Cookie Confusion and Clarifications

May 10, 2011

The new cookie rules[1] focus on what kind of consent a user has to give before a web site operator can deploy a cookie on the user’s machine. Is it necessary to obtain prior consent, for example? Does that consent have to be explicit, or can it be implied from, say, clear markings on a web site or a user’s browser settings?

In the medium term, these proposals clearly support the development of a browser-led solution in which browser settings are used to determine if a user consents to the use of cookies. However, the Information Commissioner’s view[2] is that current browsers do not provide sufficient privacy protection and, until they do, web site owners will need to obtain consent by some other means. The Information Commissioner’s guidance suggests that there is flexibility over the means of obtaining consent, depending on how intrusive that cookie is likely to be, and that prior consent may not be needed. Moreover, no formal enforcement action will be taken until May 2012. Businesses will, however, need to review their current practices in order to ensure compliance with these new rules.

Cookie basics and background to the new rules

Cookies are small pieces of data that a web site asks the browser to store on the user’s computer. The browser sends the cookie back with every subsequent request to that web site, so the site can recognise the user each time they look at a page. This technology is important and has a number of legitimate uses, including keeping a user logged in to a secure area of a web site and providing shopping cart functionality. However, there is also a concern that this technology can be used in a way that infringes users’ privacy.

The original 2002 ePrivacy Directive regulated the use of cookies through a notice and opt-out approach. These rules were amended in November 2009 to require web site operators to obtain consent to the use of cookies, unless they are strictly necessary for the use of that web site. This requirement was supplemented by the recitals to the amending Directive which, in an important concession, said it might be possible to infer consent from browser settings.

The drafting of the provisions, and the recitals in particular, is the product of compromise between the EU Parliament, the Commission and the Council. The Parliament had proposed that the language that now forms part of the Recitals should sit in the operative provisions, making it plain that the consent requirements of the new law were for neither ‘explicit’ nor ‘prior’ consent. The movement of text, in negotiations between the Council and Commission, to the Recitals has made the demands of the Directive much less clear.[3] Some commentators, and the Article 29 Working Party, have advocated that the new proposals require prior, specific, informed opt-in based consent, whatever the difficulties of that in practice, and that browser-derived consent will rarely be possible to achieve.[4]

So is it possible to rely on browser settings or not? This is one of the issues Member States have been grappling with when trying to implement these new rules.

The proposals

The Department for Culture, Media and Sport issued proposals in April to deal with these new rules. It decided that:

·         The new regulations would copy out the requirement for consent for cookies from the amended ePrivacy Directive, whilst also directly referring to the fact that consent can be obtained through browser settings.

·         Current browser settings are unlikely to be sufficient to provide consent. This makes it clear that the law is changing and, in the short term, it will not be possible to rely on browser settings; consent must be obtained by other means. In the medium term, the Government will work with browser manufacturers to improve their privacy settings: ‘users will be provided with more information as to the use of cookies and will be presented with easily understandable choices with regard to the import of cookies on to their machine‘. This should make it possible to rely on those settings; and

·         Online behavioural advertising could be made compatible with these new requirements. The Government is supporting the cross-industry work, in particular the IAB’s recent paper on European Self-regulation for Online Behavioural Advertising, to provide users with more information on the use of cookies in behavioural advertising that can be accessed through an easily recognisable Internet icon. This industry-led work should satisfy the new requirements for cookies.

Most importantly, the Government recognises that these developments will take time and that work on enhanced browser settings and online behavioural advertising will not be complete by the formal implementation deadline (25 May 2011). Therefore, the Government’s proposals suggest the implementation of these rules should be phased. This position is reinforced by the open letter from the Department for Culture, Media and Sport which expressly states that no enforcement action should be taken until the work on enhanced browser settings is complete.

This grace period is not formally recognised in the implementing regulations but the Information Commissioner’s guidance on enforcement states he will not take formal enforcement action for breach of these new rules for 12 months. However, he does expect organisations to be “taking steps to ensure they can properly comply with the revised rules for cookies by May 2012“.

 

Compliance in the short term

So what might these steps be?

The Information Commissioner’s guidance sets out a three-step process. First, carry out an audit to identify what cookies are currently used and why. For example, some cookies may be strictly necessary for the use of that web site (e.g. cookies used for shopping carts) and thus exempt from the new consent requirement. It may be possible to simply remove others altogether.

Secondly, assess the extent to which the remaining cookies could infringe a user’s privacy. The UK takes a flexible approach to consent, so this analysis will determine how far you need to go in order to get consent to the use of cookies.

Thirdly, obtain consent in an appropriate manner. As discussed above, current browsers cannot be relied upon to provide consent so the Information Commissioner provides a number of other options:

·         Pop-up windows. This is one means to obtain consent (so long as sufficient information is provided in the pop-up) but is likely to spoil a user’s experience and may not be effective as many browsers block the use of pop-ups. Accordingly the guidance makes it clear that other alternatives may be used.

·         Acceptance of terms and conditions. If the user signs up to the web site terms and conditions (eg by making a purchase on a web site), it should be possible to get consent to the use of cookies at the same time. However, not every user who visits a web site will go through a sign up process.

·         Web site settings and features. If the user makes a choice about how a web site works for them, eg personalising the layout of the page or setting a location, it should be possible to get consent to the use of a cookie to support those settings.

·         Implied consent through web site notices. Finally, the guidance suggests that in some cases it may be possible to rely on notices on the web site referring to the use of cookies. The guidance is slightly equivocal on this point but certainly suggests that this might be a solution if the cookie is not used in an intrusive manner – one example perhaps being Google Analytics cookies. However, to obtain consent in this manner, web site operators will need to ensure such notices are very prominent (perhaps by adding ‘Cookies’ to the ‘Terms & Conditions’, ‘Privacy Policies’ etc links at the bottom of each web page, with further details about those cookies) and highlight the notice when a cookie is set. This solution is supported by the open letter from the Department for Culture, Media and Sport which expressly states that “prior” consent is not needed – i.e. it can be given after or during processing. Is more required? The guidance does not make this clear.
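The audit and assessment steps described above, as an added example that is not part of the original article or of the Information Commissioner’s guidance: a short Python script that takes captured Set-Cookie headers, records each cookie’s domain, lifetime and flags, and separates the cookies judged strictly necessary from those that still need a consent mechanism, ordered by how intrusive they are. The allow-list of necessary cookie names, the three intrusiveness tiers, the two-label domain comparison and the sample responses are all assumptions made for illustration.

```python
"""Added example: a first-pass cookie audit over captured Set-Cookie headers.

Hypothetical helper, not the Information Commissioner's tooling. The
"strictly necessary" allow-list, the intrusiveness tiers and the sample
responses below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: cookie names the site operator has reviewed and judged strictly
# necessary (login session, shopping cart). Anything not listed needs consent.
STRICTLY_NECESSARY = {"sessionid", "cart"}


@dataclass
class CookieRecord:
    name: str
    domain: str            # Domain attribute, or the host that set the cookie
    third_party: bool      # set for a registrable domain other than the site's
    persistent: bool       # has Expires or Max-Age, so outlives the browser session
    secure: bool
    http_only: bool
    needs_consent: bool
    intrusiveness: str     # "low" / "medium" / "high" (assumed tiers)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels.

    Good enough for the .com/.net samples here; a real audit should use the
    Public Suffix List so that shop.example.co.uk and other.co.uk are not merged.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, setting_host: str, site_host: str) -> CookieRecord:
    """Split a Set-Cookie header into name, attributes and flags, then classify it.

    Splitting on ';' is safe for Expires values such as
    'Wed, 09 May 2012 10:00:00 GMT': they contain commas, not semicolons.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    flags = set()
    for part in parts[1:]:
        if "=" in part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(part.lower())

    domain = attrs.get("domain", setting_host).lstrip(".")
    third_party = registrable_domain(domain) != registrable_domain(site_host)
    persistent = "expires" in attrs or "max-age" in attrs
    necessary = name.strip() in STRICTLY_NECESSARY and not third_party

    # Assumed tiers for the guidance's "how intrusive is it" step: a persistent
    # third-party cookie (ad network, analytics) is the most intrusive; a
    # first-party session cookie the least.
    if third_party and persistent:
        tier = "high"
    elif third_party or persistent:
        tier = "medium"
    else:
        tier = "low"

    return CookieRecord(
        name=name.strip(),
        domain=domain,
        third_party=third_party,
        persistent=persistent,
        secure="secure" in flags,
        http_only="httponly" in flags,
        needs_consent=not necessary,
        intrusiveness=tier,
    )


def audit_cookies(responses: List[Tuple[str, str]], site_host: str) -> List[CookieRecord]:
    """Step 1 of the guidance: inventory every cookie the site and its partners set."""
    return [parse_set_cookie(hdr, host, site_host) for host, hdr in responses]


def consent_required(records: List[CookieRecord]) -> List[str]:
    """Step 2: names of cookies that still need a consent mechanism, most intrusive first."""
    order = {"high": 0, "medium": 1, "low": 2}
    pending = [r for r in records if r.needs_consent]
    return [r.name for r in sorted(pending, key=lambda r: order[r.intrusiveness])]


# Constructed sample: (host that sent the response, Set-Cookie header value).
SAMPLE_RESPONSES = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "cart=item42; Path=/; Max-Age=604800"),
    ("www.example.com", "layout=compact; Path=/; Expires=Wed, 09 May 2012 10:00:00 GMT"),
    ("ads.tracker-example.net",
     "uid=xyz789; Domain=.tracker-example.net; Path=/; Expires=Thu, 09 May 2013 10:00:00 GMT"),
]

if __name__ == "__main__":
    records = audit_cookies(SAMPLE_RESPONSES, "www.example.com")
    for rec in records:
        print(f"{rec.name:<10} third_party={rec.third_party!s:<5} persistent={rec.persistent!s:<5} "
              f"tier={rec.intrusiveness:<6} consent={'needed' if rec.needs_consent else 'exempt'}")
    print("needs consent:", consent_required(records))
```

In the sample, the session and cart cookies are exempt as strictly necessary, the first-party layout cookie is persistent and so still needs a consent route (the “web site settings and features” option above would fit it), and the persistent third-party cookie is flagged first as the most intrusive. The script only classifies; deciding which consent mechanism to use for each remaining cookie is still the third step.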

The position could have been worse for third-party cookies. Who should get consent for cookies from third-party behavioural advertising networks such as DoubleClick? DoubleClick itself? You? If so, how? Fortunately, the Department for Culture, Media and Sport has provided a fairly clear steer that industry-led work should satisfy the new requirements for cookies. The Information Commissioner’s guidance describes this as a challenging area, and the Commissioner is working with other data protection authorities to come to a solution. In the meantime, those allowing third-party cookies on their web site should do all they can to get the right information to users to allow them to make an informed decision – a notice and opt-out approach largely reflecting the current rules. That is a very sensible approach from a business perspective until better browsers and the IAB Scheme are complete.

It is also important to note this all involves a degree of risk assessment. Cookies are simply not a concern for the vast majority of the public (see below), so most complaints are likely to come from privacy activists.[5] Organisations who have had run-ins with these activists in the past will clearly need to do a lot more to show they have a ‘realistic plan’ to comply. Other organisations may want to take some steps now but otherwise wait and see while the situation develops. In particular, the Information Commissioner expressly states the guidance may be amended in due course and may provide further examples of different ways to obtain consent.

A medium-term browser-led solution

In the medium term, the Government appears to have a preference for a browser-led solution in which enhanced browser settings are primarily used to determine if users consent to cookies. This is sensible, though problems remain. For example:

·         consent will still be needed to use cookies on unapproved or previous versions of browsers (and remember there are still a lot of users stuck on Internet Explorer 6); and

·         by the time these changes are made, will many web site operators have re-engineered their web site to obtain consent by other means in any event?

Wider issues

These new rules have been very controversial and raise questions about the EU’s ability to develop sensible privacy regulation – a real concern given the upcoming amendments to the Data Protection Directive. For starters, there are approximately 50 million web sites across the EU[6] and just five web browsers.[7] Is it simpler and more efficient for the five browser manufacturers to upgrade the privacy settings on their browsers or for millions of web site owners to have to consider complex new regulations, re-engineer their web sites and ultimately face regulatory penalties for failing to do so?

Even more fundamentally, why was it necessary to change the cookie rules in the first place? In the year ending October 2010, the Information Commissioner received 5,410 complaints about the Privacy and Electronic Communications (EC Directive) Regulations 2003.[8] None of those complaints were about cookies.

While doing nothing no longer appears to be an option, it is at least heartening to know the Information Commissioner also regards these changes as unwelcome and unhelpful: ‘I am under no illusion that in the absence of further detail in the law a likely outcome is that my officials will spend a disproportionate amount of time dealing with complex complaints and enquiries that revolve around questions that do not raise genuine privacy concerns’[9]

Richard Cumbley is a partner and Peter Church is an associate in the Technology, Media & Telecommunications practice at Linklaters LLP.



[1] See ‘Implementing the revised EU Electronic Communications Framework, HMG response to its consultation on proposals and overall approach including its consultation on specific issues’ and The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, SI 2011/1208

[2] See ‘Changes to the rules on using cookies and similar technologies for storing information’ available from the Information Commissioner’s web site.


[3] See the interview with the EU Parliament Rapporteur on the e-Privacy Directive, Alex Alvaro, in Privacy & Security Law Oct. 2010.

[4] See Article 29 Working Party Paper WP 171 at para 4 onwards.

[5] Who will almost certainly have heavily tailored cookie settings on their browsers in any event.

[6] This is a guesstimate based on Netcraft’s web survey, which counts 266,848,493 web sites around the world.

[7] The top five browsers (including old versions and mobile versions) make up 99.08% of the market. Netscape makes up the bulk of the others (0.73%) – see April 2011 figures from www.netmarketshare.com.

[8] This regulates cookies as well as a number of other activities such as direct marketing by telephone, fax and e-mail.

[9] Letter from the Information Commissioner to Ed Vaizey MP dated 26 August 2010.