Calm Down Dear, It’s Only a Cookie!

November 26, 2009

All about cookies

A cookie is a small piece of text that a web server sends to your browser the first time you visit a web site and that the browser stores and sends back to that server on subsequent visits. The cookie itself looks relatively uninformative. For example, the cookies added to my computer by the SCL web site are in the table below. They are not gripping reading. What a cookie typically does contain, though, is an identifier that is unique to your browser.

However, the server can recognise the cookie, and therefore recognise you, on any subsequent visit.[1] This enables all sorts of functionality such as authentication and session tracking. Cookies also allow personalisation and behavioural targeting, which is at the root of the current controversy.

Cookies can be divided into session cookies and persistent cookies. Session cookies carry no expiry date and are deleted when you finish your browsing session (normally when you close the browser), which means that they cannot be used to recognise you when you start a new browsing session. In contrast, persistent cookies carry an expiry date and remain on your browser until that date passes, which could be a number of years in the future.

Cookies can be further divided into:

· site cookies (or first-party cookies) – these are placed on your browser by the site you actually visit (eg if you visit www.scl.org, you will get a scl.org cookie); and

· third-party cookies – these are placed on your browser by a server belonging to a site you have not actually visited. This is possible because most web pages contain instructions to fetch content from a third-party server, such as a banner advert. When the browser fetches that content, the third-party server can place its own cookie on your browser, or read one it has already placed there. If the third party has arrangements with a lot of different web sites, it can therefore track you as you move between them and build a profile of your browsing behaviour.

Other technologies also allow information to be stored locally and retrieved later, such as local shared objects or 'flash cookies', which are written by the Flash player. These are generally more problematic because they are managed by the plug-in rather than the browser, so the browser's cookie privacy controls do not apply to them.

Now you just need to tell people

Cookies are primarily regulated by the ePrivacy Directive. This requires web sites to inform users if they use cookies and allow them to opt out. It also permits cookies if they are strictly necessary for the provision of an information society service.[2]

These provisions were a little ineffectual but seem to have caused few problems in practice. Anyone concerned about cookies can easily change the cookie settings in their browser. For example, the browser can be set to delete all cookies at the end of each browsing session, to reject third-party cookies or to reject cookies altogether. Those who are really concerned about their privacy can use the private or 'incognito' mode available on almost all common browsers, which erases all locally stored information at the end of a browsing session, including all cookies. Note that, for the reason given above, none of these browser settings governs flash cookies.
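To make the distinctions above concrete, here is an added example (not from the article) that replays a visit to www.scl.org in Python's standard-library cookie jar, used as a stand-in for a browser's cookie store. The tracker host ads.tracker.example, the cookie names other than __utma, and all the values are made up. It shows a session cookie disappearing when the 'browser' closes, a persistent cookie surviving, and the 'reject third-party cookies' setting (the jar's strict_ns_unverifiable option) blocking the banner server's cookie both when it is set and when it would later be sent back from a different site.

```python
"""Session vs persistent vs third-party cookies, replayed offline with the
standard library's cookie jar standing in for a browser's cookie store.
Added example; hosts other than scl.org and all cookie values are made up."""
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request


class FakeResponse:
    """All CookieJar needs from a response is .info() returning its headers."""

    def __init__(self, set_cookie_values):
        self.headers = Message()
        for value in set_cookie_values:      # Message keeps duplicate headers
            self.headers["Set-Cookie"] = value

    def info(self):
        return self.headers


def browse(reject_third_party):
    """Visit www.scl.org, whose page embeds a banner from ads.tracker.example.

    reject_third_party mirrors the browser setting of the same name:
    strict_ns_unverifiable makes the policy refuse cookies set (and later
    sent) in third-party context."""
    jar = CookieJar(DefaultCookiePolicy(strict_ns_unverifiable=reject_third_party))

    # First-party response: one session cookie (no expiry) and one
    # persistent cookie that lives two years, like the real __utma.
    page = Request("http://www.scl.org/")
    jar.extract_cookies(FakeResponse([
        "SESSIONID=abc123; Path=/",
        "__utma=200938924.44735142.1258997562; Domain=scl.org; Path=/; Max-Age=63072000",
    ]), page)

    # Third-party response: the banner image the page told the browser to fetch.
    # origin_req_host/unverifiable record that the user did not ask for it.
    banner = Request("http://ads.tracker.example/banner.gif",
                     origin_req_host="www.scl.org", unverifiable=True)
    jar.extract_cookies(FakeResponse([
        "track=visitor-7; Domain=tracker.example; Path=/; Max-Age=31536000",
    ]), banner)
    return jar


def stored(jar):
    """Names of the cookies currently held, labelled session or persistent."""
    return sorted((c.name, "session" if c.discard else "persistent") for c in jar)


def sent_to(jar, url, origin_host=None):
    """Cookie names the jar would attach to a request for url.

    An origin_host different from the url's host models the same tracker
    embedded in another site the user visits later (third-party context)."""
    req = Request(url, origin_req_host=origin_host, unverifiable=origin_host is not None)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    return sorted(part.split("=", 1)[0] for part in header.split("; ")) if header else []


def close_browser(jar):
    """'Delete cookies at the end of the session': drops every cookie without an expiry."""
    jar.clear_session_cookies()
    return stored(jar)


if __name__ == "__main__":
    for setting in (False, True):
        jar = browse(reject_third_party=setting)
        print("reject third-party cookies =", setting)
        print("  stored:", stored(jar))
        print("  sent back to scl.org:", sent_to(jar, "http://www.scl.org/about"))
        print("  sent to the tracker from another site:",
              sent_to(jar, "http://ads.tracker.example/banner.gif", "www.other.example"))
        print("  left after closing the browser:", close_browser(jar))
```

The jar's 'unverifiable' flag is the same notion a browser uses to decide that an embedded banner is third-party context: the user asked for the page, not for the image it pulls in. The example sets the flag by hand because nothing is fetched over the network.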

But soon you will need consent

The provisions in the ePrivacy Directive have now been amended as part of the wider reform of telecoms laws in the EU. Cookies will be allowed only if the user has ‘given his or her consent, having been provided with clear and comprehensive information’ or the cookie is ‘strictly necessary’ for the provision of services ‘explicitly requested’ by the user.

The exception for cookies that are strictly necessary for provision of a service will allow continued use of a number of existing cookies, including most session cookies. Therefore, suggestions that these amendments will cause the Internet to grind to a halt may be a little alarmist.   

Many cookies will fall outside this exemption though and will now need consent, which is a major change. However, the consent requirement needs to be read in light of the recitals which state that where ‘it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application’.

These changes need to be transposed into national legislation in the next 18 months.

So what does ‘consent’ mean?

The key problem is how to reconcile these provisions. What constitutes consent? Some in the advertising lobby suggest it will be necessary to actively click to accept each cookie[3] and this will be ‘lethal’ as:

· it will damage the user experience – constantly having to click to accept cookies will confuse and irritate many web surfers;

· it is a virus writer's dream – web surfers who become accustomed to clicking 'accept' on every cookie prompt will click through the next prompt reflexively, and may well find that they have instead downloaded a virus; and

· it will be ineffective outside the EU – while the revisions to the Directive state that 'enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities', and European data protection regulators will, no doubt, continue to claim jurisdiction over overseas web sites that use cookies in the EU,[4] the likelihood of international enforcement action remains remote.

However, it is not clear that clicking to accept cookies will be necessary. The reference to browser settings in the recitals was enough to provoke a strong response from the Article 29 Working Party[5] earlier this year,[6] which indicates that the recital must water down the consent requirement to some extent. Moreover, earlier drafts of the amended Directive demanded not only consent, but 'prior' consent. That additional requirement has been removed, which again indicates flexibility in the implementation of these provisions.

Regulatory arbitrage

This position is a horrible fudge and the only real certainty is that widely divergent approaches will be taken when it is implemented by Member States, largely driven by their current approach to consent. Many will demand some form of active acceptance for cookies, indeed the French Senate has already proposed a draft law that is likely to do this and does not make any reference to browser settings. In all likelihood, a handful of Member States will go the whole hog and require consent to be given in writing.

Other Member States are likely to take a more moderate approach and even decide that, if a browser is configured to accept a cookie, that is sufficient to indicate consent. The express wording in the recital makes this a possibility in the more liberal Member States which allow an implied consent. The United Kingdom is a prime candidate for a more pragmatic approach but, given it is already facing enforcement action from the Commission over its implementation of the original ePrivacy Directive, it may decide on a stricter interpretation.

National divergence raises the prospect of regulatory arbitrage. The use of cookies on web sites should fall within the ‘country of origin principles’ in the eCommerce Directive meaning that web site owners in the EU will only be subject to the cookie laws of the Member State in which they are established. For e-commerce operators, cookie laws may become another factor, like tax and labour laws, to be considered when choosing between jurisdictions.

In any case, the lobbying exercise will now move on. Having only achieved a draw in Brussels, the advertising and privacy lobbies will now have to repeat the exercise at a national level. At the heart of the debate is advertising and the balance between monetising web services and individual privacy rights. 

Really dumb or really smart?

So, on the face of it, this looks like a dumb law. It makes the EU a much less attractive destination for e-commerce and its uncertainty will lead to uneven implementation in different Member States.

Dig a bit deeper and it looks a bit smarter. Those with most to lose are behavioural advertisers such as Microsoft and Google. They also happen to be the makers of some of the most popular web browsers in the market – Internet Explorer (65%) and Chrome (4%).[7]

These companies will be very keen to demonstrate that it is ‘technically possible and effective’ for users to give consent through the settings on their browsers. The data protection authorities could use this leverage to demand that browser makers rethink their approach to cookies and provide much simpler and privacy-friendly options to users, such as:

· including a fat, red privacy button on the browser to make users think about online privacy;

· requiring users to actively choose their privacy settings as part of the installation process; or

· providing some form of in-line notification as and when cookies are downloaded from a site.

A browser-based solution is preferable for many reasons. It allows users to take a systematic approach to cookies, rather than having to deal with the issue on a site-by-site basis, which many will find extremely frustrating. eCommerce operators can rely on choices made in users' browsers and avoid re-engineering their web sites. Finally, changes to browsers should be applied universally, allowing European data protection authorities to take a global lead in the future direction of online privacy. Whether the current framework allows this remains to be seen.

Laura Hatherley and Peter Church are Associates in the Technology, Media & Telecommunications practice at Linklaters LLP: www.linklaters.com

Table: The cookies set by www.scl.org (Google Analytics cookies, as recorded in the browser's cookie file). It's not gripping reading.

Name     Value                                                                   Host/path   Flags   Expiry (low, high)      Created (low, high)
__utma   200938924.44735142.1258997562.1258997562.1258997562.1                  scl.org/    1088    4011539840, 30190085    4256034736, 30043234
__utmb   200938924.3.10.1258997562                                              scl.org/    1088    779088256, 30043239     4256034736, 30043234
__utmz   200938924.1258997562.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) scl.org/    1088    2989586688, 30079947    4129634736, 30043234

The last three columns are the flags word and the expiry and creation times (each the two 32-bit halves of a Windows FILETIME) that Internet Explorer stores alongside each cookie.
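As an added example (not part of the original article), the Python below re-splits the dump in the table into the records Internet Explorer's cookie file holds and decodes the Google Analytics fields. The eight-lines-per-cookie layout followed by a '*' line is an assumption about the file the table was copied from; the ga.js field order is Google's documented one. It shows that the 'uninformative' text carries a visitor identifier and visit timestamps, with lifetimes of two years, 30 minutes and six months.

```python
"""Decode the Google Analytics cookies from the table above.

Added example, not from the article. Assumption: the table is a dump of an
Internet Explorer cookie file with its line breaks lost. That format stores
each cookie as eight lines (name, value, host/path, flags, expiry low,
expiry high, created low, created high) followed by a line holding '*'."""
from datetime import datetime, timezone

# The three records from the table, re-split on the layout described above.
SCL_COOKIE_FILE = """\
__utma
200938924.44735142.1258997562.1258997562.1258997562.1
scl.org/
1088
4011539840
30190085
4256034736
30043234
*
__utmb
200938924.3.10.1258997562
scl.org/
1088
779088256
30043239
4256034736
30043234
*
__utmz
200938924.1258997562.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
scl.org/
1088
2989586688
30079947
4129634736
30043234
*
"""

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_TO_UNIX = 11_644_473_600


def filetime_to_unix(low, high):
    """Join the two 32-bit halves of a Windows FILETIME (100 ns ticks since
    1601) and convert to whole Unix seconds."""
    return ((int(high) << 32) | int(low)) // 10_000_000 - FILETIME_TO_UNIX


def parse_ie_cookie_file(text):
    """Return one dict per cookie record; malformed records are skipped."""
    records = []
    for chunk in text.split("*\n"):
        lines = chunk.strip().splitlines()
        if len(lines) != 8:
            continue
        name, value, host_path, flags, exp_lo, exp_hi, cre_lo, cre_hi = lines
        host, _, path = host_path.partition("/")
        records.append({
            "name": name,
            "value": value,
            "host": host,
            "path": "/" + path,
            "flags": int(flags),
            "created": filetime_to_unix(cre_lo, cre_hi),
            "expires": filetime_to_unix(exp_lo, exp_hi),
        })
    return records


def decode_ga(record):
    """Split a ga.js cookie value into its documented fields.

    __utma: domain hash . visitor id . first visit . previous visit . current visit . session count
    __utmb: domain hash . pageviews this session . outbound-click budget . session start
    __utmz: domain hash . timestamp . session count . campaign count . campaign data (k=v|k=v...)
    """
    f = record["value"].split(".")
    if record["name"] == "__utma":
        return {"visitor_id": f[1], "first_visit": int(f[2]),
                "previous_visit": int(f[3]), "current_visit": int(f[4]),
                "session_count": int(f[5])}
    if record["name"] == "__utmb":
        return {"pageviews": int(f[1]), "session_start": int(f[3])}
    if record["name"] == "__utmz":
        campaign = ".".join(f[4:])   # campaign values may themselves contain dots
        return {"campaign": dict(kv.split("=", 1) for kv in campaign.split("|"))}
    return {}


def lifetime_seconds(record):
    """How long the browser was told to keep the cookie."""
    return record["expires"] - record["created"]


def iso(unix_seconds):
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    for rec in parse_ie_cookie_file(SCL_COOKIE_FILE):
        print(f"{rec['name']}: set {iso(rec['created'])}, expires {iso(rec['expires'])} "
              f"(lifetime {lifetime_seconds(rec) / 86400:.2f} days)")
        print("   decoded:", decode_ga(rec))
```

The timestamps line up exactly with the documented ga.js lifetimes (two years for __utma, 30 minutes for __utmb, six months for __utmz), which is what confirms the assumed file layout. Note that __utmb is a persistent cookie in the technical sense even though it only lives 30 minutes, so the legal 'session cookie' label and the browser's own notion of a session cookie (no expiry at all) do not coincide.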

 



[1]    And during your visit as you move from page to page around that web site.

[2]    See art. 5(3) of Directive 2002/58/EC.

[3]    Or at least those that are not strictly necessary for the performance of a service to the user.

[4]    On the basis that this constitutes ‘use of equipment’ in the EU under art. 4(1)(c) of the Data Protection Directive.

[5]    The body of European data protection regulators set up under art. 29 of the Data Protection Directive.

[6]    See Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive).

[7]    See http://marketshare.hitslink.com/browser-market-share.aspx?qprid=0. The other major browsers are Firefox (24%) and Safari (4%).