Archive for December, 2011

Time to get to grips with cookies

Posted on December 18th, 2011 by



Without a doubt, figuring out how to comply with the notice and consent requirements affecting the use of cookies in Europe is going to be at the top of the New Year’s resolutions of many data protection officers and privacy counsels.  Despite being a nearly three year old debate, inaction has so far prevailed amongst European website operators to the frustration of the data protection authorities.  A frustration which is only too visible in the latest Working Party Opinion on online behavioural advertising.  We are now well past the deadline to implement these requirements and it is time to start doing something other than burying our head in the sand.

There is no much point in going back to the decision to change the law from notice and objection to notice and consent, unless someone is going to seriously and legally challenge it.  Until that happens, we may as well try and comply with the law.  However, relying on users’ consent to use cookies is a bit like asking people to confirm that they are willing to allow electrons to flow before turning on the light – we don’t fully understand the relevance of moving electrons to lit up a light bulb but we know we don’t want to be in the dark.  So whilst the humble Internet cookie has become a bit of a media star beyond techies and online advertising experts, it is fair to assume that the cookie consent requirement needs a bit of flexibility in its interpretation.

The most obvious way of allowing for that flexibility is to accept that consent will often need to be implied.  An accepted principle under data protection law is that where data processing is not intrusive in nature and there is no foreseeable risk or harm to individuals, the standard of consent required is lower than where the sensitivity of the processing is greater.  So to the extent that the use of Internet cookies has only minimal impact on people’s privacy, it is logical to assume that such use may be based on individuals’ implied consent.  The UK Information Commissioner has taken a slightly cautious view but essentially accepts this approach.  For the UK regulator, it is all about consumer awareness, since implied consent must be based on a definite understanding of what is going to happen.

A more contested issue in this context is whether the consent must be prior to the serving of cookies.  Despite the fact that the e-privacy directive makes no reference to the word ‘prior’ – unlike in the case of e-mail marketing – and that such a word was indeed removed from the directive during the legislative process, the Article 29 Working Party is adamant that consent must be obtained before a cookie is served or information stored in the user’s terminal equipment is collected.  The Information Commissioner on the other hand acknowledges that currently many websites set cookies as soon as a user accesses the site and that this makes obtaining consent before the cookie is set difficult.  The UK Government has gone even further and stated that it is possible that consent may be given after or during processing.

Taking all this into account, what should a website operator or advertiser that relies on cookie technology do?  The time for pondering is certainly running out and so is the patience of the regulators.  Cookies which are strictly necessary for the provision of an online service requested by an Internet user are exempt from the notice and consent requirements, but what about the two most popular types of cookies around: analytics and advertising cookies?  Are these cookies so intrusive and harmful that only explicit and prior consent will justify their use from now on?  Not necessarily, but achieving legal compliance will require some clever thinking and visible action.

Data privacy compliance is not a matter of scientific precision but an exercise of common sense and legal vision.  In the context of Internet cookies, this means bending over backwards to make it crystal clear what cookies are being used and for what purposes.  If implied and real-time consent is going to be relied upon, it is going to have to be pretty obvious to the average user what is going on.  At the very least, it has to be reasonable to assume that someone can easily find out and exercise effective control over the cookies being served on their terminal equipment.  A prominent notice, a simple explanation and an opportunity to take a view on whether to accept or reject cookies will go a long way, but only if they move from a wish list to action.

This article was first published in Data Protection Law & Policy in December 2011.

ICO’s updated guidance on cookie consent

Posted on December 13th, 2011 by



The Information Commissioner’s Office has published an updated Cookies Guidance Document today, together with a press release criticising the performance of website operators on compliance.

So, what’s in it?

Well, it doubts the idea that consent can be obtained after a cookie has been dropped, because ICO sees consent as meaning prior consent. However, the guidance goes on to imply that ICO will take a sympathetic line with websites where the time period between the dropping of the cookie and the obtaining of consent is short:

“It is difficult to see that a good argument could be made that agreement to an action could be obtained after the activity the agreement is needed for has already occurred. This is not the generally accepted way in which consent works in other areas, and is not what users will expect. Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems. The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes obtaining consent before the cookie is set difficult. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.”

