If the new law is passed, websites will be required to seek
consent from users before serving cookies – the small text files
that help a site to remember a visitor. The law's fate has become
inextricably linked to a file-sharing policy.
The EU's Council of Ministers and Parliament are in disagreement
over a single clause in a package of laws, a clause that requires a
court's authority before an individual can be disconnected from the
internet for illegal downloading. The rest of that package –
including the cookie plan – is now sealed and closed to further
negotiation.
If the file-sharing impasse is resolved, the entire telecoms
package will be passed into law on 14th December. If MEPs and
Ministers cannot reach agreement before then, the entire telecoms
package falls.
So if your business is funded by web advertising, cross your
fingers that a committee of 54 MEPs and Ministers continues to
squabble over the rights and freedoms of BitTorrent users. Any
consensus may damage your website's usability and possibly your
business.
I spoke with someone (who asked not to be named) who was close
to the negotiations on the new cookie law. He heard the advertising
lobbyists scream, but he says the proposal changes nothing.
Most websites "don't seem to offer the clear and comprehensive
information and the right to refuse mentioned in the current law,"
he argues, and the new law is just "shorter, clearer and more
elegant" than what is currently in force.
The current law – a provision of the Privacy and Electronic
Communications Directive (11-page PDF) – says that sites using
cookies must give visitors "clear and comprehensive information"
about the purpose of the cookies. It also says that a site must
offer visitors "the right to refuse" the use of cookies.
There is an exception for cookies that are "strictly necessary"
to provide a service "explicitly requested" by the user.
Consequently, no cookie notices are required to serve a cookie that
helps a shopper get from a product page to a checkout; but notices
are required for cookies that are used in traffic analysis or
advertising.
When the original law was passed in 2002, the main question was
how and when these notices must be given. What does a "right to
refuse" require of a website? The UK's data protection regulator
took the view that a notice in an easy-to-find privacy policy will
suffice. That approach, it seems, prevailed across the EU and, to
our knowledge, there has never been any action against cookie
transgressors.
Consequently, if you visit the homepage of, say, Times Online
for the first time, you will receive no fewer than 30 cookies from
the newspaper's owners and its advertising partners in the moments
that it takes the page to load. Your web browser is probably set to
accept them all, so you won't know about them. Your "right to
refuse" requires you to visit the site's privacy policy, where
cookies are addressed.
This interpretation of a "right to refuse" is shared by almost
every other site, including OUT-LAW.COM. It's a fudge. It's a lazy
but convenient interpretation of a law that in plain English
appears to expect more. But it’s a fudge that was endorsed by our
Information Commissioner's Office (ICO), because it was deemed
harmless and because the alternative was deemed unworkable. Few
people were keen to see consent screens for the advertising cookies
that make it possible for newspapers to offer their content without
charge (at least for now).
So the ICO's guidance (19-page PDF) put pragmatism before pedantry
and web businesses across the UK breathed a big sigh of relief.
Sites across Europe take the same approach. The law has been in
force since 2002 and no sites seem to give the information and the
right to refuse before serving cookies. That sounds to me like a
breach of the current law if you take a strict interpretation.
"What right to refuse did I get?" our source asks of his own
visit to a homepage placing a selection of cookies on his computer.
"You might imagine some sort of pop-up: 'do you refuse this – yes /
no'. You could phrase that many ways but it seems to me you need to
ask for a reaction before storing or gaining access to a
machine."
Can you imagine a pop-up box to explain 30 cookies, or 30 pop-up
boxes? You can simulate this, to experience the irritation
first-hand, if you ask your browser to prompt you each time a site
tries to serve a cookie. You'll soon see why everyone decided to
neglect the letter of the law.
The new law will be harder to fudge. The words "right to
refuse" are removed. Instead, sites can deliver cookies to a user's
computer only if the user "has given his/her consent, having been
provided with clear and comprehensive information" unless, as now,
the cookie is "strictly necessary" for a service "explicitly
requested".
The consent standard is surely closing the loophole we've all
been exploiting. Regulators sometimes take liberal interpretations
of laws when doing so can benefit both consumers and businesses.
They don't advocate breaking them.
In May I said that a recital in the new law appeared to be
inconsistent with the Article on the
subject. In any Directive, a recital has less weight than an
Article (it's there to set the context for the law and explain why
it is being passed). The recital to the new law says:
"…Where it is technically possible and
effective, in accordance with the relevant provisions of [the Data
Protection Directive], the user's will to accept processing may be
expressed by way of using the appropriate settings of a browser or
other application."
The default setting of most browsers allows cookies. I read this
recital as meaning that consent could be implied from a default
browser setting. How, I asked, could consent be implied from a
default setting?
But our man in Europe takes a different view. "It is doubtful
that today's browsers give clear and comprehensive information
about cookies," he said. That's true: they will show you what a
cookie contains, but that will be code, so you'll have no idea what
it means.
Nor does the right party give you the information: the law
expects Times Online to explain its use of cookies – not a third
party like Microsoft, the Mozilla Foundation, Apple, Google or
Opera. So in his view the recital allows a shortcut for users of a
browser plug-in that probably doesn't exist and that's certainly
nowhere near ubiquitous. (The closest we came was with the Platform
for Privacy Preferences, or P3P, which is as good as dead.) So
perhaps the recital is a red herring.
The new law, said our insider, is merely a clarification of the
old one. He didn't wish to comment on whether the law was
commercially viable or not – he would say only what he thought it
meant. While he stressed that he was giving his personal views, I
suspect that others share his views. He acknowledged that
regulators might interpret the new law in the same way as the old
one – but my fear is that they won't. My fear is that they will
take a harder line.
This is supported by concerns raised in Europe and the UK about
behavioural advertising, something that relies on the freedom to
send and read cookies.
European Commissioner Viviane Reding expressed concerns about
behavioural advertising
this month. "European privacy rules are crystal clear: a person's
information can only be used with their prior consent," she said.
"The Commission is closely monitoring the use of behavioural
advertising to ensure respect for our privacy rights. I will not
shy away from taking action where an EU country falls short of this
duty."
It is also consistent with the opt-in approach recommended for behavioural
advertising by the UK's All Party Parliamentary Communications
Group in a report earlier this week. ApComms doesn't like the idea
of cookies being served to users, if they will be used to monitor
behaviour across a network of sites, unless consent is explicit.
"We do not believe that 'opt-out', however commercially convenient,
is the way that these systems should be run," said ApComms.
I maintain that the plans for cookie law reform are misguided.
Behavioural advertising has raised new issues that must be
addressed – but not this way. Websites and their users as well as
advertisers and intermediaries will suffer unnecessarily if this
law is passed.
So please keep fighting, file-sharing factions. Compromise is
for wimps.
By Struan Robertson, editor of
OUT-LAW.COM. This article represents Struan's views – not
necessarily those of Pinsent Masons. You can follow him at
twitter.com/struan99.