Time to get to grips with cookies
This article was first published in Data Protection Law & Policy in December 2011.
The most obvious way of allowing for that flexibility is to accept that consent will often need to be implied. An accepted principle under data protection law is that where data processing is not intrusive in nature and there is no foreseeable risk or harm to individuals, the standard of consent required is lower than where the sensitivity of the processing is greater. So to the extent that the use of Internet cookies has only minimal impact on people's privacy, it is logical to assume that such use may be based on individuals' implied consent. The UK Information Commissioner has taken a slightly cautious view but essentially accepts this approach. For the UK regulator, it is all about consumer awareness, since implied consent must be based on a definite understanding of what is going to happen.
A more contested issue in this context is whether the consent must be prior to the serving of cookies. Despite the fact that the e-privacy directive makes no reference to the word 'prior' – unlike in the case of e-mail marketing – and that such a word was indeed removed from the directive during the legislative process, the Article 29 Working Party is adamant that consent must be obtained before a cookie is served or information stored in the user's terminal equipment is collected. The Information Commissioner on the other hand acknowledges that currently many websites set cookies as soon as a user accesses the site and that this makes obtaining consent before the cookie is set difficult. The UK Government has gone even further and stated that it is possible that consent may be given after or during processing.
Taking all this into account, what should a website operator or advertiser that relies on cookie technology do? The time for pondering is certainly running out and so is the patience of the regulators. Cookies which are strictly necessary for the provision of an online service requested by an Internet user are exempt from the notice and consent requirements, but what about the two most popular types of cookies around: analytics and advertising cookies? Are these cookies so intrusive and harmful that only explicit and prior consent will justify their use from now on? Not necessarily, but achieving legal compliance will require some clever thinking and visible action.
Data privacy compliance is not a matter of scientific precision but an exercise of common sense and legal vision. In the context of Internet cookies, this means bending over backwards to make it crystal clear what cookies are being used and for what purposes. If implied and real-time consent is going to be relied upon, it is going to have to be pretty obvious to the average user what is going on. At the very least, it has to be reasonable to assume that someone can easily find out and exercise effective control over the cookies being served on their terminal equipment. A prominent notice, a simple explanation and an opportunity to take a view on whether to accept or reject cookies will go a long way, but only if they move from a wish list to action.