5 Information Commissioner's Office (ICO) (UK), Guidance on the rules on use of cookies and similar technologies, version 2, December 13th, 2011, pg. 13.
6 Article 29 Data Protection Working Party, Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioral Advertising, 02005/11/EN/WP 188, adopted on 08 December 2011, pg. 8: http://ec.europa.eu/justice/data-protection/article29documentation/opinion-recommendation/files/2011/wp188_en.pdf
7 Privacy and Electronic Communications (EC Directive) Regulations 2003, no. 2426, Reg. 6.
8 Article 5(3) of the revised e-Privacy Directive, 2002/58/EC.
9 Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 8.
10 Id. at pg. 9.
11 Guidance from the French DPA CNIL (translated into English), Are all cookies concerned?, December 20th, 2011: http://www.cnil.fr/english/news-and-events/news/articles/whate-thetelecoms-package-changes-for-cookies/
o Security: cookies that provide security functions essential to comply with the security requirements of Directive 95/46/EC[13] or other legislation for an information society service explicitly requested by the user. For example, a cookie may be used to store a unique identifier to allow the information society service to provide additional assurance in the recognition of returning users. Attempted logins from previously unseen devices could prompt for additional security questions.[14]
o User's spoken language (for websites that are translated into several languages) or other necessary preferences to provide the requested service.[15]
o Flash cookies containing elements that are strictly necessary to make a media player work (audio or video) for content that has been requested by the user.[16]
Accordingly, cookies used primarily for analytics, advertising, or per-user customization are, in several instances, not exempt from the laws member states have implemented to comply with the Directive, because they pose a higher risk to user privacy.[17]
One requirement that several member states have included in their laws is that clear and comprehensive information be provided in order to obtain informed consent.
The law in the UK, for example, is not clear on what constitutes "clear and comprehensive", because the amount of information needed is subjective, depending on the knowledge level of the user. The current situation is unfortunate for website operators because among broader consumers are those who use the internet less regularly, have a generally lower level of technical awareness, and are less likely to understand the way cookies work and how to manage them.[18]
However, the ICO (UK) has provided significantly more guidance than the other member states; following it will, at a minimum, demonstrate a reasonable effort to comply with UK law:
The information provided with respect to alerting users to and explaining the cookies must be:
o Correct and complete, as stated in Article 10 of Directive 95/46/EC.[23] In order to do so the information must, at a minimum, inform users of:
1) who (i.e. which entity) is responsible for serving the cookie and collecting the related information;
2) that the cookie will be used to create profiles;
3) what type of information will be collected to build such profiles;
4) the fact that the profiles will be used to deliver targeted advertising; and
5) the fact that the cookie will enable the user's identification across multiple web sites.[24]
o Given directly to users, in a clear and understandable form, before cookies are placed.
o Before informed consent is possible.
Step 2 - Compliance Options
The European Advertising Standards Alliance (EASA) and the Internet Advertising Bureau Europe (IAB) adopted a self-regulatory Best Practice Recommendation on online behavioral advertising (the "EASA/IAB Code"), which may be helpful in certain member states such as Germany. Under the EASA/IAB Code, an icon is used as an information notice for behavioral advertising. In the current implementation of the Code, the icon is linked to an information website, www.youronlinechoices.eu, where users can signal their wish to opt out by selecting specific company names from a list of advertising networks. Moreover, wording alongside the ad or icon should at a minimum contain the words "personalized advertising".[25]
According to the ICO, none of the above-mentioned clear and comprehensive information and notices is sufficient alone to grant consent: "[y]ou must obtain consent to store a cookie on a user or subscriber's device."[26] In order to have an agreement or consent (depending upon the language translation) it must meet all three of the following requirements:
o Freely given
o Specific
o Informed (as mentioned above under clear and comprehensive information)[27]
22 Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 8.
23 Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 5.
24 Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioral advertising, 00909/10/EN WP 171, adopted on 22 June 2010, pg. 18-19: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf
25 Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 3-5.
26 Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 8.
Ways to obtain freely given, specific, and informed consent
The following options are not required in most member states, but they are available under a self-regulatory scheme and are ways to err on the side of caution where a member state a website operates in has implemented Article 5(3) of the Directive in some form but has not given significant guidance.
Browser Option
There are various frequently discussed options that may satisfy the three requirements for consent, including consent "signified by a subscriber who amends or sets controls on the Internet browser which the subscriber uses".[28] Additionally, the Directive, whose language several member states have chosen to adopt entirely, has the foresight to add "...or by using another application or program" to signify consent, which could be, for example, a browser plug-in or a web consent management platform.[29] At this time, industry has not properly educated users,[30] and therefore more is required of website operators than the ideal browser settings option. The browser option is not yet viable[31] to ensure compliance, due to the lack of technological sophistication of the majority of users and the uncertainty of whether or not they have been prompted to consider their current browser settings.[32]
Text and Format
Other options to make information more prominent, and therefore more likely to inform the user, include:
o Formatting (e.g. changing the size of a link to information or using a different font; the key is distinguishing it from the other links).
o Positioning (e.g. moving from the footer to somewhere more likely to catch the attention of users).
o Hyperlink text (e.g. rather than simply "privacy policy", the text would read "find out more about how our site works and how we put you in control").
These options are preferable for website operators simply because they do not impose as great a burden on the user experience.[33] This option certainly contrasts with pop-ups and similar techniques.
27
28 Member states such as France, Hungary, Luxembourg, Spain, Sweden and the draft language of both Greece and Italy allow browser settings for informed consent; however, that is not the case in countries such as Lithuania, and under the current status in the UK according to the ICO.
29 Id. at French DPA CNIL (translated into English), Are all cookies concerned?
30
Pop-ups or Similar Techniques
While pop-ups or similar techniques seem an easy option for being on the safe side of compliance with even the strictest member state law, they might spoil the user's experience when they are not implemented carefully. The key factor is that when a cookie is only enabled during certain functions, features, services, or pages, the user must be technically informed and must provide consent only before the cookie is placed. Therefore, a pop-up screen that explains which cookie(s) are needed to continue, and asks for express consent via a click-box, will provide you with informed consent to proceed compliantly.[34]
Banners and Footers
Moreover, the website may contain a banner at the top of the page or a separate footer that is specifically for obtaining the informed consent of users.[35] A static information banner at the top of a website should request the user's consent to set some cookies and include a hyperlink to a privacy statement with a more detailed explanation of the different controllers and purposes of placing specific cookies.[36] To make compliance even more likely, the website can fix the banner or footer so that it remains on the page while the user scrolls, until consent is given.
Splash Screen
Upon entering the website, a splash screen explains what cookies the website will set, by what parties, and for what purpose, if the user consents.[37] This is a useful option, especially when the website targets users over a certain age because of other applicable domestic laws.[38]
Default Settings
A default setting could be set to prohibit the transfer of data to external parties, requiring a user click to indicate consent for tracking purposes, but it would need to be accompanied by appropriate information to provide for informed consent.[39] This option is similar to the aforementioned default browser settings option, of which website operators may inform their users; although legally insufficient at this point, such settings are effective in preventing the collection of behavioral data when set properly by the user.[40]
33 Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 14, 15.
34 Id. at pg. 16.
35 Id. at pg. 16.
36 Because the ICO is the authority in the UK on compliance with implementation of the Directive, it is important to note that this is the option they have exercised on their own website: http://www.ico.gov.uk/Global/privacy_statement.aspx
37 Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 9.
38 For example, breweries have such splash screens that require age verification before entering their sites. Reference: http://www.harpoonbrewery.com/
Links to more information
Whichever format, layout, or technical structure is chosen, where more information is to be provided to satisfy informed consent, it is advisable to have a single page[41] that includes a table of each cookie, its name, its purpose, and, where applicable because it is set by a third party, a link to more information.[42]
Consent with third party advertiser involvement
Importantly, if the website supports third party ads, the website operator is liable for their tracking if neither the third party nor the website operator has obtained informed consent. However, if the third party has itself obtained informed consent that can be attached to a user, the website operator does not need to repeat the process of obtaining informed consent.[43][44] Practically speaking, from a technological standpoint it may be easier not to differentiate and simply to ask for consent, because the process the website implements should be done in such a way as to detract from the user experience as little as possible.[45]
Changes in cookies after consent
If the purpose of a cookie for which the website has been given informed consent has significantly changed, the website operator must make the user aware of the changes and allow them to make a choice regarding the new activities. However, consent does not need to be given for each individual cookie in this instance; it could be given once the purpose has been clearly explained and the cookies are performing a set of functions in conjunction with one another.[46]
Refusal and Right to Revoke
Some member states, such as Bulgaria, have included the right to revoke. Generally speaking, once a user is in a position to provide informed consent, the website operator should allow for three options: accept the cookie; refuse the cookie and be asked again next time; or refuse the cookie and memorize the refusal with the installation of a refusal cookie. Most importantly, despite informed consent having previously been given in any of the ways discussed above (or in valid ways not foreseen herein), the right to revoke consent must always be made available, for example in France and Bulgaria.[47]
39 Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 10.
40 Id.
41 Id.
42 Again the ICO is illustrative in providing an example table; however, it is included as part of their privacy policy, and it may be better situated on a page of its own, with a reference and link provided within the privacy policy. Reference: http://www.ico.gov.uk/Global/privacy_statement.aspx
43 Id. at French DPA CNIL (translated into English), Are all cookies concerned?
44 Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 22.
45 Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 10, 11.
46 Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 22, 23.
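As an added example that is not part of the original document, the following JavaScript sketches how a website operator might implement the three choices just described (accept; refuse and be asked again next time; refuse and memorize the refusal with a refusal cookie), the right to revoke, and the re-prompting needed when a cookie's purpose changes (see "Changes in cookies after consent" above). The cookie names, the purposes table and the format of the consent cookie are assumptions chosen for illustration; an in-memory Map stands in for document.cookie so the code runs outside a browser.

```javascript
// Added example (not from the original document): a minimal consent gate that
// implements accept / refuse-and-ask-again / refuse-and-remember, revocation,
// and re-prompting when the declared purposes change. A Map stands in for
// document.cookie so this runs in Node; cookie names, purposes and the consent
// cookie format are assumptions for illustration.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the consent/refusal cookie
const PURPOSES_VERSION = 2;              // bump whenever a cookie's purpose changes

// Assumed single-page cookie table (name, purpose, strictly necessary or not).
const COOKIE_TABLE = {
  session: { purpose: "keeps you logged in", essential: true },
  lang:    { purpose: "remembers your chosen language", essential: true },
  ad_id:   { purpose: "behavioural advertising by a third-party network", essential: false },
};

function createJar() {
  return new Map(); // name -> value; stand-in for the browser cookie store
}

// Returns the memorised choice {granted, version}, or null if nothing is stored
// (never asked, or "refuse and ask again next time"). A malformed value counts
// as no decision, so a corrupted cookie can never grant consent by accident.
function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (raw === undefined) return null;
  try {
    const c = JSON.parse(raw);
    if (typeof c.granted !== "boolean" || typeof c.version !== "number") return null;
    return c;
  } catch {
    return null;
  }
}

// Consent is only valid if it was granted for the current set of purposes.
function hasValidConsent(jar) {
  const c = readConsent(jar);
  return c !== null && c.granted && c.version === PURPOSES_VERSION;
}

// Ask (again) when nothing is memorised or the purposes changed since the
// decision; a memorised refusal for the current purposes is respected silently.
function needsPrompt(jar) {
  const c = readConsent(jar);
  return c === null || c.version !== PURPOSES_VERSION;
}

function recordChoice(jar, choice) {
  switch (choice) {
    case "accept":
      jar.set(CONSENT_COOKIE, JSON.stringify({ granted: true, version: PURPOSES_VERSION }));
      break;
    case "refuse-ask-again":
      jar.delete(CONSENT_COOKIE); // store nothing, so the prompt reappears next visit
      break;
    case "refuse-remember":
      jar.set(CONSENT_COOKIE, JSON.stringify({ granted: false, version: PURPOSES_VERSION }));
      break;
    default:
      throw new Error(`unknown choice: ${choice}`);
  }
}

// Places a cookie only if it is strictly necessary or valid consent exists.
// Undeclared cookies are rejected: anything missing from the audit table is a bug.
function setCookie(jar, name, value) {
  const entry = COOKIE_TABLE[name];
  if (entry === undefined) throw new Error(`undeclared cookie: ${name}`);
  if (!entry.essential && !hasValidConsent(jar)) return false;
  jar.set(name, value);
  return true;
}

// Revocation memorises a refusal and removes every non-essential cookie already
// placed; strictly necessary cookies stay. Returns how many were removed.
function revokeConsent(jar) {
  recordChoice(jar, "refuse-remember");
  let removed = 0;
  for (const [name, entry] of Object.entries(COOKIE_TABLE)) {
    if (!entry.essential && jar.delete(name)) removed++;
  }
  return removed;
}

// Walks one visitor through the lifecycle and returns the observations.
function demo() {
  const jar = createJar();
  const out = {};
  out.promptOnFirstVisit = needsPrompt(jar);                  // true
  out.adBeforeConsent = setCookie(jar, "ad_id", "x");         // false
  out.sessionBeforeConsent = setCookie(jar, "session", "s1"); // true: essential
  recordChoice(jar, "accept");
  out.adAfterConsent = setCookie(jar, "ad_id", "x");          // true
  out.removedOnRevoke = revokeConsent(jar);                   // 1
  out.promptAfterRevoke = needsPrompt(jar);                   // false: refusal memorised
  out.sessionSurvives = jar.has("session");                   // true
  return out;
}
```

The version number is what ties the "Changes in cookies after consent" rule to the code: an old acceptance is neither honoured nor silently upgraded once the purposes change, and a memorised refusal is still remembered rather than re-asked on every visit.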
Summary
Once you have determined that the Directive has been implemented in some form in a member state a website operates in, the suggested course of action, based upon the above, is to attempt compliance by the date required under the local law. Doing nothing or waiting to see is not advisable. It is worth noting that the enforcement approach is intended to be practical and proportionate, likely considering the size of an organization,[48] its resources, and the surrounding circumstances; however, the Directive and many of the member states' attempts to implement it are not clear or explicit.
Therefore, a website's first step should be to audit its use of cookies and similar technologies; the website must then provide clear and comprehensive information in order to obtain informed consent in any of the ways mentioned above, or in similar ways that are legally analogous where required.
47 Id. at French DPA CNIL (translated into English), Are all cookies concerned?
48 Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 24: practical and proportionate approach.