EU Ban on Cookies - What’s All the Fuss About?
New rules on the use of cookies will soon become law by virtue of amendments to the EU Privacy and Electronic Communications Directive 2002. Member States have until 25 May to implement the changes, which in the UK will mean revisions to the Privacy and Electronic Communications Regulations 2003.
For the uninitiated, 'cookies' are short strings of data that websites store in your browser, containing information like login credentials or the contents of your shopping cart. The basic idea is that cookies make web surfing easier by storing passwords and site preferences. But they are also the essential component behind 'behavioural targeting', a means of serving more personalised (and therefore more profitable) web advertising. Visit a retail fashion website, for example, and a tracking cookie from an advertising network will register your interest in clothes. Later, when you visit other websites that are part of the same ad network, the information in that cookie will be used to serve you advertisements for other brands.
The rules as they currently stand allow the use of cookies provided users receive clear and comprehensive information (not necessarily in advance) about how they will be used. Users must also be given the opportunity to refuse them. This ‘notice and choice’ requirement has worked well and most European companies' privacy policies include sections dealing comprehensively with cookies.
The new rules (set out in revised wording to Article 5(3) of the Directive) state that cookies may only be used on condition that the user has consented in accordance with the Data Protection Directive. In other words, consent must be freely given, specific and informed.
At first sight, this may appear harmless enough, but the changes are highly controversial. The EU's Article 29 Working Party, an influential committee of national data protection regulators, issued an opinion on the consent issue last year. It stated that the new rules will not be satisfied by default browser settings, bulk consents, web user inactivity or the use of opt-outs. This is because (in its view):
• Most web browsers default to the acceptance of cookies.
• The ‘average’ web user doesn't understand how to change their browser settings.
• Some cookies can bypass browser settings (Adobe's Flash cookies, for example, and Microsoft's Silverlight cookies).
• Accepting cookies by active one-off adjustment of one's browser isn't consistent with an ongoing understanding of how one's data will be used in the future.
• Opt-outs falsely assume web users fully understand what their data will be used for.
• Opt-outs rely on users' inaction, rather than positive action.
Needless to say, companies are deeply troubled by the prospect of having to get consent every time they upload a cookie. At a micro level this could mean endless pop-up windows as users browse the web. At the macro level some fear it will put European companies at a competitive disadvantage.
In fact, European companies won't be the only ones that will have to comply: US businesses with European offices will also be subject to the rules. Potentially, they will also apply to any company that interacts with customers inside the EU. A spokesman for EU justice commissioner Viviane Reding was recently quoted as saying companies “can’t think they’re exempt just because they have their servers in California or do their data processing in Bangalore. If they’re targeting EU citizens, they will have to comply with the rules.”
22/07/2010
New rules will say users have to consent before cookies can be used - why is this so controversial?