Dublin Law Firm McCann Fitzgerald Spell Out the Issues for Website Operators and Latest EC Regulatations
On 1 July 2011, important changes to existing laws on cookies were introduced by the EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, which are designed to implement the provisions of the ePrivacy Directive (Directive 2009/136/EC) and repeal existing laws in this area (ie SI 535/2003 and SI 526/2008) in their entirety.
A cookie is a small text file which is stored on, and later retrieved from, a user's computer or other device. The main purpose of a cookie is to allow the website operator to identify the relevant device and to recognise repeat visitors to the website. Such repeat visits allow the website operator to track user trends and to obtain a detailed statistical analysis of visitors to the site. In particular, cookies can be used to build a profile of specific users and provide an invaluable tool for any website operator wishing to engage in behavioural marketing based on user preferences.
However, such an approach is no longer sufficient and the prior consent of website users is required. Specifically, Regulation 5(3) provides that a person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user unless such subscriber or user;
(a) has given consent to that use; and
(b) has been provided with clear and comprehensive information, in accordance with the Data Protection Acts 1988 and 2003 (“DPA”), which is:
(i) prominently displayed and easily accessible; and
(ii) includes, without limitation, details of the purposes of the processing.
The clear intention of Regulation 5(3) is that information requirements in sub- section (b) must be complied with before consent is obtained.
As such, very clear information will first need to be given to users regarding the various types of cookies deployed on the website and the purpose of such cookies. A positive indication of consent will then be required so as to ensure that consent is freely given, specific and constitutes an informed indication of the data subject’s wishes.
Not surprisingly, the question causing greatest consternation amongst website operators is how the requirement for such prior informed consent can be satisfied. In particular, website operators are concerned that if consent must be obtained (eg through the use of pop-up menus or similar devices) each time a cookie is downloaded or accessed, this will significantly disrupt the user’s overall browsing experience.
In this context, Regulation 5(4) is worthy of note and provides as follows:
(a) The methods of providing the information and giving consent should be as user-friendly as possible; and
(b) Where technically possible and effective, having regard to the provisions of the DPA, the user’s consent to the storing of information, or gaining of access to information already stored, may be given by the use of appropriate browser settings or other technological application by means of which the user can be considered to have given consent.
Given the potentially disruptive effect of using pop-up menus or similar methods to obtain consent, the possibility that consent might be obtained through the use of appropriate browser settings has given some hope to website operators. In this regard, however, the DPC Guidance makes clear that current browser settings are not sophisticated enough to meet the requirements of Regulation 5(4)(b).
The likely rationale for this view is that the default position for most browser settings is to accept cookies unless the user takes positive steps to block the cookie acceptance function on its browser. This is not consistent with the requirement under the Regulations to obtain a fully informed positive indication of consent.
The DPC further suggests that regard should be had to the Article 29 Working Party Opinion 2/2010 on online behavioural advertising (the “Opinion”) in determining how the consent requirement under the Regulations may be met.
The key points from the Opinion are as follows:
- Browsers which reject cookies by default and require the user to engage in affirmative action to accept the initial acceptance and the continued transmission of cookies by specific websites may be able to deliver valid and effective consent. The Opinion encourages industry to engage with browser manufacturers to work towards such a solution;
- Pending the implementation ofappropriate changes in browser settings,website operators will need to adopt other means of obtaining prior consent through the use of opt-in mechanisms.
The Opinion does not, however, specify what such opt-in mechanisms might involve (eg pop-up menus or other technical devices); and
- Where consent is provided up-front,this should be adequate for subsequent readings of the cookie (ie without the need to obtain consent every time the cookie is used) provided appropriate safeguards are adopted. These include:
- (i) limiting the scope of the consent in time (eg 12 months);
- (ii) providing a means of easily revoking consent; and
- (iii) adopting a clearly visible symbol or tool on the website reminding users that cookies are in use (which should also serve to remind them that they can revoke consent at any time).
Until such time as browser manufacturers adjust their technologies so that rejection of cookies is the norm, website operators will be required to find some other means of satisfying the information and prior consent requirements under the Regulations. Guidance published by the UK Information Commissioner (“ICO”) on the UK equivalent of the Regulations provides a number of practical suggestions as to how such requirements may be satisfied.
(a) the use of pop-up menus asking users for consent, although the ICO acknowledges that this may spoil the experience of using the website, particularly if several cookies are used;
(b) through the use of website terms and conditions, although the ICO states that users would have to be made very clearly aware of the changes and their rights in respect of cookies. They would then have to give a positive indication of consent (eg by ticking a box) to the acceptance of cookies; and
(c) settings-led consent – where website users make particular choices about how they want the website to work for them (eg accessing a site in a particular language, etc). A positive consent to the acceptance of cookies can be incorporated as part of this process; and
(d) feature-led consent – where a website chooses to use a particular feature of the site (eg watching a video clip, etc), consent to cookies can be obtained when the user asks the website to switch on the relevant function
Although neither the Regulations nor the DPC Guidance say so specifically, it is hoped that some degree of tolerance will be afforded to website operators during the time which it will take to incorporate appropriate technologies into their websites for the purposes of obtaining prior consent. Failure to comply with the provisions of Regulation 5(3) is not expressed to be a criminal offence.
Notwithstanding this, as the DPC will have the usual range of civil remedies at his disposal for non-compliance (eg powers to investigate, issue enforcement and information notices, risk of naming and shaming in the DPC annual report, etc) website operators should be mindful not to sit on their hands and should start working on appropriate cookie opt-in mechanisms as a matter of priority.
In fact, website operators should be mindful not to delay and should start working on the appropriate cookie opt-in mechanisms as a matter of priority."
The Regulations have also tightened up the laws on direct marketing with prior consent now being required for marketing calls to mobile phones. Further, the Regulations have placed mandatory notification of security breaches by telecommunications companies and internet service providers on a statutory footing attracting criminal liability for non-compliance. Such changes will be the subject of a separate McCann FitzGerald briefing.
Visit McCann Fitzgerald
Get Instant Irish Tech News Updates....