Feeds

Privacy watchdogs: Silence isn't cookie consent

Thumbs up required

Build a business case: developing custom apps

Advertisers are wrong to say that websites can comply with a new law governing internet cookies by relying on a user's cookie settings, Europe's privacy watchdogs have said. The Article 29 Working Party has published its interpretation of the new law.

Prior consent is required, according to the privacy watchdogs. However, consent can be given to advertising networks covering thousands of websites and need not be given to every individual site, the regulators said.

Cookies are small files that websites send to web browsers to tag visitors. They form the basis of behavioural advertising systems which attempt to tailor adverts to particular demographic groups.

Last year the EU's Privacy and Electronic Communications Directive was changed to demand that storing and accessing information on users' computers was only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though, and the law must be implemented in member states by May 2011.

While advertisers' trade bodies claimed that advertising behaviour need not change, some internet law experts, including Struan Robertson of Pinsent Masons, the law firm behind OUT-LAW.COM, said that website publishers would more likely have to ask visitors' permission before using cookies.

The Article 29 Working Party is a committee made up of the data protection regulators from the EU's 27 member states and it has just published its opinion (pdf) on what this new law means.

Advertisers had argued that because browser software can block cookies, any user who does not block cookies is effectively giving consent.

The Working Party rejected that view.

"Consent must be obtained before the cookie is placed and/or information stored in the user's terminal equipment is collected, which is usually referred to as prior consent," said the guidance. "Informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user.

"Average data subjects are not aware of the tracking of their online behaviour, the purposes of the tracking, etc. They are not always aware of how to use browser settings to reject cookies, even if this is included in privacy policies," it said. "It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes."

The Working Party did not go as far as to say that every single website needs to ask every single visitor to accept cookies, though. It said that because the cookies are used by advertising networks – which provide ads to many sites – then consent can be given to a network and cover all the sites that network serves.

"Users' acceptance of a cookie could be understood to be valid not only for the sending of the cookie but also for subsequent collection of data arising from such a cookie," said the report. "In other words, the consent obtained to place the cookie and use the information to send targeting advertising would cover subsequent 'readings' of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie."

The Working Party said that this consent should expire after a year, and that each ad network should request consent again every 12 months. It also said that the consent could be withdrawn at any time.

Advertisers have rejected the Working Party's definition and claim that it is anti-business and unrealistic.

"The Directive currently does not require an opt-in for cookies. In practice such a requirement would mean that users would have to confirm every single cookie placed on their PCs, leading to a permanent disruption of their Internet experience," said a statement released by the Internet Advertising Bureau Europe, the European Publishers Council and other advertising and publishers' trade bodies.

"The industry believes this is a gross misinterpretation of the intention of the Directive and a misrepresentation of the type of data typically collected and processed for the purposes of serving interest-based advertising to consumers on our websites," said the statement. "The ePrivacy Directive acknowledged that the controls in modern web browsers give users full and granular control over cookies."

“This is an overly strict interpretation of the ePrivacy directive," said Angela Mills Wade, executive director of the European Publishers Council. "If followed by Member States, it would kill any chance of the media building viable advertising revenues online and our serious efforts to give consumers effective control over the use of cookies."

Struan Robertson said, though, that while the new law passed last year was regrettable in terms of the effect on the commercial interests of publishers, it likely means what the Working Party says it means and not what the ad and publisher trade bodies claim.

"The new law is a shambles, in my view. It's ambiguous and potentially contradictory and I would also argue that it's unhelpful not just to businesses but also to consumers," he said. "The IAB had said that publishers and advertisers could rely on browser settings to indicate consent to cookies. The Working Party says you can't. We expected that. It isn't surprising because while the IAB's interpretation of the EU law was commercially attractive, its legal basis was somewhat weak and vulnerable to challenge."

Robertson said that the Working Party's interpretation of the law is more business-friendly than might have been expected because it demands that web users are asked for cookie permissions less frequently than might have been the case. But he said that, though an accurate interpretation of the law, it would still cause problems for business.

"The Working Party is basically saying websites have to ask their visitors a question while the IAB is saying they don't. That's a massive difference," he said. "Advertisers and publishers would rather not ask that question if they can avoid it because the answers could damage their businesses. The trouble is that the Working Party's interpretation of the law is, in purely legal terms, the most compelling interpretation, however flawed and unhelpful that law may be."

The Working Party's report also said that behavioural advertising should be labelled as such. Consumer regulator the Office of Fair Trading reported last month after an investigation into behavioural advertising. It said that behavioural ads should be labelled, and the IAB told OUT-LAW.COM that it is working on a pan-European labelling scheme.

Copyright © 2010, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

The Essential Guide to IT Transformation

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Airbus promises Wi-Fi – yay – and 3D movies (meh) in new A330
If the person in front reclines their seat, this could get interesting
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
Samsung threatens to cut ties with supplier over child labour allegations
Vows to uphold 'zero tolerance' policy on underage workers
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.