The Dutch cookie conundrum
This week, the new Dutch cookie law came into force, leading to confusion and chagrin among website owners. The cookie law is controversial, as it requires website owners to get consent from the user before placing cookies, which can be quite burdensome.
The cookie law is part of the Dutch implementation of the European telecoms reform package (more specifically Directive 2009/136/EC). Article 5(3) of this directive states that publishers must obtain the consent of the user for placing cookies on their computer. The main goal of this article is to protect user privacy. Cookies allow website owners to track the surfing behaviour of users across the Internet, which may threaten their privacy. By forcing website owners to actively inform users and get their consent, users will become more aware that their surfing behaviour may be tracked and have more control over their data.
While this idea is sound in theory, the way in which it is now codified gives rise to a lot of (practical) issues. The problem with the law is that it is not sufficiently clear what constitutes a valid consent. Should consent be explicit for instance, or can it also be inferred from the actions of the user, or a lack of actions (implied consent)? Because it is unclear what constitutes a valid consent, it is likely that many website owners will opt for the ‘safest’ option: a pop-up with an explicit opt-in requirement. Not just for the tracking cookies, but also for those cookies that pose little to no threat to user privacy (such as basic website analytics). The result is that the user will have to wade through a sea of annoying pop-up screens, a problem noted by reseachers from our faculty as early as 2010 (pdf in Dutch).
However, this issue did not deter Dutch politicians. Instead of trying to make the Dutch implementation more clear and effective, they decided to make the law even more strict and complex. A coalition led by PvdA, PVV and D66 sponsored an amendment which added the notion to the law that cookies are ‘presumed to be personal data’, triggering the applicability of the Data Protection Act, thereby creating an even more unfriendly regulatory climate for website owners.
So what we might end up with is a law that is unfriendly to both users and website owners. This wouldn’t be so bad if it would lead to a significant privacy gain for consumers, but I fear it will not. Consumers will likely suffer from ‘pop-up fatigue’ within a few months, and website owners need to devote precious resources on cookie law compliance, rather than using them to address actual privacy issues.
Ironically, the main sponsors of the bill (D66, PvdA and PVV) fail to comply with the law on their own websites at the time of writing this post. Perhaps it was not so important for the privacy of the Dutch citizens after all…