Who: Article 29 Working Party
Where: European Union
When: October 2013
Law stated as at: November 2013
The e-Privacy Directive 2002 was amended in 2009 and one key provision impacting marketers was Article 5.3 requiring consent to be obtained for the storage of cookies and similar technologies.
Conclusions from the Working Party
The Opinion states that for consent to be effective, website operators should ensure that their consent mechanism includes four elements: specific information, prior consent, an indication of wishes expressed by the user’s active behaviour, and an ability to choose freely.
1. Specific information
• Users must be able to access all necessary information about the different types or purposes of cookies being used by the website. The website could prominently display a link to a designated location where all the types of cookies used by the website are presented. Information should be included about the purpose(s) of the cookies and, if relevant, an indication of possible cookies from third parties or third party access to data collected by the cookies on the website.
• Information such as the retention period (i.e. the cookie expiry date), typical values, details of third-party cookies and other technical information should also be included to fully inform users.
• Users must also be informed about the ways they can signify their wishes regarding cookies, i.e. how they can accept all, some or no cookies and how to change this preference in the future.
2. Timing for Consent
Consent has to be given before the processing starts. A website should deliver a consent solution in which no cookies are set on a user’s device (other than those that may not require the user’s consent as they are strictly necessary) before that user has signalled their wishes regarding such cookies.
3. Active behaviour
In addition to information about the types and purpose of cookies, the website must also present clear and comprehensive information to the users on how they may signify their consent, most likely on the page where the users start their browsing experience. Consent tools can include banners, splash screens or dialog boxes. Information should be present on the website and not disappear until the user has expressed consent. Absence of any behaviour cannot be regarded as valid consent.
The process by which users could signify their consent for cookies would be through a positive action or other active behaviour, provided they have been fully informed of what that action represents. Therefore the users may signify their consent, either by:
• clicking on a button or link; or
• by any other active behaviour from which a website operator can unambiguously conclude the user has consented. In any case, it must be clearly presented to the user which action will signify consent to cookies and that cookies will be set due to this action. The information should be presented in such a way that the user is most likely to acknowledge it as such (and not mistake it for advertising, for example). Ensuring that the button, link or box which indicates the active behaviour is within or close to the location where the information is presented is therefore essential to be confident that the user can refer the action to the information prompted; or
• where the website operator can be confident that the user has been fully informed and actively configured their browser or other application then, in the right circumstances, such a configuration would signify an active behaviour and therefore be respected by the website operator.
4. Real choice – freely given consent
• The consent mechanism should present the user with a real and meaningful choice regarding cookies on the entry page.
• In some Member States, access to certain websites can be made conditional on acceptance of cookies; generally, however, the user should retain the possibility to continue browsing the website without receiving cookies or by only receiving some of them.
• Recital 25 of the e-Privacy Directive 2002/58 (EC) provides that access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose. Websites should not make “general access” to the site conditional on acceptance of all cookies and can only limit certain content if the user does not consent to cookies (e.g. for e-commerce websites, whose main purpose is to sell products, not accepting (non-functional) cookies should not prevent a user from buying products on this website).
• If certain cookies are not needed in relation to the purpose of provision of the website service, but only provide for additional benefits to the website operator, the user should be given a real choice regarding those cookies. The types of cookies that might be disproportionate in relation to the purpose of the website may vary depending on the context.
• Users should also be offered a real choice regarding tracking cookies. Tracking cookies are generally used to follow individual behaviour across websites, create profiles based on that behaviour and take decisions affecting people individually. When tracking cookies are being used to single out people in this way, they are likely to be personal data.
Why this Matters:
On first reading, the Opinion appears to be consistent with the approach taken in the UK and other European countries in that it recognises some form of active behaviour as a mechanism for consent and not just tick boxes.
On further review, however, some of the comments could call into question the validity of some consent mechanisms currently used.
One obvious concern relates to statements on websites that by continuing to use the website users are consenting. The Opinion questions whether merely staying on the entry page “without further active behaviour” can really amount to consent.
Many websites will include a cookies statement which disappears after a short time. The Opinion states that information should not disappear until the user has expressed consent.
Many websites do not list every cookie but instead describe the categories of cookies (often following the ICC categories). In such cases the retention period would not be specified, whilst the Opinion states that this should be included.
In practice it is questionable whether website operators will change their current approaches based on this Opinion, particularly as there has been very little enforcement action and the ICO has indicated in earlier reports that it does not see this as a high priority.