Out-Law News

Commission advice on cookies is ambiguous, data protection watchdog says


The European Commission has not clearly told businesses how to comply with EU cookie laws, according to the data protection watchdog for EU institutions.

Cookies are small text files that websites store on users' computers and that contain information about those users' online activity. Amendments to the EU's Privacy and Electronic Communications Directive force website owners to obtain users' consent to cookies in order to track their behaviour.

Peter Hustinx, the European Data Protection Supervisor (EDPS), said EU Commissioner Neelie Kroes had offered inconsistent advice to website owners on how they should obtain users' consent to cookies.

Last month Kroes said European companies had a year to create a uniform way for web users to opt out of being tracked by cookies. She said the Commission would take action if industry did not standardise opt outs in that time.

Kroes said she supported efforts made by the advertising industry to inform internet users about cookie tracking.

Publishers and advertising networks use cookies to track user behaviour on websites in order to target adverts to individuals based on that behaviour.

Adverts that track users' behaviour will display an icon if businesses sign up to voluntary regulations that were set out by advertising associations in April. If users click on the icon they are taken to a website that will enable them to switch off behavioural adverts delivered by companies that use the icon.

Hustinx said the self-regulation methods did not comply with the requirements of the Directive and criticised Kroes' support for 'do not track' measures that allow users to request websites not to monitor their activity.

"These [advertising] associations have in fact failed to implement the new consent requirement," Hustinx said in a speech (8-page / 41KB PDF) at Edinburgh University.

"At the same time, she expressed support for a US-driven ‘do not track’ initiative that – although valuable – also seems to fall short of the ... Directive requirements. Unfortunately, this also raises doubts on the position of the European Commission on this subject," Hustinx said.

Hustinx said he wanted the Commission to "ensure" that the Directive requirements were "fully respected".

"Systematic tracking and tracing of consumer behaviour online is a highly intrusive practice and now rightly subject to more stringent requirements," Hustinx said in his speech.

"Although initiatives for increased transparency and consumer control in the online environment are most welcome, this should not result in a limitation of consumer rights. The Commission should avoid any ambiguity as to its determination in making sure that these rights are delivered in the European Union," Hustinx said.

Hustinx said that internet users needed more "transparency, fairness and control" over privacy settings in web browsers in order to set their own preferences. This should be combined with a policy whereby everyone's settings are originally set to reject third party cookies until the user decides otherwise, Hustinx said.

"The fact that the European Data Protection Supervisor and EU Commissioner are at odds on the 'do not track' initiative only serves to further muddy the waters for European organisations with an online presence," said Claire McCracken, a technology law specialist at Pinsent Masons, the law firm behind OUT-LAW.COM. "What organisations need before action is taken in May 2012 is a definitive technological 'fix' that ensures compliance with the new cookie laws and in particular the 'opt-in' requirement."

In 2009 the EU's Privacy and Electronic Communications Directive was changed to demand that storing and accessing information on users' computers was only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

The Directive had to be added into national laws by 25 May, but only five EU countries, including the UK, have introduced measures to implement it, the European Commission said last month.

Previously the laws said that users can only be tracked if they are given the opportunity to opt out of the tracking. The new laws have divided business groups and privacy watchdogs on how user consent can be obtained in practice.

In the UK new regulations implementing the Directive have been introduced that require websites to obtain "informed consent" to tracking from users.

The UK's privacy watchdog, the Information Commissioner's Office (ICO), issued guidance on how online businesses can meet the new requirements. It suggested websites use 'pop-ups' that ask users directly whether they give tracking consent, but has also said companies could obtain users' agreement by specifying the right to track behaviour in website terms and conditions.

The ICO detailed a number of other features and settings options some websites could use to obtain consent but said it hoped web browsers would develop enhanced settings that would detail whether users consented to being tracked. The Government has announced it is working with Microsoft, Mozilla, Google and other browser makers to help develop this technical solution.

The ICO recently said it was giving UK websites a year to address their use of cookies and introduce appropriate technical solutions that detail users' consent preferences.

