The law surrounding internet cookies has become increasingly complex due to some intervention from Europe. Many people are unaware of what cookies are, when they are used, or what they do, but nevertheless, consumers will soon be required to “opt in” rather than “opt out” of having cookies placed on their computers. So what does all this mean?
Cookies are small pieces of information in text format that are frequently downloaded to your computer when you visit websites. Cookies have a unique ID that will map back to that particular computer, and only that computer. People tend not to like the idea of anything automatically downloading to their computer, but most cookies are intended to be helpful.
Cookies can be either temporary or permanent. Temporary cookies are saved to the browser memory and are lost at the end of each session. Permanent cookies are passed to the hard disk of a computer. It is this latter type of cookie that saves information, either for the customer’s or the provider’s benefit.
Consumers tend to be less happy, however, when the cookie is from entities such as a major advertising agency. Cookies can come from many sources on a website; therefore, consumers do not actually need to visit an advertising agency to collect cookies from them. These cookies allow marketers to track a consumer across the web and then provide targeted advertising.
When cookie technology was developed in the early to mid 1990s, controls were not introduced to allow cookies to be turned off. There was inevitable outcry when consumers discovered that they were being profiled without their consent.
Nowadays, consumers can turn off cookies, but most web browsers are still installed with cookie controls enabled, so it is up to consumers to actively turn them off as they wish.
This position is about to be reversed following a controversial revision to the E-Privacy Directive (2002/58/EC).
The European Legislation
The revision requires users to actively opt in to having cookies rather than opt out, i.e. there requires to be affirmative action by an individual indicating their consent to receive cookies. It is worth indicating at this stage that there is an exception where the cookies are “strictly necessary” for a service “explicitly requested”, e.g. the internet shopping example above.
This seems straightforward enough, but the confusion arises as the introduction to the directive states “where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC (Data Protection) the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.” Does this mean that you can rely on default cookie settings?
Any advertiser would say “yes”, but an independent European advisory body, the Article 29 Data Protection Working Party (the “Working Party”), which produced an opinion on Online Behavioural Advertising clarifying the legal framework, says “no”.
Thankfully, the Working Party does not believe that it is necessary to request consent for each reading of the cookie so if a consumer agrees once, it does not have to continue to do so.
In relation to advertising, the Working Party suggests that network providers should:
- place a time limit on the consent;
- offer an easy means of revoking the consent; and
- show clearly where monitoring takes place.
Numerous concerns have been raised about this “opt in”, ranging from the effect on website functionality to the potential threat to the online behavioural advertising industry. The fact remains that the “opt in” is here to stay and that businesses should be considering whether any changes require to be made to their systems to comply with the revisal to the legislation.