11/01/2010
Changes to the European E-Privacy Directive, Consequences for Online Advertising
James Brunger, Mark Watts
The attached article was first published in the Privacy & Security Law Report by The Bureau of National Affairs, Inc.
Abstract
European Union amendments to the e-Privacy Directive will require websites to seek consent before placing ''cookies'' (and similar data) on a user's computer. On the face of it, the amendments look like they will cause significant practical headaches for advertisers. This article explores the consequences for online advertising, noting that the impact of the new Article 5(3) of the amendments, if read in isolation, seems onerous, but if Article 5(3) is read in the context of the amending Directive, an entirely different picture emerges. A key but unknown issue is how the amendments will be interpreted as they are implemented independently into each Member State's national law by a 2011 deadline. The conflict between the new Article 5(3) and the wording of Recital 66 greatly enhances the likelihood of inconsistency between the various European implementations, the authors write.
Introduction
Online advertising has continued its rise as the fastest growing advertising medium, with the switch from traditional media continuing to gather pace. In the United Kingdom, the first half of 2009 saw online advertising revenue increase 4.6 percent to £1.75 billion ($2.3 billion), which for the first time was higher than revenue received for television advertising (£1.64 billion ($2.6 billion), down 16.1 percent).[1] The position in the United States appears much the same, with the total marketing share for online advertising revenue expected to have reached 9.9 percent in 2009 (up from 7.6 percent in 2007).[2]
One factor in the rise of new media advertising is undoubtedly the ability to receive passive feedback from consumers about their interests and browsing habits and the success of a particular advertising campaign. However, the tracking of online user behavior by advertisers and brokers for marketing purposes, known as ''behavioral advertising,'' has led to significant debate on whether such practices ought to be lawful and in what circumstances. This has been particularly the case in the European Union, which has recently passed amendments (Directive 2009/136/EC on universal service and users' rights (the ''amending Directive'')).[3]
Cookies
In order to explain the changes to the e-Privacy Directive (2002/58/EC), a directive on privacy and electronic communications, it is necessary to provide a little background about cookies and how they operate.
When you use a web browser to request a particular web page (such as ''contact.html''), the host website can be programmed to include in the response an instruction for your web browser to save on your computer a text file with a particular name and value. This text file is known as a cookie. Your browser will automatically send all cookies stored on your computer associated with a particular website (or to be precise, domain (e.g. bristows.com)) to that website on each subsequent visit. This allows the website to read the values of cookies that it has set. The value will typically include a unique identifier, which will allow the website to recognize you via your web browser. This gives the website a memory enabling it to track when you visit and which pages you access. But it also enables user functionality such as recording which items you have placed in an online shopping basket.
All cookies have an expiration date, after which they will be deleted. By default, cookies are temporary (or ''session cookies'') and will usually be deleted when you close your web browser. However, websites will often override this default and set an expiration date years into the future, meaning the cookies will effectively be stored permanently on your computer (these are known as ''persistent cookies'').
Cookies can be further divided between those that are set by the websites you intended to visit (''first party cookies'') and those set by third party websites (''third party cookies''). Third party cookies are usually stored on your computer because the main website that you have visited directs your web browser to the website of a third party ad-broker (for example, DoubleClick, a subsidiary of Google) in order to obtain advertisements. The ad-broker's website will in turn instruct your web browser to set its third party cookies. As the third party may provide advertisements to thousands of websites (in the first half of 2009, 71 percent of online advertising revenue in the United States was collected by just 10 providers[4]), it can effectively track individual browsing behavior across the Internet.
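As an added illustration (not part of the original article), the Python sketch below classifies Set-Cookie response headers along the two axes just described: session versus persistent, and first party versus third party. The host names, cookie values and reference date are constructed, and the first/third-party test is a simplified suffix comparison.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names are case-insensitive."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime(attrs, now):
    """Return ('session' | 'persistent' | 'expired', remaining whole days)."""
    if "max-age" in attrs:        # Max-Age takes precedence over Expires
        seconds = int(attrs["max-age"])
    elif "expires" in attrs:
        seconds = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    else:
        return "session", 0       # no expiry: dropped when the browser closes
    if seconds <= 0:
        return "expired", 0       # the server is deleting the cookie
    return "persistent", int(seconds // 86400)

def party(page_site, setting_host):
    """'first' if the responding host is the visited site or one of its subdomains."""
    # Simplification (assumption): browsers compare registrable domains instead.
    host, site = setting_host.lower(), page_site.lower()
    return "first" if host == site or host.endswith("." + site) else "third"

def audit(page_site, observed, now):
    """observed: iterable of (host that sent the response, Set-Cookie value)."""
    rows = []
    for host, header in observed:
        name, attrs = parse_set_cookie(header)
        rows.append((name, party(page_site, host)) + lifetime(attrs, now))
    return rows

# Constructed sample: responses seen while loading one page of shop.example
NOW = datetime(2010, 1, 11, tzinfo=timezone.utc)
SAMPLE = [
    ("shop.example", "basket=3f9a; Path=/"),
    ("shop.example", "uid=u-1027; Expires=Tue, 01 Jan 2030 00:00:00 GMT; Path=/"),
    ("ads.adbroker.example", "track=abc123; Max-Age=63072000; Domain=adbroker.example"),
]

if __name__ == "__main__":
    for row in audit("shop.example", SAMPLE, NOW):
        print(row)
```

The output separates the shopping-basket session cookie from the two long-lived identifiers, but nothing in the headers states a cookie's purpose.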
You can disable the automatic setting of cookies by adjusting the privacy settings of your web browser. However, as your web browser cannot determine the purpose of any given cookie, your choice is effectively limited to ''on'' or ''off'' for each website (domain). In practice therefore you cannot block tracking cookies without also blocking any cookies that provide user functionality.
The Original e-Privacy Directive
In 2002, the European Union agreed on the e-Privacy Directive. Among other things, this legislation required Member States to implement restrictions on the use of hidden identifiers to ''trace the activities of the user'' on electronic communication networks. At the same time, the e-Privacy Directive acknowledged that devices such as cookies can be a legitimate tool, such as to analyze the effectiveness of advertising and to verify the identity of users engaged in online transactions.
As a compromise, the e-Privacy Directive directed Member States to put in place a ''notice'' and ''opt-out'' regime. Users must be provided with ''clear and comprehensive information'' about, in particular, why cookies are used on the relevant website (the ''notice'' element). In addition, users must be offered the right to refuse the cookies (the ''opt-out'' element), although there is no direction as to how this should be provided.
The Directive applies to any information that is stored on or accessed from a user's computer, which is very broad. However, narrow exceptions apply for data used solely for electronic transmission (such as an Internet Protocol address) or for a service requested by the user. In practice, therefore, the notice and opt-out requirement applies to HTTP cookies and other cookie-like data such as Flash Local Shared Objects (which are data stored on your computer by Flash software[5] that can be used in a cookie-like manner), web beacons and IP addresses.
Overall, this aspect of the e-Privacy Directive was largely welcomed; it was seen to legalize the use of cookies while providing a degree of consumer protection against hidden tracking.
The Amended e-Privacy Directive
On Dec. 19, 2009, the amending Directive came into force and brought with it a vast array of changes primarily aimed at telecoms and Internet service providers. It must be implemented into the national law of each Member State by June 18, 2011.
Significantly for online advertisers, the amending Directive appears to replace the ''notice and opt-out'' regime with a requirement for prior consent (i.e. notice and opt-in). The new Article 5(3) of the amended e-Privacy Directive states: ''Member States shall ensure that the storing of information . . . in the terminal equipment of a user is only allowed on condition that the [user] concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.'' (emphasis added). If the new Article 5(3) is read in isolation, the switch to prior consent appears significant and might lead to a more onerous regime than the old ''notice and opt-out.''
The Article directs that prior consent should be obtained in accordance with the EU Data Protection Directive (95/46/EC). This defines consent as ''any freely given specific and informed indication'' which, if applied to cookies, could present practical difficulties for advertisers. For example, how should advertisers obtain confirmation of consent without disrupting the user's browsing experience, particularly for multiple and regularly updated cookies, given that consent might be required for each new cookie, and for third-party cookies, given that the user is unlikely to directly visit the website of an ad broker? The constituent elements of consent under the data protection directive are considered in more detail below:
(i) 'indication'
It is generally accepted across Europe that users will not be deemed to have indicated their consent to a privacy policy merely by using that website; wording in the privacy policy that purports to imply consent by use will not overcome this. An informed indication usually requires users to ''do'' something beyond their normal activity, such as clicking on a ''submit'' button or selecting an appropriate tick box next to a short notice explaining what the user is consenting to. Translating this to the cookie arena, prior consent might be obtained via an initial page or pop-up prompting the user to expressly accept or decline cookies before the website allows access to the desired page of the website (much like Facebook employed recently when changing its users' default privacy settings).
(ii) 'informed'
It is well known that the majority of privacy policies are read only by the lawyers and information officers that draft them. The worst privacy policies are often long, legalistic and used to cover issues that do not relate to privacy. To meet the informed requirement, a ''to the point'' notice about the use of cookies might need to be placed (or clearly linked) next to the relevant indication source (i.e. next to the tick box or submit button, etc.).
(iii) 'specific'
Several data protection authorities in Europe have interpreted this to mean that a separate indication (tick box, etc.) must be given by the user in respect of each type of consent sought. It is possible that such authorities could require websites to offer a consent for each cookie, or at least a consent for each type of cookie used by the website: first and third party, session and persistent, etc.
(iv) 'freely given'
Consent is unlikely to be valid if there are negative consequences attached to refusal. Websites might be required to offer full functionality to users even if they refuse consent for tracking cookies (i.e. web browser settings would not be sufficient). However, this would conflict with Recital 25 of the existing e-Privacy Directive, which states that ''access to specific website content may still be made conditional on the well-informed acceptance of a cookie . . .''. The question of ''freely given'' might only be relevant then if a website provides an important service (for example, payment of a utility bill) and is the only or main means for users to access that service.
So, on the face of it, the switch to prior consent in the e-Privacy Directive seems onerous and difficult to implement.
However, if the new Article 5(3) is not read in isolation but in the context of the amending Directive as a whole, an entirely different picture emerges. Recital 66 provides a clear example of what the amending Directive considers to be valid prior consent. It states that: ''where it is technically possible and effective, . . . the user's consent to processing may be expressed by using the appropriate settings of a browser or other application.'' This suggests that prior consent should be considered more flexibly than the rules of prior consent explained above. In particular, it would seem that a valid indication of prior consent can be given through the user's web browser settings well before, or at least implied at the time, a cookie is actually set. In addition, it could be interpreted from the amending Directive that a user does not need to be informed about each individual cookie prior to giving their consent, provided they are sufficiently informed about cookies in general and the ability to block them by changing their web browser privacy settings (although this might cause problems for less well known cookie-like data, such as Flash Local Shared Objects).
Certain Member States and privacy campaigners might argue that the lack of granularity in web browser settings, which fail to distinguish between different types (first party, third party, session, persistent, etc.) and purposes of individual cookies, means they are not technically effective (as Recital 66 requires). It is also true that the recitals of a Directive are not law themselves. However, recitals are often used by national and European judges to interpret the meaning or purpose of a Directive. Overall, it will be difficult for Member States to ignore the existence of Recital 66 and refuse the use of browser settings as a valid means of obtaining a user's valid prior consent to cookies.
Conclusion: Cookie or Death?
Unfortunately, it is hard to avoid concluding that the amending Directive will be at best a mere confirmation of the status quo and at worst a potential pan-European mess.
If the new Article 5(3) is viewed by certain Member States in isolation (with Recital 66 brushed under the carpet), they might implement prior consent in accordance with the standard interpretation of the Data Protection Directive. This could spell bad news for behavioural advertising. An effective reduction in the ability to anonymously track user browsing habits may have negative consequences for free internet services such as Facebook, YouTube and Spotify. These websites rely on the revenue generated from online advertising space, which might be reduced if the primary advantage of online advertising is removed.
However, strict prior consent is only one potential outcome from the change to the e-Privacy Directive. It is equally, if not more, likely that Recital 66 will prevail. If Member States view (as they should) the amending Directive as a whole, their national law (and/or the guidance of their regulators) should make clear that web browser privacy settings are a valid means for users to provide their consent. As most settings allow cookies to be set by default, the new prior consent regime could look very similar indeed to the existing notice and opt-out regime.
It is hard to overestimate how unhelpful it is to have such uncertainty on the face of the Directive. The amending Directive is not directly applicable and must be implemented independently by each Member State into its national law. The conflict between the new Article 5(3) and the wording of Recital 66 greatly enhances the likelihood of inconsistency between the various European implementations. This effectively draws another battle line for European Member States in the ongoing debate as to whether virtually anonymous Internet data such as cookies and IP addresses are personal data. The United Kingdom traditionally adopts a pragmatic approach to online privacy, which suggests that in the U.K., at least, there will be no change to the existing cookie requirements. Advertisers relying on cookie-like data that already comply with these requirements should not have to change their existing practices. However, particularly for advertisers subject to the laws of other European jurisdictions, it is still very much a case of ''watch this space,'' as Member States implement and issue guidance on the changes over the next 18 months.
[1] Internet Advertising Bureau (IAB), World Advertising Research Centre (WARC) and PricewaterhouseCoopers LLP biannual report for half year to June 2009.
[2] US Advertising Spending: The New Reality, eMarketer, May 2009.
[3] See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:EN:PDF
[4] US Advertising Spending: The New Reality, eMarketer, May 2009.
