Today "cookies" are an essential function of many websites seeking to sell products and services to their users. Since their "birth", however, cookies have created privacy issues due to their ability to track user behaviour - and by tracking we mean they know "what you did last night", at least on the web anyway!
With the implementation of the Privacy and Electronic Communications Directive 2002/58/EC (the "Directive"), website operators were finally forced to sit up and take account of our privacy concerns, ensuring that when we use their websites they must tell us in a "clear and comprehensive" manner the "purposes of the storage of, or access to, that information", and ultimately, websites must provide us with the opportunity to refuse such storage of, and/or access to, that information.
We have however moved onto the next generation of cookies, the "Flash cookie" (albeit they have in fact been around now for several years). The newer Flash cookie can potentially store much more information about your browsing activities, but more importantly you can't find them on your web browser, resurrecting the old problem of "does the user know they are there, and how can they get rid?"
An academic study by researchers at the University of California in Berkeley (http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862) has found that over half of the top 100 websites are retaining user information about us through Flash cookies without permission. This will be of particular concern to those who try to delete cookies as a means of keeping their internet browsing patterns private. Flash cookies differ from HTTP cookies (which users can delete on request), in that they remain largely undetected by privacy settings on your web browser such as Internet Explorer or Firefox.
Change of onus
Under the terms of the directive, each "user", a data subject, must be provided with sufficient information about what the cookies are used for (traffic analysis and advertising, for example) to enable them to come to an informed decision and either provide or not provide their “consent”, as set out in the Privacy Directive 95/46/EC and requisite domestic legislation, to the processing of their data.
The EU, however, has brought in a new set of reforms to the Directive* which aim to provide, inter alia, greater regulation of "behavioural advertising", and must be implemented by member states within 18 months. In relation to cookies, the new law states that a user must explicitly choose to opt in to any website which intends to utilise behavioural tracking techniques. This is essentially a quite remarkable move away from how website operators deal with matters currently, where users must expressly opt out of having their browsing habits tracked.
Once the EU's reforms package has been adopted by member states, it will be no longer be sufficient for websites to rely on a user's browser security settings as a means of evidencing a user's consent to the use of all cookies on a particular website (HTTP cookies can usually be administered through a web browser’s preference drop-down); explicit consent must be sought before applying their cookies on each webpage. Whilst it may not be "commercially convenient" to ask users' permission before serving each cookie, it is the most privacy-sensitive approach to the problem. A headache nonetheless, and yet another compliance issue for website providers across the EU.
To get rid of flash cookies and stop more appearing, instructions are available at http://epic.org/privacy/cookies/flash.html.
This article appeared in the February 2010 issue of The Journal.