• United States

Web bugs and cookies considered illegal

Jul 14, 20042 mins
Enterprise Applications

* French data protection authority declares e-mail tracking system illegal

You may have read the recent Gearhead columns in Network World (see links below) about DidTheyReadIt, a service that tracks whether e-mail you send is opened. This tracking system uses Web “bugs,” tiny images loaded by HTML content that are tagged with serial numbers to identify the intended target.

Now whatever you might think of this technique and its intrusiveness and ethicality, a bigger issue has emerged. It turns out that under French law, this technique is actually illegal.

According to a report in a European privacy newsletter called EDRI-GRAM the French data protection authority, CNIL, has declared DidTheyReadIt illegal.

The basis of CNIL’s decision is the French privacy legislation of 1978, which applies because the recipients do not have a choice whether to accept or refuse the sending of information back to the message originator using DidTheyReadIt and because they aren’t informed after the fact.

CNIL further judged that because the information is “detailed” the data is sensitive, which also makes the service illegal in France.

Should any French resident subscribe to DidTheyReadIt they face a fine of 300,000 euro (about $372,000) and a prison sentence of 5 years.

Apparently, any other use of Web bugs, for example, in content provided by Web servers, has yet to be considered by CNIL.

But the French aren’t the only ones who don’t approve of these techniques. In the U.K. a government body, the Information Commissioners’ Office (ICO), published a revised version of its “Guidance to the Privacy and Electronic Communications (EC Directive) Regulations 2003.”

The ICO published the changes in a document titled “Appendix 1: Summary of

Changes to Version 2.”  This adds a new section to the Guidance concerning not only Web bugs but also cookies. In the case of Web bugs in e-mail, recipients must be informed about their existence in the body text of the message and instructions on how to switch off the Web bugs must be included.

The ICO has yet to take action to enforce the regulations but the possibility is there.

The implications of the French and U.K. legislation for e-commerce are significant as the consequences on what information can be gathered and how should not be underestimated. If there is enough political will in Europe you can expect such legislation to be adopted by the EU under the umbrella of its privacy legislation. Keep an eye on this topic – it could change the way you do business.


Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at

More from this author