EU shifts stance on cookies

The Committee on Citizens' Freedoms and Rights, Justice and Home Affairs said Thursday that people should not be warned before a Web site installs a cookie on their hard drive. The issue is being considered as part of the committee's scrutiny of the draft European electronic data collection and privacy directive.

This policy would put the committee at odds with the European Council, which believes Web users should be told first.

"As regards the use of 'cookies,' the committee concurred with the council position that users should have the right to refuse the installation of cookies, but it felt that it would suffice to guarantee users the possibility of accessing clear information on the purposes of cookies, thus rejecting the council's view that users should receive this information in advance," said the committee in a statement following a meeting Thursday.

Cookies are small pieces of code used mainly by commercial Web sites to track Internet users. They are downloaded to a person's hard disk by the browser and used to recognize and authenticate individuals when they return to a Web site so they don't have to log in every time. Some, such as those involved with an online purchase, only last for a short amount of time, but others can last much longer--potentially creating a record of someone's surfing activities over several years.

Web browsing software can be configured so that it warns someone when a site tries to install a cookie, and it can even be set to automatically reject the code. However, there are concerns that less technically adept people will not consider using such settings.

The European Parliament is expected to ratify the draft directive in May. A compromise may have to be reached, though, between those who believe people should be told before a cookie is installed and those who believe individuals should pro-actively find out what the cookies on their system are doing.

Last November, the parliament adopted an amendment to the draft electronic data collection and privacy directive to restrict the use of cookies. If implemented, this amendment would have forced Web sites to ask people if they wanted to accept a cookie.

This amendment was opposed by organizations such as the Interactive Advertising Bureau, which said it would cost businesses millions of dollars and hamper Web users by forcing them to enter passwords and reset personal preferences whenever they visited a site.

Following this lobbying, an "opt-out" policy was proposed.

But in March, the European Council agreed to amend the text of the draft directive so that sites would be required to give information about cookies "in advance."

The council represents the national governments of the European Union's member states; the European Parliament is the directly elected watchdog over the union's governing bodies.

The United Kingdom's Office of the Information Commissioner takes a different line. It believes that computer users should be given the option of accepting or rejecting a cookie because some can be used to build up a profile of a person.

"We're not saying that all cookies are bad or that all cookies raise privacy issues," said David Smith, assistant information commissioner at the agency. "But when a cookie is used to build up an online profile, then it is processing personal data, and as such it is covered by the Data Protection Act."

The Information Commissioner's office supports an opt-in policy. Once the European Union issues the data-protection directive, the British government will have to bring it into U.K. law, which means it's still possible for Britain to embrace an opt-in approach.

"Once a policy is adopted at the European level, we must implement it. But it's possible that the U.K. could decide to introduce a more privacy-friendly approach. It very much depends how the directive is phrased," said Smith, explaining that the directive might give individual nations the flexibility to choose an opt-in or an opt-out policy.

Graeme Wearden reported from London.