Printed from the Field Fisher Waterhouse web site
Web address: http://www.ffw.com/publications/all/articles/new-eu-cookie-rule.aspx

New EU cookie rule - a practical way forward

22 January 2010

This article was first published in Privacy and Data Protection in January 2010.

Internet cookies have been in the spotlight for quite some time in terms of EU data privacy law. When the European Parliament was formally asked to consider the original draft of the Privacy and Electronic Communications Directive by the European Commission in August 2000, nobody envisaged the extent to which the requirements would apply to cookies, one of the most frequently used tools on the web. However, when in October 2001, the European Parliament issued a substantially revised version of the draft directive incorporating a prior consent requirement for the use of cookies, it became clear that this was a sensitive and controversial issue. The move also represented a departure from the technology-neutral approach of the original Data Protection Directive (Directive 95/46/EC).

Eventually, the final text of the Directive on Privacy and Electronic Communications (‘the E-Privacy Directive’) was adopted in July 2002. Article 5(3) allowed the use of cookies and similar devices provided that users received clear and comprehensive information (not necessarily in advance) about the use of that type of technology, and were offered the right to refuse it. The E-Privacy Directive never prevented the use of cookies for the sole purpose of carrying out (or facilitating) the transmission of a communication over an electronic communications network, or where they are strictly necessary to provide a service explicitly requested by the individual.

The ‘notice and choice’ requirement mentioned above has worked well, and sections in the privacy policies of European websites dealing with fairly detailed information about cookies have become the norm. Further, though the use of cookies has become more sophisticated in the past seven years, the level of awareness about the use of cookies and how to manage them has also increased. So on the whole, the use of cookies is not perceived as a threat to people’s privacy. Therefore, it was somewhat surprising - to say the least - when as part of the review of the E-Privacy Directive, the EU institutions agreed in the Spring of 2009 to change the wording of article 5(3).

Revised wording

The revised wording regarding cookies in the new directive - formally adopted on 24 November 2009 - requires careful analysis. The reason for this is that, depending on how this revised wording of article 5(3) is interpreted, its potential effect on the use of cookies and on Europe’s information society is very significant.

Article 5(3) now says that the storing of information (or the gaining of access to information already stored) in the terminal equipment of a subscriber or user is only allowed on the condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC. The exceptions to this are where the technical storage or access is:

a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

b) strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.

In order to understand this provision, it is also important to consider recital 66 of the E-Privacy Directive (‘the Recital’), which acknowledges that third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes. According to the Recital, these purposes will range from the legitimate, to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). The Recital goes on to say that it is therefore of paramount importance that users are provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access.

The Recital demands that the methods of providing information and offering the right to refuse should be as user-friendly as possible. Significantly, the Recital points out that where it is technically possible and effective, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.

Bearing all of these points in mind will be very important in order to determine accurately the practical obligations arising from the revised directive, and assess the actual effect on the use of cookies.

Cookies and the Information Society

Technology-wise, cookies are actually very basic. They are plain text files and usually very small in terms of the amount of information they store. However, despite their simplicity, they perform essential functions that are taken for granted on the internet. The common feature of cookies is that they are used to distinguish one browser from another. This feature can be used for a number of purposes, such as:

Personalisation purposes - Each time a user revisits a website, the user’s cookie will be retrieved by the website which originally stored it on the user’s hard disk. This enables the websites to remember that user, making it unnecessary for him to re-enter registration data on each visit. Cookies also allow websites to log and restore user preferences. For example, a website may offer content in a number of languages and, on a user’s first visit, they will be asked to select a language. Upon selection, a cookie may be stored on the user’s equipment to enable the website to log the language preference and ensure that content is delivered as selected when the user next visits.

Transactional purposes - The use of cookies to maintain data related to a user as the user navigates a website enables e-commerce websites to store items in electronic shopping baskets. Websites’ shopping baskets store the contents in a database located on a server, rather than in a cookie. However, a web server will typically send a cookie to the user’s computer containing a unique identifier which is used by the website to follow that customer through the purchase process.

Analytical purposes - Cookies also allow website operators to monitor traffic on their sites and to identify browsing patterns. The statistics generated by this monitoring can then be used to inform the development of the site, making the website more interesting to users.

Advertising - Cookies are used for online advertising as they enable the collation of browsing-related information about a specific user (as long as he or she uses the same browser). Advertisers can then serve specific ads or types of advertisements on the basis of that information.

In the context of advertising, it is useful to distinguish between ‘first party’ cookies and ‘third party’ cookies. First party cookies are cookies placed by the operator of the website visited by the user. These cookies enable the website’s operator to advertise its own products and services to the user based on the information gathered by its own cookies. Conversely, third party cookies are cookies sent by an entity other than that which operates the website visited by the user. Third parties can be providers of embedded content such as weather reports, videos from streaming sites or social networking tools that make a web 2.0 site truly interactive.

To function well, such third party providers will set cookies. Third parties can also be advertising networks that have entered into agreements with a number of partner websites to enable them to serve advertisements on the basis of cookies from those advertising networks that collect information about visitors. The advertising network may then use the information obtained from its cookie to work out a specific interest by an anonymous user so that a visitor to one partner website who later visits a different partner website can be presented with relevant adverts.

