The volume of digital music services on offer to consumers and the way in which these services inter-relate (e.g. the ability to sign up to Spotify through Facebook) and achieve advertising revenue has brought data protection principles to the fore. For all you music website owners the cookie law is a key consideration and as enforcement will start on 26 May 2012, awareness needs to be raised to ensure you are complying with your online obligations. This article focuses on the cookie law and looks briefly at the situation for Spotify in Germany from a data protection perspective.
The heart of the cookie debate
The cookie debate questions whether websites should collect data about people and their surfing habits that they may not wish to share without first giving consent. Cookies are small files of letters and numbers downloaded onto a device which allow websites to recognise a user’s device. Cookies are used when a website logs users in automatically, or remembers user preferences from a previous visit. They are fundamental to the user’s experience of using mobile phones, social networks and e-commerce.
Websites have until 26 May 2012 to comply with the EU ‘Cookie Directive’, after which the Information Commissioner may impose a variety of penalties, including a £500,000 fine for non-compliance. Central to the success of the cookie law will be the consumer’s awareness of it and, in particular, the all-important icon which allows them to easily opt out of online behavioural advertising. The Digital Advertising Alliance campaign “Your AdChoices” is designed to inform consumers about the way behavioural advertising works. Campaigns raising awareness in turn increase the importance of compliance for digital music platforms.
The new law states that cookies must only be placed on machines where the user/subscriber has given their informed consent. The only exception is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception might apply to a cookie which remembers items ‘added to a basket’ so that the user doesn’t have to find the items again when returning to purchase but the exception is narrow and therefore, in most cases, informed consent must be obtained.
User’s browser settings are a possible means to get user consent. If the user visits your website, you can identify that their browser is set up to allow cookies A, B and C but not cookie D and as a result you can assume that in setting A, B and C you have the user’s consent to do so. You would not set cookie D. However, at present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not all site visits are through a browser – the website may have been accessed using an application on their mobile. The government is working with the major browser manufacturers to establish which browser level solutions will be available and when. One saving grace is that once you have obtained consent for a cookie to be set you will not need to do so each time you use the same cookie (for the same purpose).
Obtaining user consent
There are a number of techniques which websites can employ to obtain the requisite user consent, including pop ups, settings-led and features-led consent. Terms and conditions must make users aware of the changes specifically relating to cookies and then gain a positive indication that users understand and agree to the changes, most commonly obtained by a tick box at first registration/sign up. If your website displays content from a third party that third party may write their own cookies onto your user’s devices.
Music services in Germany
The data protection issue has also arisen recently in Germany, impacting on Spotify’s launch there. The German authorities have requested that Spotify adjusts its business model to comply with Germany’s data protection laws, which are renowned for being among the strictest in the world.
Using Spotify requires users to register using their Facebook account (the option to register via a Spotify account did not seem to be available) and there is concern that users cannot register anonymously or use a pseudonym. The problems stem from a March 2012 ruling by a Berlin court that Facebook's friend finder, which invites users to import email addresses and invite them to join the site, is illegal. The court also found that Facebook’s terms of service are invalid insofar as they seek to give Facebook automatic worldwide rights to use and publish users' content.
Music industry specialists welcome the launch of Spotify as a means to persuade people to listen to and buy music online and tackle the 3 million illegal music downloader’s in Germany. Spotify’s free service relies on the advertising revenue which supports it and interrupts the listener’s experience, meaning compliance with the cookie law is also important. It looks as though Spotify, and other digital services, will have to deal with the data protection aspects before it sees success in Germany.