Planned 'cookie law' update will exacerbate problems of old law – expert

Newly proposed reforms to EU ePrivacy rules could exacerbate problems that stem from existing rules governing the use of "cookies".

The plans, outlined by the European Commission earlier this year, would not resolve the problem businesses currently have in finding mechanisms for obtaining device users' consent to cookies that do not disrupt the user experience, and instead could further complicate compliance for businesses as well as introducing new risks for software providers.

The envisaged timetable for the reforms to be in force – 25 May 2018 – is tight, however, and risks EU law makers rushing through new laws that are flawed.

'Cookie law' problems

The failings of the existing "cookie law" were noted even by the European Commission, which said that the consent rules for cookies had "failed to reach its objectives" since "end-users face requests to accept tracking cookies without understanding their meaning and, in some cases, are even exposed to cookies being set without their consent". It also admitted that meeting the consent requirements "can be costly for businesses".

Yet some of the problems that the Commission has identified could be exacerbated with its new proposals, and new problems created.

What does the Commission draft say?

The Commission's proposed ePrivacy Regulation would ban the use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned, unless a listed exception applied.

However, exceptions allow businesses to deploy cookies etc, in line with those rules, namely if:

necessary to transmit electronic communications over electronic communications networks; the end-user had given consent; necessary to provide an information society service – generally, an online service – requested by the user; or necessary for the provider of a requested information society service to measure web audience – meaning that first party third analytics are permitted, but not third party analytics conducted using another organisation's analytics services.

The proposal would also prohibit the collection of information emitted by terminal equipment to enable it to connect to another device or to network equipment, unless an exception applied. This includes IP addresses and MAC addresses and, for mobile phones, IMEI and IMSI information.

Collection of such "emitted" information would be permitted in one of two circumstances. It would be permitted:

to the extent necessary to establish a connection; or on displaying a clear and prominent notice outlining at least the "modalities" of the collection, its purpose, who's responsible for it, and all other information required to be provided under the General Data Protection Regulation (GDPR) where personal data are collected, as well as how the terminal equipment's end-user can stop or minimise the collection.

The "notice" exception is intended to cover the use of "beacon technologies" over Wi-Fi or Bluetooth networks, for example, to track people's locations through their mobile devices: "scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. [or] to send commercial messages to end-users, for example when they enter stores, with personalised offers"

The collection of such "emitted information" is "conditional on" the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as required under the GDPR in relation to personal data.

The scope of these provisions is broad. Businesses should note that the provisions apply to 'information' that is non-personal as well as personal data.

In addition, 'terminal equipment' could refer not only to telephones and computers, but also tablets, smartphones, connected autonomous vehicles, internet-connected wearables and other 'internet of things' (IoT) devices. This includes telematics boxes added to cars that enable connectivity.

The main problems with the new 'cookie law' proposals

Some of the Commission's wording lacks clarity. Other parts are not technologically neutral. Obtaining valid consent would also become more challenging, and everyday activities with smartphone devices and other popular devices could be deemed to be infringing the new rules. This could lead to unintended consequences.

For example, the provisions could be interpreted as meaning that anyone who picks up their friend's smartphone and takes and emails a photo without the friend's consent is in breach of the Regulation, as that involves use of the phone's storage and processing capabilities. There is no "only personal or household use" exemption under this Regulation, as there is under the GDPR.

Processing of "electronic communications data" in breach of the new "cookie law" provisions is subject to a fine of up to €10 million, or, for organisations, 2% annual turnover if higher. It plainly does not make sense for someone taking and emailing a photo with their friend's smartphone without the friend's consent to be exposed to a fine or to compensation claims for the "damage", which includes "non-material damage".

It is also unclear whether a fine is available only when electronic communications are involved, but not otherwise: for example, if taking a photo using a friend's smartphone without their consent, but without emailing the photo.

Furthermore, the exception for use of cookies for 'web audience monitoring' is not technologically-neutral; indeed, it is already outdated. The exception – which is critical for analytics purposes – is clearly website-centric, and would not apply, for example, to measuring the usage of smartphone apps or IoT devices such as wearables, as those do not involve any "web audience".

