19 December 2003

Mark O'Conor

New Law on Cookies

Any website which uses cookies will have to comply with a new European Union Directive which was supposed to be implemented by 31 October 2003. This special IT Law Bulletin looks at how Member States in which Bird & Bird is based have implemented or are going about implementing the Directive into their national law and what you will have to do to comply with the Directive’s provisions on cookies.

What is a cookie?

A cookie is a small piece of text, a name and a value together with a few attributes, which a website's server sends to the user's browser. The browser stores it and sends it back with every later request to that site, which allows the server to recognise the same user when s/he returns, or browses from page to page. The attributes set by the server specify which domain and path the cookie is returned to and how long it is kept (its lifetime); the value is usually an opaque identifier rather than the information itself, and may also record details such as the time the cookie was placed. Cookies are primarily used to allow websites to be customised, because the server can tell that it is the same user returning to it.
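The exchange just described, as an added example in Python that is not part of the original bulletin: a server mints an opaque identifier and issues it in a Set-Cookie header with a lifetime and domain, a minimal model of the browser returns it on later requests to that domain (and withholds it from other domains or from plain HTTP when the cookie is marked Secure), and the server then maps the returned value back to whatever it has recorded against it. The host name, cookie name, lifetime and the in-memory profile store are assumptions for illustration. The example also shows the point made later for Belgium: the cookie value on its own identifies a browser, and becomes personal data only once the server links it to other records such as a registration.

```python
"""Added example (not from the original bulletin): the cookie round trip
between server and browser, and the server-side linking that turns an
opaque cookie value into personal data.  Every name, host and the
PROFILES store below are constructed for illustration."""
import secrets
from http import cookies

# Constructed server-side store: cookie value -> what the site knows about it.
PROFILES = {}


def issue_cookie(name="sid", max_age=30 * 24 * 3600, domain="www.example.com"):
    """Server side: mint a random token and build the Set-Cookie header.

    The token itself carries no information about the user; it is only a
    key into PROFILES.  Returns (token, header_line)."""
    token = secrets.token_hex(16)
    jar = cookies.SimpleCookie()
    jar[name] = token
    jar[name]["domain"] = domain       # which site the browser returns it to
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age     # lifetime in seconds (assumed: 30 days)
    jar[name]["httponly"] = True       # not readable by scripts in the page
    jar[name]["secure"] = True         # only sent over HTTPS
    PROFILES[token] = {}               # nothing known about this browser yet
    return token, jar.output(header="Set-Cookie:")


def browser_request_header(set_cookie_header, request_host, https=True):
    """Client side: a minimal model of what the browser does with the line.

    It stores the cookie and, on a later request to a host matching the
    Domain attribute, sends it back as a Cookie header.  Returns None when
    the domain does not match or the Secure flag forbids sending it."""
    raw = set_cookie_header.split(":", 1)[1].strip()
    jar = cookies.SimpleCookie()
    jar.load(raw)
    sent = []
    for name, morsel in jar.items():
        dom = morsel["domain"].lstrip(".")
        if request_host != dom and not request_host.endswith("." + dom):
            continue
        if morsel["secure"] and not https:
            continue
        sent.append(f"{name}={morsel.value}")
    return "Cookie: " + "; ".join(sent) if sent else None


def link_profile(token, **fields):
    """Server side: a registration form, purchase or similar attaches data
    to the token.  From here on the cookie value identifies a person."""
    PROFILES.setdefault(token, {}).update(fields)
    return PROFILES[token]


def identify(cookie_header, name="sid"):
    """Server side on the next request: map the returned value back to the
    profile held for it (None if no such cookie was sent)."""
    jar = cookies.SimpleCookie()
    jar.load(cookie_header.split(":", 1)[1].strip())
    if name not in jar:
        return None
    return PROFILES.get(jar[name].value)


if __name__ == "__main__":
    token, set_cookie = issue_cookie()
    print(set_cookie)
    request = browser_request_header(set_cookie, "www.example.com")
    print(request)                          # Cookie: sid=<token>
    print(identify(request))                # {}  -> a browser, not a person
    link_profile(token, email="alice@example.com")   # constructed registration
    print(identify(request))                # {'email': ...} -> now personal data
    print(browser_request_header(set_cookie, "other.example.net"))  # None
```

The browser model is deliberately reduced to the two rules that matter for the legal discussion, the Domain match and the Secure flag; a real browser also applies Path, expiry and third-party rules, but the round trip and the server-side linking step are the same.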

What is SPAM?

This is the practice of blindly posting commercial messages or advertisements to a large number of unrelated and uninterested newsgroups, and bulk e-mailing unsolicited commercial messages.

EC’s Directive on Privacy and Electronic Communications (2002/58/EC) (the “Directive”)

In July 2002, the Directive was adopted and was due to be implemented by Member States by 31 October 2003. The Directive replaced the Telecommunications Data Protection Directive (97/66/EC) and, amongst other things, added specific new rules and controls (in article 5(3)) over the storing of and access to information on a user's terminal equipment, which covers the use of cookies as described above.

United Kingdom

The UK has implemented the Directive by way of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “Regulations”), which also replace the existing Telecommunications (Data Protection and Privacy) Regulations. The Regulations came into force on 11 December 2003.

The Regulations state that organisations are not allowed to use cookies unless the subscriber or user of the relevant terminal equipment is provided with clear and comprehensive information about the purposes for which the cookie is used and is given the opportunity to refuse the cookie (Regulations 6(1) and (2)).

In the DTI’s paper, The Implementation of the Directive on Privacy and Electronic Communications, Government’s Response to Consultation, 18 September 2003, the DTI made it clear that it wanted to be as un-prescriptive as possible about the ways in which organisations comply with the information and rejection provisions. For example, one possibility mentioned in the DTI’s consultation document that preceded the Regulations was that organisations could include information in their cookie policies explaining how users could configure their browsers so as to reject cookies (some versions of Internet Explorer, for example, allow the user to reject cookies).

There was a certain degree of controversy as to whether or not the information requirements would require organisations to use pop-up boxes to alert users that a cookie was going to be placed. This suggestion arose out of the Common Position adopted by the European Council on 28 January 2002, which stated that subscribers and users must receive information “in advance” about cookies. The direct marketing industry lobbied extensively against this – on the grounds that this would be extremely disruptive for users. The final text of the legislation omits this requirement as does the Directive. Existing guidance from the Office of the Information Commissioner on this issue (Website: Frequently Asked Questions, 26 June 2001, FAQ 6) is therefore still valid. This is that data controllers could either provide the cookie statement via a pop-up box or in the website’s privacy statement, provided this contained some clear notice that tracking technology would be used. In line with general data protection requirements, any privacy policy must be drawn to users’ attention before personal data are collected.

There are some exceptions and limitations to the information and rejection provisions, namely:-

(1) if an organisation wishes to use a cookie whenever an individual visits its site, it must provide the visitor with the information and opportunity to reject a cookie only on the initial visit;

(2) there is no need to provide either the information or the opportunity to reject a cookie where use of a cookie or similar technology is (a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or (b) strictly necessary for the provision of an information society service requested by the subscriber or user.

In relation to SPAM, the Regulations only apply to unsolicited commercial communications sent to individual subscribers. Consideration has been given to extending the provisions to corporate entities and this area is being kept under DTI review.

Prior to the Regulations, the Data Protection Acts of 1984 and 1998 required organisations to provide for recipients to opt out of marketing or promotional campaigns by e-mail.

The Regulations introduce a new opt-in regime, which requires organisations to get the recipient’s consent before carrying out such campaigns. This rule applies to much B2B (business to business) marketing. It is also retrospective and applies to existing databases of e-mail contacts.

There is a limited exception to this new regime, referred to as the “Soft opt-in” which allows unsolicited emails to individual subscribers where:

i) there has been a sale or negotiation with the individual;

ii) the direct marketing is to be carried out by the same legal person who obtained the original details;

iii) the direct marketing relates to similar products and services; and

iv) the individual was offered an opt-out when the details were originally obtained (as organisations were required to do under the Data Protection Acts of 1984 and 1998).

In particular this will heavily impact and restrict the practice of using contacts lists to cross-market broader ranges of products and services.

The Information Commissioner’s guidance addresses the impact of the Regulations on legacy data and advises that the Commissioner will be “pragmatic” in this area. Organisations that have collected legacy data fairly (usually by offering an opt-out) and which have used the marketing lists recently can continue to market similar goods and services without needing to get new opt-in consent.

Copies of the Commissioner’s guidance are available from the Information Commissioner’s website under Guidance/Compliance Advice.

France

The provisions of the Directive concerning cookies are the subject of the draft law on the protection of individuals with regard to personal data processing. That draft law also implements the Data Protection Directive (95/46/EC) of 24 October 1995 and modifies the law of 6 January 1978 concerning computer systems, files and freedoms. The rest of the Directive will be implemented in France through the law on “confidence in the digital economy” (confiance dans l'économie numérique), which will soon be adopted.

The draft law was adopted by the Assemblée Nationale at the first reading on 30 January 2002 and was submitted to the Senate on 1 April 2003, which amended the draft. In line with the French legislative process, the further draft, as amended by the Senate, will be re-submitted at the beginning of 2004 to the Assemblée Nationale for final adoption.

The new article 32 of the law of 6 January 1978, as amended by the Senate, states that the data controller must clearly and comprehensively inform every person using electronic communications networks of (i) the purpose of the storage of information or the access to information stored in its terminal equipment; and (ii) the means by which users may refuse such storage or access.

It is then specified that these provisions do not apply where the storage or access has the exclusive purpose of facilitating the transmission of a communication over an electronic communications network, or is strictly necessary in order to provide an information society service explicitly requested by the user.

The provisions of the draft law are, therefore, very close to the provisions of the Directive.

Note that in the previous version, as adopted by the Assemblée nationale on 30 January 2002, the new article 32 prohibited organisations from making acceptance of a cookie part of their terms and conditions of use. In addition, failure to provide sufficient information was punishable by a five-year prison sentence and a €300,000 fine. These two points have, however, been withdrawn in the last version adopted by the Senate on 1 April 2003.

Under the current law, the French data protection authority (the CNIL) has, on several occasions, stated its position concerning the use of cookies by an Internet service provider with regard to the French data protection regulation, which is similar to the provisions of article 5.3 of the Directive. In order to comply with the current French data protection regulation, the CNIL recommends that Internet service providers using cookies should inform Internet users that they are doing so and give them the ability to opt out. The information obligation set out in the Directive for service providers that use cookies is therefore, in substance, already required by the CNIL.

Germany

The Directive has not yet been implemented in Germany. In November 2001 an expert opinion by Roßnagel/Pfitzmann/Garstka proposed the modernisation of German data protection law in one single codification. It is, however, presumed that the German legislator will not follow this recommendation. Instead the legislator is likely to codify three different Acts, the most important of which are a modification of the Telecommunications Act (TKG) and the codification of a new act, named the “Tele Media Data Protection Act” (TMDSG). Currently, the Federal Legislator is in discussions with the regions (Länder), which will have to assign legislative competences for this purpose. A first draft of the TMDSG is expected to be published at the end of this year.

The TMDSG shall unify the data protection provisions in two different Acts. This will be done by replacing the “Tele Services Data Protection Act” (TDDSG) and incorporating the data protection provisions of the “Media Services Treaty” (MDStV).

Due to the discussions currently taking place, the provisions of the TMDSG that will apply to cookies are not yet sufficiently advanced to allow forecasts on the future legal framework.

However, as the TMDSG will replace the TDDSG it is likely that the legislator will generally adopt its structure. With regard to the use of cookies, this decision would make sense because the Directive does not differ significantly from the current German regime, which contains the following rules:

  • Generally, following the prevailing opinion, cookies are lawful under the “Opt-out” regime of Sect. 6 para. 3 TDDSG. According to this clause, the provider may compile pseudonym-based user profiles for purposes of advertising, marketing research, and structuring of the tele-services provided the user does not raise objections. This diverges from Art. 5 para. 3 of the Directive only in so far as the opt-out lawfulness is restricted by the pseudonym-based information.

  • However, the provider shall inform the user on his right to opt-out according to Sect. 6 para. 3 sent. 2 TDDSG. Besides this, in case of “automated processes that allow the identification of the user” (cookies), the user must be informed about this process from the outset (Sect. 4 para. 1 sent. 2 TDDSG).

Italy

From 1 January 2004 a new data protection code (the “Code”) will enter into force and replace the provisions currently scattered across several sets of rules. The Code is an overall review of the way data processing is managed: it is partly a collection of existing provisions, but it also provides new, simplified regulation of existing requirements as well as new regulation on matters previously lacking any specific provisions.

The Code also gives the Italian legislator the opportunity to implement the Directive within the Code. In particular, the Code will partially bridge the gap in Italian legislation which has, up to now, been lacking in specific rules on data processing via the Internet (based on the legislation currently in force, general rules on data protection apply).

To this end, a specific section of the Code is dedicated to Electronic Communications, the provisions of which substantially replicate the Directive. Within this section there is a chapter titled “Internet and Electronic Networks” which sets out general principles to be applied when providers of communication and information services, supplied by means of electronic communications networks, process personal data and, in particular, when subscribers’ or users’ information is collected.

The general principles contained therein will be implemented by codes of conduct and professional practice, to be drawn up in the near future. Such codes of conduct and professional practice shall be encouraged by the Garante (the Italian Supervisory Authority) within the framework of the categories concerned, by adhering to the guidelines set out in Council of Europe recommendations on personal data processing.

The codes and their compliance with the laws and regulations, will be verified by the Garante. The codes will be valid and enforceable upon their publication in the Official Journal of the Italian Republic and the compliance with the provisions contained therein will be a prerequisite for the personal data processing to be lawful.

In particular, under the Code and without prejudice to the code of conduct mentioned below, which is still to be drawn up, the use of an electronic communications network to gain access to information stored in the terminal equipment of a subscriber or user, to store information there or to monitor the operations performed by the user (e.g. by means of cookies) will be prohibited.

The code of conduct and professional practice applies to the processing of personal data by providers of communication and information services, supplied by means of electronic communications networks. It will identify the criteria to ensure and streamline adequate information and awareness by users of public and private electronic communications networks as to the categories of personal data processed and the mechanisms for such processing. In particular, the information notices will be provided online using simple and interactive means. This will enhance openness and fairness in respect of the users as well as full compliance with the principles governing data processing with a view to certifying the quality of the implemented mechanisms and the security level afforded.

This code of conduct will also lay down prerequisites and limitations for a provider of an electronic communication service to use the network in the manner described above for specific, legitimate purposes related to technical storage. Such storage should be for no longer than is strictly necessary to transmit a communication or to provide a specific service requested by a subscriber or user who has given his/her consent on the basis of prior information.

Sweden

The Swedish Electronic Communications Act, which entered into force on 25 July 2003 (the “Act”), requires visitors/users of a website to be informed about the use of cookies on the website. If such information is not presented, the website will be in violation of the Act.

Section 18, Chapter 6 of the Act states as follows:

“Electronic communication networks may be used to store or gain access to information that is stored in the subscriber’s or user’s terminal equipment only if the subscriber or user receives information from the controller of personal data about the purpose of the processing and is given an opportunity to impede such processing. This does not prevent such storage or access that is required to perform and facilitate the transfer of electronic messages via an electronic communications network or which is necessary to provide a service that the user or subscriber has expressly requested.”

The Act does not prohibit the use of cookies and does not require any approval by the visitor of the use of cookies. However, it does require the visitor to the website to be informed of the following:

  • whether the website uses cookies,
  • what the cookies are used for, and
  • how the cookies can be avoided.

The Act requires this information to be clearly stated on the website. It does not require the information to be presented to visitors before entering the website.

Further to the implementation of the Act, it has been reported in the Swedish press that, inter alia, some of the Swedish parliamentary parties and even the National Swedish Judiciary Administration have failed to provide information regarding the use of cookies on their websites and have consequently failed to comply with the provisions in the Act.

The Swedish National Telecom Agency has been given the task of supervising the market’s compliance with the Act. In order to be able to fulfil its role as the supervising authority, the Telecom Agency has been given the power to issue injunctions in relation to websites not complying with the Act. Such injunctions may be combined with fines. As a final measure, in case of non-compliance, the Telecom Agency has been authorised to prohibit non-compliant operators from pursuing their activities over the Internet. However, such prohibitions may not be issued if the violation of the Act is deemed to be of lesser importance. A violation of the provision in the Act requiring websites to provide information regarding cookies may, in cases of wilful misconduct or negligence, be considered a criminal offence resulting in an obligation to pay fines.

The Netherlands

The Dutch legislator has not yet implemented the new regime for cookies under the Directive.

On 28 October 2003, the lower house of the Dutch parliament adopted the legislative proposal which will amend the Dutch Telecommunications Act of 1998 (the “Proposal”). Following this amendment, the new EC telecommunications Directives, including the Directive, will be implemented. Before the new law can enter into force the Proposal will also have to be adopted by the upper house. This may take place before the end of this year, but early 2004 is viewed as more realistic.

Moreover, the provisions of the Proposal do not cover all of the subjects dealt with in the Directive. Most relevant in the present context is the fact that article 5, section 3, of the Directive is not implemented by the present Proposal because the legislator requires additional consultation/study for that. According to the relevant ministry, the Ministry of Economic Affairs, a draft text for the implementation of the new regime for cookies and the like is ready for consultation. In the coming weeks, this draft text will be discussed with the Ministry of Justice, the Data Protection Authority and the Dutch national regulator, OPTA. Following this, the text will be amended and implemented, which, depending on the chosen method of legislation, might be at the same time as the Proposal or shortly after that.

Belgium

Belgium has no specific legislation on the use of cookies. Whether Belgium will implement specific legislation relating to cookies remains to be seen, because the telecommunications directives will not be implemented before March or April 2004. The current legal status of cookies therefore has to be seen in the light of the current data protection legislation.

The applicability of the data protection legislation to the use of cookies

The Data Protection Law applies to the processing of personal data wholly or partly by automatic means, as well as to the processing other than by automatic means of personal data that form part of or are intended to form part of a filing system (article 3, §1).

(a) Is information collected by cookies personal data?

Personal data is defined as any information relating to an identified or identifiable natural person (i.e. the data subject). An identifiable person is one who can be directly or indirectly identified, in particular by using an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

According to the Belgian legislation, all information concerning physical persons shall be considered to be personal data, as long as either the controller or any other person is able to identify the data subject by whatever means are likely to be reasonably used. This has serious consequences for the processing of data on the Internet, as generally the internet service provider will be able to identify the data subject using reasonable means.

Generally speaking, a cookie will not be able to identify a person on its own. Cookies, as such, serve to identify a computer (more precisely, a browser). However, the data collected through a cookie can be linked to other information, e.g. information provided through registration forms, surfing habits, purchase habits or the IP address. Once linked in this way, the collected data become personal data, because the data subject is then identifiable.

(b) May the use of cookies be considered “processing by automatic means”?

The definition of processing is very broad. It is defined as, any operation or set of operations performed on personal data, whether by automatic or manual means, such as; collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction of personal data.

The storage of a cookie and collection of information therewith falls under this definition.

(c) Conclusion

The information collected through the use of cookies will most likely qualify as personal data. As cookies are used as automatic means to process information about physical persons, the Data Protection Law will apply.

Comparison of the current Belgian legal situation with the conditions imposed by Directive 2002/58

The Directive on privacy and electronic communications provides that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on the condition that: the subscriber or user concerned is provided with clear and comprehensive information and is offered the right to refuse such processing by the data controller. This is with the exception of any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

This framework does not really differ from the Data Protection Law, provided the cookies are used to process personal data. In this case the use of cookies will be subject to the same conditions as other processing of personal data.

As a matter of principle, personal data may not be processed without the clear and unambiguous consent of the data subject. This consent requires clear and comprehensive information about the data processing and its purposes.

In view of the principles of data quality (article 5 of the Data Protection Law), the data subject must be provided the opportunity to reject the cookies and, unless the cookies are strictly necessary for the access of the website, he must still be able to access the website if he has rejected the cookies. Refusing access to a website on the grounds that the data subject has refused cookies is contrary to the principles of data quality if the acceptance of the cookies is not strictly necessary for the access of the website.

Overall Conclusion

Provided the cookies are used to process personal information, the current Belgian data protection legislation does not differ from the rules proposed by the Directive on privacy and electronic communications on cookies. The Belgian Commission for Data Protection has clearly reiterated the consequences of the principles of data quality relating to the use of cookies and came to the conclusion that, on the basis of current Belgian legislation, the data subject must be provided with clear and comprehensive information and must be offered the right to refuse such processing (the use of cookies) by the data controller.

Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.