This solution has some international backing. Last year, the U.S. Federal Trade Commission said it supported the idea of “do not track” services that make it easier for Web users to stay private, which led to the efforts from Google and Mozilla. And while consumers may not understand the technical details, they seem to support the idea of greater control: a 2009 study by the University of Pennsylvania and the Berkeley Center for Law and Technology found that 66 percent of U.S. adults did not want their private online information tracked.
But some within the European Internet industry are far from pleased. “This is the sort of crap that makes me want to move my business to the U.S.,” says Nick Halstead, chief executive of the U.K.-based Internet company Mediasift. Halstead has been one of the directive’s most vocal critics. “The U.K. tech Web industry will suffer massively if this goes through,” he says.
The question of implementation has yet to be tackled, however. European directives are not laws in and of themselves. They’re merely recommendations intended to harmonize national laws across the continent. They specify an “end state”—but how that state is achieved in law is up to each of the 27 national governments. Signs so far are that these national laws won’t be in place this year, and even when they are, the laws are likely to be sympathetic to the needs of online businesses in those countries.
In a consultation paper by the British government, for example, E.U. officials suggested that “it is important that this provision is not implemented in a way which would damage the experience of U.K. Web users or place a burden on U.K. or E.U. companies that use the Web.”
But Lee of Field Fisher Waterhouse points out that these methods would also be subject to the European rules. “The directive isn’t just about cookies; it’s about keeping any sort of tracking data. I don’t think industry can operate on the assumption that they have a right to own users’ data.”
Whatever solution does arrive, regulators will need to make sure that asking for consent doesn’t hamper the experience of using the Web—or cost companies so much that they try alternative techniques instead.
“There is a cost to regulatory compliance,” says Arvind Narayanan , a postdoctoral researcher at Stanford University who researches online privacy. “The smaller the number of entities affected by a law or regulation, the more likely it is that companies will fall in line—and the less the negative impact on innovation.”