What do Estonia and Denmark have in common that sets them apart from the rest of Europe?
They're the only two of the 27 countries in the European Union that have complied with a directive on privacy that came into force on May 26. [The Register has the story.] The directive — a 2009 amendment to the broader directive on privacy — concerns cookies, those tiny bits of script that web servers can lodge on your computer in order to record your preferences, report back on your choices, or perform other relatively simple acts of communication between your machine and the mother ship that set the cookie.
The cookie law is paragraph 66 of Directive 2009/136/EC [PDF] and essentially mandates that computer users:
…be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible…
[See full content in pop-up]
The UK has formally announced that it is giving its citizens and businesses a year's grace before it passes a local law implementing the directive. Other countries have simply failed to take any steps towards implementation.
The concern seems to be the difficulty compliance would cause businesses that now set cookies and the desire not to harm commerce. It has been suggested that compliance may be most easily possible by getting the modification of browsers, taking the burden of the directive off business and putting on the technology. As well, it would seem that uses may be less likely to reject cookies if the warning and option are browser-based, rather than a part of a business's website.
Does such a "cookie warning" law seem like a good idea for Canada? Would it be sufficient if your browser asked for permission to set a cookie, or should the request come from the business itself? If a browser warning is okay, should you be able to turn off the warnings?