With weeks to go before the deadline for implementation of “Directive 2009/136/EC”, which requires key changes to UK laws controlling the use of cookies on websites, the DCMS has still not published any draft Regulations, but has indicated its thinking in a consultation results paper. Stephen Groom reports.
Topic: On-line advertising
Who: Department for Culture, Media & Sport, HM Government and the IAB, European Advertising Standards Alliance, World Federation of Advertisers, ASA, ISBA and DMA
When: April 2011
Where: UK
Law stated as at: 4 May 2011
What happened:
The Department for Culture, Media & Sport ("DCMS") published a consultation response document entitled "Implementing the revised EU Electronic Communications Framework". The document (the "Paper") dealt with transposing EU Directive 2009/136/EC into UK law. This is due by 25 May 2011.
This Directive has a long title and no consensus has been arrived at as to what to call it for short. This may be because it makes changes to a range of electronic communications directives. In this article we will call it the "Directive."
Amongst the EU measures the Directive updates is the Privacy and Electronic Communications Directive 2002/58/EC ("PECD"). This article will focus on such of those changes as impact the use of cookies online. Elsewhere on marketinglaw we report on other changes to the PECD made by the Directive.
The DCMS was not the Government body which initially had carriage of transposing the Directive. This was Vincent Cable's Department for Business, Innovation and Skills ("DTI" in old money). Following a certain local difficulty with comely constituents bearing hidden microphones, Mr Cable lost responsibility for the Directive to the DCMA and given the pickle the Government have got into over it, he may not have been mortified to wave it goodbye.
Key change to Article 5.3 of the PECD
The change made by the Directive which impacts the use of cookies (the "Change") is quite short. Article 5.3 of the PECD is amended to introduce an express consent requirement, viz (key new words in bold):
"Member states shall ensure that the storing of information or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ….about the purposes of the processing."
This wording has been interpreted as requiring that no web user wishing to access a website which uses cookies (which means most websites) can do so unless and until suitable disclosures have been made as to all the cookies used by the site and the user has ticked a box to confirm they consent to these cookies being deployed.
Recital 66 to the rescue?
Such a state of affairs has not surprisingly caused alarm, but to the rescue, possibly, comes Recital 66 to the Directive. As this forms the lynchpin of HM Government's get out of jail solution to the threat of the Change we set it out in full below (our bold script emphasises the key words) :
"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information where engaging in any activity which could result in such storing or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities."
In September 2010 the UK Government published a consultation paper including suggestions as to how to set about implementing the Change. Great play was made of Recital 66 as indicating a browser-based way forward that would not bring the net grinding to a halt in a mass of pop up disclosures and tick boxes.
April 2011 paper continues with "browser-based" approach
The Paper is the official response to this consultation. The plan remains to simply copy out the Directive in the implementing UK legislation and rely on guidance published by the Information Commissioner's Office and/or the DCMS to provide clarity as to how cookie users and owners of websites using cookies can be sure they are compliant with the new regime.
Working group looking at browser based solutions
The elephant in the room is the technical solution which will make it possible for suitable consent to be given, taking into account the new Article 5.3 and Recital 66. On this, the Paper says that the Government will work with browser manufacturers to see if these can be enhanced to meet the Directive's new requirements. The aim will be to provide users with more information about the use of cookies and offer easily understandable choices with regard to the import of cookies on to their machine.
To help this process, the DCMS has formed a working group with browser manufacturers to look into the issue in more detail.
Self regulation initiative welcomed
The Paper also voices support for recent cross industry work on developing a self-regulatory system for controlling the use of cookies for behavioural advertising.
This has been spearheaded by bodies such as the Internet Advertising Bureau. In April 2011 the IAB went public with its Online Behavioural Advertising Framework. (the "Framework")" The Paper comes right out and says that the Framework meets the requirements of the amended Article 5.3 and also indicates that the European Commission is supportive (though to date no clear statement to this effect by the Commission has been sighted by the author).
Designed to ward off the threat of a more restrictive interpretation of the Change than that of the UK, the Framework has been signed up to by the IAB, the World Federation of Advertisers, the Advertising Standards Authority, the European Advertising Alliance and ISBA, amongst others.
