On the eve of amendments to the EU ePrivacy Directive coming into force, the DCMS Minister Ed Vaizey has published a unique “Open Letter”. The letter puts “beyond doubt”, it says, the position on the interpretation and enforcement of the new rules. Stephen Groom asks if the letter does what it says on the tin or puts the cat even more amongst the digital pigeons.
Topic: Online advertising
Who: Ed Vaizey, UK Government Minister for Culture, Media & Sport
When: 24 May 2011
Where: Whitehall
Law stated as at: 6 June 2011
What happened:
Just 48 hours before the coming into force of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, implementing the "ePrivacy Directive 2009/136/EC, Her Majesty's Government published an extraordinary "Open Letter".
The letter focused on just one part of the new regulations. This was the part that amended the laws on the use of so-called cookies. These are text files that can be attached to your PC, laptop, mobile phone or tablet by a website which that device visits or by other means such as the sending of marketing emails. The cookie can be used for various purposes including tracking the online activity of all persons subsequently using the device and using this to serve targeted advertising.
There has been little or no mention by the enforcement authorities or commentators of the dropping of cookies on devices by marketing emails and marketinglaw will be reporting on this separately anon. However the focus of this report is the said "Open Letter" from DCMS Minister Ed Vaizey. This followed hot on the heels of an ICO document giving advice on how to comply with the new cookie laws and preceded by 24 hours another ICO publication on the new cookie law, which was Guidance on its policy as regards enforcement of the new law.
Given that he must have known at that point of the forthcoming ICO enforcement Guidance, what could the Right Honourable Minister have possibly thought he could usefully add?
It is soon quite clear that the Minister has been rattled by understandable confusion amongst stakeholders over the new law. This has been caused by pronouncements that the law will not be fully enforced for a year. It will take this long, we are told, for the government and stakeholders to come up with a "technical solution" to the obtaining of consent to the use of cookies that the new rules require.
The Minister repeatedly tells us that it is making the position clear, putting it "beyond doubt" and making the position "clear beyond reasonable doubt" as if repeating the assertion will do the trick, regardless of whether the rest of the letter does the job.
Does the letter do the job? Er … yes in some ways but no in others. Amongst its pronouncements are:
- other ways of getting the required consent from customers ("customers"??) apart from by way of browser settings are not ruled out;
- the Government fully supports the "cross industry work on third party cookies" which is the IAB-led OBA self regulatory Framework using inter alia the OBA icon;
- in direct contrast to views expressed to date by such as the Article 29 Working Party, the Government believes the OBA Framework "fully addresses one of the uses of cookies of most concern to users";
- enforcement action will not be taken until appropriate technical solutions are available. This unqualified assertion cuts across clear ICO indications that it expects cookie users to start taking action towards compliance now and may well take forms of enforcement action against those shown to be taking no action whatsoever where the circumstances suggest they should be doing otherwise;
- to interpret the new cookie law as requiring consent before the cookie is deployed demonstrates a misreading of the relevant law. This is not expressly required by the ePrivacy Directive. This contrasts with the change made by the ePrivacy Directive to the rules on the use of traffic data in Reg. 7, which refers expressly to "users being "previously notified." This approach to consent, which is interesting to say the least, supports the self regulatory Framework supported by the IAB as in the context of third party cookies it does not obtain prior consent;
- the new regulations allow for the giving of consent by a user by "leaving his browser settings as they are," again an interpretation that does not quite mesh with ICO's comments on the issue;
- this is supported, the Minister tells us, by the new Regulation 6 (3A). This says that "consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent" The Minister draws our particular attention to the use of the word "may" in that sentence, clearly indicating, he says, that doing nothing with one's browser settings may in some circumstances connote consent. Hmmm…
- the Minister is concerned by the reference in that Regulation 6 (3A) wording to only the subscriber amending or setting the browser settings (the person who is billed for the electronic communications service which enables internet access) and not the user as well. This contrasts with all other references in the cookie related provisions of the amended regulations which are "subscriber or user" Despite the fact that the terms "subscriber" and "user" are clearly defined in the Regulations as different entities, the Minister suggests extraordinarily that the court "would read subscriber as including user" but it is clear that there has been an error in drafting the instrument and the Minister concludes on the point that amending legislation may be needed.
Why this matters:
This Open Letter is extraordinary. It betrays that HM Government is in something of a funk over this botched piece of implementation and may prove to be a stick that those defending themselves from ICO enforcement action will gladly pick up and use. Its is debatable whether the communication achieves the clarity it claims and on the contrary it sets off a number of hares that had not even started running before this appeared.
