UK to Give Green Light to Cookies?

September 22, 2010

Last year’s revisions to the European electronic communications laws contained a somewhat controversial obligation to get consent before using certain cookies. The Government has now issued its proposals to implement these amendments into UK law.

A Brief Recap

Cookies are small text files stored on your computer. They are sent by a web site to your computer the first time you visit that web site and allow the web site to recognise your computer on subsequent visits. While there are a number of legitimate uses for cookies, there is also a concern that they can be used in a way that infringes users’ privacy.

Accordingly, the 2002 ePrivacy Directive obliged web site operators to tell users if they use cookies and allow them to opt out. These provisions were a little ineffectual but seem to have caused few problems in practice. Anyone concerned about cookies can easily modify the settings on their browser to reject them.

The ePrivacy Directive was amended in November 2009 to require consent from users for the use of cookies unless the cookie is strictly necessary for the provision of services to the user. This obligation is potentially problematic. However, it needs to be read in light of the recitals to the amending Directive which state consent can be obtained from web browser settings.

These provisions have caused considerable confusion, with a number of conflicting views on how they operate in practice. The Article 29 Working Party issued an opinion in June 2010 all but excluding the possibility of relying on browser settings. In contrast, some advertising bodies, such as IAB Europe, believe the existing control settings in most web browsers are sufficient to satisfy the consent requirements. This leaves the Government in a dilemma. How can it implement these provisions in the UK in a way that:

· clarifies what the new law actually means;

· avoids gold-plating its implementation and harming the competitiveness of the UK e-commerce sector; and

· properly implements the amended ePrivacy Directive to avoid subsequent enforcement action by the European Commission?

More than a Simple Cut and Paste

On the face of it, the Government has simply ducked the issue. The main consultation document states it intends to implement the law by ‘copying out the relevant wording of the Article‘ and it is likely to also include wording to reflect the recital on browser settings. Thus, the Government meets its implementation obligations. In contrast, web site operators only find out what the law means when the Information Commissioner chooses to issue further guidance and/or take enforcement action.

Dig a little deeper and things look a little different. The impact assessment accompanying the main consultation document considers two options to implement these provisions:

· an ‘opt-in’ consent system based on pop-up windows or virtual labels on web-pages visited by users;

· allowing consent to the use of cookies to be given via browser settings.

The Government’s preference could hardly be clearer and shows all the hallmarks of a concerted lobbying campaign by the advertising industry. An opt-in requirement would ‘lead to permanent disruption to services‘ and would result in users ‘switching from UK and EU web sites to non-EU web sites which are easier to use‘. There could be a loss of revenue from behavioural and interest based advertising of ‘up to £740 million by 2012‘.

In contrast, relying on browser settings is unlikely to harm users as ‘there is little evidence of information gathered by cookies being used for illegitimate reasons‘. The impact assessment does, however, suggest that browser manufacturers must make their privacy settings more user-friendly and web sites need to make it clearer how they use cookies. No further guidance is provided on either topic though there are suggestions that this could be developed on a self-regulatory basis.

Thus the Government cuts the Gordian Knot. A near verbatim implementation of the Directive should avoid enforcement action by the European Commission, whilst the Information Commissioner gets a clear steer on how (not) to enforce these provisions in practice.

Will this legislative sleight of hand still provoke the European Commission? It appears not. Neelie Kroes’ recent speech at the European Roundtable on Online Advertising suggests a more tolerant approach, recognising that the economic contribution from online advertising is ‘impossible to ignore‘ and ‘many of the free services now used by billions on the Internet would not be possible without the income derived from the various forms of online advertising‘. Her position is that a ‘self-regulatory solution is possible‘ that is ‘probably based on browser settings‘. Further guidance from the European Commission will appear in due course but there is little here to suggest it will take a hard line on this issue.

Necessary Cookies

The consent requirements do not apply to cookies ‘strictly necessary’ for the provision of services explicitly requested by the user. This should, for example, permit cookies used to manage a shopping cart or to allow secure access to a web site. In contrast, it is unlikely a web site operator could argue that cookies for behavioural advertising are necessary as provide funding for its web site – there is a distinction being between technical and economic necessity.

Again, the Government indicates it will duck the issue and ‘does not intend to give a hard definition of what is strictly necessary, but rather transpose the provision of the Directive with a minimum change of wording, leaving future regulators the flexibility to adjust to changes in usage and technology‘. Given the constant change and innovation on the Internet, this seems like a sensible approach.

In Practice

So where does this leave web site operators? From a policy perspective the Government’s focus on browser manufacturers seems sensible and web site operators should lobby the Government to be as explicit as possible in supporting this position in any implementing legislation. A little more guidance would also be helpful. For example, how do you deal with older browsers without enhanced privacy settings? Who will develop guidance on alerting users to the use of cookies? Will there be grandfathering provisions for existing cookies?

From a technical perspective the best advice still seems to be to sit tight. If the Government maintains its current position, there is little to suggest UK web sites will need a wholesale revision when these provisions finally come into force.

The deadline for responses to the consultation is 3 December 2010.

Marly Didizian is a partner, and Peter Church is an associate, in the Technology, Media and Telecomunications practice at Linklaters LLP, London