Critics were worried that the European Union's privacy directive on browser cookies could make virtually every website in Europe illegal. But most EU member countries ignored the May 25 deadline to implement the directive, so e-commerce didn't skip a beat.
Only Denmark, Estonia and the U.K. have taken steps to implement the privacy directive, said Jonathan Todd, a spokesman for the European Commission, and even those efforts may not be fully compliant with the policy.
EU countries have had two years to establish laws implementing the so-called cookies directive, which requires companies to obtain "explicit consent" from Web users before storing the small pieces of code that are often installed on a user's computer when visiting websites.
The directive makes an exception for cookies "strictly necessary for a service requested by a user," such as placing an online shopping order. But it requires permission for storing cookies that are used for targeted advertising and tracking Web behavior.
The slow implementation of the directive highlights the difficulty of crafting effective legislation to protect consumer privacy. What constitutes "consent" to store cookies is not defined in detail in the directive, and some countries are hoping that, in principle, having a browser set to "accept cookies" implies consent.
U.K. Information Commissioner Christopher Graham recently issued guidelines for implementing the law, although he said the U.K. will give companies one year to "get their house in order" before enforcement begins.
Graham acknowledged that his office's guidelines are "a work in progress." But he warned that browser settings alone may not be enough for compliance with the directive.
The 24 EU member states that have failed to turn the directive into national law could face sanctions from the European Commission, the EU's executive body, Todd said.