Act Now - The Cookie Monster is Coming
Act Now - The new rules relating to the placement and storage of tracking information on online devices (AKA – the new “Cookie Law”) for businesses with European consumers
The new Cookie Law imposes fresh challenges for businesses increasingly using Cookies and similar online tracking technologies to improve their e-commerce offerings. The new Cookie law will be of great interest to e-commerce players (including financial services companies, electronic marketers, social and games application makers and providers and online gaming companies) that offer intensive data or transaction driven services heavily reliant on Cookies to support a wide range of online services, functions and advertising requirements.
It should also be of particular note to online companies established outside of the European Union (e.g., American companies, since so much of the online commerce, social and gaming innovation developed there is used by European users).
Cookies are files stored locally on computers that contain information about the online activities of the users of the device on which the cookie is stored. The primary revision to the law on Cookies, from which European Union (“EU”) member states will implement member state-specific legislation, is contained in the European Directive (2002/58/EC as amended by 2009/136/EC) on Privacy and Electronic Communications (the “e-Privacy Directive”).
Compliance options range from a minimum of greater provision of information to full opt-in compliance for the use of any Cookies.
ELECTRONIC COMMUNICATIONS NETWORKS
The new law covers the use of electronic communications networks (web-based pages, online applications and application stores, email etc.) to store information, or gain access to information stored, on a subscriber’s terminal. This can therefore include, among other things, any “connected” device (e.g. mobile phones, tablets) and also internet-reliant applications that do not involve web-based interfaces (e.g. iPhone/Android/Xbox/PS3 apps and games).
The salient part of the e-Privacy Directive is Article 5(3) which sets out that consent must be provided to access or store Cookies:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.”
Of concern is the fact that, for the most part, the transfer of Cookies between a user and an application happens without the explicit knowledge of the user. Personal information contained in the Cookies can also be stored in an encoded, machine-readable form, making it hard to fully appreciate what information is being collected by a site.
INFORMATION & CONSENT
The two key areas to focus on are:
- Provision of clear and comprehensive information – details should be provided about what information is collected by Cookies as well as the consequences for the user of allowing Cookies to be transmitted and stored
- Obtaining appropriate consent
Information on Cookies should be clearly available, allowing users to make informed decisions on the use of the applications or sites. Simply amending standard terms and conditions is not considered adequate compliance.
A relatively narrow exception to the consent requirement is contained in Article 5(3) of the e-Privacy Directive, which provides that the requirement:
“shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
In order to become compliant, the following three steps are advised:
Step 1 - Check what type of Cookies and similar technologies you use and how you use them:
- check what data files are placed on user devices, by whom and for what purposes
- analyse which Cookies are ‘strictly necessary’ (i.e. storage of or access to information should be essential rather than reasonably necessary for any site to function effectively) and might not need consent
- stop using Cookies that are unnecessary or have been superseded as the site has evolved
- obtain consent for all other Cookies based on the steps below
Step 2 - Assess how intrusive your Cookies are:
- the more intrusive your activity, the more priority is needed to obtain meaningful consent
- ‘how intrusive’ an activity is will depend to some extent on the view taken by the user
Step 3 - Inform users that Cookies are used, what personal data Cookies collect and how it is used:
- where you need consent, decide on the best solution to obtain consent in your circumstances
- text concerning Cookies should be sufficiently full and intelligible, enabling individuals to clearly understand the potential consequences of allowing the Cookies should they wish to do so
UNDERTAKE A COOKIE AUDIT
In order to meet the compliance requirements ecommerce and online operators should undertake the following audit:
- Assess whether the e-Privacy Directive applies to their use of online applications
- Internally audit online applications to analyse the type of personal data collected both implicitly through Cookies and explicitly through the application (consider complex or dynamic applications with multiple levels of system architecture and functionality as well as third party code content)
- All Cookies should be reviewed to ensure there is still a business case for their application and use within the business strategy. Of those that are still valid, group them into relevant user-based situations (such as ‘front-page load’, ‘user login’, ‘shopping cart checkout’ etc.) and ensure all aspects of the personal data collected are listed and, where necessary, rewritten into layman’s terms
- If particular Cookies record very sensitive user data (e.g. medical history), consider the use of an explicit opt-in feature
- Ensure that third parties who may provide hosting services, content, Cookies, or ancillary applications or services to your customers are aware of the relevant restrictions (and if possible seek indemnities for data protection breaches by the same) regarding the collection of personal data and compliance with the e-Privacy Directive
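As an added example (not part of the original article), the following Python script carries out the Step 1 classification and the audit above over a constructed set of Set-Cookie headers: who sets each Cookie, whether it persists, what it is for, and whether it falls under the ‘strictly necessary’ exemption or needs consent. The site domain, the captured headers and the purpose register are assumptions; a real audit would fill the register from the business-case review.

```python
# Added example: a minimal Cookie inventory for the audit described in the text.
# Input is a constructed list of Set-Cookie headers as captured from one page
# load of a hypothetical site; the purpose register and the "strictly necessary"
# flags are assumptions that the auditing business would fill in itself.
from http.cookies import SimpleCookie

SITE_DOMAIN = "example.com"  # assumed first-party registrable domain

# Constructed: Set-Cookie headers observed on the landing page and checkout.
CAPTURED_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "cart=3items; Path=/checkout; Max-Age=3600; Secure",
    "_ads_uid=u-98765; Domain=.adnetwork.example; "
    "Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "legacy_theme=blue; Max-Age=31536000",
]

# Assumed purpose register: name -> (purpose in layman's terms, strictly necessary?)
PURPOSE_REGISTER = {
    "sessionid": ("keeps the user logged in", True),
    "cart": ("remembers basket contents during checkout", True),
    "_ads_uid": ("third-party advertising identifier", False),
}

def classify(header: str) -> dict:
    """Describe one Set-Cookie header: who sets it, how long it lives,
    what it is for, and what the audit should do about it."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    domain = morsel["domain"].lstrip(".") or SITE_DOMAIN
    first_party = domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN)
    persistent = bool(morsel["max-age"] or morsel["expires"])  # else session-only
    purpose, necessary = PURPOSE_REGISTER.get(
        name, ("unknown: no business case recorded", False))
    if name not in PURPOSE_REGISTER:
        action = "remove or document"          # superseded / unjustified cookie
    elif necessary:
        action = "exempt (strictly necessary)"  # Article 5(3) exception
    else:
        action = "consent required"
    return {"name": name, "set_by": "first party" if first_party else domain,
            "persistent": persistent, "purpose": purpose, "action": action}

def audit(headers):
    return [classify(h) for h in headers]

if __name__ == "__main__":
    for row in audit(CAPTURED_SET_COOKIE):
        print(row)
```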
ENFORCEMENT AND PENALTIES FOR NON-COMPLIANCE
EU member states will adopt varying options in order to enforce the new law. In the UK, for example, there is a limited appetite for any monetary penalty (although this penalty exists), yet a number of options for enforcement have been outlined, which include the use of information notices, undertakings and enforcement notices. Initially, the focus will likely be on the most intrusive Cookies and situations where there is a clear privacy impact on individuals.
The UK Information Commissioner’s Office (“ICO”) has published guidance discussing implementation and enforcement of the new law. This may provide a useful analysis for other EU member states.
Generally, for the data protection laws of a particular country to apply to the collection of personal data by means of an electronic application, the collecting entity or data controller (usually the application provider) is required either to be incorporated or physically present in that country or to use equipment within that country. At EU level, the view has been expressed that the placing of a Cookie on the online enabled device of a European user can amount to the use of "equipment" within the relevant EU member state.
While US lawmakers have shown little interest in legislating prior consent for Cookies, an approach consistent with the US view on privacy, the Federal Trade Commission (“FTC”) has exercised its authority to regulate unfair and deceptive trade practices. Enforcement actions have been brought against websites that have, in the FTC's view, misused cookies.
In conclusion, we note that the issue of Cookies and online privacy is very much on the agenda of the world’s leading economies.
It is noteworthy that the changes brought about by the new Cookie Law are largely an outgrowth of the Data Protection Directive adopted across the EU in 1995. The major issue with this legislation, however, is that member states implemented their own specific laws following the Directive, leading to a lack of harmony in this area across Europe.
In January of this year, the EC published a first draft of a new legislative package intended to harmonise the data protection laws across the EU member states (to avoid an unnecessary patchwork of law and guidance, and to update them to address the new technological realities). In the long term, the hope of the EU Justice Commissioner Viviane Reding is that: “A strong, clear and uniform legal framework at EU level [that] will help to unleash the potential of the digital single market and foster economic growth, innovation and job creation”. Many people hope so. The hope is also that the EU legislators will spend significant time listening to a wider range of commercial and civil organisations, industry advisors and other stakeholders to ensure the legal framework is also practical, a consideration that often appears to be left out of the product of the European legislative process.
Please contact firstname.lastname@example.org if you would like advice on your European Data Protection strategy and experienced multi-country support and documentation for a compliance refresh (or compliant roll-out) of your online games, applications or sites.