Consent will be required for cookies in Europe

New complications on the horizon for technology firms in Europe. As posted on November 13, 2009 by Patricio Robles of econsultancy.com, new legislation in the EU will restrict the use of cookies. It reads:

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities. [Emphasis added]

As Robles argues, “this essentially requires that users be notified every time a cookie is to be placed on their machine unless that cookie "is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested". The big question, of course, is how you define "strictly necessary". Whatever isn't "strictly necessary" would require that the user somehow be informed that a cookie is going to be placed on his machine, and essentially consent to having it placed. From online advertising to the implementation of personalization functionality, this directive has the potential to wreak havoc.”
Struan Robertson, editor of OUT-LAW.COM and a technology attorney with the UK law firm Pinsent Masons, explains that the current law – a provision of the Privacy and Electronic Communications Directive – says that sites using cookies must give visitors "clear and comprehensive information" about the purpose of the cookies. It also says that a site must offer visitors "the right to refuse" the use of cookies. There is an exception for cookies that are "strictly necessary" to provide a service "explicitly requested" by the user. Consequently, no cookie notices are required to serve a cookie that helps a shopper get from a product page to a checkout; but notices are required for cookies that are used in traffic analysis or advertising. When the original law was passed in 2002, the main question was how and when these notices must be given. What does a "right to refuse" require of a website? The UK's data protection regulator took the view that a notice in an easy-to-find privacy policy will suffice. That approach, it seems, prevailed across the EU and, to our knowledge, there has never been any action against cookie transgressors.
 

Robertson continues, “This interpretation of a "right to refuse" is shared by almost every other site, including OUT-LAW.COM. It's a fudge. It's a lazy but convenient interpretation of a law that in plain English appears to expect more. But it’s a fudge that was endorsed by our Information Commissioner's Office (ICO), because it was deemed harmless and because the alternative was deemed unworkable. Few people were keen to see consent screens for the advertising cookies that make it possible for newspapers to offer their content without charge (at least for now). So the ICO's guidance (19-page PDF) put pragmatism before pedantry and web businesses across the UK breathed a big sigh of relief. The new law will be harder to fudge. The words "right to refuse" are removed. Instead, sites can deliver cookies to a user's computer only if the user "has given his/her consent, having been provided with clear and comprehensive information" unless, as now, the cookie is "strictly necessary" for a service "explicitly requested".”
Robertson relates a comment by an EU insider, who describes the new law as merely a clarification of the old one. He didn't wish to comment on whether the law was commercially viable or not – he would say only what he thought it meant. He acknowledged that regulators might interpret the new law in the same way as the old one.
That’s not good enough. I agree with Robles and Robertson that this new law is nonsense. Laws that do not make commercial success and cannot be enforced should never be passed. Their existence only undermines any moral authority of the legislating body. But we already know that about the EU and its intrusiveness into business.