Legal Updates

Internet Law – E-Commerce – E-Privacy – Cookies – Directive 2009/136/EC – Data Protection – Privacy Policy

 

In December 2009 the E-Privacy Directive (2002/58/EC) was amended by Directive 2009/136/EC. This was partly due to the nature of third party cookies and the growing perception that their existence could amount to an invasion of personal privacy.

 

General

 

Cookies are files stored on a user’s computer which hold data specific to that particular user and the websites the user visits. Cookies then allow a tailored webpage to be delivered to the user upon their return to the page. The obvious advantage of cookies is therefore that they serve to make web browsing easier by, for example, remembering information such as usernames for a login on a webpage, personal preferences for page layouts and the contents of your shopping cart if you navigate away from the page.

 

Third Party Cookies

 

Third party cookies have more of a tracking role. A webpage may contain content from third parties such as advertisers. If the browser allows for it, these third parties may place cookies onto a user’s computer which notify them if the user visits another page containing the third party’s content. This process allows the advertisers to build up a profile of the user’s browsing habits and thereafter to direct targeted advertising campaigns to the user’s tastes. It is this practice which has been deemed an invasion of personal privacy.

 

Directive 2009/136/EC

 

Need for Consent

 

According to Recital 66 of Directive 2009/136/EC, website owners can only use cookies if they provide users with “clear and comprehensive information” about their purposes and the user consents. The Recital provides for an exception to this obligation where the use of cookies is “necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the…user”. An example of this (as already mentioned) is where the use of cookies is necessary to online shopping websites in respect of a user’s shopping cart.

 

Implementation of Directive 2009/136/EC

 

The UK must implement these measures into its legislation by 25 May 2011.

 

Impact Assessment

 

Online behaviour-based advertising is a major contributor to the British advertising industry. In September 2010 the UK Department for Business, Innovation and Skills (“BIS”) published a consultation (“Impact Assessment”) on the implementation of the Directive and estimated its worth as being £740 million by 2012.

 

The Impact Assessment also acknowledges that cookies are used on the majority of web pages.

 

Government Strategy/approach to Consent

 

In light of the BIS consultation, the government does not want to adopt the impractical approach of requesting users to provide confirmation every time a cookie is stored on their computer. This would place UK websites at a competitive disadvantage compared to non-EU sites which do not require explicit consent for cookies.

 

The Government intends to get around this by allowing consent to the use of cookies to be given via users’ web browser settings, which Recital 66 of Directive 2009/136/EC allows.

 

“Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”

 

The Impact Assessment therefore proposed that a transparent approach be adopted, whereby browser owners provide users with information about cookies and how to change the browser settings, and website owners provide users with clear and comprehensive information about cookies used on their sites.

 

Practical

 

  • Changes will have to be made to accommodate complete details of all cookies being used on the sites, e.g. rewriting parts of websites’ privacy policies.
  • Browser owners will have to ensure they are providing users with instructions on how to manage cookies (although this is usually done now, in any case, via the privacy settings on browsers such as Internet Explorer).
  • Companies will have to make amendments to their website privacy policies.

 

Visit http://www.rtcoopers.com/practice_dataprotection.php or http://www.rtcoopers.com/ebusiness.php

 

© RT COOPERS, 2011. This Briefing Note does not provide a comprehensive or complete statement of the law relating to the issues discussed nor does it constitute legal advice. It is intended only to highlight general issues. Specialist legal advice should always be sought in relation to particular circumstances.