At one point it looked like “opt-in” for all EU cookies, but just-published draft regulations under the EU Directive on Privacy and Electronic Communications say different.
Who: Department of Trade & Industry
When: March 2003
The DTI published its consultation document on implementation of the EU Directive on Privacy and Electronic Communications. The plan is to implement the directive by way of rules currently called “The Privacy and Electronic Communications (EC Directive) Regulations 2003” (“PECRs”) and to bring these into force by 31 October 2003. The consultation period in respect of the current proposals expires on 19 June 2003.
Here we focus on the proposals in the PECRs in respect of the regulation of the operation of tracking devices such as cookies, which are designed to be sent to the terminal equipment of a user for tracking or recognition purposes. The device acts as a marker or identifier that can be recognised automatically by the service provider. It can be used for a wide range of purposes: some operators use them to log how many visits a particular website or page of a website is getting or the order in which visitors navigate around a site. They can be used to monitor how attractive a site is, for design or advertising purposes. They can also be used to monitor repeat visits from the same terminal, enabling site providers to record their language preferences or vary the banner adverts sent to that visitor. They may also be used in conjunction with other information provided by the visitor to provide a picture of what a web visitor has previously bought or expressed an interest in, or to facilitate on-line purchasing procedures or security/identity checks. They can also be used to send a return message – to prompt the visitor to buy from the site, for instance.
Controls are available to internet users to restrict the operation of these devices. Users can, for example, choose to set browser controls to alert them to, or reject, certain forms of cookies automatically.
The EU Privacy Directive recognises that there are good and bad uses of cookies and similar devices and that some internet functions will be either impossible or very difficult to use without them. The aim of the Directive is to address devices used in a way which may seriously intrude upon the privacy of terminal users and subscribers, and to ensure that users are aware when such devices are used and have a chance to refuse, although cookie-free access does not have to be provided where the cookie is essential to an on-line service that has been requested or is being used for “a legitimate purpose” on a website.
All of the above is taken direct from the DTI’s consultation paper, which is generally refreshingly clear and helpful on all of the issues which it tackles, both as regards the existing legal provisions that are relevant and on the proposals for implementation of the EU Directive.
The DTI goes on to remind readers that there are existing legal controls which might well already impact on the operation of cookies. These include the Data Protection Act 1998 and its requirement that all processing of personal data should be fair whatever the technology involved, and the Computer Misuse Act 1990, which makes unauthorised access to computers illegal. Against this backdrop, the DTI expresses the belief that the key aim in implementing the relevant provisions of the Directive should be to “enable internet users to make an informed choice about cookies, without placing unnecessary constraints on the technical development of on-line services”.
Here the DTI expresses appreciation for the work done in this area recently by the Interactive Advertising Bureau, the on-line marketing trade body which develops standards and guidelines to support on-line business processes and increase consumer confidence in the e-commerce environment. It refers to the specialist IAB team (in which marketinglaw editor Stephen Groom played a part) set up to develop a practical approach to compliance with the requirements of the Privacy Directive, including advice for on-line service providers on how to identify whether cookies are being used, how they can be categorised and how to explain to site visitors how they can be switched off. At the heart of the IAB’s cookie initiative is the creation of an accessible and impartial source of information for users about cookies, the technology involved, their benefits and potential abuses. This resource will be in the form of a website to which service providers will be able to link their own cookie or privacy statements. A draft version of the contents of this project is available at http://www.iabuk.net/index.phb?class=news@view=688.
Looking at the draft PECRs, these specify that certain disclosures be given. They do not currently specify where and how this information should be set out, but the DTI envisages that it will be included in a clearly signposted privacy or cookie statement on the on-line service provider’s website.
Regulation 5 of the draft PECRs provides that cookies and other such tracking devices may not be used at all unless subscribers (1) are provided with clear and comprehensive information about the purposes of the storage of or access to such information and (2) are given the opportunity to refuse the storage of or access to such information. The Regulation goes on to state that where cookies and other similar devices are used on more than one occasion, it is enough for the purposes of this regulation that the above disclosure requirements are met in respect of the initial use.
As for how users should be given the opportunity to refuse the operation of a cookie, Regulation 5 does not specify this. The DTI currently envisages, however, two broad options: service providers could make their own switch-off facilities available or they could explain to users how to use the switch-off and alert facilities provided independently in browser programmes. Of course operators may, if they wish, offer opt-in consent rather than simply the opportunity to refuse a cookie, but this is not a legal requirement. The DTI also reminds readers that, aside from the PECRs, wherever cookies involve the processing of personal data, operators will have to ensure compliance under the Data Protection Act 1998.
Why this matters: