Prior consent is required, according to the privacy watchdogs. However, consent can be given to advertising networks covering thousands of websites and need not be given to every individual site, the regulators said.
Cookies are small files that websites send to web browsers to tag visitors. They form the basis of behavioural advertising systems which attempt to tailor adverts to particular demographic groups.
Last year the EU's Privacy and Electronic Communications Directive was changed to demand that storing and accessing information on users' computers was only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".
An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though, and the law must be implemented in member states by May 2011.
While advertisers' trade bodies claimed that advertising behaviour need not change, some internet law experts, including Struan Robertson of Pinsent Masons, the law firm behind OUT-LAW.COM, said that website publishers would more likely have to ask visitors' permission before using cookies.
The Article 29 Working Party is a committee made up of the data protection regulators from the EU's 27 member states and it has just published its opinion (24-page / 202KB PDF) on what this new law means.
Advertisers had argued that because browser software can block cookies, any user who does not block cookies is effectively giving consent.
The Working Party rejected that view.
"Consent must be obtained before the cookie is placed and/or information stored in the user's terminal equipment is collected, which is usually referred to as prior consent," said the guidance. "Informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user."
The Working Party did not go as far as to say that every single website needs to ask every single visitor to accept cookies, though. It said that because the cookies are used by advertising networks – which provide ads to many sites – then consent can be given to a network and cover all the sites that network serves.
"Users' acceptance of a cookie could be understood to be valid not only for the sending of the cookie but also for subsequent collection of data arising from such a cookie," said the report. "In other words, the consent obtained to place the cookie and use the information to send targeting advertising would cover subsequent 'readings' of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie."
The Working Party said that this consent should expire after a year, and that each ad network should request consent again every 12 months. It also said that the consent could be withdrawn at any time.
Advertisers have rejected the Working Party's definition and claim that it is anti-business and unrealistic.
"The Directive currently does not require an opt-in for cookies. In practice such a requirement would mean that users would have to confirm every single cookie placed on their PCs, leading to a permanent disruption of their Internet experience," said a statement released by the Internet Advertising Bureau Europe, the European Publishers Council and other advertising and publishers' trade bodies.
"The industry believes this is a gross misinterpretation of the intention of the Directive and a misrepresentation of the type of data typically collected and processed for the purposes of serving interest-based advertising to consumers on our websites," said the statement. "The ePrivacy Directive acknowledged that the controls in modern web browsers give users full and granular control over cookies."
Struan Robertson said, though, that while the new law passed last year was regrettable in terms of the effect on the commercial interests of publishers, it likely means what the Working Party says it means and not what the ad and publisher trade bodies claim.
"The new law is a shambles, in my view. It's ambiguous and potentially contradictory and I would also argue that it's unhelpful not just to businesses but also to consumers," he said. "The IAB had said that publishers and advertisers could rely on browser settings to indicate consent to cookies. The Working Party says you can't. We expected that. It isn't surprising because while the IAB's interpretation of the EU law was commercially attractive, its legal basis was somewhat weak and vulnerable to challenge."
Robertson said that the Working Party's interpretation of the law is more business-friendly than might have been expected because it demands that web users are asked for cookie permissions less frequently than might have been the case. But he said that, though an accurate interpretation of the law, it would still cause problems for business.
"The Working Party is basically saying websites have to ask their visitors a question while the IAB is saying they don't. That's a massive difference," he said. "Advertisers and publishers would rather not ask that question if they can avoid it because the answers could damage their businesses. The trouble is that the Working Party's interpretation of the law is, in purely legal terms, the most compelling interpretation, however flawed and unhelpful that law may be."
The Working Party's report also said that behavioural advertising should be labelled as such. Consumer regulator the Office of Fair Trading reported last month after an investigation into behavioural advertising. It said that behavioural ads should be labelled, and the IAB told OUT-LAW.COM that it is working on a pan-European labelling scheme.