Legal Briefing

Cookies cut? Complying with the UK’s implementation of new EU rules on cookie use


TMT | 01 September 2011

Mid-July saw the chill winds of EU infringement procedures blow across much of Europe. The European Commission took first steps in proceedings against twenty EU member states for their failure to fully implement into their national laws new telecoms rules that amend Directive 2002/58/EC (the 2002 Directive) in relation to the use of technologies that store information on internet users, such as cookies [1].

Alongside the UK, only Denmark, Estonia, Finland, Ireland, Malta and Sweden were able to bask in the warm glow of having implemented the new rules in full by 25 May 2011. Given the fundamental changes relating to the use of cookies required by the amended directive, meeting the deadline was no mean feat.

The UK government has implemented the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations (the Regulations) [2]. However, on closer examination, compliance with this new UK legislation is not as settled as might be hoped, with the outlook uncertain and liable to change. The UK government has implemented the amended 2002 Directive provisions in good time. However, at the government’s request, the UK Information Commissioner’s Office (ICO) has provided a 12-month moratorium on the use of its enforcement powers in relation to the use of cookies, while organisations try to establish means of conforming to the new requirements of the regulations [3].

LEGISLATURE CONCERNS

Since the introduction of the 2002 Directive, internet use has increased rapidly [4]. This increase is mirrored by the rise of technologies that store information on users to facilitate website personalisation, such as targeted advertising. Cookies underpin many of these technologies. These are small files of letters and numbers downloaded on to a user’s computer on accessing a website. Cookies do not collect information but they do allow websites or advertising serving networks to recognise:

  • a user’s computer as they browse;
  • a user’s computer on subsequent visits to that website; and
  • a profile of other sites that the user has visited [5].

For Europe’s lawmakers, concerns arise that users’ privacy is being infringed by the rising use of recorded data relating to their activity on websites.

E-PRIVACY DIRECTIVE CHANGE

As was the case prior to its revision, the revised 2002 Directive permits cookie use that is ‘strictly necessary’ to the provider of an ‘information society service’, such as a website, which is explicitly requested by a user to provide that service. However, the 2002 Directive has been revised to give users notice – and the ability to opt out – of all other cookie use. Addressing concerns about user privacy, the revised 2002 Directive now requires all other uses of cookies to be contingent on a user’s consent, ‘having been provided with clear and comprehensive information… about the purposes of the processing’ [6].

UK IMPLEMENTATION

The revised 2002 Directive is implemented into UK law through the Regulations. When drafting the Regulations, the Department for Culture, Media and Sport (DCMS) remained consistent with its intentions as set out in its September 2010 consultation by ‘copying out the relevant wording of the article’ requiring users to consent to cookies that are not strictly necessary [7]. This move from opt-out to opt-in cookie use highlights the issue of how the necessary consent of users can be obtained. Previously, this was achieved through a combination of explanations in website privacy policies and users’ ability to set browsers to block cookies, choose private browsing and manually delete cookies. The challenge now faced by all website operators is how to ensure that cookie use is consensual.

USER CONSENT

Exceptions

As counsel to organisations offering websites to consumers or business users, readers will find that their organisations now face this challenge. Some comfort can be taken from the continuing exemption where cookies are ‘strictly necessary’ for a service requested by the user. However, in its (non-binding) guidance on the Changes to the Rules on Using Cookies, the ICO has confirmed that what is ‘strictly necessary’ has a narrow definition [8]. Firstly, the cookie must be necessary to the service and not ancillary or used to optimise the service. Secondly, the cookie must relate to a service requested by the user. From this, functionality such as tracking a user’s progress through a website purchase path is likely to have the necessary characteristics to fall under the exemption. Cookies that collect analytical data for the website provider’s own operating purposes are not.

Third-party cookies

Unlike cookie use necessary to the provision of services, no exemption from the need for user consent applies to the serving of third-party cookies. Just as a user must consent to a website operator’s cookies, they must also consent to any cookies placed by third parties through that website. This is especially relevant for website displays of advertising, network content and the growing use of behavioural advertising by online advertisers to target relevant audiences. In this regard, the DCMS has publicly stated its support for cross-industry work on third-party cookies in behavioural advertising [9]. Initiatives such as IAB Europe’s European Self-Regulatory Framework for Online Behavioural Advertising (the Framework) outline good practice through websites providing transparent user control [10]. The Framework establishes obligations that all online behavioural display advertisements must contain an icon that alerts users to the use of cookie-based online advertising. Clicking on the icon directs users to a website with information on how to turn off these advertisements. While the Framework is currently binding only on signatory companies, compliant firms include many of the main players in this type of advertising. All companies of this type are obliged to implement the icon by June 2012. The Framework is complemented by the European Advertising Standards Alliance’s (EASA) Best Practice Recommendations (the Recommendations), which set out cross-industry best practice for online cookie-based advertising [11]. Website operators may wish to confirm their advertising provider partners’ compliance with the Framework and Recommendations as part of offering compliant websites to users.

Browsers

As discussed, prior to the Regulations, website providers often relied on users opting out of cookie use through their browser settings. Privacy policies commonly directed users to find out how to do this if they did not want cookies or other identifying technologies to be used on them. Browser-based consent has not disappeared with the revisions to the 2002 Directive. Recital 66 of the revised 2002 Directive states that:

‘The user’s consent to processing may be expressed by using the appropriate settings of a browser or other application’ [12].

Recital 66 has intensified the debate about browser consent to cookie use. The revised 2002 Directive’s silence on whether consent must be explicit allows for the argument that consent can be implicit in browser settings. Perhaps unsurprisingly, this interpretation is favoured by pan-European advertising industry bodies, such as IAB Europe, which seeks to support this view through educational materials, sessions and resources, such as its Your Online Choices website [13]. However, it is difficult to align much of what is available to website users with the revised 2002 Directive’s requirements to provide clear and comprehensive information.

The Article 29 working party has singled out the matter of informed consent in the debate about browser consent [14]. Its opinion, Online Behavioural Advertising [15], revisits the Data Protection Directive. It confirms that its members believe that such consent should be freely given, specific, informed, and a clear and positive indication of the user’s wishes. Taking these criteria together, it is easy to conclude that the working party’s position on browser settings is that they may only deliver consent in very limited circumstances that are far removed from normal browser operation.

Alongside implementing the Regulations, the DCMS issued an open letter on the new regime relating to cookies [16]. It discussed browser consent and recognised that:

  • users need to be provided with appropriate information on how browsers operate to allow informed consent;
  • if such information is present, users may signify consent through:
      • the choices that they make on their browser settings or controls; or
      • choosing not to amend the settings or controls of a browser.

The DCMS has acknowledged that even if a browser-based solution to the issue of user consent is possible, many users may not understand how to adjust their browser settings. In recognising the possibility of browser consent in the future, the DCMS also acknowledged that current browsers will need to be enhanced to meet the requirements of the revised 2002 Directive. Development of this kind of browser utility, such as that being undertaken by Microsoft in relation to its Internet Explorer (version 9) and Google for the latest edition of its Chrome browser, will be pursued by the government in collaboration with the industry. Evidently, browser consent is one option that the DCMS would like to be available but, for now, the DCMS is aligned with the ICO in stating that:

‘At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie’ [17].

So for the time being, browser consent should not be relied on for non-essential cookie use.

Considerations

Counsel advising their business colleagues must therefore consider alternate means of ensuring they have users’ consent to cookie use. Key considerations for the ICO in this regard are that the means adopted to obtain user consent:

  • provide information about the cookies;
  • obtain consent when a cookie is set for the first time; and
  • are appropriate for the use being made of the cookie information.

The ICO also confirms its opinion that once consent to a particular cookie use is obtained, it need not be requested again for use of the same cookie for the same purpose.

Other means

The ICO acknowledges that the following techniques are legitimate means of obtaining user consent to cookie use [18].

Pop-up/interstitial screens

Making users consent to cookies in a separate screen before progressing with their browsing session. This method has the benefit of a high degree of certainty as to the consent granted, but is likely to have an equally high degree of negative impact on the user experience of any website.

Websites’ terms of use

Mirroring the way that many websites require users to agree to terms on first use or registration, similar techniques could be adopted for cookie consent. However, the ICO has made it clear that users would have to provide consent to any revised terms relating to cookie use and that these cannot merely be added to previously accepted terms of use. The ICO expects a ‘positive indication that users understand and agree to the changes’ [19].

Website set-up

As with the acceptance of terms of use on initial website use, website operators often interact with users to provide them with a customised website set-up.

This interaction provides another opportunity for website operators to give users choices, explain how these choices are brought about by cookies, and obtain their consent to that functionality.

Specific website features

If a website has specific features that require the download of a cookie, this point of interaction also creates the opportunity to get users’ informed consent to the relevant cookie. Consent can accompany several user actions, as long as users are informed that they are enabling a cookie. For example, a user may provide consent by clicking ‘yes’, pressing play, opening a link or activating a feature.

COMPLIANCE TIMING

Both the DCMS and the ICO have recognised that, regardless of the methods adopted by website operators to obtain consent, implementing the necessary cookie consent changes is not a simple matter, nor one that should be undertaken without due consideration. As a consequence, the DCMS has agreed that the ICO should not fully exercise its powers under the Regulations until May 2012 [20]. However, neither the government nor the ICO view this period as one in which parties offering websites should be inactive. The limits of the ICO’s enforcement actions only apply to:

‘Organisations that are working to address their use of cookies, or are engaged in development work on browsers and/or other solutions.’ [21]

If the ICO receives a complaint about a website’s current use of cookies, it expects the website’s operator to be able to explain what efforts have been taken to comply with the Regulations. The ICO has confirmed that it may issue warnings to website operators that cannot provide an explanation. All such warnings will then be taken into consideration should any ICO enforcement action be necessary against the operators after May 2012.

WHAT NOW?

It is evident that organisations operating websites that are subject to the Regulations should not wait until May 2012 to take action. The ICO clearly wants website operators to immediately consider how to comply with the Regulations. It has proposed the following three-step process [22].

Understanding the organisation’s use of cookies (auditing)

Organisations should consider where and why cookies are used, and whether they are necessary.

Reviewing the impact of cookies on users

The ICO believes that the more a cookie from a website intrudes on a user’s privacy, the greater the priority the website’s operator must give to obtaining user consent. For example, the ICO regards the creation of detailed user browsing profiles as intrusive, making obtaining consent for them a higher priority.

Selecting the appropriate consent collection mechanism

Having taken the first two steps, website operators must choose how to meet the requirements for user consent to cookie use. Operators must consider the purpose of the cookies and make more effort to obtain consent for those that are more intrusive.
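The consent mechanisms described under ‘Other means’ and the audit/select steps above, modelled as an added example that is not the ICO’s or the briefing’s own code: a small gate that sets strictly necessary cookies freely, withholds every other cookie until a positive indication of consent for its purpose is recorded, carries that record over to later visits so consent is not requested twice, and reports what was set for the auditing step. A Map stands in for `document.cookie`, and all cookie names and purposes are constructed for the illustration.

```javascript
// Added example (not the ICO's or the briefing's code); a Map stands in for
// document.cookie so it runs outside a browser; names and purposes are constructed.
// Exempt purposes: strictly necessary for a service the user requested, which here
// includes remembering the consent choice itself.
const STRICTLY_NECESSARY = new Set(["session", "consent_record"]);

class CookieConsentGate {
  constructor() {
    this.jar = new Map();        // cookie name -> { value, purpose }
    this.consented = new Set();  // purposes the user has positively agreed to
  }
  // Restore earlier choices: consent given once for a purpose need not be
  // requested again for the same cookie and purpose (ICO position).
  loadConsent(recordValue) {
    recordValue.split(",").filter(Boolean).forEach((p) => this.consented.add(p));
  }
  // A positive indication (clicking "yes", pressing play, enabling a feature)
  // given after the user was told which cookie the action enables.
  grantConsent(purpose) {
    this.consented.add(purpose);
    const record = [...this.consented].join(",");
    this.jar.set("cookie_consent", { value: record, purpose: "consent_record" });
  }
  hasConsent(purpose) {
    return STRICTLY_NECESSARY.has(purpose) || this.consented.has(purpose);
  }
  // Returns true if the cookie was set, false if withheld pending consent.
  setCookie(name, value, purpose) {
    if (!this.hasConsent(purpose)) return false;
    this.jar.set(name, { value, purpose });
    return true;
  }
  // Auditing step: what is set, for which purpose, and whether it was exempt.
  audit() {
    return [...this.jar].map(([name, c]) => ({ name, purpose: c.purpose,
      exempt: STRICTLY_NECESSARY.has(c.purpose) }));
  }
}
// One session: essential cookie set, analytics withheld until the user enables
// the feature, a third-party advertising cookie still withheld.
function demo() {
  const gate = new CookieConsentGate();
  const r = { sessionSet: gate.setCookie("site_session", "s-1", "session") };
  r.analyticsBefore = gate.setCookie("analytics_id", "a-1", "analytics");
  gate.grantConsent("analytics");
  r.analyticsAfter = gate.setCookie("analytics_id", "a-1", "analytics");
  r.adProfile = gate.setCookie("ad_profile", "p-1", "behavioural_advertising");
  r.audited = gate.audit().length;
  return r;
}
```

On a real site the consent record would be read back from the browser’s cookie store on each visit and passed to `loadConsent`, and the gate would be consulted before any third-party script that sets its own cookies is loaded.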

All website operators would be well advised to undertake this process as, come next spring, websites that do not comply with the Regulations may find the chill winds of regulation turning their way.

Notes

  1. See: http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/905&format=HTML&aged=0&language=EN&guiLanguage=en and http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML
  2. See: http://www.legislation.gov.uk/uksi/2011/1208/contents/made
  3. See http://www.culture.gov.uk/images/publications/cookies_open_letter.pdf and http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/~/media/documents/library/Privacy_and_electronic/Practical_application/enforcing_the_revised_privacy_and_electronic_communication_regulations_v1.pdf
  4. Increasing 353% between 2000 and 2011. See http://www.internetworldstats.com/stats4.htm
  5. For more information about cookies, see: http://www.allaboutcookies.org/
  6. See Article 5(3) at http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf
  7. Ibid.
  8. See http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf
  9. See footnote 4 on p2.
  10. See http://www.iabeurope.eu/media/51925/iab%20europe%20oba%20framework_merged%20ii.pdf
  11. See http://www.epceurope.org/presscentre/archive/easa_bpr_oba_12_april_2011.pdf
  12. See Recital 66 at http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf
  13. See http://www.youronlinechoices.eu/
  14. The forum of European data protection regulators set up under Article 29 of the Data Protection Directive (Directive 95/46).
  15. Opinion 2/2010 on online behavioural advertising issued 22 June 2010. See: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf and http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
  16. See footnote 4 of the letter (dated 24 May 2011).
  17. See footnote 10 on p5.
  18. See footnote 10 on p6 et seq.
  19. Ibid, p7.
  20. See footnote 5 on p4.
  21. Ibid, p5.
  22. See footnote 10 on p5.