At one point it looked like “opt-in” for all EU cookies, but just-published draft regulations under the EU Directive on Privacy and Electronic Communications say different.
Topic: Cookies
Who: Department of Trade & Industry
When: March 2003
Where: London
What happened:
The DTI published its consultation document on implementation of the EU Directive on Privacy and Electronic Communications. The plan is to implement the directive by way of rules currently called “The Privacy and Electronic Communications (EC Directive) Regulations 2003” (“PECRs”) and to bring these into force by 31 October 2003. The consultation period in respect of the current proposals expires 19 June 2003.
Here we focus on the proposals in the PECRs in respect of the regulation of the operation of tracking devices such as cookies, which are designed to be sent to the terminal equipment of a user for tracking or recognition purposes. The device acts as a marker or identifier that can be recognised automatically by the service provider. It can be used for a wide range of purposes: some operators use them to log how many visits a particular website or page of a website is getting or the order in which visitors navigate around a site. They can be used to monitor how attractive a site is, for design or advertising purposes. They can also be used to monitor repeat visits from the same terminal, enabling site providers to record their language preferences or vary the banner adverts sent to that visitor. They may also be used in conjunction with other information provided by the visitor to provide a picture of what a web visitor has previously bought or expressed an interest in, or to facilitate on-line purchasing procedures or security/identity checks. Also they can be used to send a return message – to prompt the visitor to buy from the site, for instance.
Controls are available for use by internet users so as to restrict their operation. Users can for example choose to set browser controls to alert to or reject certain forms of cookies automatically.
The EU Privacy Directive recognises that there are good and bad uses of cookies and similar devices and that some internet functions will be either impossible or very difficult to use without them. The aim of the Directive is to address devices used in a way which may seriously intrude upon the privacy of terminal users and subscribers and to ensure that users are aware when such devices are used and have a chance to refuse, although cookie-free access does not have to be provided where the cookie is essential to an on-line service that has been requested or is being used for “a legitimate purpose” on a website.
All of the above is taken direct from the DTI’s consultation paper, which is generally refreshingly clear and helpful on all of the issues which it tackles, both as regards the existing legal provisions that are relevant and on the proposals for implementation of the EU Directive.
The DTI goes on to remind readers that there are existing legal controls which might well already impact on the operation of cookies. These include the Data Protection Act 1998 and its requirement that all processing of personal data should be fair whatever the technology involved, and the Computer Misuse Act 1990, which makes unauthorised access to computers illegal. Against this backdrop, the DTI expresses the belief that the key aim in implementing the relevant provisions of the Directive should be to “enable internet users to make an informed choice about cookies, without placing unnecessary constraints on the technical development of on-line services”.
Here the DTI expresses appreciation for the work done in this area recently by the Interactive Advertising Bureau, the on-line marketing trade body which develops standards and guidelines to support on-line business processes and increase consumer confidence in the e-commerce environment. It refers to the specialist IAB team (in which marketinglaw editor Stephen Groom played a part) set up to develop a practical approach to compliance with the requirements of the Privacy Directive, including advice for on-line service providers on how to identify whether cookies are being used, how they can be categorised and how to explain to site visitors how they can be switched off. At the heart of the IAB’s cookie initiative is the creation of an accessible and impartial source of information for users about cookies, the technology involved, their benefits and potential abuses. This resource will be in the form of a website to which service providers will be able to link their own cookie or privacy statements. A draft version of the contents of this project is available at http://www.iabuk.net/index.phb?class=news@view=688.
Looking at the draft PECRs, these specify that certain disclosures must be given. They do not currently specify where and how this information should be set out, but the DTI envisages that it will be included in a clearly signposted privacy or cookie statement on the on-line service provider’s website.
Regulation 5 of the draft PECRs provides that cookies and other such tracking devices may not be used at all unless subscribers are (1) provided with clear and comprehensive information about the purposes of the storage of or access to such information and (2) given the opportunity to refuse the storage of or access to such information. The Regulation goes on to state that where cookies and other similar devices are used on more than one occasion, it is enough for the purposes of this regulation that the above disclosure requirements are met in respect of the initial use.
As for how users should be given the opportunity to refuse the operation of a cookie, Regulation 5 does not specify this. The DTI currently envisages, however, two broad options: service providers could make their own switch-off facilities available or they could explain to users how to use the switch-off and alert facilities provided independently in browser programmes. Of course operators may, if they wish, offer opt-in consent rather than simply the opportunity to refuse a cookie, but this is not a legal requirement. The DTI also reminds readers that aside from the PECRs, wherever cookies involve the processing of personal data, they will have to ensure compliance under the Data Protection Act 1998.
Why this matters:
In the earlier stages of the drafting of the EU directive, there appeared to be a very real prospect of a blanket “opt in” regime for the operation of cookies. It is thanks to vigorous lobbying on the part of bodies such as the IAB and the DMA that the debate is now at the level of an opt-out approach. If the regulations remain in their current form on this topic, then all those involved in the use of cookies will need to ensure that the requisite information about their operation, as well as an opportunity to refuse them, is provided in the clear and comprehensive manner required by the regulations.