Cookie, D'oh! UK government publishes open letter on cookie consent

Phil Lee
25/05/2011
Just two days before new cookie "consent" rules come into effect across Europe, the Department for Culture, Media and Sport published an open letter on how UK cookie consent requirements should be interpreted (goo.gl/LuNHk). The letter sets out the views of DCMS (as legislator) in implementing these new rules but, unfortunately, it seems to conflict with earlier advice from the ICO (as regulator) and the Article 29 Working Party.

Specifically:

1. Support for OBA initiatives: The DCMS says that the UK approach has "been built around support for the cross-industry work on third party cookies in behavioural advertising". This is clearly a good sign for the IAB and the self-regulatory OBA framework it has adopted. However, it does not answer the important question of whether enhanced notice and opt-out, as supported by the targeted ad industry, will meet the consent requirement.

2. Consent after the event: The Article 29 Working Party has indicated that prior opt-in consent is more in line with the legal requirement (at least in relation to third party ad network cookies), but the DCMS says that suggestions that there is a mandatory need for prior consent are based on a "misunderstanding" of the UK implementation. It notes that Article 5(3) of the revised e-Privacy Directive does not itself use the word 'prior', suggesting that consent can be given after the event. It's challenging to reconcile this position with that of the ICO, which said in its cookie advice: "You need to provide information about cookies and obtain consent before a cookie is set for the first time".

3. Default browser settings: The DCMS letter also adds confusion to the role of browser settings. Both the ICO and DCMS are clear that current browser settings are not sufficient to obtain visitor consent. But then the DCMS says that the new consent rule "does not preclude an individual giving consent by ... leaving his browser settings as they are", which contrasts with an earlier statement that "default settings could not be considered to meet the requirements of the new Directive." Earlier Article 29 Working Party guidance said "It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes".

What does this mean?

The answer lies in the browser settings available to users. Both the DCMS and the ICO agree that reliance on current browser settings is not sufficient to obtain consent, and the DCMS letter therefore has to be read in this light.

This means that prior consent may not be necessary once appropriate browser solutions exist. Also, once these solutions do exist, website operators may be able to obtain consent from users who do not amend their browser settings or controls. However, until these browser solutions are available, the prior consent standard, and the practical and technical complexities it attracts, would seem to apply.

Thankfully, though, the DCMS has repeated its message that there should be no enforcement before appropriate solutions exist. This means that, rather than worrying about how to implement awkward technical changes to web platforms to obtain user consent, the compliance exercise for now should instead focus on:

(i) auditing existing cookie use;

(ii) assessing intrusiveness; and

(iii) enhancing user transparency, as per earlier posts.
