Who: Article 29 Working Party
Where: European Union
When: October 2013
Law stated as at: November 2013
What happened:
The Article 29 Working Party issued a Working Document (Opinion) providing guidance on how to obtain consent for the use of cookies and similar tracking technologies (“cookies”). The Working Party guidance is non-binding but represents the view of the data protection authorities across the EU.
Background
The e-Privacy Directive 2002 was amended in 2009 and one key provision impacting marketers was Article 5.3 requiring consent to be obtained for the storage of cookies and similar technologies.
This replaced the previous practice of merely notifying users that cookies were used (usually in privacy policies) and explaining to users how to opt out from the use of cookies. The ICO was one of the first regulators to provide guidance and allowed an implementation period until May 2012. The UK Guidance accepts that some form of implied consent may be acceptable for the use of non-intrusive cookies, e.g. those used for analytics of aggregated data. A number of other countries have slowly been implementing the provision and, after various interpretations, many have now followed the UK in allowing for implied consent.
A range of practical implementations has been developed by websites in order to obtain consent for the use of cookies used for various purposes (from enhanced functionalities, to analytics, targeted advertising and product optimisation, etc., by the website operators or third parties).
Conclusions from the Working Party
The Opinion states that for consent to be effective, website operators should provide for four elements: specific information, prior consent, an indication of wishes expressed by the user’s active behaviour and an ability to choose freely.
1. Specific information
• The mechanism for consent should provide for a clear, comprehensive and visible notice on the use of cookies, at the time and place where consent is requested e.g. on the webpage where a user begins a browsing session (the entry page).
• Users must be able to access all necessary information about the different types or purposes of cookies being used by the website. The website could prominently display a link to a designated location where all the types of cookies used by the website are presented. Information should be included about the purpose(s) of the cookies and, if relevant, an indication of possible cookies from third parties or third party access to data collected by the cookies on the website.
• Information such as the retention period (i.e. the cookie expiry date), typical values, details of third-party cookies and other technical information should also be included to fully inform users.
• The users must also be informed about the ways they can signify their wishes regarding cookies, i.e. how they can accept all, some or no cookies and how to change this preference in the future.
2. Timing for Consent
Consent has to be given before the processing starts. A website should deliver a consent solution in which no cookies are set to a user’s device (other than those that may not require the user’s consent as they are strictly necessary) before that user has signalled their wishes regarding such cookies.
3. Active behaviour
In addition to information about the types and purpose of cookies, the website must also present clear and comprehensive information to the users on how they may signify their consent, most likely on the page where the users start their browsing experience. Consent tools can include banners, splash screens or dialog boxes. Information should be present on the website and not disappear until the user has expressed consent. Absence of any behaviour cannot be regarded as valid consent.
The process by which users could signify their consent for cookies would be through a positive action or other active behaviour, provided they have been fully informed of what that action represents. Therefore the users may signify their consent, either by:
• clicking on a button or link; or
• by ticking a box in or close to the space where information is presented (if the action is taken in conjunction with provided information on the use of cookies); or
• by any other active behaviour from which a website operator can unambiguously conclude the user has consented. In any case it must be clearly presented to the user, which action will signify consent to cookies and that cookies will be set due to this action. The information should be presented in such a way that the user is most likely to acknowledge it as such (and not mistake it for advertising, for example). Therefore ensuring that the button, link or box which indicates the active behaviour is within or close to the location where information is presented is essential to be confident that the user can refer the action to the information prompted; or
• where the website operator can be confident that the user has been fully informed and actively configured their browser or other application then, in the right circumstances, such a configuration would signify an active behaviour and therefore be respected by the website operator.
If the user enters the website where he/she has been shown information on the use of cookies, and does not initiate an active behaviour such as described above, but rather just stays on the entry page without any further active behaviour, it is difficult to argue that consent has been given unambiguously. The user action must be such that, taken in conjunction with the provided information on the use of cookies, it can reasonably be interpreted as an indication of his/her wishes.
4. Real choice – freely given consent
• The consent mechanism should present the user with a real and meaningful choice regarding cookies on the entry page.
• In some Member States access to certain websites can be made conditional on acceptance of cookies; however, generally the user should retain the possibility to continue browsing the website without receiving cookies or by only receiving some of them.
• Recital 25 of e-Privacy Directive 2002/58 (EC) provides that access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose. Websites should not make “general access” to the site conditional on acceptance of all cookies and can only limit certain content if the user does not consent to cookies (e.g. for e-commerce websites, whose main purpose is to sell products, not accepting (non-functional) cookies should not prevent a user from buying products on this website).
• If certain cookies are not needed in relation to the purpose of provision of the website service, but only provide for additional benefits to the website operator, the user should be given a real choice regarding those cookies. The types of cookies that might be disproportionate in relation to the purpose of the website may vary depending on the context.
• Users should also be offered a real choice regarding tracking cookies. Tracking cookies are generally used to follow individual behaviour across websites, create profiles based on that behaviour and take decisions affecting people individually. When tracking cookies are being used to single out people in this way, they are likely to be personal data.
Why this Matters:
The Opinion on first reading appears to be consistent with the approach taken in the UK and other European countries in that it recognises some form of active behaviour as a mechanism for consent and not just tick boxes.
On further review however, some of the comments could call into question the validity of some consent mechanisms currently used.
One obvious concern relates to statements on websites that by continuing to use the website users are consenting. The Opinion questions whether merely staying on the entry page “without further active behaviour” can really amount to consent.
Many websites will include a cookies statement which disappears after a short time. The Opinion states that information should not disappear until the user has expressed consent.
Many websites do not list every cookie but instead describe the categories of cookies (often following the ICC categories). In such cases the retention period would not be specified, whilst the Opinion states that this should be included.
In practice it is questionable whether website operators will change their current approaches based on this Opinion, particularly as there has been very little enforcement action and the ICO has indicated in earlier reports that it does not see this as a high priority.