Are cookies outside the long arm of the data privacy police? Not according to no less than two separate Commissions.
Topic: Data Protection
Who: The Information Commission and the European Commission
When: February 2001
Where: Wilmslow and Brussels
What happened:
"Cookies" are small files written to the hard drive of a computer. They allow the cookie instigator to track the interaction of that computer with particular sites and collect such "navigation data." The ise of cookies recently came under regulators’ scrutiny. First came the UK’s Information Commission ("IC") (up until 29 January 2001 the "Data Protection Commission") of Wilmslow. They were involved in the issuing of a "Data Protection Guide to Developing an Electronic Commerce Policy" published by the British Standards Institute. This reported the IC’s view that navigation data was "personal data" within the definition of that phrase in the Data Protection Act 1998. This meant that the "fair processing" requirements of that Act applied. This in turn obligated all cookie operators, the IC said, to give individuals the opportunity to "opt out" of hosting a cookie on their computer before the cookie went into action. This could be done, the report went on, by means of pop-up boxes.
In a parallel development, an EU Working Group looking at EU data privacy directives published a report on Internet privacy. It stated that under existing data privacy directives individuals should be told before any cookie was activated and started collecting navigation data. They should also be given an opt-out opportunity. In addition, individuals’ rights to access their data had to be complied with by allowing them sight of their own navigation data on request.
Why this matters:
Marketers on-line have up until now taken the view that cookies do not involve the use of "personal data". This is because, the argument goes, the cookie uses basic recognition information to identify the computer to whose hard drive it is attached. This uses computer ID numbers etc which do not identify the individual. In any event, the cookie proponents (and many site privacy policies) say that navigation data is used primarily for general traffic monitoring purposes, not in order to make intrusive use of individuals’ private data. The IC and the EU working group clearly take a different view. This is no doubt because data which does not on its face identify an individual could still classify as "personal data" and be caught by data protection legislation. This can occur if the information is capable of identifying the individual when combined with other data in the possession of the website operator responsible for the cookie.
If this interpretation of the Data Protection Directive is correct, it will have enormous implications for e commerce. Cookies are an increasingly ubiquitous on-line marketing tool. In many cases more than one is introduced on visiting a particular site, one to drive third party content, another to drive advertising, another to track general interaction with the site, such as products purchased during a site visit to facilitate bill totalising. If consumers are faced with multiple pop-up boxes each time they visit a site, this is hardly likely to encourage a longer stay.
Trade bodies such as the Internet Advertising Bureau are voicing industry concerns, and with further EU e commerce/data privacy legislation in the pipeline there could be scope for clarifying rules. For the present, however, it is surely only a matter of time before the first cookie-related regulatory action is taken.