New European Union rules to ensure privacy have been ignored by the vast majority of EU member countries, according to Jonathan Todd, European Commission spokesman for Digital Agenda.
Only Denmark, Estonia and the UK have so far notified measures to implement the revisions to the ePrivacy Directive, Todd said on Wednesday.
The new law, which aims to give Internet users more information about the data stored about them, was supposed to be implemented by all EU countries by May 25. However it is not clear whether even the three countries that have taken measures are fully compliant with the law, leading to speculation that better protection of personal data online for customers is far from a priority.
Member states have had two years to implement the revised rules against tracking cookies. Under the new law, before being asked for their consent, users must be given information on the use of the collected data. The so-called "Cookies Directive" requires companies to obtain "explicit consent" from web users before storing cookies.
Cookies are small pieces of software that are installed on the user's computer to remember login details and other preferences relating to a particular website. But they can be used to target advertising based on browsing history. The only exception to the cookie rule is when they are necessary for a service requested by the user, for example, when a user clicks "add to basket" button to buy goods from a website.
The slow implementation of this directive highlights the difficulty of framing legislation to protect consumer privacy. What "consent" to cookies requires in practice is not defined in detail in the directive, and some counties are hoping that, in principle, a browser set to "accept cookies" implies consent.
However, even UK Information Commissioner Christopher Graham acknowledges that his office's guidelines are "a work in progress." But he warned that browser settings alone may not be enough for compliance with the directive.
"The circumstances in which such settings can be considered appropriate for expressing the user's consent depends on how well they meet the general requirements in the legislation," said European Digital Agenda Commissioner Neelie Kroes.
The European Commission, the EU's executive body, will consider opening infringement procedures against the 24 member states that have failed to transpose the directive into national law, said Todd.