The European Parliament today voted to approve the European
Commission's Telecoms Package of reforms. Part of that package of
reforms was a change to EU law on the use of cookies.
Cookies are small text files which websites place on a visitor's
computer. Sites can use cookies to identify users and publishers,
advertisers and advertising intermediaries rely on them to select
adverts for websites.
The now-adopted text says that cookies can be stored on a user's
computer, or accessed from that computer, only if the user "has
given his or her consent, having been provided with clear and
comprehensive information". An exception exists where the cookie is
"strictly necessary" for the provision of a service "explicitly
requested" by the user. (The official text is found in a
96-page PDF. OUT-LAW has a summary of the relevant
parts.)
The Interactive Advertising Bureau (IAB) Europe and publishers'
trade body the European Publishers' Council (EPC) have said that
they believe that the law says that browsers’ settings will
indicate a user's permission to use cookies.
"The ‘Telecom Package’ strengthens security and privacy for
internet users. Crucially, the new law provides a solid legal basis
for cookie management tools in browsers and other applications,"
said a statement from the bodies.
The privacy settings of most browsers can be adjusted by users
to block or allow some or all cookies.
IAB Europe said that the 'preamble' to the law underlines its
case. "The law now clarifies that websites can rely on browser
controls and similar applications to define the acceptance of
cookies," it said. "Publishers and online marketers support this
approach because greater transparency, user-friendly information
and easy cookies-management will increase consumer trust and
confidence."
The preamble to the new law mentions browser settings. It
states, in part: "Where it is technically possible and effective,
in accordance with the relevant provisions of [the Data Protection
Directive], the user's consent to processing may be expressed
by using the appropriate settings of a browser or other
application."
Technology lawyer Struan Robertson of
Pinsent Masons, the law firm behind OUT-LAW.COM, said that IAB
Europe’s interpretation is optimistic but attractive.
"It would be better for everyone if the IAB Europe's view is
right," said Robertson. "It is a pragmatic way to interpret a very
bad law that otherwise damages the user experience on
websites."
To seek consent from users without relying on browser settings,
websites might have to provide pop-up messages or landing pages
that seek consent to the serving of cookies for purposes that were
not “explicitly requested” by users, such as advertising or traffic
analysis.
Robertson has previously called the new law "breathtakingly stupid" and
said that companies may, in the end, interpret it in the same way
as the IAB Europe in a bid to make commercial sense out of it.
"This law affects almost everybody who publishes a website. If
everyone interprets the law in this way, the risk of action is
low," he said. "Companies will be hoping that national governments
and regulators share this interpretation."
IAB Europe's vice president Kimon Zorbas told OUT-LAW.COM that
it believed that the European governing bodies had changed their
mind about demanding explicit consent for cookie use before a
website was used. He pointed out that a previous draft of the text
had demanded "prior" consent, but that that had been changed.
A
draft version of the law that was rejected in May proposed the
following Article 5(3) :
"Member States shall ensure that the storing
of information, or the gaining of access to information already
stored, in the terminal equipment of a subscriber or user is only
allowed on condition that the subscriber or user concerned has
given his/her prior consent, which may be given by way of using the
appropriate settings of a browser or another application, after
having been provided with clear and comprehensive information in
accordance with Directive 95/46/EC, inter alia about the purposes
of the processing. This shall not prevent any technical storage or
access for the sole purpose of carrying out the transmission of a
communication over an electronic communications network, or as
strictly necessary in order to provide an information society
service explicitly requested by the subscriber or user."
The text agreed by the Parliament today
provides the following Article 5(3):
"Member States shall ensure that the storing
of information, or the gaining of access to information already
stored, in the terminal equipment of a subscriber or user is only
allowed on condition that the subscriber or user concerned has
given his or her consent, having been provided with clear and
comprehensive information, in accordance with Directive 95/46/EC,
inter alia about the purposes of the processing. This shall not
prevent any technical storage or access for the sole purpose of
carrying out the transmission of a communication over an electronic
communications network, or as strictly necessary in order for the
provider of an information society service explicitly requested by
the subscriber or user to provide the service."
"The previous version said 'prior' and 'after having been
provided' – so if they changed it, [they] clearly [meant] something
else," said Zorbas. "We believe there is some consent required and
that can be implicit consent. There's no reason to believe it's
explicit consent."
Robertson said, though, that while the change in the text might
imply that, IAB Europe's interpretation is vulnerable to
challenge.
"It is difficult, if you look at the text that has been agreed
by the Parliament, to read it as meaning that no prior consent is
needed," he said. "It says users have to give consent to cookies
'having been provided with' information. I don't see how that's
anything other than prior consent. Yes, it removes the word
‘prior’, but it also removes the reference to browser settings, a
reference that’s been relegated to a recital, and recitals matter
less than Articles.”
The recital to the new law states:
"Third parties may wish to store information
on the equipment of a user, or gain access to information already
stored, for a number of purposes, ranging from the legitimate (such
as certain types of cookies) to those involving unwarranted
intrusion into the private sphere (such as spyware or viruses). It
is therefore of paramount importance that users be provided with
clear and comprehensive information when engaging in any activity
which could result in such storage or gaining of access. The
methods of providing information and offering the right to refuse
should be as user-friendly as possible. Exceptions to the
obligation to provide information and offer the right to refuse
should be limited to those situations where the technical storage
or access is strictly necessary for the legitimate purpose of
enabling the use of a specific service explicitly requested by the
subscriber or user. Where it is technically possible and effective,
in accordance with the relevant provisions of Directive 95/46/EC,
the user's consent to processing may be expressed by using the
appropriate settings of a browser or other application.
The enforcement of these requirements should be made more
effective by way of enhanced powers granted to the relevant
national authorities."
"Most browsers don't default to blocking all cookies and most
people don't change their browser settings, so it's hard to say
that effective consent is conveyed by browser settings," said
Robertson. “Also, browsers can’t tell you the purpose of a
cookie.”
Information Society Commissioner
Viviane Reding said (video, at 13’20) today after the
Parliament vote that she was "surprised that certain Member States
appeared to call the agreed text on cookies into question".
"In the E-Privacy Directive
it is made very clear that a user can only give out his private
data if there is prior consent so if there are spy cookies there
must be a prior consent of the user, very clearly so," she told a
press conference today.
"But there are also the so-called technical cookies, those which
make the whole infrastructure of the internet function. Those are
not concerned by this rule, just to clarify, because there were
some critics that this amendment would make it impossible for the
internet to function. It does not, it is a guarantee for the rights
of the consumers," she said.
The Commission has confirmed in the past that the current law is
intended to control both spyware and cookies. Robertson said he
didn't know what Reding meant when she referred to spy cookies. “Is
she talking about cookies that track users across websites to
deliver better advertising, or is she talking about more sinister
uses? We’re left guessing, unfortunately. Maybe she means what the
IAB Europe says the law means – but if that’s the case, I really
wish the law itself made that clear.”
He said that he hopes IAB Europe’s interpretation will be
supported in member states.
"The next step for this law is implementation in national
states," he said. "It would be helpful for everyone if national
governments followed IAB Euope's approach."
"If national governments copy and paste the EU text, IAB
Europe’s interpretation is open to question. But by then we’ll be
at a stage where only a court can provide the answers and I
wouldn't be at all surprised if this whole debacle never comes
before a court. I just can't see the national regulators wanting to
prosecute just because a company uses cookies to select adverts
without seeking prior consent."
