
EU Cookie Directive Compliance
Richard C. Gruber Jr., The John Marshall Law School, RGruber@law.jmls.edu

The following is an update on the status of the implementation of cookie laws by EU member states under the EU Cookie Directive (the Directive) [1], effective May 25th, 2011. The Directive's purpose is for member states to implement their own laws within its general framework in order to protect the privacy of individuals in the EU. The Directive itself is not directly applicable law, however: to analyze compliance one must look to each member state's implementing legislation, which in certain instances provides more specific guidance. Most importantly, the Directive has introduced new rules for online service providers that require consent to be obtained from website visitors before cookies and other tracking devices are served to users' computers. A status chart has been attached in order to address which member states have specifically implemented Article 5(3), the status of the implementation, whether opt-in consent is required, and any other legal requirements provided by member state law(s).

Step 1 - Cookies Audit

Whether attempting compliance with a single member state or multiple member states, a thorough audit [2] of cookie use (by the website operator and by third parties) needs to be undertaken to determine what cookies and similar technologies the website is using [3] and how they are being used. Doing so will give you the information you will need to provide to users for compliance with even the most demanding member state laws implementing the Directive. Then analyze which cookies are strictly necessary, because several member states, as indicated on the Status Chart, vary the consent required based upon this factor. Where consent is needed, decide which solution for obtaining consent will be best under the circumstances and the member state's requirements.
Lastly, the audit process serves as a useful opportunity to clean up your web pages and eliminate the use of any unnecessary cookies [4]. For example, asking the following additional questions may be helpful:

- Whether the cookie is linked to other information held about users, such as usernames
- What data each cookie holds
- The type of cookie: session or persistent
- If it is persistent, how long its lifespan is
- Whether it is a third-party cookie and, if so, who is setting it [5]

Notes

[1] Originally adopted as Directive 2002/58/EC, implemented by member states from 2003, and amended in 2009 by Directive 2009/136/EC.
[2] For a helpful example of the information that should be included in an audit of cookie use: http://www.foolproof.co.uk/eu-cookie-directive-and-your-users/
[3] Helpful definitions for various types of cookies are located at: http://eucookiedirective.com/
[4] Information Commissioner's Office (ICO) (UK), Guidance on the rules on use of cookies and similar technologies, version 2, December 13th, 2011, pp. 9, 12-13.

What does the Directive state?

The language of the Directive is critical because, as the Status Chart indicates, many member states have either adopted the language of the Directive verbatim or close to it. Article 5(3) of the Directive, in the wording of the UK regulations implementing it, states that "[a] person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met", those requirements being that the user "is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information" and "has given his or her consent" [6][7]. There are common exemptions that member states have adopted from the requirement to provide information and obtain consent, such as non-applicability to cookies used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network", or where such storage or access is "strictly necessary for the provision of an information society service requested by the subscriber or user" [8][9]. Examples of the types of exempted cookies in certain member states (without excluding other possibly exempted cookies):

- Secure login session cookies, designed to identify the user once he or she has logged in to an information society service, where this is necessary to recognize the user and maintain the consistency of the communication with the server over the communication network [10].
- User session cookies (session IDs) that allow the actions of a user to be tied together when this is necessary to provide the service he or she requested [11].
- Shopping basket cookies, used to store references to the items the user has selected by clicking a button (e.g. "add to my shopping cart"). This cookie is necessary to provide an information society service explicitly requested by the user [12].
- Security cookies that are essential to comply with the security requirements of Directive 95/46/EC [13] or other legislation for an information society service explicitly requested by the user. For example, a cookie may be used to store a unique identifier that allows the service to gain additional assurance when recognizing returning users; attempted logins from previously unseen devices could then prompt for additional security questions [14].
- The user's spoken language (for websites translated into several languages) or other preferences necessary to provide the requested service [15].
- Flash cookies containing elements that are strictly necessary to make a media player (audio or video) work for content that has been requested by the user [16].

Notes

[5] ICO (UK), Guidance on the rules on use of cookies and similar technologies, version 2, December 13th, 2011, p. 13.
[6] Article 29 Data Protection Working Party, Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising, 02005/11/EN/WP 188, adopted 8 December 2011, p. 8: http://ec.europa.eu/justice/data-protection/article29documentation/opinion-recommendation/files/2011/wp188_en.pdf
[7] Privacy and Electronic Communications (EC Directive) Regulations 2003, No. 2426, Reg. 6.
[8] Article 5(3) of the revised e-Privacy Directive, 2002/58/EC.
[9] Article 29 Data Protection Working Party, Opinion 16/2011, p. 8.
[10] Id. at p. 9.
[11] Guidance from the French DPA CNIL (translated into English), "Are all cookies concerned?", December 20th, 2011: http://www.cnil.fr/english/news-and-events/news/articles/whate-thetelecoms-package-changes-for-cookies/
[12] Article 29 Data Protection Working Party, Opinion 16/2011, p. 9.

Accordingly, cookies used primarily for analytics, advertising, and per-user customization are in several instances not exempt under the member state laws implementing the Directive, because they pose a higher risk to user privacy [17]. One requirement that several member states have included in their laws is that "clear and comprehensive" information be provided in order to obtain informed consent. The law in the UK, for example, is not clear on what constitutes "clear and comprehensive", because the amount of information needed depends on the knowledge level of the user. The current situation is unfortunate for website operators because the broader consumer population includes those who use the internet less regularly, have a generally lower level of technical awareness, and are less likely to understand the way cookies work and how to manage them [18]. However, the ICO (UK) has provided significantly more guidance than the other member states; following it will at a minimum demonstrate a reasonable effort to comply with UK law:

- Alert users that the cookies are there [19],
- Explain what the cookies are doing [20][21], and
- Obtain consent to store a cookie on their device [22].

Notes

[13] Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data, Official Journal L 281, 31995L0046, pp. 31-50, October 24th, 1995: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML
[14] Article 29 Data Protection Working Party, Opinion 16/2011, p. 9.
[15] ICO Guidance on the rules on use of cookies and similar technologies, pp. 12-13.
[16] Id.
[17] Id. at p. 10.
[18] ICO Guidance on the rules on use of cookies and similar technologies, p. 3 (41% of those surveyed were unaware of any of the different types of cookies, only 13% indicated that they fully understood how cookies work, and 37% said they did not know how to manage cookies on their computer).
[19] ICO Guidance on the rules on use of cookies and similar technologies, p. 8.
[20] Id. at p. 8.
[21] French DPA CNIL (translated into English), "Are all cookies concerned?".

The information provided with respect to alerting users and explaining the cookies must be:

- Correct and complete, as stated in Article 10 of Directive 95/46/EC [23]. To meet this standard the information must, at a minimum, tell users: 1) who (i.e. which entity) is responsible for serving the cookie and collecting the related information; 2) that the cookie will be used to create profiles; 3) what type of information will be collected to build such profiles; 4) that the profiles will be used to deliver targeted advertising; and 5) that the cookie will enable the user's identification across multiple websites [24].
- Given directly to users, in a clear and understandable form, before cookies are placed and before informed consent is possible.

Step 2 - Compliance Options

The European Advertising Standards Alliance (EASA) and the Internet Advertising Bureau Europe (IAB) adopted a self-regulatory Best Practice Recommendation on online behavioral advertising (the "EASA/IAB Code"), which may be helpful in certain member states such as Germany. Under the EASA/IAB Code, an icon is used as an information notice for behavioral advertising. In the current implementation of the Code, the icon is linked to an information website, www.youronlinechoices.eu. On this website, users can signal their willingness to opt out by selecting specific company names from a list of different advertising networks. Moreover, wording alongside the ad or icon should at a minimum contain the words "personalized advertising" [25].

According to the ICO, none of the above-mentioned clear and comprehensive information and notices is sufficient on its own to establish consent: "[y]ou must obtain consent to store a cookie on a user or subscriber's device" [26]. In order to have an agreement or consent (depending upon the language translation) it must meet all three of the following requirements:

- Freely given
- Specific
- Informed (as mentioned above under clear and comprehensive information) [27]

Ways to obtain freely given, specific, and informed consent

The following options are not required in most member states, but they are available under a self-regulatory scheme, and they are options for erring on the side of caution when a member state in which a website operates has implemented Article 5(3) of the Directive in some form but has not given significant guidance.

Browser Option

There are various frequently discussed options that may satisfy the three requirements for consent, including consent "signified by a subscriber who amends or sets controls on the Internet browser which the subscriber uses" [28]. Additionally, the Directive, whose language several member states have chosen to adopt entirely, has the foresight to add "...or by using another application or program" to signify consent, which could be, for example, a browser plug-in or a web consent management platform [29]. At this time, industry has not properly educated users [30]; therefore more is required of website operators than the ideal browser-settings option. The browser option is not yet viable [31] for ensuring compliance, because of the lack of technological sophistication of the majority of users and the uncertainty over whether they were ever prompted to consider their current browser settings [32].

Text and Format

Other options to make information more prominent, and therefore more likely to inform the user, include:

- Formatting (e.g. changing the size of a link to information or using a different font; the key is distinguishing it from the other links).
- Positioning (e.g. moving the link from the footer to somewhere more likely to catch the attention of users).
- Hyperlink text (e.g. rather than simply "privacy policy", the text would read "find out more about how our site works and how we put you in control").

These options are preferable for website operators simply because they do not impose as big a nuisance on the user experience [33]. This option certainly contrasts with pop-ups and similar techniques.

Pop-ups or Similar Techniques

While pop-ups or similar techniques seem to be an easy option for staying on the safe side of compliance with even the strictest member state law, they might spoil the user's experience when they are not implemented carefully. The key factor is that when a cookie is only enabled during certain functions, features, services, or pages, the user must be informed and must consent only before that cookie is placed. Therefore, a pop-up screen that explains what cookie(s) are needed to continue and asks for express consent via a check-box will provide you with informed consent to proceed compliantly [34].

Banners and Footers

Moreover, the website may contain a banner at the top of the page or a separate footer that is specifically for obtaining the informed consent of users [35]. The static information banner at the top of a website should request the user's consent to set some cookies and include a hyperlink to a privacy statement with a more detailed explanation of the different controllers and purposes of placing specific cookies [36]. To make compliance even more likely, the website can fix the banner or footer so that it remains on the page while the user scrolls, until consent is given.

Splash Screen

Upon entering the website, a splash screen explains what cookies the website will set, by what parties, and for what purpose, if the user consents [37]. This is a useful option, especially when the website targets users over a certain age because of other applicable domestic laws [38].

Notes

[22] ICO Guidance on the rules on use of cookies and similar technologies, p. 8.
[23] Article 29 Data Protection Working Party, Opinion 16/2011, p. 5.
[24] Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, 00909/10/EN WP 171, adopted 22 June 2010, pp. 18-19: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf
[25] Article 29 Data Protection Working Party, Opinion 16/2011, pp. 3-5.
[26] ICO Guidance on the rules on use of cookies and similar technologies, p. 8.
[27] Directive 95/46/EC, Article 2(h): http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML, and note 6 above.
[28] Member states such as France, Hungary, Luxembourg, Spain, Sweden, and the draft language of both Greece and Italy allow browser settings for informed consent; however, that is not the case in countries such as Lithuania, nor under the current status in the UK according to the ICO.
[29] French DPA CNIL (translated into English), "Are all cookies concerned?".
[30] Article 29 Data Protection Working Party, Opinion 16/2011, p. 3.
[31] French DPA CNIL (translated into English), "Are all cookies concerned?".
[32] ICO Guidance on the rules on use of cookies and similar technologies, pp. 11-12.
[33] ICO Guidance on the rules on use of cookies and similar technologies, pp. 14-15.
[34] Id. at p. 16.
[35] Id. at p. 16.
[36] Because the ICO is the authority in the UK on compliance with implementation of the Directive, it is important to note that this is the option they have exercised on their own website: http://www.ico.gov.uk/Global/privacy_statement.aspx
[37] Article 29 Data Protection Working Party, Opinion 16/2011, p. 9.
[38] For example, breweries have such splash screens that require age verification before entering their sites. Reference: http://www.harpoonbrewery.com/

Default Settings

A default setting could be configured to prohibit the transfer of data to external parties, requiring a user click to indicate consent for tracking purposes, but it would need to be accompanied by appropriate information to provide for informed consent [39]. This option is similar to the aforementioned default browser settings option, of which website operators may inform their users; although legally insufficient at this point, such settings are effective in preventing the collection of behavioral data when set properly by the user [40].

Links to more information

Whichever format, layout, or technical structure is chosen, where more information is to be provided to satisfy informed consent, it is advisable to have a single page [41] that includes a table listing each cookie, its name, its purpose, and, where it is set by a third party, a link to more information [42].

Consent with third party advertiser involvement

Importantly, if the website supports third-party ads, the website operator is liable for the third party's tracking if neither the third party nor the website operator has obtained informed consent. However, if the third party has itself obtained informed consent that can be attached to a user, the website operator does not need to repeat the process of obtaining informed consent [43][44]. Practically speaking, from a technological standpoint it may be easier not to differentiate and simply to ask for consent, because the process the website implements should be done in such a way as to detract from the user experience as little as possible [45].

Changes in cookies after consent

If the purpose of a cookie for which the website has been given informed consent has significantly changed, the website operator must make the user aware of the changes and allow them to make the choice regarding the new activities. Consent does not, however, need to be given for each individual cookie in this instance; it can be given once the purpose has been clearly explained and the cookies are performing a set of functions in conjunction with one another [46].

Refusal and Right to Revoke
Notes

[39] Article 29 Data Protection Working Party, Opinion 16/2011, p. 10.
[40] Id.
[41] Id.
[42] Again the ICO is illustrative in providing an example table; however, it is included as part of their privacy policy, and it may be better situated on a page of its own, with a reference and link provided within the privacy policy. Reference: http://www.ico.gov.uk/Global/privacy_statement.aspx
[43] French DPA CNIL (translated into English), "Are all cookies concerned?".
[44] ICO Guidance on the rules on use of cookies and similar technologies, p. 22.
[45] Article 29 Data Protection Working Party, Opinion 16/2011, pp. 10-11.
[46] ICO Guidance on the rules on use of cookies and similar technologies, pp. 22-23.

Some member states, such as Bulgaria, have included a right to revoke. Generally speaking, once a user is in a position to provide informed consent, the website operator should allow for three options: accept the cookie; refuse the cookie and be asked again next time; or refuse the cookie and have the refusal remembered through the installation of a refusal cookie. Most importantly, even where informed consent has previously been given in any of the ways discussed above (or in other valid ways not foreseen here), in France and Bulgaria, for example, the right to revoke consent must always be made available [47].

Summary

Once you have determined that the Directive has been implemented in some form in a member state in which a website operates, the suggested course of action, based upon the above, is to attempt compliance by the date required under the local law. Doing nothing or waiting to see is not advisable. It is important to note that the enforcement approach is intended to be "practical and proportionate", likely considering the size of an organization [48], its resources, and the surrounding circumstances; however, the Directive and many of the member states' attempts to implement it are not clear or explicit. Therefore, a website's first step should be to audit its use of cookies and similar technologies; the website must then provide clear and comprehensive information in order to obtain informed consent, in any of the ways mentioned above or in similar ways that are legally analogous, when required.
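The audit questions of Step 1 and the accept / refuse / refuse-and-remember / revoke options of the preceding section can be made concrete in code. The following Python is an added example written for this page, not code from the paper, the ICO, the CNIL or any other authority cited: it builds the audit table (session or persistent, lifespan, first- or third-party, strictly necessary or not, plus the Secure and HttpOnly flags a security reviewer would check at the same time) from the Set-Cookie headers observed during a page load, and then gates which cookies a response may set according to the user's remembered decision. The allow-list STRICTLY_NECESSARY, the consent cookie name cookie_consent and its values, the hostnames and the sample headers are all assumptions constructed for the example.

```python
"""Cookie audit and consent gating; an added illustrative example, not from the paper."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Assumptions of this example: the strictly-necessary allow-list, the consent cookie's
# name and values, and the sample headers below are constructed, not from any real site.
STRICTLY_NECESSARY = {"sessionid", "csrftoken", "basket", "lang"}
CONSENT_COOKIE = "cookie_consent"
ONE_YEAR = 365 * 24 * 3600

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); real audits should consult a public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_set_cookie(header):
    """Return (name, Morsel) for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    return next(iter(jar.items()))

def audit_set_cookie(headers, site_host, now=None):
    """Build the Step 1 audit table from the Set-Cookie headers seen during a page load."""
    now = now or datetime.now(timezone.utc)
    site_dom = registrable_domain(site_host)
    rows = []
    for header in headers:
        name, m = parse_set_cookie(header)
        if m["max-age"]:
            days = int(m["max-age"]) / 86400
        elif m["expires"]:
            days = (parsedate_to_datetime(m["expires"]) - now).total_seconds() / 86400
        else:
            days = None  # no lifetime attribute: a session cookie
        set_by = registrable_domain(m["domain"] or site_host)
        rows.append({
            "name": name,
            "type": "session" if days is None else "persistent",
            "lifespan_days": None if days is None else round(days, 1),
            "set_by": set_by,
            "third_party": set_by != site_dom,
            "strictly_necessary": name in STRICTLY_NECESSARY,
            "secure": bool(m["secure"]),      # not Directive requirements, but an
            "httponly": bool(m["httponly"]),  # auditor should flag missing flags too
        })
    return rows

def consent_state(request_cookie_header):
    """'accepted', 'refused', or None when the user has no remembered decision."""
    jar = SimpleCookie()
    jar.load(request_cookie_header or "")
    m = jar.get(CONSENT_COOKIE)
    return m.value if m and m.value in ("accepted", "refused") else None

def gate_response_cookies(headers, state):
    """Keep necessary cookies always, others only after 'accepted'; flag whether to prompt."""
    kept, dropped = [], []
    for header in headers:
        name, _ = parse_set_cookie(header)
        if name in STRICTLY_NECESSARY or name == CONSENT_COOKIE or state == "accepted":
            kept.append(header)
        else:
            dropped.append(name)
    return kept, dropped, state is None

def record_choice(choice, audit_rows=()):
    """Set-Cookie headers for accept / refuse_once / refuse_remember / revoke."""
    base = CONSENT_COOKIE + "=%s; Path=/; Secure; HttpOnly; SameSite=Lax"
    if choice == "accept":
        return [base % "accepted" + "; Max-Age=%d" % ONE_YEAR]
    if choice == "refuse_once":
        return []  # nothing stored, so the user is asked again on the next visit
    if choice == "refuse_remember":
        return [base % "refused" + "; Max-Age=%d" % ONE_YEAR]
    if choice == "revoke":
        # Forget the decision and expire non-essential first-party cookies already placed;
        # third-party cookies belong to another domain and must be cleared there.
        headers = [base % "" + "; Max-Age=0"]
        headers += [f"{r['name']}=; Path=/; Max-Age=0" for r in audit_rows
                    if not r["strictly_necessary"] and not r["third_party"]]
        return headers
    raise ValueError(f"unknown choice: {choice}")

# Constructed sample: headers from all responses (first- and third-party) of one page
# load of https://shop.example.org, with a fixed clock so lifespans are reproducible.
SAMPLE_SET_COOKIES = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "basket=item42; Path=/; Max-Age=604800; Secure; HttpOnly",
    "lang=en; Path=/; Max-Age=31536000; Secure",
    "_ga=GA1.2.1; Domain=.example.org; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "adtrack=xyz; Domain=ads.tracker-example.net; Max-Age=63072000; Secure",
]
NOW = datetime(2025, 10, 21, 7, 28, tzinfo=timezone.utc)

if __name__ == "__main__":
    rows = audit_set_cookie(SAMPLE_SET_COOKIES, "shop.example.org", NOW)
    print(*rows, sep="\n")
    print(gate_response_cookies(SAMPLE_SET_COOKIES, consent_state(""))[1:])  # dropped, prompt
    print(record_choice("revoke", rows))
```

On the sample, the first visit (no consent cookie) keeps only the three allow-listed cookies, drops the analytics and advertising cookies and reports that the site must still prompt; the same request after "accepted" keeps all five. Two caveats the comments also make: registrable_domain is a two-label approximation and a real audit should use the public-suffix list, and revoke can only expire cookies on the operator's own domain, so cookies a third party set under its own domain have to be cleared by that party.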

Notes

[47] French DPA CNIL (translated into English), "Are all cookies concerned?".
[48] Article 29 Data Protection Working Party, Opinion 16/2011, p. 24: "practical and proportionate approach".
