
Meeting the Challenge of EU Cookie Law Compliance

December 3, 2012

Contacts
Michael Whitener
Lead Counsel, Technology & Communications
m.whitener@clearspire.com
+1 202 595 9376

The EU's so-called Cookie Law (properly, Article 5(3) of the revised ePrivacy Directive) has been the cause of much hand-wringing within public and private sectors alike. For EU governments, the challenge is to implement the Cookie Law in a way that honors its spirit without throwing a roadblock in the path of online commerce. For companies doing EU business, the hurdle is determining what minimal level of notice and consent is sufficient to avoid sanctions for Cookie Law violations. This advisory will (1) briefly describe what the Cookie Law requires and (2) recommend best practices for compliance, given the current status of the law's implementation across Europe and guidance provided by EU data protection authorities.

What the Cookie Law Does and Does Not Require

Media reports have sown a lot of confusion on this score. In plain language, the Cookie Law requires that a computer owner give his or her consent before a cookie (in Article 5(3) terms, "information") can be stored on a computer. Note that the cookies do not need to be accessing or collecting personal data. The consent obligation is triggered merely by placing cookies on computers, because in the words of the Article 29 Working Party (which provides advisory opinions on EU data protection matters) computers are "part of the private sphere of these users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms."

The consent requirement of the Cookie Law doesn't apply to every cookie, however. There are two exemptions: (1) cookies that are "strictly necessary" to provide a service explicitly requested by a subscriber or user, and (2) cookies used for the sole purpose of transmitting over an electronic communications network. The Article 29 Working Party has interpreted both of these exemptions narrowly. For instance, the Working Party has declared that the "strictly necessary" requirement will be met only if the service will not work if cookies are disabled. Even then, the cookie's lifespan must be directly related to the purpose it is used for and set to expire once it is no longer needed.

Not surprisingly, the biggest uncertainty regarding the Cookie Law centers on its requirement of consent. The issue transcends the straightforward opt-in/opt-out distinction that is a familiar feature of privacy law. The only gloss that Article 5(3) provides to what is meant by "consent" is that the subscriber or user must first be provided with "clear and comprehensive information." The Article 29 Working Party has interpreted this language as requiring that consent be obtained before a cookie is placed on someone's computer. Exercising an opt-out right after the fact isn't sufficient, no matter how prominently displayed the opt-out may be.

Clearspire LawCo., PLLC | 1747 Pennsylvania Avenue, NW, Suite 200 | Washington, DC 20006 | +1 202 549 1200 office

Thus the approach taken in the typical privacy policy of describing what cookies are, how they are used, and how cookies can be disabled will no longer hack it. The Working Party was explicit: consent means "active participation of the data subject prior to the collection and processing of data."

The Article 29 Working Party offered a hopeful glimmer of an easy solution to the consent conundrum when it considered the possibility that valid consent could be delivered by setting internet browsers to reject cookies by default and requiring affirmative action to accept cookies. But the Working Party ultimately concluded that current browser technology cannot be relied upon for this purpose.

Best Practice Recommendations for Compliance

EU member nations have been implementing the Cookie Law in fits and starts. The UK has led the pack, especially in terms of providing detailed guidance, joined by a growing number of other countries (and prompted by European Commission threats of legal action against laggards this past summer). At this juncture, it's possible to glean from implementation efforts a few best practices for Cookie Law compliance that are likely to meet legal requirements across Europe:

1. The starting point should be a cookie audit. Before deciding on the best mechanisms for obtaining user consent, you need to know what cookies are being used, for what purpose, what data each cookie holds and what type of cookie it is (session or persistent). Your privacy policy should be reviewed to ensure that it accurately describes the cookies used.

2. The subscriber/user must give his or her prior informed consent to the use of non-exempt cookies. That means clear and comprehensive information is provided before cookies are installed. Note, however, that there are no fixed standards for providing notice and obtaining consent, which allows flexibility and creativity. Popular choices include pop-up modal dialog boxes (which provide information about cookies and ask for the user to click "OK") and status bars (which appear at the top or bottom of a website and inform visitors that the site uses cookies, with links to the privacy/cookie policy and a request to opt in). No doubt web developers will come up with new, more user-friendly mechanisms over time.

3. The more privacy-intrusive the cookie, the more prominent the notice and the more unambiguous the consent should be. The Cookie Law itself doesn't distinguish between types of cookies. However, from an enforcement perspective, the more directly the cookie impinges upon a user's personal information, the more carefully you need to think about how to obtain consent. Both the UK Information Commissioner's Office and the Article 29 Working Party have suggested that first-party analytical cookies, such as those used by Google Analytics, pose a lesser privacy risk.

4. Browser setting options are not sufficiently developed to constitute consent. Down the road, browser settings may provide a solution that will allow the avoidance of potentially annoying pop-up consent boxes and the like. But not yet.
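The four recommendations above translate into a small client-side gate, shown here as an added example (not code from the advisory or from Clearspire): nothing non-exempt is written before an active opt-in, "strictly necessary" cookies get a lifespan tied to their purpose, and an audit reports what is actually present and whether each cookie is session or persistent. The cookie names, categories and lifetimes in the registry are constructed for illustration, and a Map stands in for document.cookie so the code runs outside a browser.

```javascript
// Added example, not from the advisory: a consent gate that applies its rules.
// A Map stands in for document.cookie so the code runs outside a browser.

// Constructed registry = the result of a cookie audit (names, categories and
// lifetimes are assumptions for illustration).
const COOKIE_REGISTRY = {
  sessionid: { category: "strictly-necessary", maxAge: null },     // session cookie
  cart:      { category: "strictly-necessary", maxAge: 3600 },     // lifespan tied to purpose
  _ga:       { category: "analytics",          maxAge: 63072000 }, // persistent, needs opt-in
  ad_id:     { category: "advertising",        maxAge: 31536000 }, // persistent, needs opt-in
};

// Exemption: strictly necessary for a service the user explicitly requested.
function isExempt(name) {
  const entry = COOKIE_REGISTRY[name];
  return entry !== undefined && entry.category === "strictly-necessary";
}

// Build the string a browser would accept; no Max-Age => session cookie.
function toCookieString(name, value, maxAge) {
  const base = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
  return maxAge === null ? base : `${base}; Max-Age=${maxAge}`;
}

// Write a cookie only if it is exempt or its category has prior opt-in.
// `consented` holds the categories the user actively agreed to; an empty Set
// (dialog dismissed, no click) blocks every non-exempt cookie, because
// silence or a later opt-out is not consent under the Working Party reading.
function setCookie(jar, name, value, consented) {
  const entry = COOKIE_REGISTRY[name];
  if (entry === undefined) return false;                    // unaudited cookie: refuse
  if (!isExempt(name) && !consented.has(entry.category)) return false;
  jar.set(name, toCookieString(name, value, entry.maxAge));
  return true;
}

// Audit what is actually in the jar: session vs persistent, and registration.
function auditCookies(jar) {
  return [...jar.entries()].map(([name, str]) => ({
    name,
    type: /Max-Age=/.test(str) ? "persistent" : "session",
    category: COOKIE_REGISTRY[name] ? COOKIE_REGISTRY[name].category : "unregistered",
  }));
}
```

Running the audit before and after the user clicks "OK" shows the difference the advisory describes: only the exempt session cookie exists before consent, and the analytics cookie appears only once its category has been opted into.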

What about in the employment context, where a corporate employer wishes to place cookies on employee laptops, say, for the purpose of rolling out an enterprise-wide software package? Different EU countries have taken different approaches. The UK, the Netherlands and Sweden, for example, have determined that intranet users are not using a public electronic communications service and therefore the Cookie Law is inapplicable, whereas France and Spain do not currently recognize an intranet exception. One strategy that should pass muster across the board is for the employer to provide consent at the enterprise level to have cookies installed, but still leave each individual employee with the option of disabling a particular cookie on his or her laptop.

The revisions to the EU Data Protection Directive that are in the works, along with increasingly sophisticated browsers that allow consent to be built into the settings, may eventually ease the stringent consent requirements currently mandated under the Cookie Law. Until then, we will keep an eye out for additional EU guidance in this area.

***

Clearspire attorneys are available to advise on your technology and communications issues. Please contact us if you have any questions.

Disclaimer notice: This publication is for information only and does not constitute legal advice. It is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. So that we can send you this email and other marketing material we believe may interest you, we keep your email address and other information supplied by you on a database. The database is accessible by all Clearspire offices. To stop receiving email communications from us please email info@clearspire.com
