Thinking back to the early days when Europe's controversial "cookie consent" law first passed, many in the privacy community complained about lack of guidance on obtaining consent. The law required
Thinking back to the early days when Europe's controversial "cookie consent" law first passed, many in the privacy community complained about lack of guidance on obtaining consent. The law required them to get consent, but didn't say how.
In response to this, legislators and regulators - at both an EU and a national level - responded that consent solutions should be market-led. The thinking went that the online industry was better placed to innovate creative and unobtrusive ways to get consent than lawyers, regulators and legislative draftsmen.
As it transpired, this is precisely what happened. In the four years since Europe adopted cookie consent, online operators have now evolved and embraced implied consent models across the EU to obtain their visitors' consent to cookies. However, this is not where the story ends.
In an opinion last week, the Article 29 Working Party published further guidance on obtaining cookie consent ("Working Document 02/2013 providing guidance on obtaining consent for cookies" - available here). This supplements several previous opinions that, directly or indirectly, also address cookie consent requirements (see here, and here, and here, and here, for example).
The rationale behind the latest opinion, on the face of it, is to address the question: "what [cookie consent] implementation would be legally compliant for a website that operates across all EU Member States?" But in answering this question, the guidance veers towards a level of conservatism that all but ensures it will never see widespread - let alone pan-European - adoption.
It doesn't start off well: in discussing how a user can signify choice over whether or not to receive cookies, the guidance at one point states: "it could include a handwritten signature affixed at the bottom of a paper form".
It then goes on to say that "consent has to be given before the processing starts ... As a result a website should deliver a consent solution in which no cookies are set to user’s device ... before that user has signalled their wishes regarding such cookies." In other words, the guidance indicates the need for a pop-up or a barrier page for users to click through before cookies can be set, harking back to the worst fears of industry at the time the cookie consent law was originally proposed.
When we're talking about a fundamental human right, like privacy, the attraction of prior consent is obvious. Unfortunately, it's practically and technically very challenging. However easy it sounds in theory (and it does sound easy, doesn't it?), the realities are much more problematic. For example, do you really require website operators to build two versions of their websites: one with cookies, and one without? What happens to 'free' content on the web whose cost is subsidised by targeted advertising currently - who wants to return to a subscription-funded Internet? If you're a third party service provider, how do you guarantee prior consent when it is your customer (the website operator) who has the relationship with its visitors?
More importantly, prior consent is not what the e-Privacy Directive requires. The word 'prior' never appears in the revised Article 5(3) of the e-Privacy Directive (the Article that imposes the consent requirement). In fact, the word 'prior' was originally proposed, but was later dropped during the course of legislative passage. Contrast this with Article 6(3), for example, which deals with processing of communications metadata (think PRISM) and DOES call for 'prior' consent. Article 13 on unsolicited communications also uses the word 'prior' next to its requirement for consent.
What conclusions should we draw from this? That's a debate that lawyers, like me, have been having for a long time. But, frankly, it's all pretty academic. Let's deal instead in realities: if we were to be faced with cookie pop-ups or barrier pages on entry to EVERY website on the Internet, how quickly would we would become fatigued and simply click away the notices just to get rid of them? What would that say about the validity of any 'prior' consents we provide?
Industry evolved implied consent as a solution that struck a balance between protecting individuals' rights, addressing legal compliance and enabling online business. Over time, it has done wonders to improve online tracking transparency and choice - implied consent has now become so widespread in the EU that even companies for whom cookies are their lifeblood, like Google, have implemented cookie consent transparency and choice mechanisms.
Critically, when done right, implied consent models fully satisfy the legal requirement that users' consent must be "freely given, specific and informed". So here's my suggestion: if you are looking to implement a cookie consent solution across Europe, don't automatically jump to the most conservative standard that will put you out of alignment with your competitors and that, in most cases, will go further than national legislation requires.
