18 December 2013

How the cookie crumbles

Cookies. You come across them daily, and not necessarily in a cookbook or pastry shop. Cookies are small files that websites place on and subsequently read from your computer. They allow websites to monitor your use of the website. Because of this monitoring, (privacy) regulators have set strict rules for the use of cookies. Most European websites will now first show you a banner, pop-up, splash screen or info bar mentioning cookies before allowing you to proceed. But where did this come from?

In 2009, the ePrivacy Directive was adopted, requiring all website operators to first inform visitors about – and obtain their consent for – placing cookies. Incidentally, the ePrivacy Directive is written in a technology-neutral way and applies to all technology that places information on, or reads information from, a user’s computer (and yes, a mobile phone, tablet or even TV falls under the definition of computer). Many EU countries have by now implemented the ePrivacy Directive in their national legislation. But instead of leading to harmonised legislation on this topic throughout the EU, the ePrivacy Directive has produced heated debate, concerned website owners and disgruntled website users. Here are five things you should know about the cookie legislation.

1. Consent needs to be unambiguous
Valid consent requires an active indication of the user’s wishes. It is undisputed that prior consent is required before cookies may be placed. Unfortunately (or perhaps fortunately), the regulators have not specifically prescribed how consent should be obtained. Of course, buttons marked “yes” or “no” quite clearly facilitate consent. But the UK regulator has indicated that consent may also be ‘deemed implied’ if a user is made aware of cookies but consistently continues to visit and make use of the website. In the Netherlands too, the Dutch Minister of Security and Justice is currently investigating whether a system of implied consent could work. Be warned though: this is not yet the law.

2. There are exemptions
There are exemptions to the cookie rules. Certain types of cookies are exempt from the notice and consent requirement. These are cookies that are either required to provide a functionality requested by the user (such as the shopping basket at web stores) or without which the webpage would not be able to load. The threshold for exemptions is quite high. Note that “functional” cookies are not exempt per se.

3. Cookies may trigger data protection law
In the Netherlands, the use of cookies may trigger data protection laws. The Dutch implementation of the ePrivacy Directive has – as the only country in the entire EU – a legal presumption that cookies that are able to track your movements over multiple websites and webpages process personal information to which the Dutch privacy rules apply. This means you not only need to meet the notice and consent requirement, but also need to comply with other obligations, such as having a legal ground, ensuring the use of the information is proportional, and agreeing on specific obligations with your website service providers.

4. There is enforcement already
There has been enforcement on the use of cookies in the Netherlands, in particular by the Dutch data protection authority. As indicated above, cookies may also trigger data protection laws. And it was exactly for that reason that the Dutch data protection authority found a manufacturer of Smart TVs (TVs that can be connected to the internet for interactive services) in violation of the Dutch data protection act. Users could be served with personalised ads and recommendations based on their viewing behaviour. To do so, the manufacturer placed cookies on, and read them from, the TVs. However, the manufacturer had failed to secure a valid legal basis for processing the cookies and had furthermore not sufficiently informed users about what the cookies were used for. Also, the manufacturer was unable to demonstrate adequate agreements with service providers such as Google Analytics.

5. Changes may still be afoot
The cookie rules are still very much in flux. Legislators and regulators have started to see that the cookie rules have often been implemented to the detriment of usability and user-friendliness. Whether and where the cookie rules can be made more flexible to cater for a better user experience is being considered and discussed. However, legislators still seem to take a ‘wait and see’ approach and very much leave it to the market to come up with fresh and creative ideas on how the rules can be practically complied with. Until then, the rules are still in effect, and still apply to many of the cookies that most websites use. And all discussion and consideration notwithstanding, it is clear that having no policy or information statement about cookies at all (while using them) will not be accepted by the regulators.