New EU cookie rule - a practical way forward
22 January 2010
This article was first published
in Privacy and Data Protection in January 2010.
Internet cookies have been in the
spotlight for quite some time in terms of EU data privacy law. When
the European Parliament was formally asked to consider the original
draft of the Privacy and Electronic Communications Directive by the
European Commission in August 2000, nobody envisaged the extent to
which the requirements would apply to cookies, one of the most
frequently used tools on the web. However, when in October 2001,
the European Parliament issued a substantially revised version of
the draft directive incorporating a prior consent requirement for
controversial issue. The move also represented a departure from the
technology-neutral approach of the original Data Protection
Directive (Directive 95/46/EC).
Eventually, the final text of the
Directive on Privacy and Electronic Communications (‘the E-Privacy
Directive’) was adopted in July 2002. Article 5(3) allowed the use
of cookies and similar devices provided that users received clear
and comprehensive information (not necessarily in advance) about
the use of that type of technology, and were offered the right to
refuse it. The E-Privacy Directive never prevented the use of
cookies for the sole purpose of carrying out (or facilitating) the
transmission of a communication over an electronic communications
network, or where they are strictly necessary to provide a service
explicitly requested by the individual.
The ‘notice and choice’ requirement
mentioned above has worked well, and sections in the privacy
policies of European websites dealing with fairly detailed
information about cookies have become the norm. Further, though the
is not perceived as a threat to people’s privacy. Therefore, it was
somewhat surprising - to say the least - when as part of
the review of the E-Privacy Directive, the EU institutions agreed
in the Spring of 2009 to change the wording of article 5(3).
The revised wording regarding cookies in the new
directive - formally adopted on 24 November 2009 -
requires careful analysis. The reason for this is that, depending
on how this revised wording of article 5(3) is interpreted, its
society is very significant.
Article 5(3) now says that the storing of information (or the
gaining of access to information already stored) in the terminal
equipment of a subscriber or user is only allowed on the condition
that the user concerned has given his or her consent, having been
provided with clear and comprehensive information, in accordance
with Directive 95/46/ EC. The exceptions to this are where the
technical storage or access is
a) for the sole purpose of carrying out
the transmission of a communication over an electronic
communications network; or
b) strictly necessary for the provision
of an information society service explicitly requested by the
subscriber or user.
In order to understand this provision, it is also important to
consider recital 66 of the E-Privacy Directive ( ‘the Recital’),
which acknowledges that third parties may wish to store information
on the equipment of a user, or gain access to information already
stored, for a number of purposes. According to the Recital, these
purposes will range from the legitimate, to those involving
unwarranted intrusion into the private sphere (such as spyware or
viruses). The Recital goes on to say that it is therefore of
paramount importance that users are provided with clear and
comprehensive information when engaging in any activity which could
result in such storage or gaining of access.
The Recital demands that the methods of providing information
and offering the right to refuse should be as user-friendly as
possible. Significantly, the Recital points out that where it is
technically possible and effective, the user’s consent to
processing may be expressed by using the appropriate settings of a
browser or other application.
Bearing all of these points in mind will be very important in
order to determine accurately the practical obligations arising
from the revised directive, and assess the actual effect on the use
Cookies and the Information Society
Technology-wise, cookies are actually very basic. They are plain
text files and usually very small in terms of the amount of
information they store. However, despite their simplicity, they
perform essential functions that are taken for granted on the
internet. The common feature of cookies is that they are used to
distinguish one browser from another. This feature can be used for
a number of purposes, such as:
Personalisation purposes - Each time a
user revisits a website, the user’s cookie will be retrieved
by the website which originally stored it on the user’s hard disk.
This enables the websites to remember that user, making it
unnecessary for him to re-enter registration data on each visit.
Cookies also allow websites to log and restore user preferences.
For example, a website may offer content in a number of languages
and, on a user’s first visit, they will be asked to select a
language. Upon selection, a cookie may be stored on the user’s
equipment to enable the website to log the language preference and
ensure that content is delivered as selected when the user next
Transactional purposes - The use of
cookies to maintain data related to a user as the user navigates a
website enables e-commerce websites to store items in electronic
shopping baskets. Websites’ shopping baskets store the contents in
a database located on a server, rather than in a cookie. However, a web
server will typically send a cookie to the user’s computer
containing a unique identifier which is used by the website to
follow that customer through the purchase process.
Analytical purposes - Cookies also allow
website operators to monitor traffic on their sites and to identify
browsing patterns. The statistics generated by this monitoring can
then be used to inform the development of the site, making the
website more interesting to users.
Advertising - Cookies are used for online
advertising as they enable the collation of browsing-related
information about a specific user (as long as he or she uses the
same browser). Advertisers can then serve specific ads or types of
advertisements on the basis of that information.
In the context of advertising, it is useful to distinguish
between ‘first party’ cookies and ‘third party’ cookies. First
party cookies are cookies placed by the operator of the website
visited by the user. These cookies enable the website’s operator to
advertise its own products and services to the user based on the
information gathered by its own cookies. Conversely, third party
cookies are cookies sent by an entity other than that which
operates the website visited by the user. Third parties can be
providers of embedded content such as weather reports, videos from
streaming sites or social networking tools that make a web 2.0 site
To function well, such third party providers will set cookies.
