Topic: On-line advertising
Who: Department for Culture, Media & Sport, HM Government and the IAB, European Advertising Standards Alliance, World Federation of Advertisers, ASA, ISBA and DMA
When: April 2011
Law stated as at: 4 May 2011
The Department for Culture, Media & Sport ("DCMS") published a consultation response document entitled "Implementing the revised EU Electronic Communications Framework". The document (the "Paper") dealt with transposing EU Directive 2009/136/EC into UK law. This is due by 25 May 2011.
This Directive has a long title and no consensus has been arrived at as to what to call it for short. This may be because it makes changes to a range of electronic communications directives. In this article we will call it the "Directive."
The DCMS was not the Government body which initially had carriage of transposing the Directive. This was Vincent Cable's Department for Business, Innovation and Skills ("DTI" in old money). Following a certain local difficulty with comely constituents bearing hidden microphones, Mr Cable lost responsibility for the Directive to the DCMA and given the pickle the Government have got into over it, he may not have been mortified to wave it goodbye.
Key change to Article 5.3 of the PECD
"Member states shall ensure that the storing of information or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ….about the purposes of the processing."
Recital 66 to the rescue?
Such a state of affairs has not surprisingly caused alarm, but to the rescue, possibly, comes Recital 66 to the Directive. As this forms the lynchpin of HM Government's get out of jail solution to the threat of the Change we set it out in full below (our bold script emphasises the key words) :
"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information where engaging in any activity which could result in such storing or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities."
In September 2010 the UK Government published a consultation paper including suggestions as to how to set about implementing the Change. Great play was made of Recital 66 as indicating a browser-based way forward that would not bring the net grinding to a halt in a mass of pop up disclosures and tick boxes.
April 2011 paper continues with "browser-based" approach
The Paper is the official response to this consultation. The plan remains to simply copy out the Directive in the implementing UK legislation and rely on guidance published by the Information Commissioner's Office and/or the DCMS to provide clarity as to how cookie users and owners of websites using cookies can be sure they are compliant with the new regime.
Working group looking at browser based solutions
To help this process, the DCMS has formed a working group with browser manufacturers to look into the issue in more detail.
Self regulation initiative welcomed
This has been spearheaded by bodies such as the Internet Advertising Bureau. In April 2011 the IAB went public with its Online Behavioural Advertising Framework. (the "Framework")" The Paper comes right out and says that the Framework meets the requirements of the amended Article 5.3 and also indicates that the European Commission is supportive (though to date no clear statement to this effect by the Commission has been sighted by the author).
Designed to ward off the threat of a more restrictive interpretation of the Change than that of the UK, the Framework has been signed up to by the IAB, the World Federation of Advertisers, the Advertising Standards Authority, the European Advertising Alliance and ISBA, amongst others.
Users regularly receiving behaviourally targeted and retargeted ads will be alerted by a privacy icon. When clicked, this will give information on what "OBA" is, how it works and what users can do to opt out of receiving such ads through a central website. The regime will apparently be policed by the ASA, who say that inappropriate or sensitive OBA will be penalised by naming and shaming and removal of a trading seal to be developed.
The IAB has also stated that the Framework has the support of the European Commission, which is by all accounts working as we speak to devise stringent KPIs for the Framework that will include an online education programme raising awareness of OBA.
Second working group to investigate flexible solutions
Having said this, the Paper admits that because of the multiplicity of different types and uses of cookies, a "one size fits all" approach will "not be appropriate for the UK." A "flexible and responsive ecology of solutions" is needed, the Paper goes on, and to this end a second working group is being set up to explore other options with industry to complement the guidance to be published by ICO.
Now all the above will take time, as even the Framework has only recently been officially launched and will need to gain recognition, acceptance and most importantly adoption by stakeholders.
The Paper accepts that none of these three strands (the development of enhanced browser-settings based solutions to notice and consent, the development of flexible responses as developed by the second working group and the Framework) will be in place by 25 May 2011.
Because of this, the Paper proposes that "the implementation of technical solutions is phased and tied to the development and availability of appropriate technical solutions" over an unspecified period of time.
Consistent with this, the Paper closes:
If individual organisations are uncertain as to the requirements of the Directive, we encourage them to seek advice from [ICO]…[who]…will be providing advice on compliance with Article 5 (3) ahead of the formal deadline [of] 25 May 2011. Formal guidance will be produced in a manner which reflects the phased approach to implementation."
Why this matters:
The final position taken by the Paper on how businesses using cookies should order their affairs in the immediate future is not a model of clarity.
Apart from being an ambulance pass to ICO, it clearly indicates, having previously admitted that more work is needed on technical solutions and a "phased" approach needed to take the UK towards full implementation, that cookie users will be taking risks if they adopt an attitude of doing nothing for the moment and waiting to see what technical solutions the government comes up with and what Guidance is produced by ICO.
International concerns not addressed
The Paper also makes no mention of the international dimension of the Change.
All the indications are at present that the UK will be in a small minority (along perhaps with Finland, Luxembourg, Netherlands and Sweden) in going down the route of "browser settings-based consent." What if a visit by a resident of France to a website on a UK server results in a cookie being dropped onto the French resident's terminal?
Assuming that the UK site is compliant with UK laws and relevant ICO Guidance (as and when this appears) will this be enough to save the UK site from French enforcement action if French law takes a stricter approach to implementing the Directive?
This begs the question of which country's law applies here, the law of the country in which the website releasing the cookie is located or the law of the country in which the terminal receiving the cookie is sited?
The Directive offers no clarity on this point, neither does the Paper, so all in all, it seems that despite the Coalition's best efforts, UK cookie users face an uncertain and uncomfortable few months, both domestically and beyond.