New EU regulations on the use by British websites of cookies have been watered down by the UK's information commissioner just hours before they were due to come into force.
But they could mean that Britain is out of step with EU law in its implementation of the continent-wide directives, and lead to fights with European courts.
In an updated version of its advice for websites on how to use cookies – small text files that are stored on the user's computer and can identify them – the Information Commissioner's Office (ICO) has said that websites can assume that users have consented to their use of them.
The advice was only updated on Thursday, 48 hours before the deadline for implementing the new rules, and published the next day.
"This is a striking shift," said Stephen Groom, head of marketing and privacy law at the law firm Osborne Clarke. "Previously the ICO said that implied consent would be unlikely to work. Now it says that implied consent is a valid form of consent."
The use of "implied consent" shifts responsibility to the user rather than the website operator, and will come as a relief to thousands of website operators who have been struggling to comply with new EU directives which came into law a year ago.
Those required sites to make it clear when they were saving a cookie on the user's computer which many sites complained was simply impractical. Sites rely on cookies to store data such as online shopping baskets, identification and other user preferences, and requiring users to agree to each instance would subject them to a blizzard of decisions about acceptance or refusal.
"Just six months ago the ICO said general awareness of the functions and use of cookies was simply not high enough for websites to look to rely entirely in the first instance on implied consent," said Groom. "Now it tells us that 'implied consent has always been a reasonable proposition in the context of data protection law' and that it remains so in the context of storage of information or access to information using cookies and similar devices."
Michael Ross, former CEO of the online retailer figleaves.com, had come out against those proposals. "The EU cookie law is simply a bad law and a restraint to trade online at a time when business needs all the help it can get. Trading online without using cookies for analytics or various types of marketing tracking is analogous to asking a retailer to trade blindfolded. It's simply not possible."
According to a recent KPMG study, 95% of companies have yet to comply with the legislation and any business implementing the law in its entirety risks going bust, some had warned. The ICO is able to exact a fine of up to £500,000.
In May 2011 Brussels introduced amendments to the 2003 EU e-privacy directive requiring websites to gain user consent for the use of tracking technologies, the most common of which are 'cookies'. The guidance issued on the updated rules encourages companies to be more open about what these cookies are and how they might be used. In the UK, the ICO gave companies a year-long grace period to implement these changes, which comes to an end on 26 May 2012.
Bur analysts say a number of grey areas remain. For example, a website might sell some of its space for marketing, which is auctioned in real time to advertisers, making it near-impossible to show users immediately which cookies are going to be used.
UK websites had also complained that it would put them at a disadvantage against European sites which had taken a more laissez-faire attitude to implementing the directive. Vinod Bange, data privacy specialist at the law firm Taylor Wessing, said: "Given that the rest of mainland Europe is yet to take this directive seriously, it is a shame that UK Plc's online economy is being jeopardised. If the new cookie law were fully enforced by the ICO, it could make Europe – and the UK specifically – a less attractive place to do business, and less competitive globally."
Groom noted that "although this new, pragmatic approach is undoubtedly more business-friendly, ideally it would have been good to have had earlier visibility of this dramatic change. It also remains to be seen whether this puts the UK out of step with Brussels and most other EU states."
Non-EU businesses without assets in the region could theoretically circumvent the directive and use cookies to provide targeted services, while EU-based businesses doing so would risk prosecution. That would put UK online retailers in particular at a severe disadvantage.