Out-Law Analysis 5 min. read

UK passes buck on Europe's cookie law with copy and paste proposal


OPINION: The Government has let businesses down by refusing to clarify a law on cookies that has privacy regulators and advertisers at loggerheads, leaving publishers languishing in the middle, unsure whether their advertising is lawful or not.

This week the Government had the chance, when transposing EU law into UK law, to find a way to provide UK firms with much-needed clarity, but it passed it up. Instead it will write Brussels-authored confusion into UK law, word for word.

OUT-LAW reported yesterday that the Department for Business Innovation and Skills (BIS) has launched a consultation on its plans for implementing a suite of five EU Directives, known collectively as the European Electronic Communications Framework.

One of these Directives amends the existing Directive on Privacy and Electronic Communications. The new law includes an Article that demands that websites get every visitor's prior consent before sending cookies to their machines.

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.

This law, which is not yet in force across Europe, immediately appeared to hamper the prospects for advertisers, in particular the serving of behaviour-based ads, which tend to generate more clicks and more income for publishers.

The EU law is not just bad for business: it is bad for consumers too. It adds small-print, clicks and confusion without improving privacy in any meaningful way. I have written before that the new EU law is a shambles.

The Article that demands prior consent appears to be qualified by a Recital that says: "Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user's consent to processing may be expressed by using the appropriate settings of a browser or other application."

A recital (a context-setting introduction to a Directive) is not meant to qualify an  Article (a rule of the Directive) yet this one appeared to do just that. So businesses were left to wonder: can we rely on the cookie settings in a user's browser to indicate consent, or do we need to ask them a question about cookies when they visit our site?

The advertising industry is adamant that you can rely on cookie settings. It has relied on that recital as justification for saying that cookie settings indicate consent. Privacy watchdogs disagree. They have pointed out that most browsers accept cookies by default. "It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes," said the Article 29 Working Party. In their view, to comply with this law, visitors should be asked a question about cookies.

This is a muddle. It is not one that BIS could resolve.

If BIS deviates too far from the wording of the Directive, to pass a UK law that makes compliance straightforward and consumer-friendly, it risks infraction proceedings in Europe for failing to transpose the Directive into UK law properly. It also runs the risk that other countries in Europe will transpose the Directive differently – giving businesses the headache of having to detect a website visitor's home country to decide whether or not to present cookie questions. 

So the easiest thing for BIS to do is to copy and paste the Directive into UK law and let someone else sort out the ambiguity. That is what it proposes. Frustratingly, though, it has not acknowledged that any problem exists. Instead, BIS appears to suggest that the Directive was nice and clear in the first place.

"The internet as we know it today would be impossible without the use of […] cookies," says BIS. "Many of the most popular websites and services would be unusable or severely restricted and so it is important that this provision is not implemented in a way which would damage the experience of UK Internet users or place a burden on UK and EU companies that use the web."

"The Directive acknowledges this by saying that consent is not required when the cookie is strictly necessary to deliver a service which has been explicitly requested by the user," it says.

That much is true; but that is not the problem for businesses in complying with this Directive. The problem is that they want to serve some cookies that may not strictly be necessary for the delivery of a service requested by the user, to make their advertising more effective.

Businesses consider this harmless to the user's privacy, but they fear that if they ask permission, at best they will interrupt the user experience at their website, at worst the user will refuse them permission to serve targeted ads and their business will suffer.

A business might argue that its website is free to use only because it is supported by advertising. If cookies are used in the serving of that advertising, can that business argue that the cookies are "strictly necessary" for the delivery of the website? Probably not, in my view, but it is an issue that BIS has avoided altogether.

"Given the fast-moving nature of the Internet, it would be very difficult to provide an exhaustive list of what uses are strictly necessary to deliver a particular online service and if we implemented in this way it would risk damaging innovation," BIS said. That sounds like a cop-out.

"We therefore propose to implement this provision by copying out the relevant wording of the Article, leaving ICO [the Information Commissioner's Office] (or any future regulators) the flexibility to adjust to changes in usage and technology," says BIS. "Recital 66 of the amending Directive provides useful clarification of the Article text. We are considering including appropriate elements of this in the implementing regulations."

Regurgitating the Directive's wording, without any further guidance, is not helpful. Recital 66 does not provide useful clarification of the Article text. If it was useful clarification, there would not be a disagreement between the advertising industry's trade body and the Article 29 Working Party on the question of whether or not websites have to ask visitors questions about cookies.

So the Government has missed the first opportunity to clarify this law. It has passed the problem down the line to the ICO. Businesses must await guidance from the ICO, which may or may not match the guidance of the Article 29 Working Party.

It would have been a brave move for BIS to propose legislation that provides clarity and risk those infraction proceedings. But the Government has done this before. BIS could have supported explicitly the view of the IAB or the privacy regulators, or it could have suggested a fresh interpretation of Recital 66.

A less courageous move might be to transpose the Directive word for word, maximising the prospect of harmonised confusion across the EU, but mitigate the problems by providing guidance on what the Government thinks the law actually means. Weaker still: avoid the guidance, but acknowledge the problems that exist. Instead, BIS has fudged the whole issue. There's no problem here, folks. Move along.

If your business is affected by this issue, you can share your views with BIS by responding to its consultation paper (74-page / 377KB PDF).

By Struan Robertson, editor of OUT-LAW.COM. The views expressed are Struan's and do not necessarily represent those of Pinsent Masons. You can follow Struan at Twitter.com/struan99.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.