The Guidance also seems to set up the “implied consent” route to compliance, although ICO cautions that we will need to educate our users before we can be confident that implied consent works. ICO suggests that the entire community of website operators can contribute to this cause – which makes sense – but I do not read the guidance as precluding the implied consent route immediately:

“The level of consent required for any activity has to take into account the degree of understanding and awareness the person being asked to agree has about what they are consenting to. A reliance on implied consent in any context must be based on a definite shared understanding of what is going to happen – in this situation a user has a full understanding of the fact cookies will be set, is clear about what cookies do and signifies their agreement. At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent. As consumer awareness increases over the next few years it may well be easier for organisations to rely on that shared understanding to a greater degree. This shared understanding is more likely to be achieved quickly if websites make a real effort to ensure information about cookies is made clearly available to their users, for example, displaying a prominent link to ‘More information about how our website works and cookies’ at the top of the page rather than through a privacy policy in the small print.”

There is also a notable piece about obtaining consent from subscribers and users, which addresses the situation where a computer has multiple users. Basically, it seems that ICO will treat the website as being compliant where consent is obtained just for the subscriber:

“In a domestic context there will usually be a subscriber (the person in the household paying the bill) and potentially several other users. If a user complained that a website they visited was setting cookies without their consent the website could demonstrate they had complied with the Regulations if they could show that consent had previously been obtained from the subscriber.”

As far as strictly necessary cookies are concerned, which do not need consent, the guidance confirms that cookies dropped for security purposes will fall within this group. So are cookies that help the website controller comply with other legal obligations:

“The term ‘strictly necessary’ means that such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data. It will also include what is required to comply with any other legislation the person using the cookie might be subject to, for example, the security requirements of the seventh data protection principle.”

Regarding third party cookies, ICO places the compliance burden on the person who drops the cookie, but there are situations where the person dropping the cookie may work to another’s direction, such as under a contract. Thus, the guidance envisages a cooperative approach to be taken by those involved:

“The person setting the cookie is therefore primarily responsible for compliance with the requirements of the law. Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – the company running the website. It is therefore in both parties’ interests to work together.”

The importance of contractual safeguards in the third party cookie situation is highlighted in this part:

“Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.”

The guidance continues with some ideas about achieving compliance, such as carrying out a cookie audit and assessing intrusiveness, but it’s in the section on pop-ups where things become really interesting, because under “Figure 2″ it seems to be confirmed that achieving consent does need a person to tick a box or click an accept button. Rather, the guidance seems to accept the enhanced notice and transparency approach, where consent is obtained from a person who users a website after being properly warned about cookies:

“Using this technique you could ensure you are compliant by not switching on any cookies unless the person clicks I agree. Some users might not click on either of the options available and go straight through to another part of the site. If they do, you might decide that you could set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site. This is an option that relies on the user being aware that the consequence of using the site is the setting of cookies. If you choose this option you might want the reassurance of a notice appearing elsewhere on the site which reminds users that you are setting cookies.”

The terms and conditions approach is also endorsed:

“It is not uncommon for consent to be gained online using the terms of use or terms and conditions to which the user agrees when they register or sign up. Where users open an online account or sign in to use the services you offer, they will be giving their consent to allow you to operate the account and offer the service. There is no reason why consent for the cookies cannot be gained in the same way.”

On tracking cookies, the guidance seems to imply that first party ones may be relatively non-intrusive, but the most interesting point is that there seems to be re-affirmation of the enhanced notice and transparency approach:

“It is likely to be more difficult to obtain consent for this type of cookie where you do not have any direct relationship with a user – for example where users just visit a site to browse. In this case websites should ensure the information they provide to users about cookies in this area is absolutely clear and is highlighted in a prominent place (not just included through a general privacy policy link). As far as possible, measures should be put in place to highlight the use of cookies and to try to obtain agreement to set these cookies.”

The idea of the central permissions centre is also alluded to, where the user goes to one place to confirm their preferences for different websites:

“An organisation with several connected websites could in theory obtain consent for cookies set on each site in one place, for example when the user logged in on one site. In order for this consent to be valid it would have to be absolutely clear which websites the cookies in question were set on, what those cookies were used for and exactly what the user was agreeing to.”

There is also recognition that consent can be obtained on a per category basis, as opposed to a per cookie basis:

“Consent does not have to be gained separately for each individual cookie, provided you have explained the purpose of the cookies clearly a user could provide consent to cookies performing a set of functions.”

Finally, there’s a remind not to forget the general data protection issues. So if the cookies leads to personal data processing, there is an added compliance layer:

“Where the setting of a cookie does involve the processing of personal data, those using them will need to make sure they comply with the additional requirements of the DPA.”