In relation to the exception of consent to the collection of information from users' terminal equipment, the definition of consent follows the GDPR's. The GDPR sets stiffer requirements for organisations wishing to rely on consent as a valid means to process personal data.

E-communications software

With its proposed new ePrivacy Regulation, the Commission envisaged that consent to cookies could be gleaned from web browser settings by "centralising the consent in software such as internet browsers and prompting users to choose their privacy settings", which it thought would allow business websites to eliminate cookie banners/notices, "leading to potentially significant cost savings and simplification".

Clarification that software settings may be used to indicate consent is a very positive step from this perspective. However, the way in which this intention has been worded could lead to further problems.

Allowing software settings to signify consent is one thing; but requiring software to provide certain settings goes a step further, possibly too far. Privacy by design and default, which is required under the GDPR for personal data, should be a living concept, allowing flexibility in its implementation; this proposed Regulation sets in stone some very prescriptive obligations.

Under the proposal, web browsers, and other software that "permits electronic communications", must "offer the option" to "prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment", and "upon installation" must inform users of its privacy settings options, and risks, and require users to select a particular setting before proceeding further. Software already installed when the Regulation takes effect must comply on its first update or by 25 August 2018 if earlier.

The Regulation's broad wording is apt to apply to email software, messaging/chat software, internet call software, smartphone apps, and perhaps even router software and IoT firmware, as all these "permit electronic communications". Having a requirement for pop-ups on the installation of email/chat software, and maybe even IoT devices, many of which don't have screens or keyboards, would increase the Commission-acknowledged "unnecessary burden" on consumers and businesses further, rather than alleviating it.

The "upon installation" wording suggests that the software requirements were not meant to cover pre-installed software, like firmware. But if that's the case, there would be a big gap in the Commission's intended protection, as many computers or phones sold to individuals come with much pre-installed software including browsers. Clarification is needed.

A breach of these requirements would expose the "provider" of the software to a fine up to €10 million, or, for organisations, 2% annual turnover if higher. But who is the "provider" of the software? With pre-installed software, is it the computer seller? The computer manufacturer who pre-installed the software? Or neither, because pre-installed software somehow escapes this requirement? If a hardware manufacturer embeds third party software in an IoT device, who is the "provider" then? Is it the hardware manufacturer, the software creator or neither, because pre-installed software is excluded?

The Commission has acknowledged that "additional costs would ensue for some providers of browsers or similar software as these would need to ensure privacy-friendly settings". However, the consequences of its proposal's very broad wording seem bigger than that, and would benefit from further consideration and discussion. In particular, is it the right policy decision to impose obligations and liabilities on software providers as well as those using terminal equipment's processing/storage capabilities or collecting information from such equipment, including the same level of fine – but not on hardware manufacturers? Would these requirements increase the costs of e-communications software?

Alignment with GDPR

The Commission's intention is to closely align the new ePrivacy Regulation with the GDPR. This applies to everything from the fact the new legislation is a Regulation with singular application across the EU and not an EU Directive which would need implementation in each EU member state, to central terms such as 'consent', and the intended date that the new ePrivacy rules would take effect – 25 May 2018, just like the GDPR.

Not long to sort out the mess

The Commission's envisaged timeframe seems ambitious. The GDPR, although a much more detailed piece of legislation, took more than four years to finalise after the Commission's original proposal was published.

A further fundamental underlying issue is, given the GDPR, does the EU really need to regulate privacy in electronic communications separately? After the years of debate on the GDPR, should it not be considered good enough now to cover the privacy risks arising in relation to all forms of communication? Do citizens truly need the prescriptive provisions of the proposed ePrivacy Regulation as well?

It is to be hoped that the problems with the planned new 'cookie law' provisions are addressed as the proposed legislation comes in for scrutiny by MEPs and officials from national governments that make up the EU. The risk, however, is that the short timeframe envisaged for reforms to be set could lead to flaws in the new rules and a lack of clarity for businesses over how to comply – as well as new risks when using many devices only for personal purposes, and possibly more expensive e-communications software.

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.