ANALYSIS: How to Do Cookies Without Clear Directions: What Organizations Can Do to Prepare for the Looming Implementation of the EU ePrivacy Directive
EU Cookie Requirements
By Karin Retzer and Joanna Lopatowska
The amendments to the ePrivacy Directive made at the end of 2009 mark a shift toward user consent for tracking cookies and similar technologies. Cookies are small text files that are placed on a user’s computer when visiting a website. When the user revisits the site, his or her browser returns the information collected by and stored in the cookie to the site, providing a “memory” of what the user did on the site. This information may be used for security purposes, or to facilitate navigation, or to personalize the user experience while visiting a site, e.g., by recording products in an online shopping cart, or storing language preferences. Cookies may also be used to facilitate the creation of user profiles based on Internet navigation or user segmentation for purposes of targeted advertising campaigns.
Under Article 5(3) of the amended ePrivacy Directive, users must be provided with “clear and comprehensive information” about the storage of information, or access to information stored, on their terminal equipment, and users must provide their “specific” and “freely given” consent. What is clear from the new language is that consent is required, and thus the mere right to object is insufficient. The different language versions of the text do, however, give no clear indications as to whether notice and consent should be provided before cookies are set, and it is unclear what type of consent is required. In particular, it is unclear whether consent must be explicit (opt-in), or whether implied or tacit consent would be sufficient.
In light of these ambiguities, industry stakeholders have raised concerns about the ePrivacy Directive’s impact on electronic services. To date, the approaches to implementation across Europe represent a multitude of different requirements and interpretations. In addition, the implementation process is slow, and the May 25, 2011 deadline is not likely to be met by most EEA Member States.
Although it is not yet possible to fully assess what shape the implementation legislation will take, below we summarize transposition of the ePrivacy Directive to date, and provide suggestions for organizations on how modify policies and practices in order to prepare to face the new requirements.
1. Who must comply?
Recent guidance from the U.K. Information Commissioner’s Office (“ICO”) indicates that all U.K. businesses and organizations running websites in the U.K. should comply. Documentation in Poland only makes vague references to “internet service providers.” The French data protection authority, the CNIL, understands that all “data controllers” who control the collection and use of information through cookies or similar technologies are covered, ranging from web publishers, web analytics providers, online advertising firms, and advertising network providers. German guidance places requirements squarely on web publishers, as well as analytics and advertising network providers. The Article 29 Working Party (“WP 29”), the EU advisory body composed of the national EU data protection authorities, finds that the obligations in Article 5(3) apply to advertising network providers), but that web publishers (websites cooperating with network providers) have limited obligations as well.
In addition, national legislators have entered into discussions with browser manufacturers regarding modifying default settings so that cookies would be rejected automatically; cooperation between the different parties will be crucial.
Despite these different interpretations, it is clear that website operators will not be able to shift the compliance burden to service providers such as advertising networks, behavioral advertising, web analytics, or other services.
2. Which technologies are covered?
In order to answer the question of how to comply with Article 5(3), it is further necessary to examine the purposes for which cookies are used. Article 5(3) distinguishes cookies that are “strictly necessary” to the operation of a website or its services from other types of cookies that can be considered as merely complimentary. Cookies that are “strictly necessary” to provide the service requested by the user will be exempt from the requirements set out in Article 5(3).
Users must provide their consent to the deployment of cookies used for other purposes. Such cookies may be used to track and analyze users’ online behavior, create user profiles, etc., most often in the delivery of behavioral advertising and analytics services. Other cookies may be used to track user behavior and merge that data with other user information with a view to improving services. Cookies may also be used to deliver a specific type of targeted advertising that distinguishes between prospects and customers, or to measure online marketing activity.
3. Notice and consent: In search of a pan-European standard
As stated, there is currently no general approach to interpretation of the notice and consent requirement will be; the interpretations of Member States, data protection authorities, and the EU institutions vary. The Communications Committee set up to advise Member States on implementation (composed of Member State and European Commission representatives) made an attempt to clarify the concept of consent. However, while it explained in detail what informed, specific, and freely given consent is, the Committee did not explicitly state that consent should be prior and opt-in. Instead, the Committee seems to suggest that browser settings or other application settings could be sufficient as a form of consent.
The WP 29’s role is advisory and aims to guide Member States in their implementation of the ePrivacy Directive. In practice, however, the WP 29’s position will not lead to a unified EU-wide approach, and some Member States have already adopted or are moving towards less restrictive legislation.
4. Different Member States’ approaches
The Member States have until May 25 to transpose the ePrivacy Directive into national law. Only days from the deadline, most Member States have still not completed implementation. One of the biggest concerns is that Member States will implement the cookie requirements in different ways. This would lead to myriad requirements across the EU, with some Member States following the WP 29 position and imposing “hard” opt-in consent, and others choosing a more pragmatic, business friendly approach by allowing user consent through browser settings. Currently, the default settings of major browsers generally allow cookies, and as such the ePrivacy Directive’s impact on electronic communications service providers could be relatively minor. Browsers may need to be adapted to better inform users and to be more user-friendly in general, shifting some of the practical burden from the web operators setting cookies to those creating and offering browsers.
Below we provide an overview of the approaches to implementation in key Member States:
- Germany: Although case law is inconsistent, the German data protection authorities view any use of IP addresses as processing “personal data.” Based on this wide interpretation of “personal data,” the authorities already require web publishers to obtain prior notice and opt-in consent for the use of tracking technologies under general data protection laws. In late 2010, the Düsseldorfer Kreis published guidance on the use of web analytics which states that user notice and opt-in consent is required unless IP addresses are truncated. The amendments to the ePrivacy Directive will therefore not likely lead to significant changes in German legislation; what has changed is the attitude of the German data protection authorities. The German authorities are now much more active in enforcing their initial interpretation of “personal data” and regularly audit websites, but to date no fines have been imposed on any non-compliant sites.