So, these are my first impressions of the guidance: I have not addressed all of the content here, but what I have seen is very reassuring for compliance. It looks like ICO has taken a pragmatic approach to the issues and it has accepted the key compliance mechanisms that many of us are arguing for, such as implied consent, enhanced notice and transparency, the contractual approach and the intrusiveness approach. If ICO adheres to this approach, then a good balance will be struck between the interests of all the key stakeholders. This is a jolly good piece of work.

Authored by Stewart Room, Partner, FFW Privacy and Information Law Group.

Deconstructing the privacy macaron

Posted on December 7th, 2011 by



Compact.  Self-contained.  Multi-layered.  Hard to penetrate and rich inside with a mix of flavours and tones.  Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law.  But if the indications of what we are about to see in the regulation being proposed by the European Commission are true, complying with the future European privacy regime is going to require fine confectionery skills.

So what are the likely ingredients of this extremely elaborate piece of legislation and how will they blend together?

*   A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best recipe for a harmonised regime that delivers a consistent level of protection across the EU.

*   Two-fold objective – Like the original directive, the new regulation will most certainly have a dual aim: protecting personal data and facilitating the intra-EU movement of that data.

*   Applicability based on establishment and targeting of European residents – The novelty being that the use of equipment in the EU will be replaced by data processing directed at those individuals who live in the EU.

*   Privacy principles – Transparency, finality, proportionality and data quality – they are all likely to be there but for added flavour, expect some new ones like data minimisation and accountability.

*   Consent – Individual’s consent will remain a cornerstone of European data protection law but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual’s freedom of choice.

*   Big rights – Some rather radical changes are likely to come in the shape of new or strengthened individuals’ rights.  Top of the list will be the much publicised right to be forgotten followed closely by data portability rights.  No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities.

*   Controller’s responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers.

*   Data breach notification – As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.

*   International data transfers – Greater flexibility is expected on this issue alongside an express recognition for binding corporate rules, which will be available to both controllers and processors.  An area of concern however is the potential conflict between data requests by non-EU authorities and the limitations on data disclosures, which will probably require the involvement of data protection authorities in determining how to resolve such conflict.

*   Role of data protection authorities – The main novelty on this front is bound to be in relation to their geographical competence.  In all likelihood, the data protection authority of the Member State where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU.  We can also assume that greater international coordination mechanisms will be in place.

*   Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and succulent monetary fines, which can only be more substantial than what most Member States have at the moment.

All in all, it is beyond doubt that the Commission has been working very hard to craft a framework that fits the regulatory requirements of today’s and tomorrow’s data protection.  Whether the result will suit everyone’s taste is a different matter.

This article was first published in Data Protection Law & Policy in November 2011.

Viviane Reding is now BCR #1 fan

Posted on December 2nd, 2011 by



It is now almost certain that Binding Corporate Rules (BCR) and possibly Binding Safe Processor Rules (BSPR) will feature in the revised EU data protection framework.  The clearest indication of this was given in Viviane Reding’s keynote speech at the IAPP Data Protection Congress in Paris this week.  The European Commission’s Vice-President dedicated her entire speech to encourage organisations to go down the BCR path and to promise a smoother and faster authorisation process.

In summary, Vice-President Reding made the following points:

 * We need efficient and effective tools to ensure that personal information is properly protected and one way to adequately protect the processing and transferring of personal data is binding corporate rules.

* We know that one of the strengths of binding corporate rules is that they offer legal certainty and a lot of flexibility as they are compatible with any corporate culture.

* There are three main aspects of how these rules will be improved in the new framework: simplification, consistent enforcement and innovation.

* The European Commission intends to propose a consistent and streamlined approval process.  Once the binding corporate rules are approved by one data protection authority, they will be recognised by all European data protection authorities without the need for additional national authorisation in case of further transfers.

* BCR should be compatible with small innovative companies’ endeavours to operate on a global scale.

* The reform will make binding corporate rules binding within companies, but also with respect to third parties.

* Binding corporate rules will apply to all internal and extra-EU transfers of any entity in a group of companies.

* The Commission will support the development of binding corporate rules that can also be used by processors, including in the context of cloud computing.

* Vice-President Reding encourages companies of all size to start working on their own binding corporate rules.

There is no stronger recognition for BCR than the Vice-President of the European Commission giving them her full support.  We can now assume that the Commission will walk the talk, and BCR will get full recognition in the black letter of the law.