With a cookie, it is possible to recognize and track visitors. This enables behavioral or targeted advertising, a useful mechanism but challenging from a privacy perspective. Currently, an opt-out regime applies to cookies: visitors must be informed and they can refuse to receive cookies. A European legislative proposal aims to change this by introducing an opt-in regime, requiring consent before (tracking) cookies may be installed.
Particularly in the Netherlands, a heated debate is underway regarding the cookie law. The first Dutch legislative proposal referred to “unambiguous consent,” which caused considerable uproar. With such wording, only a dialogue box stating “This cookie tracks your browsing behavior. Do you want to install it?” would actually comply with the law. It should be clear that this will not work and is not desired by anyone.
The current legislative proposal sticks to “consent”, noting that this consent can be given via browser settings. This therefore offers possibilities, as the DDMA points out:
According to the Personal Data Protection Act, consent can also be expressed through behavior. In other words, through browser settings. Provided that a web visitor is well informed.
The real sting, however, lies in those browser settings. The minister has already said
In a situation where the end user is properly informed on the website regarding the cookies offered on the website, a browser set by default not to place cookies unless the user has indicated in the browser to accept cookies for the specific website could be used to grant consent. … It should be noted that most current browsers are currently not suitable for granting consent.
So we are back to square one: if the browser says “no” by default, the user must be asked for “yes” every time. And how you are going to implement that in a user-friendly way is a very difficult question.
The DDMA further describes the model being promoted by the industry at the European level. By linking every behavior-based advertisement to a central opt-out page (with a universal icon) and clearly informing people, users can easily choose what they value. This proposal appears to have been positively received by the European Commission. Emerce has already discovered the opt-out site that will also be used for the Netherlands.
However, there is a major drawback to this model: it is once again based on opt-out. Legally, therefore, it remains questionable whether this will be deemed legal if the bill is passed in its unchanged form. We would not know how one could comply with a law requiring opt-in by offering an opt-out. We are certainly sympathetic to the opt-out mechanism, to be sure, but a (European) legislative amendment does seem necessary.
The bill is now on the agenda of the House of Representatives. So hopefully, we will get more clarity soon.