Saturday, May 30, 2015

ANALYSIS: How to Do Cookies Without Clear Directions: What Organizations Can Do to Prepare for the Looming Implementation of the EU ePrivacy Directive

EU Cookie Requirements

Internet Tracking
The May 25 deadline for European nations to transpose online cookie consent provisions of the amended EU e-Privacy Directive into their own national law is closing in, but implementation approaches vary. Not only is the deadline unlikely to be met in most countries, there is no clear indication of whether user notice and consent should be given before cookies are set, and it is unclear whether user consent must be explicit or implied. While it is not possible to fully assess what shape implementing legislation will take across Europe, the authors summarize efforts to date in nine countries, and offer suggestions on how organizations can modify policies and practices to prepare for the new requirements.

By Karin Retzer and Joanna Lopatowska

Karin Retzer is of counsel to Morrison & Foerster, Brussels, where her practice focuses on electronic commerce and data protection, technology licensing, and intellectual property law. Joanna Lopatowska is an associate in the Privacy and Data Security Group in Morrison & Foerster’s Brussels office.

The amendments to the ePrivacy Directive made at the end of 2009 mark a shift toward user consent for tracking cookies and similar technologies. Cookies are small text files that are placed on a user’s computer when visiting a website. When the user revisits the site, his or her browser returns the information collected by and stored in the cookie to the site, providing a “memory” of what the user did on the site. This information may be used for security purposes, or to facilitate navigation, or to personalize the user experience while visiting a site, e.g., by recording products in an online shopping cart, or storing language preferences. Cookies may also be used to facilitate the creation of user profiles based on Internet navigation or user segmentation for purposes of targeted advertising campaigns.

Under Article 5(3) of the amended ePrivacy Directive, users must be provided with “clear and comprehensive information” about the storage of information, or access to information stored, on their terminal equipment, and users must provide their “specific” and “freely given” consent. What is clear from the new language is that consent is required, and thus the mere right to object is insufficient. The different language versions of the text do, however, give no clear indications as to whether notice and consent should be provided before cookies are set, and it is unclear what type of consent is required. In particular, it is unclear whether consent must be explicit (opt-in), or whether implied or tacit consent would be sufficient.

In light of these ambiguities, industry stakeholders have raised concerns about the ePrivacy Directive’s impact on electronic services. To date, the approaches to implementation across Europe represent a multitude of different requirements and interpretations. In addition, the implementation process is slow, and the May 25, 2011 deadline is not likely to be met by most EEA Member States.

Although it is not yet possible to fully assess what shape the implementing legislation will take, below we summarize transposition of the ePrivacy Directive to date, and provide suggestions for organizations on how to modify policies and practices in order to prepare for the new requirements.

1. Who must comply?

One of the fundamental questions concerning the interpretation of Article 5(3) is its scope of application: who must comply with the requirements? In general terms, the ePrivacy Directive applies to “providers of publicly available electronic communications services.” But there is no clear indication on how to interpret these terms in the context of services that use cookies; national legislation or guidance from data protection authorities will need to clarify the wording. EU-wide implementation of the ePrivacy Directive does not mean harmonization of rules; the types of entities covered by the broad understanding of such “providers” will not be the same in all Member States.

Recent guidance from the U.K. Information Commissioner’s Office (“ICO”) indicates that all U.K. businesses and organizations running websites in the U.K. should comply. Documentation in Poland only makes vague references to “internet service providers.” The French data protection authority, the CNIL, understands that all “data controllers” who control the collection and use of information through cookies or similar technologies are covered, including web publishers, web analytics providers, online advertising firms, and advertising network providers. German guidance places requirements squarely on web publishers, as well as analytics and advertising network providers. The Article 29 Working Party (“WP 29”), the EU advisory body composed of the national EU data protection authorities, finds that the obligations in Article 5(3) apply to advertising network providers, and that web publishers (websites cooperating with network providers) have obligations as well, albeit more limited ones.

In addition, national legislators have entered into discussions with browser manufacturers regarding modifying default settings so that cookies would be rejected automatically; cooperation between the different parties will be crucial.

Despite these different interpretations, it is clear that website operators will not be able to shift the compliance burden to the service providers they use, such as advertising networks or providers of behavioral advertising, web analytics, or other services.

2. Which technologies are covered?

Article 5(3) of the ePrivacy Directive applies to the storage of or access to “information” stored in the device of a subscriber or user. This means the use of cookies and similar technologies for storing information, such as Locally Stored Objects (commonly referred to as “Flash Cookies”).

In order to answer the question of how to comply with Article 5(3), it is further necessary to examine the purposes for which cookies are used. Article 5(3) distinguishes cookies that are “strictly necessary” to the operation of a website or its services from other types of cookies that can be considered merely complementary. Cookies that are “strictly necessary” to provide the service requested by the user will be exempt from the requirements set out in Article 5(3).

What is meant by “strictly necessary” has not been explained, and therefore Member States will need to provide their own interpretations. Such “strictly necessary” cookies may be understood as cookies aimed at allowing users to better navigate websites and manage their accounts, for example, by storing passwords and language preferences. The CNIL reportedly considers that web analytics could be covered by this exemption. The Düsseldorfer Kreis, the assembly of the German data protection authorities, does not consider cookies used for web analytics to be covered by the exemption. In the U.K., guidance suggests that the exemption should be interpreted narrowly and may only cover the use of cookies with respect to “traditional” online services, such as shopping or banking.

