The Dutch Find a Lighter Touch on Internet Privacy Laws
The Netherlands takes one of the strictest approaches to online data protection, but the government has relaxed its policy on cookies following protests by consumers fed up with constantly being asked for cookie approval every time they visited a website.
The heavy-handed effort by the authorities to impose what they thought was best for their people has now been softened by a much lighter-touch regime that provides control to consumers without overburdening them with requests for consent.
It all began in June 2011, when the Dutch government incorporated article 5(3) of the European Union's e-Privacy Directive ("the cookie law") into its national Telecommunications Act. As of June 2012, websites were required to ask users for permission before dropping or retrieving cookies that recorded their data or browsing behavior. Websites also had to prove that users had approved the use of their data.
Frustration had been growing, and consumer organizations claimed the law failed to find a balance between privacy protection and user-friendliness. The issue also became a political one, with both the center-right and center-left parties speaking out against the burdensome number of pop-ups.
Eight months after it first became law, the Dutch minister for economic affairs announced plans to soften the rules for analytics, which help publishers understand user behavior and adapt content accordingly. Under the plan, consent would no longer be required if analytics cookies were used only for the website's own purposes and data not sold to or shared with third parties.
Most importantly, for those cookies that still require consent (typically, third-party cookies, or cookies that are not essential to the operation of a website) the new proposal replaces explicit consent with "implicit" consent. If websites inform the user that continuing to browse the website constitutes consent, the website will be allowed to place cookies after the user clicks a link.
The new rules should be in place later this year and effectively align the Netherlands with the light-touch "implied" consent approach that has been put in place by the United Kingdom.
The consumer backlash that has led to the adoption of a more pragmatic and less intrusive regime will be a serious blow to privacy advocates who believe "explicit" consent is the only solution to all data protection issues.
The fact that the Netherlands is now aligning its rules with the more liberal approach of the UK sets a strong precedent. Data protection authorities in France and Spain have also opted against an excessive interpretation of the law.
Unfortunately, this is not the end of the story. Regulators in Brussels are discussing how best to revise the EU Data Protection Framework, legislation written in 1995 before the internet looked anything like it does today. The issue of explicit consent for all kinds of data, irrespective of whether they are personal or not, is again on the table.
European regulators are rightly and justifiably seeking to ensure that people's private information is not misused by the private sector -- or by public authorities. Yet, too many European policymakers seem determined to continue to ignore the evidence.
Microsoft and Mozilla, meanwhile, are threatening to make their Explorer and Firefox browsers hostile to some or all cookies by default.
Companies do not require personal information for the purposes of advertising. They rely on consumer data based on your demographic profile and behavior, but they don't care about your name, address or religious persuasion. If they know you are male, 18-30 years of age and a keen sports fan, companies can deliver you ads designed to be more relevant and less haphazard (and, yes, sometimes annoying).
According to McKinsey, the use of such data could be worth a trillion euros to the European economy -- 8% of the region's gross domestic product -- in a region that desperately needs an economic boost. And, of course, advertising pays for so much of the free content and services online that we often take for granted. McKinsey found that for every euro spent on an online ad, consumers get three euros' worth of services.
The precedent of the Netherlands shows how inflexible solutions can prove unworkable. But the risks of getting this wrong are far greater than just a clunky user experience. Overly prescriptive rules could see an opportunity pass for business to help get the region on the path to economic recovery and fundamentally threaten the quality and breadth of services available to EU consumers.
The Dutch have sent a message. Regulators in Brussels and others should sit up and take note.