Third parties can also be advertising networks that have entered
into agreements with a number of partner websites to enable them to
serve advertisements on the basis of cookies from those advertising
networks that collect information about visitors. The advertising
network may then use the information obtained from its cookie to
work out a specific interest by an anonymous user so that a visitor
to one partner website who later visits a different partner website
can be presented with relevant adverts.
These different uses of cookies evidence how fundamental they
are for the day-to-day use of the internet. In particular, cookies
are vital to the online advertising industry which funds much of
the ‘free’ content available on the web. Websites’ reliance on
cookies is not an isolated and restricted practice. Virtually all
commercial websites, as well as many non-commercial websites, use
cookies and deliver them to their users. This pretty much happens
at the speed of light as a web page is called up by a browser, so
there is no time delay between the page appearing and the cookie
Therefore, it is obvious that if the consent requirement under
the new article 5(3) were to be interpreted as an absolute opt
in-type consent obligation in respect of cookies, it would simply
collapse the normal downloading process of billions of websites on
the internet, annoy users and ultimately damage such a crucial
pillar for the future of Europe as the Information Society.
Interpreting the new wording
This (above) suggests that the new wording affecting the storing
of information, or the gaining of access to information already
stored in the terminal equipment of an internet user, must allow
for a purposive interpretation of such wording.
Article 5(3) not only regulates cookies but has a much wider
scope covering all types of information stored on, or accessed
from, a device, including software. The rationale is to tackle the
problem that unwanted software such as adware, junk, or even
viruses and spyware may be installed on a user’s hard drive without
their knowledge and consent. This can be done, for instance, by
bundling this software together with a piece of software that a
user actually wanted to install. While the revised law generally
calls for the user’s consent, the Recital treats cookies as a
special case within the scope of Article 5(3).
There is clear evidence of the need for this differentiation in
the first sentence of the Recital, which refers to the different
purposes for which third parties may wish to store or gain access
to information. These purposes will range from the
legitimate - in particular, cookies - to those involving
an unwarranted privacy intrusion, such as spyware or viruses.
Therefore, it makes sense for the rules to be applied in a way that
addresses those different purposes.
In the context of cookies, it will be crucial to interpret the
meaning of giving consent in the light of the content of the
Recital. In particular, anyone interpreting the rule set out by
Article 5(3) of the revised E-Privacy Directive should take into
- the ‘legitimate purposes’ justification. As mentioned above,
the Recital makes a fundamental distinction in terms of the
purposes for which third parties may wish to store or gain access
‘legitimate purposes’ category, and should not be subject to an
unduly burdensome regime.
- the right to refuse. The Recital goes on to refer to the right
to refuse, which should be as user-friendly as possible. This confirms
that, in relation to all remote information storage mechanisms
covered by Article 5(3), the universally applicable obligation is
to offer such right, rather than to require a strict opt-in
consent. Furthermore, legislative history makes it clear that the
EU legislator wanted to avoid including an opt-in for Article 5(3).
The notion of ‘prior’ consent had been proposed by the European
Parliament in its second reading position, but the word ‘prior’ was
subsequently removed during the legislative process.
- methods of controlling cookies. When the European Data
Protection Supervisor recently referred to this point in a press
release, he indicated that, under the new directive, users should
be offered better information and easier ways to control whether
they wanted cookies stored in their terminal equipment. Again, the
ability to control the deployment of cookies does not necessarily
mean prior consent, but a practical mechanism to determine the role
of the cookies.
- using appropriate settings of browsers and other applications.
In line with this practical approach to controlling cookies, the
Recital states that the user’s consent may be expressed by using
the appropriate settings of a browser or other application. This is
a clear and visible sign in support of technological solutions that
follow the ‘privacy by design’ approach (the notion of embed ding
privacy into the design of technology) and it also confirms that EU
lawmakers are prepared to allow internet users to rely on the
technology itself to define their privacy preferences. In practice,
this means that internet-users will be increasingly expected to
employ technological means to decide which types of cookies they
are prepared to accept and which ones they are not.
This provision has clarified a blind spot in the 2002 directive.
The latter did not explicitly recognise cookie control tools as a
way to comply with the law’s requirement to provide users with a
rely on browsers and other applications to provide the required
opt-out for the cookies they set.
The new directive explicitly recognises this role played by
browsers. For specific cookies that cannot be controlled by
browsers, such as Adobe’s Flash cookies and Microsoft’s Silverlight
cookies, the Recital also recognises the role of ‘other
applications’ (e.g. Adobe’s web based storage settings panel for
the legislation’s emphasis on transparency.
Finally, it must be stressed that the emphasis of Article 5(3) and
the Recital is actually on transparency. The provision of clear and
seen as the
cornerstone of the E-Privacy regime. This is clear from the
wording of Article 5(3) and the various references to the provision
of this information in the Recital, and further validates the
argument for a purposive interpretation of the revised
The way forward
There is already an early positive outcome of the revised
directive: it provides an opportunity to debate and clarify a
crucial issue of our time. The focus will now be on how each
individual Member State interprets the revised text. The logical
way forward would be for the national legislators to adopt a
purposive interpretation of the new wording affecting cookies. This
interpretation should lead to a universally accepted position
where, in the case of cookies, the user’s consent may be deemed
from the relevant browser settings provided that there is genuine
In the meantime, providers of websites deploying cookies should
devise a realistically compliant strategy based on the points made
in the recitals of the directive, and use that to make
representations to those with the responsibility for implementing
the directive in the EU countries where they operate.
For further information, please contact Eduardo Ustaran.