Why the Web Became Illegal in Europe Yesterday

At midnight last Wednesday most websites based inside the European Union became illegal.

From that moment, using a website based in the EU was supposed to be much less creepy. The law requires sites based in any nation of the political and economic club to ask people’s permission before installing a “cookie” onto their computers that can identify when they return to a site, or even track their movements across the Web.

As Bloomberg explained earlier this week, the goals of the legislation are worthy:

“The EU is cracking down on companies invading Web users’ privacy, by promising people more control over their data and harsher sanctions, including criminal penalties, against violations.”

Yet cookies come in many shapes and sizes and are ubiquitous online. Sites that offer shopping or carry advertising use it particularly heavily, to track products a person looked at or data that helps targets ads. As a result, the EU law has the Web’s biggest companies worried, reported the FT:

“[C]ompanies such as Facebook and Google are particularly concerned that the new laws could put their businesses in jeopardy, and advertisers are worried that the market for highly targeted Internet advertising–worth nearly £100m a year in the UK alone– could be damaged.”

Despite the passing of this week’s deadline, those companies likely won’t face prosecution for foisting cookies on unsuspecting users yet. All EU nations were supposed to have implemented the law by midnight Wednesday, but as the Register reported, hardly any have done so:

“At the end of yesterday, only Estonia and Denmark had notified the Commission, with officials in those states confirming that they had transposed all of the EC measures on internet cookies into their national law.”

That leaves 25 nations that have not, and website operators in a tailspin of uncertainty about whether or how they should change their cookie-pushing behavior. Some countries, such as the U.K., have stated they will delay implementing the new law and wish to cause minimum disruption to the Web as we know it. But the underlying EU law cannot now be turned back.

Its rules do allow cookies “strictly necessary for a service requested by a user” to be foisted on people without their knowledge. That would seem to cover the cookies that help online stores track the contents of your shopping baskets. But what about the targeted ads that support the existence of websites of all kinds?

One blogger created a joking-but-serious preview of what requests for cookie installs might look like, hitting visitors with popups with warnings such as:

“Posts on this site sometimes carry videos from third party sites such as YouTube, which use cookies to record your interest in LOLCATS and people skiing into trees. Don’t you not agree to us not storing this information?”

A less shrill attempt to obey the new rules can be seen on this U.K. government website, but the warning is still intrusive and confusing. One alternative is for the cookie negotiation process to be handled by browsers to offer users a smoother experience, reported the BBC, saying the U.K. government had turned to browser makers for help.

One option would be to fold the EU rules into the “do not track” features being developed for every major browser, which certain kinds of cookie. Unfortunately, technology that can track people online without using cookies is already being created and may leave both the EU’s law and “do not track” toothless.