Users regularly receiving behaviourally targeted and retargeted ads will be alerted by a privacy icon. When clicked, this will give information on what "OBA" is, how it works and what users can do to opt out of receiving such ads through a central website. The regime will apparently be policed by the ASA, who say that inappropriate or sensitive OBA will be penalised by naming and shaming and removal of a trading seal to be developed.
The IAB has also stated that the Framework has the support of the European Commission, which is by all accounts working as we speak to devise stringent KPIs for the Framework that will include an online education programme raising awareness of OBA.
Second working group to investigate flexible solutions
Having said this, the Paper admits that because of the multiplicity of different types and uses of cookies, a "one size fits all" approach will "not be appropriate for the UK." A "flexible and responsive ecology of solutions" is needed, the Paper goes on, and to this end a second working group is being set up to explore other options with industry to complement the guidance to be published by ICO.
Timing issues
Now all the above will take time, as even the Framework has only recently been officially launched and will need to gain recognition, acceptance and most importantly adoption by stakeholders.
The Paper accepts that none of these three strands (the development of enhanced browser-settings based solutions to notice and consent, the development of flexible responses as developed by the second working group and the Framework) will be in place by 25 May 2011.
Because of this, the Paper proposes that "the implementation of technical solutions is phased and tied to the development and availability of appropriate technical solutions" over an unspecified period of time.
During this period it does not expect ICO to enforce the new regulations implementing the Change from 25 May 2011. Instead it expects ICO to take a flexible view of cookie users who are clearly working to address their use of cookies or are engaged in development work on browsers and/or other solutions.
Consistent with this, the Paper closes:
"In the meantime it is important that businesses and organisations abide by the spirit of the Directive and develop best practice ahead of full implementation. The UK Government therefore encourages servers of cookies to look at their own use of cookies and take steps to ensure that these meet with the requirements of the Directive ahead of roll out of appropriate technical solutions.
If individual organisations are uncertain as to the requirements of the Directive, we encourage them to seek advice from [ICO]…[who]…will be providing advice on compliance with Article 5 (3) ahead of the formal deadline [of] 25 May 2011. Formal guidance will be produced in a manner which reflects the phased approach to implementation."
Why this matters:
The final position taken by the Paper on how businesses using cookies should order their affairs in the immediate future is not a model of clarity.
Apart from being an ambulance pass to ICO, it clearly indicates, having previously admitted that more work is needed on technical solutions and a "phased" approach needed to take the UK towards full implementation, that cookie users will be taking risks if they adopt an attitude of doing nothing for the moment and waiting to see what technical solutions the government comes up with and what Guidance is produced by ICO.
The Paper "encourages" cookie users to take action in such a way as to suggest that they will be in difficulty as of 26 May 2011 if ICO comes knocking on their door (perhaps in exercise of ICO's brand new audit rights courtesy of the Directive, as to which see separate marketinglaw reports) and they are not able to show ICO that steps have been taken to examine the business's cookie use across the board and appropriate measures adopted, ahead of any new "technical solutions" developed by the two working groups, such as the giving of enhanced notice as to use of cookies and user friendly options for consumers to express their preferences.
International concerns not addressed
The Paper also makes no mention of the international dimension of the Change.
All the indications are at present that the UK will be in a small minority (along perhaps with Finland, Luxembourg, Netherlands and Sweden) in going down the route of "browser settings-based consent." What if a visit by a resident of France to a website on a UK server results in a cookie being dropped onto the French resident's terminal?
Assuming that the UK site is compliant with UK laws and relevant ICO Guidance (as and when this appears) will this be enough to save the UK site from French enforcement action if French law takes a stricter approach to implementing the Directive?
This begs the question of which country's law applies here, the law of the country in which the website releasing the cookie is located or the law of the country in which the terminal receiving the cookie is sited?
The Directive offers no clarity on this point, neither does the Paper, so all in all, it seems that despite the Coalition's best efforts, UK cookie users face an uncertain and uncomfortable few months, both domestically and beyond.