These different uses of cookies evidence how fundamental they are for the day-to-day use of the internet. In particular, cookies are vital to the online advertising industry which funds much of the ‘free’ content available on the web. Websites’ reliance on cookies is not an isolated and restricted practice. Virtually all commercial websites, as well as many non-commercial websites, use cookies and deliver them to their users. This pretty much happens at the speed of light as a web page is called up by a browser, so there is no time delay between the page appearing and the cookie being set.

Therefore, it is obvious that if the consent requirement under the new article 5(3) were to be interpreted as an absolute opt-in type consent obligation in respect of cookies, it would simply collapse the normal downloading process of billions of websites on the internet, annoy users and ultimately damage such a crucial pillar for the future of Europe as the Information Society.

Interpreting the new wording

This suggests that the new wording affecting the storing of information, or the gaining of access to information already stored, in the terminal equipment of an internet user must allow for a purposive interpretation.

Article 5(3) not only regulates cookies but has a much wider scope covering all types of information stored on, or accessed from, a device, including software. The rationale is to tackle the problem that unwanted software such as adware, junk, or even viruses and spyware may be installed on a user’s hard drive without their knowledge and consent. This can be done, for instance, by bundling this software together with a piece of software that a user actually wanted to install. While the revised law generally calls for the user’s consent, the Recital treats cookies as a special case within the scope of Article 5(3).

There is clear evidence of the need for this differentiation in the first sentence of the Recital, which refers to the different purposes for which third parties may wish to store or gain access to information. These purposes will range from the legitimate - in particular, cookies - to those involving an unwarranted privacy intrusion, such as spyware or viruses. Therefore, it makes sense for the rules to be applied in a way that addresses those different purposes.

In the context of cookies, it will be crucial to interpret the meaning of giving consent in the light of the content of the Recital. In particular, anyone interpreting the rule set out by Article 5(3) of the revised E-Privacy Directive should take into account:

  • the ‘legitimate purposes’ justification. As mentioned above, the Recital makes a fundamental distinction in terms of the purposes for which third parties may wish to store or gain access to information. The use of cookies will certainly fall within the ‘legitimate purposes’ category, and should not be subject to an unduly burdensome regime.
  • the right to refuse. The Recital goes on to refer to the right to refuse, which should be as user-friendly as possible. This confirms that, in relation to all remote information storage mechanisms covered by Article 5(3), the universally applicable obligation is to offer such right, rather than to require a strict opt-in consent. Furthermore, legislative history makes it clear that the EU legislator wanted to avoid including an opt-in for Article 5(3). The notion of ‘prior’ consent had been proposed by the European Parliament in its second reading position, but the word ‘prior’ was subsequently removed during the legislative process.
  • methods of controlling cookies. When the European Data Protection Supervisor recently referred to this point in a press release, he indicated that, under the new directive, users should be offered better information and easier ways to control whether they wanted cookies stored in their terminal equipment. Again, the ability to control the deployment of cookies does not necessarily mean prior consent, but a practical mechanism to determine the role of the cookies.
  • using appropriate settings of browsers and other applications. In line with this practical approach to controlling cookies, the Recital states that the user’s consent may be expressed by using the appropriate settings of a browser or other application. This is a clear and visible sign in support of technological solutions that follow the ‘privacy by design’ approach (the notion of embedding privacy into the design of technology) and it also confirms that EU lawmakers are prepared to allow internet users to rely on the technology itself to define their privacy preferences. In practice, this means that internet users will be increasingly expected to employ technological means to decide which types of cookies they are prepared to accept and which ones they are not.

This provision has clarified a blind spot in the 2002 directive. The latter did not explicitly recognise cookie control tools as a way to comply with the law’s requirement to provide users with a means to refuse cookies. However, in practice websites normally rely on browsers and other applications to provide the required opt-out for the cookies they set.

The new directive explicitly recognises this role played by browsers. For specific cookies that cannot be controlled by browsers, such as Adobe’s Flash cookies and Microsoft’s Silverlight cookies, the Recital also recognises the role of ‘other applications’ (e.g. Adobe’s web based storage settings panel for Flash cookies).

  • the legislation’s emphasis on transparency. Finally, it must be stressed that the emphasis of Article 5(3) and the Recital is actually on transparency. The provision of clear and comprehensive information about the use of cookies should be seen as the cornerstone of the E-Privacy regime. This is clear from the wording of Article 5(3) and the various references to the provision of this information in the Recital, and further validates the argument for a purposive interpretation of the revised requirement.

The way forward

There is already an early positive outcome of the revised directive: it provides an opportunity to debate and clarify a crucial issue of our time. The focus will now be on how each individual Member State interprets the revised text. The logical way forward would be for the national legislators to adopt a purposive interpretation of the new wording affecting cookies. This interpretation should lead to a universally accepted position where, in the case of cookies, the user’s consent may be deemed from the relevant browser settings provided that there is genuine transparency.

In the meantime, providers of websites deploying cookies should devise a realistically compliant strategy based on the points made in the recitals of the directive, and use that to make representations to those with the responsibility for implementing the directive in the EU countries where they operate.

For further information, please contact Eduardo Ustaran.