
Out-Law News 4 min. read

EU steps back from insistence that 'do not track' standard is cookie-law compliant


Web browser 'do not track' functions will not, on their own, allow website operators to comply with EU rules on 'cookies', an EU Commissioner has admitted.

Neelie Kroes, who is responsible for the EU's Digital Agenda, acknowledged that website owners will still need to obtain consent to use cookies even if web users have 'do not track' (DNT) facilities in their web browsers.

Kroes has been seeking a uniform way for web users to opt out of being tracked by cookies, but now appears to have accepted that organisations currently developing privacy standards for browsers will not deliver that result.

Representatives from a range of top technology firms are currently working on developing a 'do not track' system for web browsers. The work is being done by a working group of the World Wide Web Consortium (W3C), which is responsible for ensuring that web technology is based on an agreed set of technical standards.

However, in a speech in Brussels, Kroes admitted that she is "increasingly concerned" about the "delay" in concluding the "standardisation work" and said that her primary worry was that the developers had been guilty of "watering down" the standard.

"Make no mistake. I am not naïve," she said. "The way the discussion is going right now shows that the DNT standard, on its own, will not guarantee satisfying legal cookie requirements. Not least because the emerging consensus appears to exclude first-party cookies from the scope."

"The fact is, we need, as far as possible, a simple and uniform way of addressing e-privacy – across different providers and different types of tracking. You shouldn't have every provider reinventing the wheel on this one," Kroes added. "Going the whole way would be better than going half way – of course! But going half the way together is better than leaving everyone on their own. Because it is a common approach, open and generative, fit for the global web."

"But, if DNT only goes half way, providers will need to ensure legal compliance beyond that. There will be a delta, things providers need to do to get valid cookie consent; on top of or beyond implementing DNT," the Commissioner said.

Websites and third parties, such as advertisers, often record users' online behaviour in order to serve personalised content, such as adverts, based on that behaviour. Websites can use a number of methods to collect user-specific data, including through the use of 'cookies' - small text files that remember users' activity on websites. Operators sometimes pass on information stored in cookies to advertisers so that they can serve behavioural adverts based on users' activity and apparent interests.

In June 2011 Kroes set European companies a deadline of a year for developing a standard that would enable internet users to control the tracking of their online activity through cookies.

"The standard must be rich enough for users to know exactly what compliant companies do with their information and for me to be able to say to industry: if you implement this, then I can assume you comply with your legal obligations under the Privacy and Electronic Communications Directive," Kroes said at the time. She warned internet firms that she would "not hesitate to employ all available means to ensure our citizens' right to privacy" if a standardised system for indicating user consent to their online activity being tracked was not agreed within the year, although she appears now to have softened from that view.

In 2009 the EU's Privacy and Electronic Communications Directive was changed to demand that storing and accessing information on users' computers was only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example. The Directive's amendments were introduced into UK law through changes to the UK's Privacy and Electronic Communications (ePrivacy) Regulations, with the Information Commissioner's Office (ICO) tasked with monitoring compliance and enforcement of the rules.

In her latest speech Kroes said that the "responsible authorities" across the EU are "looking at how to enforce these ePrivacy rules" and that, "before the end of the year", she would ask the Article 29 Working Party, which is a committee made up of representatives from privacy watchdogs from across the EU, to provide its views on the issue.

Kroes said that there should be a "discussion" that takes account of "the legal requirements" and the "state of the [DNT] standard" on what website operators and advertisers need to do beyond recognising DNT settings in order to obtain valid cookie consent. That discussion should involve both "providers" and enforcement authorities, she said.

Kroes raised specific "concerns" about the standardisation work, stating that it was "crucial" that users are "informed about default settings in their software and devices" at the point of "installation or first use" of their browsers.

"Users must be informed about the importance of their DNT choice," she said. "They must be told about any default setting; and prompted to keep or to change it. Because without that, most users aren't making an informed choice."

Kroes also said it was "troubling" and "undesirable" to hear that the DNT standard may allow for users' privacy choices to be disregarded.

She added that the circumstances in which website operators and advertisers would be allowed to serve website users with cookies in spite of turned-on DNT settings "should be limited; and justifiable". Exceptions currently proposed that would allow for cookies to be served, for example, for "market research" purposes even where DNT controls are enabled, are "extremely broad" and they need to be much more clearly defined, Kroes said.

The Commissioner said that those involved in DNT standard discussions "need to find a good consensus – and fast", and specifically called on US firms to be mindful of EU rules on cookies.

"Failing to deliver [a DNT standard] would mean everyone loses. Users miss out on an easy way to protect their privacy, websites miss out on a simple and user-friendly way to comply with consent requirements. And, ultimately, advertisers lose out, too," she said. "I am convinced that a rich standard is still possible ... I realise it may take a few additional months, but it is still, at the moment, the best outcome for everyone."

Earlier this year W3C outlined proposals stating that DNT controls should not be set by default. Instead, it said internet users would have to provide their "explicit consent" to activate them.
