The Cookie Monster?

March 1, 2002

“C is for cookie, Cookie good for me” The Cookie Monster, Sesame Street.

As most readers of this publication are aware, cookies are essentially text files sent by Web sites and then stored on your computer’s hard disk. Information contained in the cookie can then be retrieved next time the individual visits the Web site. This will usually be used by the Web site to identify and authenticate the user and may be used to tailor the Web site experience for that user. Cookies are therefore a useful tool for businesses wanting to enhance the Web site visit and hopefully optimise the site’s commercial potential. Nevertheless, despite the apparent positive reasons for the use of cookies, a number of organisations do see them as a potential invasion of an individual’s privacy and are looking for means of limiting their use.

In the November version of the draft Directive ‘concerning the processing of personal data and the protection of privacy in the electronic communications sector’ (the Directive), the European Parliament approved an amendment which would have prohibited the use of cookies without the express consent of the individual. This would have meant that whenever a user visited a Web site that used cookies they would have had to have ‘opted-in’. Fortunately, the European Council of Ministers disagreed with Parliament and removed the ‘opt-in’ option in favour of a more pragmatic approach. The Directive now places an obligation on Web site owners to ensure that:

  • the user receives “in advance . clear and comprehensive information” about the use of the cookie; and
  • the user is offered the right to refuse the use of cookies.

This amounts to the ability to ‘opt out’. Even so, the Directive still anticipates allowing cookies to be used if it is ‘strictly necessary’ to provide the services requested by the Web site user.

On the face of it, the Directive tries to find a compromise between an individual’s right to privacy and a recognition that cookies are an established and important part of Internet activity. That said, even in its current form the Directive will create a number of restrictions which, if implemented, could not only threaten commercial revenue streams but could also adversely impact on the ongoing development of the Internet.

The Current Position

The right to privacy is one of the ‘hot’ topics of the moment. There are a number of legal developments including the implementation of the Human Rights Act 1998 and the Data Protection Act 1998 which have established a growing trend to give individuals a degree of control over how information relating to them can and should be used. Whilst this objective should be welcomed, it does need to be put into context. With the government promising to encourage the growth of e-commerce, perversely the ever-increasing requirement for business to account for rights of privacy could hold back or redirect growth in the use of the Internet by commerce.

There is no specific legislation in the UK dealing with ‘cookies’.

The Information Commissioner, in her Legal Guidance note released last year, recognised the use of cookies and user profiling and stated that:

‘Information may be compiled about a particular Web user, but there might not be any intention of linking it to a name and address or e-mail address. There might merely be an intention to target that particular user with advertising, or to offer discounts when they re-visit a particular Web site, on the basis of the profile built up, without any ability to locate that user in the physical world. The Commissioner takes the view that such information is, nevertheless, personal data.’

Such a wide definition of ‘personal data’ seems at odds with the definition afforded in the Data Protection Act 1998 which defines ‘personal data’ as data which identifies the living individual. This apparent inconsistency is explained away by the Information Commissioner on the basis that: ‘In the context of the online world, the information that identifies an individual is that which uniquely locates him in that world, by distinguishing him from others’. It must logically follow that in the view of the Information Commissioner, cookies are already subject to the Data Protection Act 1998.

This means that a Web site must comply with that Act and in particular a Web site owner will need to ensure that the processing of such ‘personal data’ is fair and lawful. Thus a Web site should ensure that a visitor to the Web site is informed that cookies are used and the reason for such use.

Article 8 of the European Convention on Human Rights and Fundamental Freedoms affords an individual the right to privacy in respect of his private and family life. It has not been tested yet, but there may be arguments to say that the depositing of code on someone’s hard drive by a cookie without their knowledge, feeding back user data, is an invasion of privacy. The argument may be remote but it is not inconceivable that it could be run.

It does, therefore, appear that existing legislation already provides some cover to protect visitors to a Web site without the need for additional specific laws.

The Effect of the Directive

The introduction of specific requirements restricting the use of cookies raises important commercial issues. Business could find areas of revenue curtailed by the restrictions in the Directive. For example, the Interactive Business Association (IAB) has already estimated that the cost of such restrictions could run into millions of pounds.

The gathering or harvesting of information, be it through cookies or web bots, is a profitable activity. It is hard to see how further legislation governing the use of cookies is going to help stimulate the growth of e-commerce throughout the European Union. Firstly, any restriction would only affect European-based Web sites; this raises the question of whether European businesses that do this, and wish to continue to do so, would move offshore to avoid the restrictions. Secondly, there is no certainty that the law will be observed or adequately policed. The reality of the situation is that a given business may weigh up the likelihood of being caught against the potential cost of compliance, especially when potential profit margins may far outweigh the risks of being caught. Finally, the Directive fails to take into account the fact that nearly all Internet browsers allow a user to prohibit cookies. If a user objects to the use of cookies they can take direct action by changing their Internet settings to prohibit them without the need for any legislation.

The ‘opt out’ approach anticipated by the Directive is likely to have a significant effect on how Web masters operate their sites. By virtue of human nature, many users may be concerned when informed that information will be placed on their hard drive; consequently, it is highly likely that individuals will refuse to accept cookies without understanding how useful they can be.

The legal implications of restricting the use of cookies are still far from clear. If a Web site allows banners (this is a classic means of generating revenue) and the Web site to which the banner links fails to comply with the Directive then the question arises as to whether the original site containing the banner could also be liable. Web sites will therefore need to be extremely careful when linking with third-party sites and will need to be sure that they impose clear obligations on the third party to comply with the Directive and to indemnify the site owner for loss if they do not.

Balancing the Factors

An individual’s right to privacy is of course extremely important but it has to be weighed against other factors. The courts already recognise this balancing act in a number of other areas, for example balancing rights of confidentiality and public interest issues as seen in recent court cases involving fashion and media celebrities. E-commerce is still in its embryonic stage and overly burdensome legislation will do nothing to promote its growth. Cookies form an important part of Web site usage. It could be extremely frustrating for Web site users to find that each time they visit a site they have to re-enter all of their details. Legislators are aware of this but do need to be very careful before imposing restrictions that could damage or limit the development of e-commerce. This article is not intended as a treatise on why e-commerce is a good thing or otherwise. Suffice to say, most governments consider it so. It is clear that current legislation already provides some protection for the individual and restricting the ability to gather and store information even more will do nothing to promote further growth.

How the Directive is eventually implemented in the UK remains to be seen. What is clear is that Web site owners and their legal advisers will need to review how they use cookies and then ensure that they have appropriate procedures and terms in place to inform visitors that they would like to use cookies and the reasons for such use. Equally, any linkage to other sites should be reviewed and appropriate contractual safeguards should be implemented for all site owners. It is clear that, whilst cookies may be good for the Cookie Monster and lawyers, the jury is out on whether the Directive will prove to be good for e-commerce and the European Union.

Garry Mackay is a solicitor with Bevan Ashford’s IT/IP team and Mark Lomas is a partner and head of Bevan Ashford’s IT/IP team.