What you need to know about the EU Cookie Law

For the last couple of years, European officials have been trying to implement a new online privacy directive that they say is intended to give ordinary web users greater control over their data — but many companies believe is deliberately designed to make their lives difficult.
Whether they’re outraged, scrabbling in terror, or simply hoping it goes away, it’s the privacy rule that European startups can’t ignore. But what exactly is the so-called “cookie directive”?
As the rules finally come into force in the U.K., we take a look at the details.

What is it?

Let’s start by giving the rule its proper name: it’s EU Directive 2009/136/EC (PDF), known as the E-Privacy Directive. The broad legislation was first passed into European law two years ago, essentially forming a series of amendments to federal rules regarding electronic communications and data privacy.
Specifically, there is one section of that directive — Article 5(3) — that applies to the use of data storage by websites. And for the most part, that boils down to cookies.

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information… about the purposes of the processing.

Forget the legalese, here’s the bottom line: under the rules, which cover the whole of the European Union, websites must ask visitors for their consent before they can install most cookies.
Unsurprisingly, it’s a little bit more complicated than that.
First, this rule — championed by European Commissioner Neelie Kroes — doesn’t actually apply to cookies alone — it still counts if you use HTML5 local storage, for example. But the reality is that because cookies are so widespread, they have become central to the way the rule is being interpreted.
Second, it doesn’t ban cookies — it just requires users’ consent before they can be installed (which can, in some cases, be given through browser settings).
And third, not all cookies are subject to the rules. Data that’s considered necessary for the basic functioning of the website — the session cookies used for tracking a basket of goods up to the checkout, for example — doesn’t require consent, because consent is implied by the simple fact that the user is trying to use the site in the first place.

What’s the point?

The idea is to give users more control over who knows what about them, and how it’s used. As part of a wider directive, it’s an attempt to harmonize laws across European member states around things like data retention and privacy.
And lawmakers have good reason to think that website tracking is an important issue: a recent study by Truste said that the typical British web page uses 14 different tools to track user behavior — usually without their knowledge.

Why is it being brought in now?

The directive was first passed in 2009, and the wheels of European regulation spin very, very slowly. Many countries have struggled to make the federal rule mesh with their own local implementation and privacy laws. By the time the original deadline for adoption arrived in 2011, only Denmark and Estonia had enacted national laws that were deemed compliant.
Just over a year ago, faced with mass non-compliance, the U.K. took the unique decision to defer adoption for one year — though whether it had the authority to do so is disputed.
In any case, that year is up.

Where does it apply?

The rule is already theoretically in force across Europe, but the truth is that it’s a complete patchwork. It comes into force in the U.K. on May 26, 2012.

Who does it affect?

Pretty much everybody based in Europe who runs a web-based business is subject to the directive. Anyone headquartered or with offices in Europe is subject to the law, or will eventually be. And unlike some online regulation, it doesn’t matter where your servers are based, but where your business is directed.
Typical services that will definitely fall under the rules include website analytics, advertising — particularly third-party advertising — or recommendations. Essentially anything that is not completely intrinsic to the functioning of the site.

And how is it meant to be implemented?

The most common approach seems to be a check box that users are presented with when they first visit a site:
Here’s the BBC’s approach. It’s fairly typical.
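As an added illustration (not from the article, and not the BBC’s actual implementation), the following JavaScript shows the logic that sits behind such a consent box: writes to storage classed as strictly necessary (the checkout-basket session cookie mentioned above) go through regardless, anything else is refused until the visitor opts in, and withdrawing consent clears what was already stored. The backing store is an in-memory Map standing in for document.cookie or HTML5 local storage so it runs outside a browser; the cookie names and the "essential" category are assumptions made for the example.

```javascript
// Added example, not code from the article or from any site it mentions.
// A consent gate that separates "strictly necessary" storage (allowed
// without consent, e.g. the basket/session cookie) from everything else,
// which is only written once the visitor has ticked the consent box.
// The backing Map stands in for document.cookie / localStorage; the names
// in ESSENTIAL are assumptions chosen for this illustration.

const ESSENTIAL = new Set(["session_id", "basket", "cookie_consent"]);

class ConsentGatedStorage {
  constructor(backing = new Map()) {
    this.store = backing;
    // The consent record itself is treated as necessary: without it the
    // site cannot remember the visitor's choice across page loads.
    this.consented = backing.get("cookie_consent") === "granted";
    this.blocked = []; // names refused for lack of consent (audit trail)
  }

  isEssential(name) {
    return ESSENTIAL.has(name);
  }

  // Store a cookie / local-storage entry. Returns true if written, false
  // if refused because it is non-essential and no consent has been given.
  set(name, value) {
    if (!this.isEssential(name) && !this.consented) {
      this.blocked.push(name);
      return false;
    }
    this.store.set(name, value);
    return true;
  }

  get(name) {
    return this.store.has(name) ? this.store.get(name) : null;
  }

  // Called when the visitor accepts (e.g. ticks the consent check box).
  grantConsent() {
    this.consented = true;
    this.store.set("cookie_consent", "granted");
  }

  // Withdrawal: refuse further non-essential writes and purge the
  // non-essential entries that were stored while consent was in force.
  revokeConsent() {
    this.consented = false;
    this.store.set("cookie_consent", "denied");
    for (const name of [...this.store.keys()]) {
      if (!this.isEssential(name)) this.store.delete(name);
    }
  }
}

// Walks through a visitor session: before consent, after consent, and
// after withdrawal. Returns the observed outcomes so they can be checked.
function demo() {
  const s = new ConsentGatedStorage();
  const results = {
    basketBeforeConsent: s.set("basket", "item-42"),        // essential: allowed
    analyticsBeforeConsent: s.set("_ga_visitor", "abc123"), // tracking: refused
  };
  s.grantConsent();
  results.analyticsAfterConsent = s.set("_ga_visitor", "abc123"); // now allowed
  s.revokeConsent();
  results.analyticsAfterRevoke = s.get("_ga_visitor"); // purged -> null
  results.basketAfterRevoke = s.get("basket");         // essential survives
  results.blocked = s.blocked;                         // ["_ga_visitor"]
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of keeping `blocked` is that a site can verify its own gate: any non-essential name that shows up there before consent is a write the page attempted that the rule would not permit, which is exactly what an audit of a consent banner needs to see.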

But that’s what has so many startups up in arms, since they believe this step will lose them valuable traffic, dissuade users, lose them money and — potentially — hand power over to American startups that aren’t subject to the same regulations.