Time to get to grips with cookies
19 December 2011
This article was first published in Data Protection Law
& Policy in December 2011.
Without a doubt, figuring out how to comply with the notice and
consent requirements affecting the use of cookies in Europe is
going to be at the top of the New Year's resolutions of many data
protection officers and privacy counsels. Although the debate is
nearly three years old, inaction has so far prevailed amongst
European website operators, to the frustration of the data
protection authorities, a frustration which is only too visible in
the latest Working Party Opinion on online behavioural
advertising. We are now well past the deadline to implement
these requirements and it is time to start doing something other
than burying our heads in the sand.
There is not much point in going back over the
decision to change the law from notice and objection to notice and
consent, unless someone is going to seriously and legally challenge
it. Until that happens, we may as well try to comply with
the law. However, relying on users' consent to use cookies is
a bit like asking people to confirm that they are willing to allow
electrons to flow before turning on the light: we don't fully
understand the relevance of moving electrons to lighting up a light
bulb, but we know we don't want to be in the dark. So whilst the
humble Internet cookie has become a bit of a media star beyond
techies and online advertising experts, it is fair to assume that
the cookie consent requirement needs a bit of flexibility in its
interpretation.
The most obvious way of allowing for that
flexibility is to accept that consent will often need to be
implied. An accepted principle under data protection law is
that where data processing is not intrusive in nature and there is
no foreseeable risk or harm to individuals, the standard of consent
required is lower than where the sensitivity of the processing is
greater. So to the extent that the use of Internet cookies
has only minimal impact on people's privacy, it is logical to
assume that such use may be based on individuals' implied
consent. The UK Information Commissioner has taken a slightly
cautious view but essentially accepts this approach. For the
UK regulator, it is all about consumer awareness, since implied
consent must be based on a definite understanding of what is going
to happen.
A more contested issue in this context is
whether the consent must be prior to the serving of cookies.
Despite the fact that the e-privacy directive makes no reference to
the word 'prior' – unlike in the case of e-mail marketing – and
that such a word was indeed removed from the directive during the
legislative process, the Article 29 Working Party is adamant that
consent must be obtained before a cookie is served or information
stored in the user's terminal equipment is collected. The
Information Commissioner on the other hand acknowledges that
currently many websites set cookies as soon as a user accesses the
site and that this makes obtaining consent before the cookie is set
difficult. The UK Government has gone even further and stated
that it is possible that consent may be given after or during
processing.
Taking all this into account, what should a
website operator or advertiser that relies on cookie technology
do? The time for pondering is certainly running out and so is
the patience of the regulators. Cookies which are strictly
necessary for the provision of an online service requested by an
Internet user are exempt from the notice and consent requirements,
but what about the two most popular types of cookies around:
analytics and advertising cookies? Are these cookies so
intrusive and harmful that only explicit and prior consent will
justify their use from now on? Not necessarily, but achieving
legal compliance will require some clever thinking and visible
action.
Data privacy compliance is not a matter of
scientific precision but an exercise of common sense and legal
vision. In the context of Internet cookies, this means
bending over backwards to make it crystal clear what cookies are
being used and for what purposes. If implied and real-time
consent is going to be relied upon, it is going to have to be
pretty obvious to the average user what is going on. At the
very least, it has to be reasonable to assume that someone can
easily find out and exercise effective control over the cookies
being served on their terminal equipment. A prominent notice,
a simple explanation and an opportunity to take a view on whether
to accept or reject cookies will go a long way, but only if they
move from a wish list to action.
Eduardo Ustaran, Partner, head of Privacy and Information Law Group
at Field Fisher Waterhouse.