New legal regime for website cookies to be implemented in May 2011

Written by Geert Somers in the category Laws & rules.

A need for some clarification for website operators and marketers

 

Implementation deadline on 25 May 2011

 

The deadline for implementation of the revised ePrivacy directive (directive 2002/58/EC) in Member State national laws, 25 May 2011, is rapidly approaching. Belgium will most likely not make this deadline. In the meantime, website operators and providers of marketing services are left with a number of questions creating confusion and uncertainty in relation to the use of website cookies. It is therefore time to have a look at the new legal regime and guidelines for its interpretation, so that companies can develop a best practice in view of the actual implementation of the directive.

 

The new regime and its practical concerns

 

The new regime imposes, amongst others, stricter transparency requirements on the use of website cookies. As a reminder, cookies are small text files used by internet browsers to allow websites to store some personal information, such as contact and identity information, preferences, payment details and passwords, on the user’s terminal equipment. Each time the user’s browser requests a page from the same website server, it sends the cookie back, so that the website can recognise the stored information without any need for the user to provide it again. Cookies can therefore be a legitimate and useful tool to facilitate the provision of information society services. Without cookies, the internet as we know and like it today would not even function anymore.

 

The stricter rules for cookies are inspired by a number of developments in recent years, which were considered to weaken the original directive’s aim of protecting the confidentiality of electronic communications. First of all, it has become clear that internet users are usually not adequately informed about what information is stored by the cookie, especially if standard browser settings accept cookies by default. Secondly, cookies may be used by advertising companies to monitor the online behaviour of consumers and build profiles on the basis of their interests. In recent years, cookies have become more complex and allow more detailed profiling. Thirdly, cookies may also be delivered by a website other than the one the user is visiting. Such third party cookies are typically used for direct marketing purposes, in particular behavioural advertising.

 

The amended provisions require users to be provided with clearer and more precise information about the purposes of cookies so as to ensure that they are adequately aware of information being placed on their terminal equipment. This means at least that the wording in website privacy policies may have to be rephrased, depending on the intended use of the cookies by the website operator. In certain cases, additional transparency measures may be required.

 

More problematic are the requirements imposed in relation to user acceptance of cookies. In the original version of the ePrivacy directive, it was considered sufficient if internet users had the opportunity to refuse the storage of a cookie or similar device on their terminal equipment. This led to an industry practice relying on default acceptance of cookies through browser settings. Most users would not change these settings to opt out. However, the changes that were made to the ePrivacy directive in 2009 first seemed to have turned this opt-out possibility into an opt-in regime, requiring prior user consent for the use of cookies in view of sending targeted content to internet users. This caused widespread concerns over the practical workability of such a regime. If prior consent is required, website operators may have to start using pop-ups containing or referring to comprehensive information on the nature and purpose of all the website cookies. Obviously, this would hamper smooth e-commerce and would moreover not be user-friendly. The actual impact will depend on the interpretation given to the new wording in the ePrivacy directive by regulators and courts in EU Member States, which can be more or less flexible. As it turns out, the wording does leave room for interpretation, especially in a combined reading with the directive’s recitals. In particular, recital 66 provides a more pragmatic solution by referring to browser settings or other applications as a basis for implied user consent. This clear reference to browser settings did not exist under the current directive, and from that perspective, the new explanatory text appears to codify the current (relatively flexible) approach used by virtually all website operators. Also, it is important to bear in mind that the Directive does not impose any consent requirements for cookies that are strictly necessary for the provision of a service specifically requested by the user, e.g. when the cookie merely aims at making possible an e-commerce transaction with shopping baskets on the website.

 

Guidance by the Article 29 Working Party

 

The Article 29 Working Party issued some guidance in this respect but seems to have adopted a rather strict approach undermining the room for interpretation left by the directive’s recitals (Opinion on online behavioural advertising, adopted on 24 June 2010, WP 171, 00909/10/EN). The Working Party is of the opinion that the controller of cookies or any other new technology that could be used to track user behaviour through the browser should inform its users in its privacy statement and may not rely on (default) browser settings for cookies. The opinion also states that user consent is required before the installation of tracking devices such as cookies. The Working Party proposes to use simple and effective mechanisms by means of which users can give and withdraw their consent. On the other hand, the opinion recognises that confidentiality issues do not arise every time a website makes use of cookies. Therefore, it suggests limiting the need for consent to advertising networks. Also, it would be sufficient to give such consent once and have it renewed on a yearly basis, unless of course it is withdrawn earlier by the user. When certain conditions are met, browser settings can be sufficient to indicate user consent. This is the case when the browser 1) rejects third party cookies by default, 2) makes it impossible for website operators to bypass user settings and 3) doesn’t allow general acceptance of all cookies.

 

Self-regulatory initiatives by the European Advertising Standards Alliance

 

The European Advertising Standards Alliance (EASA) released on 14 April 2011, in concert with a number of interested parties, a best practice recommendation on online behavioural advertising. The recommendation aims to ensure consumer privacy protection across Europe through a transparent and user-friendly mechanism. It does so by promoting the identification of online behavioural advertisements via a uniform Europe-wide interactive icon, which allows consumers to click through to a simple website with full transparent information and to exercise their online choices, including via an opt-out scheme. The icon will be included in or around all online behavioural advertisements and will signal to consumers that such a technique is being used. National advertising self-regulatory organisations will have to apply the EASA standards and accept consumer complaints about online behavioural advertising.

 

Conclusion

 

It is clear that the current legal regime for website cookies will have to be re-evaluated in the light of the new European rules. Any legal or other measures should be welcomed to the extent that they give consumers more choice and control over information stored and accessed by website operators on the terminal equipment.

 

On the other hand, a workable solution will have to balance consumer interests with the interests of businesses, which should not face unnecessary burdens when trying to provide consumers with a user-friendly and targeted online experience. Therefore, it is clear that any implementing law cannot impose a general prior consent for cookies in the same way as is now the case for e-mail marketing. While awaiting implementation of the directive in Belgian law, website operators and marketers are advised to increase transparency in relation to website cookies towards their users.

 

Finally, internet users will have to become more proactive and make use of available technical means allowing them better control over who can track their online activity. By way of example, internet browsers are offering new functionalities to block many forms of undesired tracking, making it possible to better control what third-party site content can track the user when he is online.