Online advertising is the fastest growing advertising medium and a key source of income for many online services. An important factor in this growth is the ability of sites to gather information from consumers about their interests and browsing habits which is then used to build up user-profiles so that advertising can be tailored towards them. This practice, known as behavioural advertising, has been the subject of data privacy concerns for some time as the data collected may amount to personal data and be subject to the Data Protection Act 1998. In an attempt to address these concerns the e-Privacy Directive (2002/58/EC) was implemented in the UK on 11 December 2003, which amongst other things regulates the medium via which such information is collected and stored, namely cookies.
Cookies
Cookies are small text files which are implanted by a website onto a user's hard disk when they visit a site and are then retrieved each time the user visits the sites which planted the cookie. They are temporary and will usually be deleted either when the web browser is closed ("session cookies") or upon expiry of the date set by the website accessed ("persistent cookies"). There are two classes of cookies, first party cookies which are placed by the websites you visit, and third party cookies which are set by third party websites, for example an advertising network may use information from cookies from a user's access to one website to show adverts tailored to their specific interests when that user visits a partner website later. The latter can, therefore, track a user's browsing behaviour across the internet.
Currently, privacy settings of web browsers cannot detect the purpose of cookies and only allow the user to choose whether or not they wish to block/allow cookies. It is, therefore, impossible to block tracing cookies alone without also blocking cookies which provide user functionality.
The e-Privacy Directive
Article 5(3) of the e-Privacy Directive stated that cookies could only be used if users were provided with clear and comprehensive information about the purpose of the cookies and were offered the right to refuse them (effectively, a "notice and opt-out" requirement).
On 19 December 2009, however, the Directive was amended and the "notice and opt-out" requirement under Article 5(3) was replaced with a requirement for prior consent from the user (i.e. "notice and opt-in"). The rationale behind the change is to tackle the problem of unwanted software such as adware, spyware and malware (e.g. viruses/trojans) which may be installed on a user's hard drive without their knowledge.
There are two exceptions to the rules which remain unchanged and are when cookies are used to store information which is strictly necessary for the provision of a service explicitly requested by the user (so, for example, a user can be taken from a product to the checkout without the need for consent) or for the sole purpose of carrying out the transmission of a communication over and electronic communications network.
This switch in approach has strongly been criticized by website operators who raise concerns over the effect this may have on website functionality and users' internet experience. Such consent would need to be sought by a pop-up (which is discouraged by the Web Content Accessibility Guidelines 1.0 published on 5 May 1999) or a landing page (with a mass of information and some choices) which would ultimately, slow down and interfere with the downloading process of webpages which at the moment is practically simultaneous with the setting of a cookie.
Article 29 Data Protection Working Party Opinion
Recital 66 to the revised Directive appears to contradict the intention of Article 5(3) by allowing users to indicate their acceptance of the use of cookies by "using the appropriate settings of a browser or other application", which in practice is already happening in the majority of cases.
Conversely, the Article 29 Working Party consisting of a committee of data protection regulators from EU Member States has given an Opinion on the interpretation of the revised Directive which seems to undermine what is stated in the Recital. They contend that relying on a user's cookie setting is insufficient to satisfy the prior consent requirement and that users not blocking cookies cannot be considered to be giving consent. The underlying reason for their view is that average users are not aware of the tracking of their online behaviour and the use of browsers settings to reject cookies so inaction cannot be deemed to be an indication of their wishes.
They argue that informed consent can only be obtained if prior information about the sending and purpose of the cookie has been provided. But that prior consent may be given to advertising networks covering a large number of websites rather than each site individually. Consent is not to last indefinitely and should expire after a year.
Advertisers claim the Working Party's interpretation is overly strict, anti-business and unrealistic and would result in a slump in advertising revenues but the revised Directive must be implemented in the Member States by 25 May 2011 so it remains to be seen how individual Member States will attempt to mitigate the impact of this law in their guidances which are likely to be issued over the coming months.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
