Cookies are also used by many websites to track users’ behaviour. These are often implemented by third parties (and are thus known as “third-party cookies”) and track users’ activities including their movement around a particular website, but also certain preferences they demonstrate. Cookies of this type are commonly used in advertising. Anyone who has had the somewhat eerie experience of searching for something, for example “ancient Rome”, one day and being faced with endless flashing advertisements for “City Breaks in Rome!” for days after will be providing a home for such cookies on their computer.
At present, the law within the EU requires users to opt-out of receiving cookies. Users are required to adjust their internet browser settings to block cookies. This, of course, can hamper the functionality of certain websites if not done correctly although the latest versions of the mainstream internet browsers (for example, Chrome, Firefox, Internet Explorer, Safari and Opera) allow users to be more selective about which cookies are permitted and which are blocked, giving the choice to block third party cookies alone or, in some cases, the facility to install specific lists of barred cookies.
Taking effect on 26th May 2011 the law regarding cookies within the EU will change. Rather than leaving users to opt-out, EU-owned websites must require users to opt-in where third-party cookies are involved. Given the large number of cookies used by some websites this may seem extreme, but under a strict interpretation of the new law, users must be asked for permission before placing such cookies.
The reason for this change in the law is to regulate third-party cookies and the use of users’ private data without consent. It should be noted that private data in this sense does not necessarily extend as far as personal data as defined by the Data Protection Act, but rather a user’s browsing habits and certain of their activity around the web.
The truthful answer to that question is “nobody really knows”. This change in the law has been a long time coming yet guidance is still somewhat sketchy. The Information Commissioners’ Office (“ICO”) recently published its guidance; the substantive elements of which are incorporated in this information. Commentators from within the industry and many lawyers have also offered speculative guidance.
There are, at present, two principal schools of thought. The first suggests that a user opts-in and gives consent to cookies simply by virtue of their internet browser’s privacy settings. In other words, nothing changes from the current opt-out system. The EU Regulation which implements the new law tells us that this may be acceptable, yet the Directive upon which the Regulation is based says nothing of it.
The principle problem with this argument is that many internet users do not even know what a cookie is, let alone how to adjust their privacy settings. Therefore informed consent (or even implied) is hardly being given as required by the law. Clearly many users do not know how to opt-out; hence those same users cannot possibly have wilfully and knowingly opted-in. The ICO’s guidance, and indeed that provided by many other commentators suggests that, at least at this stage, browser settings may not be enough.
The second school of thought suggests that any websites providing cookies which do not fall within the exceptions outlined above must provide some form of pop-up or landing page expressly requesting consent. Unfortunately, immediate issues arise here too. From a website owner’s perspective this has the potential to incur the cost of hiring web developers to update their websites and, from a user’s perspective, the internet is already plagued with intrusive pop-ups which, in turn may have a negative impact on the website’s traffic. “Do we really need even more pop-ups?” “And what is a tracking cookie anyway?” “Who is this third party?” “Is it watching me?” “Is this violating my privacy?” “Maybe I shouldn’t use this website” “Yes, I’ll go somewhere else that’s safe”.
Indeed the potential for annoyance and confusion is high, as is illustrated somewhat sarcastically (yet also believably) by the following website from David Naylor: EU Cookies Directive Interactive Guide.
One may even go so far as to speculate that it would not be long before more knowledgeable internet users begin to develop “cookie consent pop-up killer” browser extensions in order to speed up and clean up their browsing experience. Notwithstanding these obvious and annoying real-world implications, the majority of legal (as opposed to technical) commentators seem to suggest that this is the preferred option.
Questionably so. The latest browsers are making it easier to block unwanted cookies whilst continuing to allow those which are important (and unaffected by the Directive), however they still rely upon users having a certain degree of knowledge. That said; certain browsers such as Apple’s Safari (including the mobile versions used on iOS devices) block third party cookies by default. Other mainstream browsers allow the blocking of third-party cookies (whilst continuing to accept first-party cookies so as not to disrupt the functionality of websites), however their default settings, for now at least, allow them. Many speculate that other browsers will soon follow suit (Though one must ask, would Google – a notable user of cookies – actually wish to hamper their own services with their in-house browser, Chrome?).
That depends upon how tolerant your visitors are. The ICO and other legal commentators have suggested that the browser settings option does not satisfy the requirements of the law whereas the pop-up / landing page option does. The wording of the Regulation notwithstanding, this would certainly appear to be the case as the Regulation’s reference to browser settings must surely be interpreted in light of the fact that, until third-party cookie blocking is the norm, many users will be reluctant to “tinker around under the bonnet”. However with so much emphasis on a positive, uncluttered end-user experience on the internet and a clearly demonstrable end-user dislike for pop-ups and other similar intrusions there is a compelling argument to be made that suggests that users will be more bothered that your website keeps asking them questions than they would be by the fact that advertisements seem to magically know what they are interested in.
As for obtaining consent it is recommended that you simply use good judgement. This law unreasonably, in our opinion, puts businesses between a rock and a hard place and it is certainly proving unpopular with the technical community. Indeed, a Google search for “stupid EU law” reveals many results about this very subject. The ICO’s guidance advises businesses to “decide what solution to obtain consent will be best in your circumstances” which, with respect, is somewhat unhelpful. Moreover, despite including the text of the regulation on page 3 of their guidance, page 5 tells us that “one of the suggestions…is that browser settings are one possible means of getting consent…” seemingly ignoring the text of the Regulation which appears less than two pages prior. The guidance also suggests that most browsers’ settings are not yet sophisticated enough to allow users to block third-party cookies. We would respectfully argue that this is wrong. Browsers do allow the blocking of such cookies; however it is perhaps more their default settings and users’ own knowledge which are a cause for concern.
The ICO guidance represents, at present, the official line on the new EU cookie law. It makes it clear that website owners cannot simply sit back and do nothing; but also suggests that there will be something of a transitional period while everyone (including the government) works out how best to comply with this law. The ICO guidance is available here.
It is likely that further commentary will emerge from official, legal and technical sources as the new law settles in after its entry into force on 26th May. Simply-docs will keep you up-to-date with any important developments.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.