The fight goes on against new cookie restrictions in the latest version of the proposed EU Communications Data Protection Directive, while it could be prison for cookie abusers if recent French proposals are adopted.
Who: The European Commission, The IAB and the French Government
Where: Brussels and Paris
When: April 2002
For the benefit of marketinglaw readers who have been on the moon over the last few months, cookies are short pieces of computer text generated by a web server and stored in the user’s computer to facilitate his/her movement between pages. This helps the website by, for example, removing the need to re-enter information already provided or selected by the consumer. Cookies can also be used to profile users for marketing purposes.
This is where the European Commission comes in, by way of the draft Communications Data Protection Directive. Amongst other proposals in this directive is a provision which, if it becomes law, would oblige all websites operating cookies to introduce a “pop up” on the home page of their sites. This would have to give those visiting the site “prior notification” of the existence of the cookie and its implications. It would also have to provide the individual with a clear opportunity to opt out of that cookie being put into operation.
The marketing industry is up in arms about this. Two bodies which have recently been lobbying hard against the adoption of this proposal are the Interactive Advertising Bureau (“IAB”), representing most UK websites selling advertising space, and UNICE, representing more than 16 million small, medium and large companies across 26 European countries. The concern is that the introduction of the proposal would create barriers to the user-friendliness of websites. It is also felt that, rather than “prior notification,” it ought to be sufficient to have a rule that somewhere on the site information about cookies is provided together with an opt-out facility.
The job of the IAB, UNICE and others like them will not be helped by recent developments in France. Here, the French legislation designed to belatedly implement the EU Data Protection Directive has recently been amended so as to include a provision relating to cookies. The amendment specifically targets cookies which are useable for establishing profiles of internet users for marketing purposes. These will only be permissible, the bill provides, where the internet user receives a full explanation of the purpose of the data processing and the chance to opt out of the cookie being put into operation. Any infringement of the provision could lead on conviction to a fine of up to around €50,000 and a term of up to 5 years’ imprisonment.
Why this matters:
In practice it is unlikely that the French courts will dish out penalties approaching the maximum specified above in cases where these proposed cookie restrictions are breached. It is worth noting, however, that the essential drift of this legislation is not fundamentally different from the position taken by the UK’s own Information Commission on cookies. The big difference is that the Information Commission has severely limited resources and does not so far have a record of handing out significant penalties. Other EU member states’ equivalent authorities take a much more proactive and strict approach. One such example is the Spanish Data Protection Agency, which has already featured in marketinglaw.co.uk reports. The latest data emanating from Madrid is that in the course of 2001 the Spanish DPA imposed a total of no less than €12.02 million in sanctions in over 500 infraction procedures. These were brought against Spanish firms’ websites which were not complying with data protection rules. This appears to average out at €24,000 or £14,400 in fines for each prosecution!