Consider, instead, implied consent - but, if you do, embrace it properly: a slight revision to your privacy policy and a new link to a cookie policy in the footer of your website won't suffice. Your implied consent model needs to provide prominent, meaningful notice and choice to visitors. And to see how to do that, see our earlier post here.
In response to this, legislators and regulators - at both an EU and a national level - responded that consent solutions should be market-led. The thinking went that the online industry was better placed to innovate creative and unobtrusive ways to get consent than lawyers, regulators and legislative draftsmen.
As it transpired, this is precisely what happened. In the four years since Europe adopted cookie consent, online operators have now evolved and embraced implied consent models across the EU to obtain their visitors' consent to cookies. However, this is not where the story ends.
In an opinion last week, the Article 29 Working Party published further guidance on obtaining cookie consent ("Working Document 02/2013 providing guidance on obtaining consent for cookies" - available here). This supplements several previous opinions that, directly or indirectly, also address cookie consent requirements (see here, and here, and here, and here, for example).
The rationale behind the latest opinion, on the face of it, is to address the question: "what [cookie consent] implementation would be legally compliant for a website that operates across all EU Member States?" But in answering this question, the guidance veers towards a level of conservatism that all but ensures it will never see widespread - let alone pan-European - adoption.
It doesn't start off well: in discussing how a user can signify choice over whether or not to receive cookies, the guidance at one point states: "it could include a handwritten signature affixed at the bottom of a paper form".
It then goes on to say that "consent has to be given before the processing starts ... As a result a website should deliver a consent solution in which no cookies are set to user’s device ... before that user has signalled their wishes regarding such cookies." In other words, the guidance indicates the need for a pop-up or a barrier page for users to click through before cookies can be set, harking back to the worst fears of industry at the time the cookie consent law was originally proposed.
When we're talking about a fundamental human right, like privacy, the attraction of prior consent is obvious. Unfortunately, it's practically and technically very challenging. However easy it sounds in theory (and it does sound easy, doesn't it?), the realities are much more problematic. For example, do you really require website operators to build two versions of their websites: one with cookies, and one without? What happens to 'free' content on the web whose cost is subsidised by targeted advertising currently - who wants to return to a subscription-funded Internet? If you're a third party service provider, how do you guarantee prior consent when it is your customer (the website operator) who has the relationship with its visitors?
More importantly, prior consent is not what the e-Privacy Directive requires. The word 'prior' never appears in the revised Article 5(3) of the e-Privacy Directive (the Article that imposes the consent requirement). In fact, the word 'prior' was originally proposed, but was later dropped during the course of legislative passage. Contrast this with Article 6(3), for example, which deals with processing of communications metadata (think PRISM) and DOES call for 'prior' consent. Article 13 on unsolicited communications also uses the word 'prior' next to its requirement for consent.
What conclusions should we draw from this? That's a debate that lawyers, like me, have been having for a long time. But, frankly, it's all pretty academic. Let's deal instead in realities: if we were to be faced with cookie pop-ups or barrier pages on entry to EVERY website on the Internet, how quickly would we would become fatigued and simply click away the notices just to get rid of them? What would that say about the validity of any 'prior' consents we provide?
Industry evolved implied consent as a solution that struck a balance between protecting individuals' rights, addressing legal compliance and enabling online business. Over time, it has done wonders to improve online tracking transparency and choice - implied consent has now become so widespread in the EU that even companies for whom cookies are their lifeblood, like Google, have implemented cookie consent transparency and choice mechanisms.
Critically, when done right, implied consent models fully satisfy the legal requirement that users' consent must be "freely given, specific and informed". So here's my suggestion: if you are looking to implement a cookie consent solution across Europe, don't automatically jump to the most conservative standard that will put you out of alignment with your competitors and that, in most cases, will go further than national legislation requires.
Consider, instead, implied consent - but, if you do, embrace it properly: a slight revision to your privacy policy and a new link to a cookie policy in the footer of your website won't suffice. Your implied consent model needs to provide prominent, meaningful notice and choice to visitors. And to see how to do that, see our earlier post here.