With the 25 May implementation deadline for new cookie laws looming ever closer, the picture is still unclear on pretty much all fronts including whether cookie users will have to comply with new laws from that date and whether self regulatory solutions will save the industry from “opt in.” Stephen Groom browses the digital entrails.
Topic: On-line advertising
Who: Department for Culture, Media & Sport, the Information Commissioner's Office and the IAB
When: mid March 2011
Where: UK
Law stated as at: 1 April 2011
What happened:
UK businesses finally got more visibility on how and when the UK planned to change cookie laws, while behavioural advertising stakeholders bickered over where the buck stopped when it came to self-regulatory solutions.
The key date in this story is, or rather was 25 May 2011. This is the deadline for transposing into UK law the new cookie rules contained in EU Directive 2009/136/EC (the "Directive").
Part of the so-called "Telecoms Reform Package," the Directive amends a number of EU laws, but the cookie-related changes are to the Privacy and Electronic Communications Directive 2002/58/EC ("PECD").
On the face of it, these change cookie laws radically.
Instead of having to give users and subscribers a "right to refuse" their operation on their terminals, from 25 May 2011, site operators will only be able to legally deploy cookies if the subscriber or user "has given his or her consent."
The $64,000 question is how should this consent be obtained.
Basically there have been two different approaches to this conundrum so far.
Two approaches to "consent"
One approach has been to regard the consent needed as equivalent to the definition of "the data subject's consent" in Data Protection Directive 95/46/EC. If this is right, then this is very high level of consent as the definition is:
any freely given, specific and informed indication of wishes by which the data subject signifies his agreement to personal data relating to him being processed.
In the context of cookies, this would mean, for example, that websites where cookies were used could not be visited until the prospective visitor had explicitly opted in to such use after being given suitable information about all the cookies that might be triggered.
Some stakeholders such as the Article 29 Working Party (a group comprising the data protection enforcement authorities of all 27 EU states) have opted for this approach and by all accounts this seems currently to be the preference of a most EU state legislatures.
The other approach has been to take a more pragmatic approach and latch onto one of the Recitals to the Directive, Recital 66. This states:
…where it is technically possible and effective… consent to processing may be expressed by using the appropriate settings of a browser…
So far, the UK Government has given a clear indication that it is inclined to go down this route. This is on condition that the behavioural targeting industry shows a responsible attitude and develops workable and observed self regulatory mechanisms which deliver suitable transparency and notice for users.
"Advertising Option Icon" gains traction
Recent reports indicated that the Netherlands was of a similar view and industry bodies such as the Internet Advertising Bureau and FEDMA were actively pushing a self regulatory solution of the kind the UK government probably had in mind. This has gained traction and is already operating in one form in the US. It features an "advertising option icon." This appears together with suitable disclosures whenever a mouse hovers over ads on sites which are served through retargeting or behavioural targeting. The icon also enables direct access to a site "Your Online Choices" which allows users to opt out of tracking.
So far so good for the more flexible Recital 66 approach, but this was early 2011. Since then time has slipped by and the 25 May 2011 implementation deadline has drawn closer, with no further government pronouncement, no draft regulations, no draft guidance and no official launch of the "Advertising Option Icon" self regulatory system.
DCMS and ICO finally break cover
Then with just ten weeks or so to go before the "in force" deadline, both the Department for Culture Media and Sport and the Information Commissioner's Office finally broke cover in various announcements. What we have gleaned from these is as follows:
- draft Regulations implementing the Directive are likely to appear in early April 2011;
- at the same time the DCMS will publish its final response on the consultation process, which will hopefully offer more visibility on how to comply with the new cookie laws;
- after this, ICO will publish its own guidance;
- the DCMS says it accepts the importance of ensuring that the new laws "don't make using the internet more difficult." To that end, it is consulting with browser manufacturers with a view to developing new, enhanced settings that will help businesses comply with the new rules;
- neither the DCMS nor ICO expect the new regime to take effect until Autumn 2011.
So based on this, there is still no absolute clarity on whether the UK will finally opt for the "Recital 66" approach to "cookie consent", but the DCMS statements suggest this is still the more likely scenario.
Self regulatory solution falters
Meanwhile, the news on the self-regulatory front is not quite so encouraging. The advertising option icon-based system is apparently being tested on a pilot basis on a small number of sites, but disappointingly no consensus appears to have yet been reached on whose responsibility it should be to actually place the icon. Debate rages as to whether the icon should be delivered by those serving the ads, while servers don't see why they should shoulder the extra cost.
Under the similar model already up and running in the US, placing the icon is down to the media agencies as they are responsible for delivering the ads, but whatever the ultimate UK solution, this needs to be arrived at urgently given the importance of the icon to the scheme.
Why this matters:
Clearly it is vital that UK businesses know as soon as possible exactly what is happening with regard to implementation of these new rules, what shape they will take, what steps will need to be taken to ensure compliance and when the new regime will start to be enforced.
There is no finality on any of these aspects as yet, and as long as the self regulatory strand falters, there can be no real confidence that the more pragmatic "Recital 66", browser-based approach will be adopted in the UK or elsewhere in Europe.
Our assessment is, however, that whatever the final shape of the regime, there will have to be a delay well beyond May 2011 before it is enforced. Therefore given the continuing uncertainty, businesses could not be criticised for sitting tight, continuing to comply with the existing cookie laws (clear and comprehensive information about cookie purposes and an opportunity to refuse their operation) and keeping a whether eye out for further developments.