The European Parliament has voted in favour of the Data Protection Directive, clarifying some of the rights and duties of online firms regarding data protection, unsolicited emails and the use of cookies.

The directive, which will eventually be incorporated into the laws of the EU member states, covers unsolicited emails and SMS spam, disclosure of personal information such as email and home addresses, the use of location data, and cookies.

Simon Halberstam, head of IT law at Sprecher Grier Halberstam, said that, as with previous laws such as the UK Data Protection Act, firms might be given a grace period of a year or so to comply. But he added that deterrents would also be needed to ensure compliance.

The European Parliament said that the directive means Europeans will have to opt in before their personal details can be used by firms or individuals sending unsolicited email. The same will apply to unsolicited SMS and any other electronic messages.

This is a turn-around for the EU, which previously said that it should be left up to member states to decide whether people would have to opt in or opt out.

Email filtering software company Brightmail predicted that the directive would not eliminate spam. Marten Nelson, director of business development at the company, said: "It will only address 10 per cent of the problem. The largest amount of spam comes from outside Europe, and most spammers are not likely to abide by the laws."

EU citizens will also have the right to decide whether their mobile or fixed-line phone numbers, home and email addresses are shared in public directories.

Location-sensitive information, like that gathered by some mobile phone companies, should also only be kept with the consent of the individuals concerned.

Under the directive, cookies should only be used if the consumer is properly informed of their purpose. If their use is deemed unsuitable, consumers will have the right to refuse them.

Cookies are already covered in UK law by the Data Protection Act. Although this law has yet to be tested in court, the UK Information Commission believes that cookies that gather personal information will be in contravention of the law if people are not told that they are in use, and are not told what information is being gathered.

Lawyers welcomed the harmonisation that should follow the directive but said that many of its measures were already enshrined in UK law. Andrew Horrocks, of law company Barlow, Lyde and Gilbert, questioned the wisdom of having just one directive covering all kinds of communications.

However, he insisted that the EU was in a difficult position. "There is a tension between not wanting to restrict businesses in the EU and respecting the interests of people who do not want to receive unsolicited email," he said.