The fate of Europe's cookie law became improbably entwined with
a debate over file-sharing. To cut a
long story short, it broke free. On 26th October, it was voted
through by the Council of the EU. It cannot be stopped and awaits
only the rubber-stamp formalities of signature and publication.
The vote's result was announced by way of a whisper. It featured
at the tail end of an
18-page Council press release (PDF) that first had to address
fishing quotas, train driving licences and a maritime treaty with
China. I'm afraid we missed it.
There was no attempt to bury this news – but the hushed tones of
its reporting were consistent with the media attention it has
received to date. There has been almost no fuss about this little
law, despite the harm it could do to advertising, the lifeblood of
online publishing. It also threatens to irritate all web users by
appearing at every new destination like an over-zealous security
guard.
Here's what's coming. The now-finalised
text says that a cookie can be stored on a user's computer, or
accessed from that computer, only if the user "has given his or her
consent, having been provided with clear and comprehensive
information".
An exception exists where the cookie is "strictly necessary" for
the provision of a service "explicitly requested" by the user – so
cookies can take a user from a product page to a checkout without
the need for consent. Other cookies will require prior consent,
though.
So almost every site that carries advertising should be seeking
its visitors' consent to the serving of cookies. It also catches
sites that count visitors – so if your site uses Google Analytics
or WebTrends, you’re caught.
You could seek consent with pop-ups, if you’re happy to ignore
accessibility guidelines that
discourage pop-ups – though users' browsers may block pop-ups
by default, which risks confusion. Or you could do it with a
landing page that contains a load of information and some choices.
The choices for users could be:
- Give me a load of cookies, now and in future visits, and let me
get where I wanted to go in the first place – and please don't
interrupt me like this again.
- Cookies sound evil. I'm going to use American sites instead,
because they don’t scare me with this cookie nonsense.
- I don't want cookies from your advertising partners, but I'll
gladly pay for an ad-free version of your site. What's that you
say? I need cookies for that too? OK, but just a few please.
You need to ask each new visitor just once, of course – until
the visitor deletes his 'consent' cookie. Like a blow to the head,
that action will cause your site to forget that you've actually met
before and you'll welcome the visitor like a stranger.
Between now and 26th April 2011, the date this law must come
into force across the EU's 27 member states, two things will
happen. The Directive will be transposed into national laws; and
we'll get guidance from regulatory bodies. Each of these steps is
an opportunity to mitigate the impact of this misguided law.
Our Government could take a bullet for Digital Britain. It could
interpret the Directive creatively or, to be pedantic, wrongly.
Doing that allows businesses to comply with UK law while putting
the UK Government in breach of European law. The European
Commission then makes threatening noises before hauling the UK
before the European Court of Justice for a shoeing, a process that
generally takes a few years to resolve. (The UK is mired in such a battle right now over the
original version of the cookie law – it's just that it's not the
cookie provisions in dispute.)
I doubt this will happen. The new law amends an existing
Directive, passed in 2002. The UK's implementation of that
Directive was faithful and, given some MPs are pleading to make all behavioural advertising opt-in, there
may be political will for an opt-in approach to all cookies.
Perhaps that was the motive in the EU passing this law – I
really don’t know. If it was, behavioural advertising could be
managed without wielding a sledgehammer that cracks almost all
cookies. Lawmakers should identify any harms they see in today’s
practices and legislate against the harms. To legislate against the
technology is unnecessary, short-sighted and destined to fail.
The 2002 Directive is not so different from the new law at
first sight: it said that cookies should come with a "right to
refuse". The UK implementation reproduced these words precisely.
But the Information Commissioner's Office took a pragmatic view,
saying that the right to refuse could be given after the delivery
of the cookie. Compliance was easy: you just had to put some
information in your privacy policy. The new law turns that upside
down.
So a better prospect than a faulty implementation of the revised
law is that our Information Commissioner's Office (ICO) publishes
pragmatic guidance again. The ICO might be motivated to do that:
the cookie law is likely to be as irritating for consumers as it is
for business. This won't be easy, though: the new wording gives
limited room for manoeuvre.
The wriggle room, such as it is, probably doesn’t lie in saying
that advertising or traffic monitoring are ‘strictly necessary’ to
provide the free service ‘explicitly requested’. A better prospect
is a weird recital to the Directive that suggests "the user's
consent to processing may be expressed by using the appropriate
settings of a browser".
It's not a get-out-of-jail-free card by any means. Remember,
it's only a recital, not an article. Recitals are meant to explain
the lawmakers' rationale and sometimes they're used to resolve
ambiguities. They are not meant to contradict the business end of
the Directive – and this recital sounds like a contradiction (which
smacks of bad drafting).
We've heard a different view of what the recital might mean, but
to many it will look like a place of shelter. Subject to whatever
our domestic law says, and our ICO’s guidance, some businesses
might be tempted to hide in the confused wording of that recital.
If I was desperate to avoid landing pages and pop-ups, I would too.
The risk you run is a £5,000 fine, unless the penalties are
increased (which the new Directive invites member states to
do).
That's a gamble that many will consider worth taking because the
alternative might be to haemorrhage ad revenues.
By Struan Robertson, editor of
OUT-LAW.COM. The views expressed are Struan's and do not
necessarily represent those of Pinsent Masons. You can follow
Struan at Twitter.com/struan99.
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please
contact us. See also: our
full disclaimer
