Changes to cookies requirements in Europe and implementation status in the UK, France, Germany, Netherlands and Spain

July 2011

Introduction

The European Union has amended the rules applicable to the setting and use of cookies under the E-Privacy Directive[1]. EU Member States were obliged to enact national implementing legislation by 25 May 2011. In many Member States this has not occurred; in others it has occurred but website operators and third parties who set and use cookies, such as advertising network providers, are confused as to how to apply the new rules.

This briefing sets out the position on setting and reading cookies both before and after the amendment to the E-Privacy Directive, tracking key European developments relevant to understanding how the new rules will be implemented in different Member States. Finally, we survey how the legislation has been implemented, or not implemented, in the UK, France, Germany, Netherlands and Spain.

There is an appendix setting out key technical terms used in this briefing on the final page.

E-Privacy Directive pre amendment position

Before the amendment to the E-Privacy Directive came into force, cookies could generally be set and used if the browser user had been given clear information about what information the cookie collected, what that information was used for and the cookie expiry date, coupled with a right to refuse that the cookie be used. This was interpreted to mean that the user would be given instructions in the privacy policy about how to find cookies and delete them via his/her browser settings. As most browsers allow cookies to be set by default, cookies were only ever deleted where the user was aware of them, knew how to delete them and could be bothered to do so.

Where a cookie was strictly necessary to deliver the service requested by the browser user, there was no such requirement. This exception remains following the amendment to the E-Privacy Directive.

E-Privacy Directive post amendment position

With the rise in awareness of online behavioural advertising and creation of user profiles gathered from cookies across multiple websites, the EU Commission concluded that users did not understand the extent of information gathering that was taking place through cookies and that therefore organisations that set and use cookies should obtain consent in relation to their use rather than setting a cookie and giving the means to delete it.

In November 2009, the E-Privacy Directive was amended to give effect to this more protective position. The wording of the amendment does not expressly require consent to be obtained before the cookie is set and the recitals to the amending instrument expressly acknowledge that consent can be expressed through the appropriate settings of the user’s browser.

In June 2010, the Article 29 Working Party adopted an opinion on online behavioural advertising[2] that sought to add interpretative detail to the cookies amendments to the E-Privacy Directive. In that opinion (focusing on third party cookies exclusively), the Working Party concluded that the amendment must be read as requiring details about what information the cookie collected and what that information was used for to be given to the user before he/she consented and before the cookie was set. It rejected the argument that a user could be said to have consented to the cookie by having browser settings that allowed cookies, on the basis that most browsers allowed cookies by default and many users were unaware of this or of how to delete cookies. It signified that consent through non-action was not valid under EU law and that it would be impossible for the user to know what he/she was consenting to in advance.

The Working Party elaborated that for browsers to be used to signify consent, the default setting would have to be changed to reject cookies and the user would need to change that setting him/herself in order for a browser to be part of the consent gathering mechanism. Further, consent could not be indefinite; it suggested that a fresh consent should be obtained after a year. Users should be reminded when cookies were being used through the use of a well publicised symbol on the part of the site where the information collection was taking place. This symbol should link back to the consent notice and the means to delete the cookie.

The Working Party opinion caused huge controversy in the online world, much of which is paid for by advertising revenues that are higher precisely because more targeted ads can be served due to the user profiles built up through the advertising network provider’s cookies.

A period of intense lobbying followed, the aim of which was to avoid drastic browser or pop up changes that would significantly decrease users’ acceptance of cookies.

Online behavioural advertising - EASA Best Practice Recommendations / IAB Framework

The European Advertising Standards Alliance (EASA) is a network of European (and some non-European) advertising standards authorities (such as the UK Advertising Standards Authority) which coordinates and promotes homogenous advertising best practice across Europe. The Internet Advertising Bureau Europe (IAB) is an industry body which represents the online advertising industry in Europe.

These two organisations responded to the Working Party Opinion on online behavioural advertising (OBA) by developing and publishing on 14 April 2011 the EASA Best Practice Recommendation on Online Behavioural Advertising[3] and the IAB Framework for European Self-Regulation for Online Behavioural Advertising[4].

The key elements of the IAB Framework for European Self-Regulation for Online Behavioural Advertising are:

  • It covers websites where information is obtained across multiple websites not under common control of the website publisher which is used to serve targeted advertisements to that user (i.e. where third party cookies are used). It is not aimed at first party cookies (i.e. those set by the website publisher).
  • The introduction of a well publicised icon (a lower case “i” on a blue background) on the advertisement through which the cookie is set, to alert the user to the fact that a cookie is collecting information for OBA purposes.
  • The icon linking through to information about the companies involved in placing the advertisement and the information collected through cookies and a user friendly interface to disable them. This will be facilitated through a link to a website at www.youronlinechoices.eu which also provides general information about OBA and cookies.
  • A requirement that advertising network providers include a clear notice on their website about their OBA data collection and uses of that data, coupled with an easy to use mechanism for the user to opt out of such use/disable the relevant cookie.
  • A requirement for the advertising network provider to obtain explicit consent to cookies it sets that will collect data from substantially all URLs traversed by a device and used for OBA. A mechanism must also be provided whereby such consent can be withdrawn easily.
  • Explicit consent if sensitive personal data is collected.
  • A prohibition on the creation of advertising segments targeted at children younger than 12 years old.
  • A requirement to educate users and businesses about how OBA data is obtained and used.
  • If the preceding steps have been undertaken, no requirement for the website publisher to provide further information about the cookies set by the advertising network provider.
  • Advertising network providers must self certify compliance with the framework and must submit to independent audits of the same. A B2B compliance seal may be displayed if compliant (and taken down if not).
  • A complaints handling procedure to the cookie setting organisation and to local advertising self-regulatory bodies. EASA member advertising authorities will coordinate complaints to try to ensure that only relevant advertising authorities investigate and enforce. Where a complaint is upheld it would be published on the relevant advertising authorities’ websites.

There is no express reference to changes to browser default settings or functionality in the IAB Framework, but clearly it would greatly assist the OBA industry if the explicit consent requirements for processing data obtained across substantially all URLs a user visits, or sensitive data, could be met through an automated browser solution rather than a pop-up opt-in. Neither the EASA Best Practice Recommendation on Online Behavioural Advertising nor the IAB Framework for European Self-Regulation for Online Behavioural Advertising has been expressly endorsed by the EC Commission.

First Party and non-OBA Cookies

There has been far less focus on first party and non-OBA cookies; guidance as to how to comply with the consent requirements for these types of cookies is emerging only now as Member States publish their implementing legislation.

No guarantee that EU Member States will implement the cookies amendments or enforce their rules harmoniously

Against this rather complex backdrop it is not at all clear that a uniform position will emerge across Member States. The position in the UK, France, Germany, Spain and Holland as at 24 June 2011 is set out below. Guadalupe Sampedro at Spanish law firm Garrigues has kindly contributed the section on the Spanish position.

UK position

Amendments to the UK implementing legislation of the E-Privacy Directive[5] were passed on 5 May 2011 and came into force on 26 May 2011. The UK data protection regulator (Information Commissioner) issued guidance on the regulations on 9 May 2011[6].

There was intense consultation in the UK prior to the implementation of the cookies amendments. The UK government was keen not to upset the digital advertising industry unnecessarily and took the approach of transposing the wording of the E-Privacy Directive into the UK implementing legislation almost word for word (including references to consent being given through appropriate browser settings). This left the UK data protection regulator the difficult task of clarifying what would be required to meet its provisions (on the basis that this would allow more flexibility as browser and other consent gathering mechanisms developed).

Given the very compressed timeframe that businesses had to react to the changes in the law, the UK data protection regulator issued guidance that it would not bring enforcement proceedings for non-compliance for 12 months from 26 May 2011 provided that organisations could show they had taken steps to comply properly with the rules by May 2012.

In summary, the UK guidance provides that:

  • Website publishers should undertake an audit of the cookies used on their sites and what the information obtained is used for.
  • The website publisher should then assess how intrusive the cookie is to the user’s privacy (first party website analytics cited as less intrusive and detailed profiles of a user’s browsing as more intrusive).
  • The website publisher then should assess the best method for gaining consent to the use of the cookie bearing in mind how intrusive the cookie is to the user’s privacy. The guidance provides the following suggested methods:
    • Browser settings: at present the UK regulator does not accept that browser settings are sophisticated enough to provide consent. However, it states that the Government is working with browser manufacturers to establish browser level solutions and this door is left open for the future.
    • Pop-up windows: a pop-up window or splash page asking for consent before the cookie is placed.
    • Consent in terms & conditions: consent can be obtained through terms and conditions provided that it is sufficiently prominent and user friendly. Where existing terms are being changed to obtain this consent, the user must be aware the changes relate to cookies and positively accept such changes (a tick box is suggested).
    • Website settings & features: consent could be obtained at the time a setting (e.g. language preferences) or feature (e.g. viewing a video clip) is requested by the user.
    • Website notices & implied consent through use: the guidance is not definitive on this point but the door is left open (particularly for non-privacy intrusive cookies). Identification of the cookies and a description of what each does is required, coupled with more prominent notice mechanics (such as a prominent “cookies” link on the homepage which is highlighted or displays the cookies information (and how to refuse it) just before the cookie is set).
    • Online Behavioural Advertising: the guidance does not actually approve the IAB Framework but mentions that initiatives to ensure users are better informed are taking place and that these initiatives will “adapt” to achieve compliance, suggesting they are not yet sufficient. In the meantime it advises “anyone whose website allows third party cookies to make sure that they are doing everything they can to get the right information to users and that users can make informed choices about what is stored on their device”.

Finally, the UK Government issued an open letter on 24 May 2011[7] stating that the E-Privacy Directive cookies amendment did not refer explicitly to “prior” consent being required before setting a cookie (although it was logical that in the majority of cases consent should be given in advance). The significance of this is to leave the IAB Framework (where prior opt-in consent is not given for every cookie) viable, although it should be stressed that the UK Information Commissioner has not yet endorsed the framework and amendments to that framework may still be required to achieve such endorsement.

German position

The German legislature has not yet published legislation implementing the cookies amendments to the E-Privacy Directive.

Although the German Government adopted a draft bill to amend the German Telecommunication Act on 2 March 2011, to implement amendments to other EU Communications Directives, the draft did not include any provisions covering the cookies amendments. The foreword of the bill states that the increasing use of “cookies” and similar techniques raises concerns about the fundamental right to privacy, in particular because of the risk of profiling by linking information and data without the user’s knowledge. It continues to explain that provisions have not been included due to the ongoing “extensive consultations at European level, which also include self-regulatory approaches of the advertising industry”. The Government appears reluctant to enshrine an explicit opt-in requirement for cookies but there is also no reliable guidance yet as to which alternative methods might be acceptable.

However, the Bundesrat (the Federal Cabinet) has presented a draft law that aims to implement the amended E-Privacy Directive into the German Telemedia Act. The draft, dated 17 June 2011, includes an amendment to Section 13 of the Telemedia Act which provides that storage of data on the equipment of the user (e.g. in the form of a cookie) and the access to this data will only be permissible where the user has been informed properly in advance about the cookies and use of the information that will be obtained through them and has consented to such use. The original exception to the consent requirement remains where the cookie is being used for the sole purpose of enabling an information or communication service which the user has explicitly requested. Unfortunately, the draft and explanatory notes to the draft remain silent as to how the required consent could be given.

Until implementing legislation is passed, however, now that the amendments to the E-Privacy Directive have come into force, the existing cookies regulations (Sections 13 and 15 of the German Telemedia Act), which provide for an information obligation and an opt-out solution, must be interpreted in conformity with the amended E-Privacy Directive. It would therefore be sensible to implement prior consent mechanisms in line with the wording of the E-Privacy Directive (including recital 66, which mentions the possibility of the user expressing consent by using the appropriate settings of a browser or other application). In this respect, the UK model might be used as guidance (although it must be stressed that the UK guidance has no legal effect in Germany) until the German position becomes clearer.

French position

In France, the implementation of the amendments to the E-Privacy Directive in relation to cookies will be passed through a Decree[8] which also covers amendments to other EU communications Directives. A draft version of the Decree is currently in existence[9] but has not yet been passed.

A public consultation on the draft Decree has been launched by the French Government, including with the relevant French regulatory bodies such as the CNIL (the French data protection regulator) ending on 11 July 2011. The draft Decree is likely to be adopted by the French Government at the latest on 21 September 2011.

A first review of this draft Decree by the CNIL took place on 9 June 2011, but the outcome (opinion) of this review is not made publicly available under French law. Further reviews are expected until 11 July 2011.

If the draft Decree were to be passed in its current form, clear and complete information would be required and, once this information has been made available, consent (which may be given through appropriate browser settings) would be required before any access to the information stored in the Internet user’s equipment or placement of cookies in said equipment.

Until then, website owners and advertising network providers should comply with article 32.II of the French Data Privacy Law of 6 January 1978 under which Internet users should be given clear and complete information regarding the purpose of setting cookies and the means to object to the setting of cookies. Models of what should be in the information notices are provided on the CNIL’s website[10].

Spanish position

Although the deadline for transposition of the E-Privacy Directive has expired, the process of amending the existing Spanish cookies legislation, Act 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI), is still underway.

Relevant amendments to the LSSI were published on 27 May 2011. It will now take about three to four months for these amendments to be reviewed in Parliament and come into force. If the amendments come into force in their current form, prior informed consent will be required before cookies are set and read, but users may signify this consent by changing their browser default settings when installing the browser or through an express browser action in relation to specific cookies. As most browsers’ default settings allow cookies, browser consent remains contingent on changes to browser settings by browser manufacturers.

The amendments anticipate that key cookies users, such as advertising network providers, will implement voluntary codes of conduct in this area. In particular, such codes should include measures which ensure that users receive clear, complete and easily accessible information about the use of cookies and that the manner in which the information is provided and the right of refusal is as simple as possible for the user. It favours the development of standard information icons to signify that cookies are being used.

However, the final position on key aspects is not yet clear. It is quite likely that a Royal Decree will be passed after the amendments come into force prescribing the consent and information requirements in more detail. Until then, website owners and advertising network providers should comply with the guidelines published by the Spanish Data Protection Agency (once published) or, in the absence of such guidelines, they should adopt mechanisms similar to those proposed by the UK Information Commissioner in its guidance or by other European data protection authorities as they become available.

Special thanks to Guadalupe Sampedro at Spanish law firm, Garrigues, for advice on Spanish law.

Dutch position

The lower house of the Dutch Parliament recently voted on a bill amending the Telecommunications Act which, amongst other things, implements the amendments to the E-Privacy Directive. The bill provides that setting and reading third party cookies requires a browser user’s explicit (opt-in) consent. At the same time, it stipulates that the setting and reading of cookies is deemed to constitute data processing within the meaning of the Dutch data protection act. This would for example mean that setting and reading of third party cookies for behavioural advertising purposes requires unequivocal consent.

Whereas the explanatory note to the relevant amendments to the bill explains that an operator will always need to be able to demonstrate that such consent was obtained, it also states that this does not necessarily imply that such consent should be obtained every time a cookie is set or read. However, the bill does not offer any guidance on how the latter should be understood in technical (user-friendly) terms.

The Dutch government initially proposed that the use of cookies be self-regulated, but as members of parliament found this arrangement to be too open to abuse, the bill was eventually sent to Parliament as requiring opt-in consent for the setting of cookies. Since the date of the legislative proposal, the online advertising industry has been very critical, fearing that the requisite opt-in consent could force users to click through more pop-up windows while navigating the internet and damage its business model.

Before entering into force, the bill still requires approval by the upper house of Parliament and as such is unlikely to come into force before the end of 2011. Until then, it is not clear that website owners and ad network providers would be under an enforceable duty to obtain prior consent (although it would be sensible to start thinking about how to obtain such consent, perhaps considering the UK Information Commissioner’s guidance as a starting point, but in the knowledge that the exact Dutch requirements may differ).

Appendix - key technical terms

Article 29 Working Party means the body made up of representatives of all 27 of the EU data protection authorities. It is tasked, amongst other things, with clarifying the interpretation of the EU Data Protection Directive and the national implementing legislation, and with contributing to uniform application of the EU Data Protection Directive across the EU. Its opinions and recommendations are not binding but are usually followed by national data protection regulators in framing their own guidance on national legislation.

Cookies - cookies are small text files that are deposited in a user’s browser directory when the user visits a website and which can be programmed to collect information accessible through that browser. The text file with the information is then sent back to the website publisher each time the user returns to the website.

Session Cookies - session cookies collect information about the user relevant to that visit to the website and are active only during that session. Without a session cookie, user log-in information and the contents of online shopping carts would need to be re-keyed whenever a user moved to a different webpage. The session cookie allows the user to be recognised as the user moves through that website session.

Persistent Cookies - persistent cookies collect information about the user from previous visits to a website and make that information available to the website publisher when the user returns. This information can allow the website to authenticate the user more easily and to serve up web pages set to the preferences the user selected in previous sessions (e.g. language of site or other preferences).

First Party Cookies - cookies that are set and read by the website publisher.

Third Party Cookies and Online Behavioural Advertising - it is not only the website publisher who can place a cookie in a user’s browser directory when the user visits a site. The website publisher can permit third parties to deposit cookies and most websites that carry third party advertising do permit third parties, known as Advertising Network Providers, to place and read persistent cookies at the same time as serving their advertisement with the webpage.

The diagram below sets out how online behavioural advertising works. The Advertising Network Provider contracts with advertisers to place advertisements on websites that will be most relevant to the user and likely to generate sales for the advertiser’s products. The Advertising Network Provider also contracts with website publishers to serve the advertiser’s advertisements on the website publisher’s website and to allow the provider to place a cookie on the website to collect information about the preferences of the user of the website. The user of the website is generally only identifiable by reference to the IP address from which the user is accessing the website. The persistent cookie for that user can be read by the Advertising Network Provider at each website visited by the user that it places advertisements on. Ubiquitous Advertising Network Providers are therefore able to build up valuable profile information about the user which allows them to place more relevant advertisements.

Advertising that selects advertisements using this process is known as Online Behavioural Advertising.
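The cross-site flow just described, as an added example that is not part of the briefing or of any body it discusses: a small Python model in which two constructed publisher hosts both embed advertisements from one constructed advertising network host, showing why the network's persistent cookie links the visits while each publisher's first-party session cookie stays with its own site, and producing the per-site cookie inventory that the audit step of the UK guidance calls for. The single-host cookie scoping rule, the host names and the identifier are assumptions for illustration.

```python
"""Added example, not from the briefing: models the third-party cookie flow in
the appendix and builds the cookie inventory the UK guidance's audit step asks
for.  Host names and identifiers are constructed for illustration."""
from typing import Dict, List, Optional, Tuple


class Cookie:
    """No expiry means a session cookie (active for the visit only); a positive
    expiry in days means a persistent cookie (read back on later visits)."""

    def __init__(self, name: str, value: str, domain: str,
                 expires_days: Optional[int] = None) -> None:
        self.name, self.value, self.domain = name, value, domain
        self.expires_days = expires_days


class BrowserJar:
    """Simplified browser store (assumption): a cookie is returned only to the
    host that set it.  A publisher therefore never sees another publisher's
    cookies, but an ad network embedded on both sites sees its own on both."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], Cookie] = {}

    def store(self, cookie: Cookie) -> None:
        self._store[(cookie.domain, cookie.name)] = cookie

    def cookies_for(self, host: str) -> Dict[str, str]:
        return {c.name: c.value for (d, _), c in self._store.items() if d == host}

    def all_cookies(self) -> List[Cookie]:
        return list(self._store.values())


def visit(jar: BrowserJar, publisher: str, ad_network: str,
          ad_log: List[Tuple[str, str]]) -> str:
    """One page load: the publisher sets a first-party session cookie (e.g. a
    shopping cart, the 'strictly necessary' case) and the advertisement fetched
    from the ad network lets the network read back its own cookie, or set one."""
    jar.store(Cookie("sessionid", "sess-" + publisher, publisher))
    uid = jar.cookies_for(ad_network).get("uid")
    if uid is None:
        uid = "u-4471"  # constructed identifier issued on first contact
        jar.store(Cookie("uid", uid, ad_network, expires_days=365))
    ad_log.append((uid, publisher))  # the network notes which site the user was on
    return uid


def network_profile(ad_log: List[Tuple[str, str]]) -> Dict[str, set]:
    """What the Advertising Network Provider can link per identifier: the set
    of publisher sites on which it saw that identifier (the OBA profile)."""
    profile: Dict[str, set] = {}
    for uid, publisher in ad_log:
        profile.setdefault(uid, set()).add(publisher)
    return profile


def inventory(jar: BrowserJar, site_host: str) -> List[Tuple[str, str, str, str]]:
    """Audit step from the UK guidance: each cookie present after loading the
    site, who set it (first- or third-party) and how long it lives."""
    rows = []
    for c in jar.all_cookies():
        party = "first-party" if c.domain == site_host else "third-party"
        lifetime = "session" if c.expires_days is None else "persistent (%dd)" % c.expires_days
        rows.append((c.name, c.domain, party, lifetime))
    return sorted(rows)


def run_scenario() -> Tuple[Dict[str, set], List[Tuple[str, str, str, str]]]:
    """A user visits two unrelated publishers that both carry adnet.example ads."""
    jar, ad_log = BrowserJar(), []
    visit(jar, "publisher-a.example", "adnet.example", ad_log)
    inv = inventory(jar, "publisher-a.example")  # audit as seen on publisher-a
    visit(jar, "publisher-b.example", "adnet.example", ad_log)
    return network_profile(ad_log), inv


if __name__ == "__main__":
    print(run_scenario())
```

The inventory distinguishes exactly the two axes the guidance asks publishers to weigh (first- versus third-party, session versus persistent), while the profile shows the cross-site linkage that makes the third-party persistent cookie the more intrusive case.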

Footnotes

1. Directive on Privacy and Electronic Communications 2002/58/EC

2. Article 29 Working Party - Opinion 2/2010 on online behavioural advertising

3. http://www.easa-alliance.org/page.aspx/386

4. http://www.iabeurope.eu/media/51094/iab%20europe%20self%20regulation%20for%20online%20behavioural%20advertising%20140411%20f.pdf

5. Privacy and Electronic Communications (EC Directive) Regulations 2003

6. http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.ashx

7. UK Department for Culture, Media and Sport Open letter on the UK implementation of Article 5(3) of the e-Privacy Directive on cookies

8. In French « Ordonnance »: this term, formerly known as décret-loi, refers to a decree with the power to modify or repeal a law. In this case, several articles of the Decree will modify the Privacy Law of 6 January 1978.

9. http://www.economie.gouv.fr/discours-presse/discours-communiques_finances.php?type=communique&id=5390&rub=1

10. http://www.cnil.fr/vos-responsabilites/informations-legales/?modele=25&submit2=Valider&profil=12