Users must provide their consent to the deployment of cookies used for other purposes. Such cookies may be used to track and analyze users’ online behavior, create user profiles, etc., most often in the delivery of behavioral advertising and analytics services. Other cookies may be used to track user behavior and merge that data with other user information with a view to improving services. Cookies may also be used to deliver a specific type of targeted advertising that distinguishes between prospects and customers, or to measure online marketing activity.

3. Notice and consent: In search of a pan-European standard

As stated, there is currently no general approach to how the notice and consent requirement will be interpreted; the interpretations of Member States, data protection authorities, and the EU institutions vary. The Communications Committee set up to advise Member States on implementation (composed of Member State and European Commission representatives) made an attempt to clarify the concept of consent. However, while it explained in detail what informed, specific, and freely given consent is, the Committee did not explicitly state that consent should be prior and opt-in. Instead, the Committee seems to suggest that browser settings or other application settings could be sufficient as a form of consent.

In contrast, for cookies used in online behavioral advertising, the WP 29 strongly advocates an opt-in consent requirement, stating that users must affirmatively consent to cookies before cookies are placed on their computers. The WP 29 stresses that informed consent can only be obtained if prior information about the placing and purposes of the cookie has been provided. The WP 29 states that obtaining consent via browser settings would only apply in “very limited circumstances,” and would have to conform to the general requirements of the EU Data Protection Directive. The WP 29 considers that the average user is not aware of the tracking of their online behavior, the purposes of the tracking, or how to use browser settings to reject cookies, even if the information is included in a privacy policy.

The WP 29’s role is advisory and aims to guide Member States in their implementation of the ePrivacy Directive. In practice, however, the WP 29’s position will not lead to a unified EU-wide approach, and some Member States have already adopted or are moving towards less restrictive legislation.

4. Different Member States’ approaches

The Member States have until May 25 to transpose the ePrivacy Directive into national law. Only days from the deadline, most Member States have still not completed implementation. One of the biggest concerns is that Member States will implement the cookie requirements in different ways. This would lead to myriad requirements across the EU, with some Member States following the WP 29 position and imposing “hard” opt-in consent, and others choosing a more pragmatic, business-friendly approach by allowing user consent through browser settings. Currently, the default settings of major browsers generally allow cookies, and as such the ePrivacy Directive’s impact on electronic communications service providers could be relatively minor. Browsers may need to be adapted to better inform users and to be more user-friendly in general, shifting some of the practical burden from the web operators setting cookies to those creating and offering browsers.

Below we provide an overview of the approaches to implementation in key Member States:

  • France: In France, a relatively restrictive draft law to implement the ePrivacy Directive was adopted by the Senate in March 2010, but the draft has not been approved by the National Assembly. One year later, a law was adopted to enable the French government to legislate by ordinance to transpose the ePrivacy Directive into French law. The government has presented a draft ordinance, Article 37 of which requires data controllers to clearly and comprehensively inform users, and obtain their consent for any use of cookies or similar technologies. There is no need for consent to be express; implied or tacit consent may suffice. An exception is provided where the cookies are used to facilitate a communication, or are “strictly necessary” to deliver a service expressly requested by the user. The CNIL has given indications that browser settings could provide one solution to obtaining prior notice and consent for cookies. But the CNIL has also asserted that most browser settings are not detailed or comprehensive enough to sufficiently inform the user about the different types of cookies set. Rather, users should be informed through an easily accessible notice, for example via a clearly displayed notice outside the privacy policy. It would be the responsibility of the web publisher, and not the web analytics provider, to provide notice.
  • Germany: Although case law is inconsistent, the German data protection authorities view any use of IP addresses as processing “personal data.” Based on this wide interpretation of “personal data,” the authorities already require web publishers to obtain prior notice and opt-in consent for the use of tracking technologies under general data protection laws. In late 2010, the Düsseldorfer Kreis published guidance on the use of web analytics which states that user notice and opt-in consent is required unless IP addresses are truncated. The amendments to the ePrivacy Directive will therefore not likely lead to significant changes in German legislation; what has changed is the attitude of the German data protection authorities. The German authorities are now much more active in enforcing their initial interpretation of “personal data” and regularly audit websites, but to date no fines have been imposed on any non-compliant sites.
  • United Kingdom: U.K. implementation legislation, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (“Regulations”), which should come into force May 26, copies the wording of Article 5(3). Although there is a reference to browser settings as a means to obtain consent in the text, according to a government communication and guidance from the ICO, current browser settings that accept cookies by default are not sufficient for consent. The government therefore intends to work with browser manufacturers with a view to enhancing browser settings. The government has also expressed its support for an industry initiative to provide information on the use of cookies via an easily recognizable internet icon. Such an icon would link to information about: each specific Internet advert; the advertiser; the server; by whom the advert has been selected; and an option to refuse those and other cookies (including an option to refuse all cookies from that server). On May 9, the U.K.’s data protection authority, the ICO, issued a guidance paper on the new framework for cookies. It stresses that website owners should seek consent for using cookies through other means than current browser settings or terms and conditions, for example through footer language on web pages, pop-ups, or language provided to users requesting particular services or features. The only exemption is for cases where the use of cookies is “strictly necessary” for a service requested by the user. In the paper, the ICO states that it expects all “UK businesses and organizations running websites in the UK” to conduct a comprehensive audit, and to “set out how they have considered the points above and [ensure] that they have a realistic plan to achieve compliance.”…