26/07/2012

Act Now - The Cookie Monster is Coming

Act Now - The new rules relating to the placement and storage of tracking information on online devices (AKA – the new “Cookie Law”) for businesses with European consumers

 

The new Cookie Law imposes fresh challenges for businesses that increasingly use Cookies and similar online tracking technologies to improve their e-commerce offerings. The new Cookie Law will be of great interest to e-commerce players (including financial services companies, electronic marketers, social and games application makers and providers, and online gaming companies) that offer data- or transaction-intensive services heavily reliant on Cookies to support a wide range of online services, functions and advertising requirements.

 

It should also be of particular note to online companies established outside of the European Union (e.g. American companies, because so much of the online commerce, social and gaming innovation developed there is used by European users).

 

SUMMARY

Cookies are files stored locally on computers that contain information about the online activities of the users of the device on which the cookie is stored. The primary revision to the law on Cookies, from which European Union (“EU”) member states will implement member state-specific legislation, is contained in the European Directive (2002/58/EC as amended by 2009/136/EC) on Privacy and Electronic Communications (the “e-Privacy Directive”). 

 

The e-Privacy Directive has been designed to safeguard consumer electronic privacy by making consumers aware of how information is collected (e.g. when visiting a website or using an online device). It has not been designed to restrict the use of Cookies, but is intended to prevent information being stored on people’s online devices without their knowledge or permission. All organisations using Cookies are required to inform users that they exist, to explain their role and to use specific measures to obtain consent to store and use Cookies.

 

Compliance options range from a minimum of greater provision of information to full opt-in compliance for the use of any Cookies.

 

ELECTRONIC COMMUNICATIONS NETWORKS

The new law covers the use of electronic communications networks (web-based pages, online applications and application stores, email etc.) to store information, or gain access to information stored, on a subscriber’s terminal. This can therefore include, among other things, any “connected” device (e.g. mobile phones, tablets) and also internet-reliant applications that do not involve web-based interfaces (e.g. iPhone/Android/Xbox/PS3 apps and games).

 

The salient part of the e-Privacy Directive is Article 5(3) which sets out that consent must be provided to access or store Cookies: 

 

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.”

 

 

Of concern is the fact that, for the most part, the transfer of Cookies between a user and an application happens without the explicit knowledge of the user. Personal information contained in Cookies can also be stored in an encoded, machine-readable form, making it hard to fully appreciate what information is being collected by a site.

 

INFORMATION & CONSENT

The two key areas to focus on are:

  1. Provision of clear and comprehensive information – details should be provided about what information is collected by Cookies as well as the consequences for the user of allowing Cookies to be transmitted and stored
  2. Obtaining appropriate consent

Information on Cookies should be clearly available, allowing users to make informed decisions on the use of the applications or sites. Simple amendment to standard terms and conditions is not considered suitable compliance.

A relatively narrow exception to the consent requirement is contained in Article 5(3) of the e-Privacy Directive, which provides that the requirement:

“shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

 

This exception is most readily usable by e-commerce sites where the Cookies are necessary to the functioning of the site (for example, the use of Cookies to enable an online shopping cart to remember your choices for when you “check out”). Whether or not, for example, Google will substantially change its “Analytics” service, which tracks information on millions of users for most major website operators (an estimated 57% of the top 10,000 websites use it), remains to be seen. So far we have seen some e-commerce operators reference their use of the Google tracking code as a means of enabling continued use.

 

In order to become compliant, the following three steps are advised:

 

Step 1 - Check what type of Cookies and similar technologies you use and how you use them:

  1. check what data files are placed on user devices, by whom and for what purposes
  2. analyse which Cookies are ‘strictly necessary’ (i.e. storage of or access to information should be essential rather than reasonably necessary for any site to function effectively) and might not need consent
  3. stop using Cookies that are unnecessary or have been superseded as the site has evolved
  4. obtain consent for all other Cookies based on the steps below

 

Step 2 - Assess how intrusive your Cookies are:

  1. the more intrusive your activity, the more priority is needed to obtain meaningful consent
  2. ‘how intrusive’ an activity is will depend to some extent on the view taken by the user

 

Step 3 - Inform users that Cookies are used, what personal data Cookies collect and how it is used:

  1. where you need consent, decide on the best solution to obtain consent in your circumstances
  2. text concerning Cookies should be sufficiently full and intelligible to enable individuals to clearly understand the potential consequences of allowing the Cookies, should they wish to do so

 

Many organisations may seek to rely on an 'implied consent' approach, relying on wording in a privacy policy or cookies statement to the effect that continued use of the website indicates user consent to the placing of cookies. However, there is currently legal uncertainty about whether this approach will satisfy the regulators.

 

UNDERTAKE A COOKIE AUDIT

In order to meet the compliance requirements, e-commerce and online operators should undertake the following audit:

 

  • Assess whether the e-Privacy Directive applies to their use of online applications
  • Internally audit online applications to analyse the type of personal data collected both implicitly through Cookies and explicitly through the application (consider complex or dynamic applications with multiple levels of system architecture and functionality as well as third party code content)
  • All Cookies should be reviewed to ensure there is still a business case for their application and use within the business strategy. Of those that are still valid, group them into relevant user-based situations (such as ‘front-page load’, ‘user login’, ‘shopping cart checkout’ etc.) and ensure all aspects of the personal data collected are listed and, where necessary, rewritten into layman’s terms
  • If particular Cookies record very sensitive user data (e.g. medical history), consider the use of an explicit opt-in feature
  • Ensure that third parties who may provide hosting services, content, Cookies, or ancillary applications or services to your customer are aware of the relevant restrictions (and if possible seek indemnities for data protection breach by the same) regarding the collection of personal data and compliance with the e-Privacy Directive
  • Update the privacy policy, the Cookies policy and the site section and application notifications based on the audit and the chosen implementation plan
  • Create a separate and prominent feature deployed on applications that allows users to easily see relevant information about the collected data and the impact of allowing these Cookies. Once published, place a prominent notice, panel or pop-up (for first time viewers to see) with a link to more details on Cookie policy which disappears (following confirmation the notice has been read)
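As an added illustration of Steps 1 to 3 and the audit above (example code written for this page, not from the original article): a small declared-cookie registry that supports the inventory, flags undeclared cookies, records when consent was given so it can be evidenced, and only lets non-essential cookies be set once the relevant category has been accepted. The cookie names, categories and purposes are assumptions chosen for illustration.

```javascript
// Added example (not from the original article). Cookie names, categories
// and purposes below are assumptions for illustration only.

// Declared registry of the cookies a site sets, grouped by the user-facing
// situation in which they are set (the audit's "front-page load",
// "user login", "shopping cart checkout" groupings).
const COOKIE_REGISTRY = {
  session_id: { purpose: "keeps you logged in", situation: "user login", category: "strictly-necessary" },
  cart:       { purpose: "remembers basket items until checkout", situation: "shopping cart checkout", category: "strictly-necessary" },
  _ga:        { purpose: "third-party analytics", situation: "front-page load", category: "analytics" },
  ad_segment: { purpose: "targeted advertising profile", situation: "front-page load", category: "advertising" },
};

// Parse a Cookie header / document.cookie string into { name: value }.
function parseCookieString(str) {
  const out = {};
  for (const part of str.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Step 1 / audit: list every cookie actually present, with its declared
// purpose, or flag it as undeclared so it can be investigated or removed.
function auditCookies(cookieStr) {
  const present = parseCookieString(cookieStr);
  return Object.keys(present).map((name) => {
    const entry = COOKIE_REGISTRY[name];
    return entry
      ? { name, ...entry, declared: true }
      : { name, purpose: "UNDECLARED - investigate", situation: "unknown", category: "unknown", declared: false };
  });
}

// Step 3: a consent record that stores which non-essential categories the
// user accepted and when, so the site can later show that consent was given.
function recordConsent(acceptedCategories, now = Date.now()) {
  return { accepted: new Set(acceptedCategories), timestamp: new Date(now).toISOString() };
}

// Gate: may this cookie be set under the current consent record?
// Strictly-necessary cookies fall under the Article 5(3) exception;
// everything else needs the user's consent for its category.
function maySetCookie(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false; // undeclared cookies are never set
  if (entry.category === "strictly-necessary") return true;
  return consent !== null && consent.accepted.has(entry.category);
}
```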

 

ENFORCEMENT AND PENALTIES FOR NON-COMPLIANCE

EU member states will adopt varying options in order to enforce the new law. In the UK for example, there is a limited appetite for any monetary penalty (although this penalty exists), yet a number of options for enforcement have been outlined which include the use of information notices, undertakings and enforcement notices. Initially, the focus will likely be on the most intrusive cookies and situations where there is a clear privacy impact on individuals.

 

The UK Information Commissioner’s Office (“ICO”) has published guidance discussing implementation and enforcement of the new law. This may provide a useful analysis for other EU member states.

 

MULTINATIONAL ORGANISATIONS

Generally, for the data protection laws of a particular country to apply to the collection of personal data by means of an electronic application, the collecting entity or data controller (usually the application provider) is required either to be incorporated or physically present in that country or to use equipment within that country. At EU level, the view has been expressed that the placing of a Cookie on the online enabled device of a European user can amount to the use of "equipment" within the relevant EU member state.

 

Organisations with operations in (or applications hosted in) multiple EU jurisdictions or which actively target users in EU jurisdictions will need to comply with the rules of that country on the use of Cookies. These rules may, and are likely to, differ from member state to member state. By way of example, in Holland it is a requirement that e-businesses are able to prove that consumers consented to Cookies being downloaded. Additionally, the use of Cookies for targeted online advertising has been classified as the ‘processing of personal data'.

 

While US lawmakers have shown little interest in legislating prior consent for Cookies, an approach consistent with the US view on privacy, the Federal Trade Commission (“FTC”) has exercised its authority to regulate unfair and deceptive trade practices. Enforcement actions have been brought against websites that have, in the FTC's view, misused cookies.

 

In conclusion, we note that the issue of Cookies and online privacy is very much on the agenda of the world’s leading economies.

 

THE FUTURE

It is noteworthy that the changes brought about by the new Cookie law are largely an outgrowth of the Data Protection Directive adopted across the EU in 1995. The major issue with this legislation however concerns the fact that member states implemented their own specific laws following the directive leading to a lack of harmony in this area across Europe.

 

In January of this year, the EC published a first draft of a new legislative package intended to harmonise the data protection laws across the EU member states (to avoid an unnecessary patchwork of law and guidance, and to update them to address new technological realities). In the long term, the hope of the EU Justice Commissioner Viviane Reding is that: “A strong, clear and uniform legal framework at EU level [that] will help to unleash the potential of the digital single market and foster economic growth, innovation and job creation”. Many people hope so; the hope is also that the EU legislators will spend significant time listening to a wider range of commercial and civil organisations, industry advisors and other stakeholders to ensure the legal framework is also practical, a consideration that often appears to be left out of the product of the European legislative process.

 

Please contact info@ramparts.eu if you would like advice on your European Data Protection strategy and experienced multi-country support and documentation for a compliance refresh (or compliant roll-out) of your online games, applications or sites.

© Ramparts and Ramparts Law 2012