There are just 24 hours left to respond to a public consultation on the EU’s so-called Cookie Law. The European Commission plans an overhaul of the more correctly named ePrivacy Directive before the end of the year to bring it into line with the new General Data Protection Regulation.

The use of cookies in the UK is governed by the Privacy and Electronic Communications Regulations (PECR), based on the ePrivacy Directive, which require organisations to provide clear information about how cookies are used on their website and allow people to opt in or opt out from having non-essential cookies placed on their device.

According to a February 2015 study carried out by national data protection authorities, including the UK’s Information Commissioner’s Office (ICO), British websites place more cookies on users’ computers than any other. But they also give out more information about those cookies than any other country surveyed.

The average UK website placed 44 cookies on a device during a person’s first visit. The average cookie is set to expire after one to two years, but some cookies were being set for as long at 10, 100 or even nearly 8,000 years, according to the report.

The 33-question consultation acknowledges that “the practice of websites to deny access to those users who refuse to accept cookies (or other technologies) have generated critics that citizens do not have a real choice,” and asks for possible solutions.

One proposal is that “information society services should be required to make available a paying service (without behavioural advertising), as an alternative to the services paid by users' personal information” or that “information service providers should not have the right to prevent access to their non-subscription based services” if users refuse non-essential cookies—i.e. those not necessary for the functioning of the service.

The survey also asks whether there is a need for updated legislation on notification of personal data breaches, confidentiality of electronic communications, specific traffic and location data, and spam.

Specifically the Commission wants to know whether respondents believe that widening the scope of the law on spam, amongst other things, to over-the-top service providers (OTTs) is a good idea.

Currently the ePrivacy Directive rules to protect an individual’s privacy apply to publicly available electronic communication services, but not to OTT services such as unmanaged voice-over-IP, instant messaging, e-mail, and messaging in social networks. “This may result in both a void of protection for citizens and in an uneven playing field in this market,” says the Commission.

The consultation also specifically asks whether the current law is compatible with the Network and Information Security Directive, the General Data Protection Regulation, the Radio Equipment Directive, and the framework directive for electronic communications providers—although surely that’s one for the Commission’s own legal team rather than the general public. The consultation closes tomorrow, July 5, at midnight.