The myriad banners, pop-ups, splash screens, cookie control buttons and other notifications that adorn many European websites have become an increasingly familiar sight since the arrival of the "Cookie Directive" in 2011 (Directive 2009/136/EU). The Cookie Directive requires website operators to obtain Internet users' consent to storing cookies on their devices. While national regulators have provided guidance on "consent" in relation to the various types of cookies available, the question of how actually to obtain consent in practice is still hotly debated. In an attempt to answer that question, the EU's Article 29 Data Protection Working Party (the "Working Party") published guidance on obtaining consent for cookies as Working Document 02/2013 on 2 October 2013 (the "2013 Guidance")1.
For those unfamiliar with the Working Party, it is an independent European advisory body on data protection and privacy and it comprises representatives from each Member State's data protection regulator. Its guidance and Working Documents are not binding, but they are influential. They can also give a useful indication of the approach to enforcement that national regulators may take.
The 2013 Guidance refers to and builds upon previous Working Party guidance in this area, including advice more generally on "consent" in the context of data processing under the "Working Party's Opinion 15/2011 on the definition of consent". Opinion 15/2011 stated that genuine consent must:
- contain "specific information" about the relevant data processing;
- be given "before the processing starts";
- involve "active behaviour" from the user; and
- be "a real choice freely given".
Applying these requirements to cookies, the Working Party's advice on obtaining consent to cookies is as follows:
The user should be presented with a "clear, comprehensive and visible" notice containing all necessary information about the different types or purposes of cookies being used by the website (including in relation to third party access to data collected by the cookies). This should be presented on entry to the website. For example, this might be via a prominent link to a dedicated location. The Working Party does not expand on what might be considered "prominent", so website operators still have scope to argue font size and page position with national regulators.
The 2013 Guidance unequivocally states that a user must consent "before cookies are set or read" (except for any cookies that do not require a user's consent). Such a requirement may be straightforward in principle, but may be more difficult technically to achieve in practice, particularly if one accepts that "blanket" consents are inappropriate (see below on "Real Choice").
The 2013 Guidance states that consent must be given by a "positive action" or other "active behaviour" from which a website operator can unambiguously conclude it means specific and informed consent. How "active" the consent has to be has always been the most contentious part of the Cookie Directive and the principal difference from the previous law. Suggested examples of compliant behaviour include "clicking on a button" or "ticking a box". Conversely, the Working Party rejects the idea that active consent can be achieved by a statement or link to "more information on cookies".
Whether a user can indicate consent by selecting cookie preferences in his Internet browser is touched upon briefly, but the Working Party has not changed its opinion from three years previously. Back then, it concluded that accepting browser settings as consent would be acceptable only in very limited circumstances because the average data subject is unaware of how to use browser settings to reject cookies. The Working Party suggests that browser settings can only be relied upon if the website operator "can be confident that the user has been fully informed and actively configured their browser". Unfortunately, this seems to require such a level of mind reading on the part of the website operator that any attempt to rely on browser settings will always be on shaky ground.
The Working Party advances no elegant solutions itself, but appears to have rejected the more relaxed approach to implied consent that has found favour with website operators and even the UK regulator, the Information Commissioner's Office.
Although some users might appreciate this option, it is another onerous obligation to place on website operators. It might also suggest a lack of understanding by the Working Party of the technical difficulties involved. Effectively, website operators may end up not only having to produce two versions of their websites – one with, and one without setting cookies – but will also have to build additional versions to cater for the different possible combinations of cookie settings. Some websites have already started offering these settings within the website, but not every operator will have the resources to do so and may, in any case, be reluctant to do so if it interferes with the user experience or the smooth navigation of the website.
Taking the biscuit?
Many observers will be disappointed by the 2013 Guidance, as it looks toward a much more granular approach to cookies rather than broad, practical, industry-friendly measures.
And are ever more granular controls what the public wants? Does anyone really want to click actively through an entry page on every European website they visit? The ICO's annual report shows that cookies are not a big issue for most consumers. Last year in the UK there were 685 complaints about cookies compared with 155,425 complaints about telesales and spam text messages2. Of course, this might just stem from ignorance of the issues. In its survey of over 2,000 Internet users at the end of last year3, the UK's Internet Advertising Bureau found that only 37% could correctly identify the basic definition of a cookie from a multiple-choice question. Around half, however, wanted "to know more about cookies and online privacy".
Persisting with the "tick-box" approach to accepting cookies is likely to move us further away from achieving consensus across all Member States. Moreover, by continuing to demand the heavy regulation of cookies, there is a real risk that consumers' privacy will be harmed instead. Demonising cookies could drive advertisers and websites in need of advertising revenue into the hands of more invasive techniques like "digital fingerprinting", which is the collection of benign browser characteristics to track users across websites without having to store any data files on users' machines.