My colleague Sherif Malak has been munching his way through the subject of cookies. We hope you'll find this helpful!
If you’ve sorted through the flurry of guidance and commentary thrown up over the last couple of weeks concerning the UK’s implementation of the changes to the e-Privacy Directive, you would be forgiven for feeling slightly bewildered. As a certain fuzzy blue Sesame Street character might say, “it’s all about the cookie.” The type in question is a small file that is sent to and stored on a user’s terminal (normally via their internet browser) when they access a website; the information in the cookie can later be read back by the website’s server.
These online cookies, like their culinary counterparts, come in a variety of flavours (temporary, persistent, third party) and carry out a variety of different functions (verification, authentication, analytics, behavioural tracking). The new rules apply to all of them, and the UK’s implementation of the amendments to the EU e-Privacy Directive, which came into effect on 26 May 2011, has already been met with a great deal of controversy. So what are the new rules, why such controversy, and where do website providers stand in light of them?
The new rules change the previous ‘informed opt-out’ arrangement to an ‘informed opt-in’ regime, i.e. except for cookies that are “strictly necessary” for the service requested by a user, website providers must obtain users’ consent whenever they wish to store or access cookies on their machines.
But what is consent? The operative provisions are quite ambiguous, in part because the European Parliament only managed to get wording that consent was neither ‘explicit’ nor ‘prior consent’ into the recitals, and not into the operative provisions, of the Directive. The situation wasn’t helped by the Article 29 Working Party’s view advocating prior, specific, informed opt-in based consent.
In its implementation, the UK Government has included part of the recitals to the Directive, the infamous ‘Recital 66’, in the operative provisions of the implementing Regulations which, under 3A, state that “consent may be signified by a subscriber who amends or sets controls on the internet browser.” But hopes that website providers could rely on users’ browser preferences were dashed when DCMS announced in its April open letter that current browser settings would be unlikely to be sufficient to provide consent as things stand. Whilst the Government will be looking to work with browser manufacturers in the near future to improve their privacy settings so that providers can rely on them, in the meantime consent has to be sought in some other manner. The DCMS made clear, however, that where consent for cookies is concerned the Directive does not use the word ‘prior’, and that this did not “preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing.”
So where does that leave things? Cue the ICO, with new guidance and, on the eve of the Regulations taking effect, a somewhat inelegant implementation of the rules on its own website, leaving website developers shivering at the thought of having to use pop-up consent boxes that ominously state “One of the cookies we use is essential for parts of the site to operate and has already been set.”
I won’t go through the ICO guidance here as it is clearly written; however, it does leave many questions unanswered, including what providers should do where third party cookies are concerned. And what of cookies originally set as a first party cookie but subsequently read in a third party context? Cookies that are highly privacy intrusive are likely to need prior consent, but what exactly is needed for cookies that aren’t strictly necessary yet are not privacy intrusive? Where prior consent may not be needed, is prominent notice enough?
Despite this ambiguity, I don’t think all this should be too much cause for concern at the moment. The ICO has made clear that it will provide organisations with a grace period of 1 year to comply with the new rules. Although they must show that they are “taking steps” to comply, the aesthetically displeasing ICO implementation surely indicates that the solution to obtaining consent for cookies is one that lies with the underlying browsing technology, whether that be “browsers” as we know them today or the soon to be commonplace ‘in-App’ browsing functionality on smartphones. Older browsers might require a separate approach, but as web developers adopt new technology, such as HTML5, such exceptions will become far less of a problem. Indeed, Google has already announced that it will be phasing out support for older browsers from 1 August.
Although what the new rules require may still be a little grey, one thing is quite clear: software developers are now on notice, and technology is the clear favourite to resolve this legal ‘problem’. Cookie settings must be built into code and, in anticipation of clear demand for such features, there’s no reason why this new breed of software won’t be with us by the time the ICO grace period expires.
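To make the “informed opt-in” rule concrete, here is an added example (not code from the original post, the ICO or DCMS) of how a site might build the distinction between “strictly necessary” cookies and everything else into its code. The cookie names, the category assigned to each, the hosts and the shape of the consent record are all constructed for illustration; the site’s registrable domain is assumed to be passed in as `pageSite`.

```javascript
// Added example: a consent gate applying the "informed opt-in" rule.
// Strictly necessary cookies may be set without consent; everything else
// waits for the user's opt-in. All names, hosts and categories are constructed.

// Registry of every cookie the site (and the third parties it embeds) sets.
// The category is this example's assumption: 'necessary' cookies are those
// essential to the service the user asked for; the rest need consent.
const COOKIE_REGISTRY = {
  session_id:    { category: 'necessary',   purpose: 'authentication' },
  csrf_token:    { category: 'necessary',   purpose: 'request forgery protection' },
  basket:        { category: 'necessary',   purpose: 'shopping basket' },
  _analytics_id: { category: 'analytics',   purpose: 'usage analytics' },
  ad_profile:    { category: 'advertising', purpose: 'behavioural tracking' },
};

// Same-site check. 'site' is the page's registrable domain (e.g. example.com);
// a host equal to it or beneath it is first party, anything else third party.
function sameSite(host, site) {
  host = host.toLowerCase();
  site = site.toLowerCase();
  return host === site || host.endsWith('.' + site);
}

// Parse one Set-Cookie header value and classify it:
//  - persistent vs session (an Expires or Max-Age attribute is present),
//  - first vs third party (was it set by a host outside the page's site?),
//  - necessary vs consent-requiring (from the registry; unknown = unreviewed).
function classifySetCookie(header, settingHost, pageSite) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? '' : p.slice(i + 1);
  }
  const entry = COOKIE_REGISTRY[name];
  return {
    name,
    persistent: 'expires' in attrs || 'max-age' in attrs,
    firstParty: sameSite(settingHost, pageSite),
    category: entry ? entry.category : 'unreviewed',
    purpose: entry ? entry.purpose : 'unregistered cookie',
  };
}

// May this cookie be set now? 'consent' is the user's opt-in record, e.g.
// { analytics: true, advertising: false }; null means they have not yet been
// asked. Unreviewed cookies are refused so nothing is "necessary" by default.
function cookieAllowed(c, consent) {
  if (c.category === 'necessary') return true;
  if (c.category === 'unreviewed') return false;
  return Boolean(consent && consent[c.category] === true);
}

// Apply the gate to a list of { host, header } pairs, returning the names that
// may be set now and, for the rest, what the site should tell the user.
function gateCookies(setCookies, pageSite, consent) {
  const allowed = [];
  const deferred = [];
  for (const { host, header } of setCookies) {
    const c = classifySetCookie(header, host, pageSite);
    if (cookieAllowed(c, consent)) {
      allowed.push(c.name);
    } else {
      deferred.push({ name: c.name, category: c.category, purpose: c.purpose,
                      firstParty: c.firstParty, persistent: c.persistent });
    }
  }
  return { allowed, deferred };
}

// Constructed sample: a page on www.example.com whose own response and an
// embedded third-party script both try to set cookies before the user answers.
const SAMPLE_SET_COOKIES = [
  { host: 'www.example.com',  header: 'session_id=abc123; Path=/; Secure; HttpOnly' },
  { host: 'www.example.com',  header: 'csrf_token=tok; Path=/; Secure' },
  { host: 'www.example.com',  header: '_analytics_id=u-42; Max-Age=63072000; Path=/' },
  { host: 'cdn.tracker.test', header: 'ad_profile=p9; Expires=Wed, 01 Jun 2012 00:00:00 GMT; Path=/' },
  { host: 'cdn.tracker.test', header: 'mystery=1; Path=/' },
];

const beforeConsent = gateCookies(SAMPLE_SET_COOKIES, 'example.com', null);
const afterConsent = gateCookies(SAMPLE_SET_COOKIES, 'example.com', { analytics: true, advertising: false });
console.log('before consent:', JSON.stringify(beforeConsent, null, 2));
console.log('after analytics opt-in:', JSON.stringify(afterConsent, null, 2));
```

Before the user has answered, only the two session cookies the service cannot work without pass the gate, which is exactly the situation the ICO’s “has already been set” wording describes; the analytics and tracking cookies are held back with their purpose and party recorded so the consent prompt can explain them. Refusing unregistered cookies means a new cookie added by a developer or an embedded third party fails closed until someone reviews and categorises it.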