prohibit any of them from taking action against non-conforming Web sites outside of their own borders -- even outside of Europe -- on the grounds that they publish to European readers.

"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses)," reads the October 22 draft of the regulatory framework (PDF available here). "It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible."

The exceptions that the new framework would allow include when a Web site must store something on the client side, when the user has specifically requested a service where that storage is necessary. But simply typing in the URL of that service may not constitute a request or an authorization for that storage; the site may still have to put up some type of notice. The framework also makes it feasible for Web browsers to effectively communicate a kind of "all cookies allowed" state to Web sites on behalf of their users, so that consent may be presumed if that's what the user permits. That would let users bypass a kind of "Vista UAC" scenario where they're prompted for permission to continue every 30 seconds.

But it might also become a security concern, as users who would enable browsers to say, "Go ahead and send me everything," and then filter absolutely nothing that's incoming, may open themselves up to more than they were expecting.

In the meantime, the entire Web may have to start functioning like User Account Control in order for sites to comply with this new directive, especially if it becomes law in a matter of months, in the opinion of Pinsent Masons technology law attorney Struan Robertson. In a post for his firm's Out-Law.com blog on Monday, Robertson wrote, "There has been almost no fuss about this little law, despite the harm it could do to advertising, the lifeblood of online publishing. It also threatens to irritate all Web users by appearing at every new destination like an over-zealous security guard."

Robertson was also among the first to point out that the entire Web analytics business -- how sites like Betanews counts their users -- depends on the cookie mechanism, which may no longer function in the background. "So almost every site that carries advertising should be seeking its visitors' consent to the serving of cookies," he wrote. "It also catches sites that count visitors -- so if your site uses Google Analytics or WebTrends, you're caught."