The end of the internet as we know it was predicted by digital law pundits when the EU announced that come May 2011 consent would be needed before cookies were deployed on websites. But has the Coalition Government come to the rescue? Stephen Groom deciphers the regulatory speak.
Topic: Online advertising
Who: UK Government (Department for Business Innovation and Skills)
When: September 2010
Law stated as at: 6 October 2010
The UK Government launched a consultation on implementation of the "Citizens Rights Directive" 2009/136 ("CRD") which amongst other things amends the E-Commerce Directive (2002/58/EC).
The key point which UK marketers were waiting to hear about was cookie consent. Would the UK be following the apparently clear thrust of the CRD and introducing "cookie opt-in" into UK law with effect from 25 May 2011 (the deadline imposed by Brussels for transposition of the CRD into the local laws of all EU states)?
On the face of it, the UK had little option but to do just that given the wording of the new, revised Article 5 (3) of the Privacy and Electronic Communications Directive. Here is a mark up of the operative part of the new 5 (3) with the new wording in italics:
"Member States shall ensure that the use of electronic communications networks to store storing of information or to gain the gaining of access to information stored in the terminal equipment of a subscriber or user should only be allowed on condition that the subscriber or user concerned has given his or her consent, having been is provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electrmic communications network, or as strictly necessary in order to provide for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
Although the wording of the old and new Article clearly extended well beyond cookies to creatures such as web bugs and clear gifs, the main focus of all stakeholder reaction was cookies and would this mean having to display pop-up consent windows every time a consumer came to their site? And would more pop-ups be needed for consent to third party advertising cookies?
Wiggle room around explicit prior consent?
The Article 29 Working Party (the group of all EU state data privacy regulators) certainly seemed to be of this view, but others such as marketinglaw suspected there was wiggle room in the wording of this and other parts of the Directive that would allow an "opt out" interpretation.
For instance there is para 66 of the preamble to the CRD.
Having foreshadowed Article 5 (3) by referring to the "paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in [access to or storage of information on a user's computer]" the recital goes on to say "Where it is technically possible and effective…the user's consent to processing may be expressed by using the appropriate settings of a browser or other application."
This has been seized on by the UK Government in its consultation document as the basis for its preferred approach to implementing Article 5 (3). Likewise the closing limb of 5(3) and its indication that prior consent will not be required if the cookie is strictly necessary to deliver a service which has been requested by the user.
The preferred implementation strategy
So what is the Coalition Government's preferred implementation strategy?
The main BIS consultation document makes its position clear by expressing the view that "The internet as we know it today would be impossible without the use of …cookies …so it is important that this provision is not implemented in a way which would damage the experience of UK web users or place a burden on UK or EU companies that use the web."
So much is acknowledged, the consultation paper goes on, by 5 (3)'s acceptance that consent is not required when the cookie is needed to provide a requested service. An example of this would be where a cookie is needed in order to provide the audio elements of audio visual content being accessed online.
The accompanying Impact Assessment document goes even further by stating:
Based on this thinking, the currently favoured mode of implementation is to simply copy out the new 5(3), perhaps with some additional wording reflecting the browser setting reference in Recital 66, thus "leaving ICO (or any future regulators) the flexibility to adjust to changes in usage and technology."
Why this matters:
So UK Plc has nailed its colours firmly to the mast of a new cookie regime which on the face of it will not be significantly different in practice to the current position.
Some have said this is not a done deal by any means. First BIS may change its tune once it sees the consultation responses. Secondly, by simply leaving it to ICO to interpret the directive's wording, they say, the Government has done a Pontius Pilate and dumped the problem in the lap of ICO, who might well toe the Article 29 express prior opt in line.
However all ICO's public pronouncements on the issue to date have indicated a preference for the BIS line, provided the industry takes a responsible approach, while bodies such as the Internet Advertising Bureau are working at pushing at this open door by building a head of steam behind industry self regulation and an agreed set of online behavioural advertising standards.
So all looks fair for a pragmatic and workable solution in the UK. The big question, however, is whether the rest of the EU will go the same way. The word is that Denmark is minded to take a leaf out of the UK's book, but if others do not, who knows where this will leave the Single Online Market.