ICO calls on EU to amend 'cookie law'

The Information Commissioner's Office (ICO) has urged the EU to consider amending its so-called "cookie law", which requires website owners to obtain users' consent before placing cookies on their devices.

The ICO made the case in its submission to the European Commission's consultation on changes to the Privacy and Electronic Communications Directive, also known as the E-Privacy Directive.

"Requiring consent for the processing of personal data has not delivered the expected protection for individuals because some personal data must be processed in order for the consent mechanism to operate," argued the ICO.

"In our view, the rules should also seek to achieve a proportionate balance between the legitimate interests of information society services and the privacy rights of individuals. There is a case for an exemption or an alternative basis for processing other than consent, particularly in cases where the privacy impact on the individual is minimal."

The consultation over the E-Privacy Directive, which is now more than a decade old but was amended in 2009, is intended to further update it in order to better complement the GDPR, which will become law across the EU in 2018. Both are part of the Digital Single Market Strategy for Europe, which is designed to provide a level playing field for online services across the EU.

The consultation appears to indicate that the European Commission is planning to tighten e-privacy laws with mandates requiring "privacy by default" settings on "terminal equipment" - a suggestion which the ICO cautioned may have unintended consequences, especially in terms of hampering the development of internet services that the Digital Single Market is supposed to aid.

"The definition of terminal equipment would need to be carefully defined as it could include connected cars, IoT devices and legacy equipment. Consideration also needs to be given as to whether all these devices are capable of delivering privacy choices," argued the ICO.

"The impact on small start-up companies would need to be carefully considered to avoid a disproportionate detrimental impact on innovation. Again, in our view, any rules in this area should seek to achieve a proportionate balance between the legitimate interests of businesses and the privacy rights of individuals, and not impose onerous and disruptive requirements in cases where privacy impact is minimal."

The consultation also indicates that the European Commission is considering compelling website operators to make available their content, even if users reject cookies - a measure that the ICO also opposes.