Clarifying cookie consent




This article was first published in Data Protection Law & Policy in April 2012.

Three years have gone by since the European Parliament shocked and awed everyone by tweaking the e-privacy directive and introducing the most controversial word in the data protection glossary – consent – in the provision that deals with Internet cookies.  The debate that followed immediately afterwards about the meaning of consent and whether it will ever be realistic to get everyone using the web to comprehend, consider and positively accept the use of cookies is still ongoing.  Much has been said, written and argued about this subject in the past three years.  Opposing views about whether anything has changed have been aired.  Passionate arguments about what constitutes consent have been put forward.  All of which has contributed to a climate of confusion and myths where legal certainty is surrounded by wishful thinking, so it may be a good idea to shed some light and make some clarifications:

  • Where the users of the site are based is irrelevant – A common misconception is to assume that the applicability of the law that governs the use of cookies is determined by the geographical location of the user of the site – for example, that a web site in French used by users in France will be subject to French law.  However, if the web site is operated by an entity established in a different EU Member State and that entity is responsible for serving cookies, the applicable law will be the law of that Member State and not that of the country where the users are based.  Somewhat illogically, if the web site is operated by a non EU-based entity, EU law will only apply if EU-based equipment other than the users' devices is used to process the cookie data. 
  • The law is already in force – Many mistaken headlines have been written about the coming into force of the cookie consent requirements in May 2012.  That's actually a year behind the real date.  In the UK at least, the requirement has been in place since 26 May 2011 even though the UK Information Commissioner publicised its intention not to enforce the law for at least a year.  Most other EU Member States – with the notable exceptions of Germany and the Netherlands – have also passed national laws implementing the consent requirement under the e-privacy directive.
  • Monetary fines for non-compliance in the UK are unlikely – Again, rather sensationalist headlines have been published with references to potential £500,000 fines being issued by the UK Information Commissioner.  As it happens, the chances of the ICO ever issuing a single monetary fine for not complying with the cookie consent rule are virtually nil.  That is not because the Information Commissioner does not care about this issue but because the conditions regarding the seriousness of the breach and the damage or distress to individuals are very unlikely to be met.  Other countries may of course have a lower threshold for fines to be imposed.
  • Implied consent still requires demonstrable behaviour – Much of the debate to date has centred on the scope for implied consent – that holy grail of compliance that does not involve ticking boxes or clicking on ‘I Accept’ buttons.  However, the notion of consent (however we want to qualify it) still involves a clear understanding of what we are agreeing to.  So if implied consent is going to be relied upon, it will have to be obvious to the average user what is happening, which in practice means that, as a minimum, a suitably visible and clear notice must be displayed and made available for long enough to be seen and digested.  Anything less than that would make it very hard to argue that consent was obtained and is likely to be dismissed as insufficient by regulators and the courts.
  • The words "By using this site you agree to…" in a privacy policy are meaningless – A word of caution to those who have received or seen guidance to the effect that consent may be obtained by functional use only – i.e. by sticking the words “By using this site you agree that we can place cookies on your device” in a privacy policy or cookie notice.  Needless to say, unless one can show that the notice was read (which is unlikely if it sits behind a minute link at the bottom of a website), the informed consent requirement will not be met.
  • Lack of enforcement does not prove compliance – Finally, many of the decisions regarding compliance with the cookie consent requirement are driven by the possible risk of enforcement.  In practical terms, this often translates into doing as little as possible to avoid regulatory scrutiny irrespective of whether the mechanism deployed is compliant or not.  Accordingly, as so far no European regulator has taken any enforcement action in this area, the perceived likelihood of enforcement risk is low, which means that hardly anyone is complying with the law. 

Eduardo Ustaran, Partner in our Privacy and Information Law Group at Field Fisher Waterhouse LLP