The draft data protection directive now features a new delight in the form of proposed blanket opt-in before any cookie is activated. But our Information Commission thinks this is the law anyway.
Topic: Cookies
Who: European Parliament (“EP”)
Where: Strasbourg
When: November 2001
What happened:
The continuing saga of the draft Communications Data Protection Directive has taken another controversial twist. We last reported that in the area of unsolicited commercial e-mail (“UCEM”) , a compromise seemed to be on the cards allowing a measure of continued “opt-out” rather than blanket “opt-in” across Europe. The picture here has now slightly altered, with yet another change to the draft. This allows member states to decide for themselves whether to introduce UCEM opt-in or opt out, but opts for compulsory EU wide “opt-in” for direct marketing by fax, SMS or automated calling systems. So far as UCEM is concerned this represents no movement away from the present unsatisfactory situation under the Distance Selling Directive. This allows member states to choose opt-in or opt-out and in consequence some member states have gone for opt-in while others have chosen opt-out.
So marketinglaw’s take on this is that the weight-challenged person has not yet sung on UCEM controls, but more on this as the draft grinds further through the EU legislative process.
In the meantime a brand new issue raised by another amendment to the draft directive is that of cookies (data tags on PCs that hold user information on specific websites which is fed to that website automatically each time the user visits it). It is now proposed by the so-called “van Velsen” amendment that these should only be legally permissible if the user has given express prior consent, before they are triggered, to their coming into operation, in other words “cookie opt-in” or “COI”. The DMA, IPA, IAB and the ISBA to name but a few are going into high lobbying mode to persuade Euro MPs of the error of their ways, and time will tell whether they are successful.
Why this matters:
Behind all the COI brouhaha, two points might be worth making. First, we reported earlier this year in marketinglaw on rumours of a stitch-up by legislators and interest groups whereby COI would be traded for some kind of opt-out regime for UCEM. Perhaps here we are seeing the materialisation of this, and the inevitability that there is going to be opt-in for either cookies or UCEM, come what may. Secondly, the UK’s Information Commission (“IC”) has long held the view that cookies involve the processing of personal data and are therefore caught by existing data protection legislation. This view is confirmed by the IC’s recently published new edition of their “Legal Guidance”, reported in more detail elsewhere on marketinglaw. The effect of the Guidance comment is essentially that in the IC’s opinion we already have compulsory “opt-in” for cookies as a matter of law.
This view has not of course been tested in the courts, but who knows, the IC may be limbering up for a test case against an unsuspecting victim even as we speak!