Out-Law Analysis 4 min. read

Cookie compliance: privacy regulators make the best of a bad law


OPINION: A new European law on how web publishers should use cookies is still stoking controversy, seven months after it was passed.

EU privacy watchdogs have just given their view on it and while web publishers will still wince, the regulators' view is more accommodating for business than it could have been.

The EU's Privacy and Electronic Communications Directive was changed last year in a way that demands that websites get every visitor's consent before sending cookies to their machines.

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.

This law, which is not yet in force across Europe, immediately hampered the prospects for advertisers, in particular the serving of behaviour-based ads, which tend to generate more clicks and more income for host sites.

If every website has to ask every user if it's OK to track them for advertising, the revenues of advertisers and publishers are threatened.

Advertisers have claimed that the new law allows them to assume consent because a web browser is not set to block cookies. That was one way to interpret the law, but it was an ambitious interpretation at best. Now the Article 29 Working Party – a committee comprising the data protection regulators of the EU's 27 member nations – has said that, in effect, the advertisers got it wrong.

The Working Party has extended an olive branch to industry, though. Prior consent is still needed, it says, but one expression of consent can cover thousands of sites. There had been a fear that the new law might be so draconian as to demand that websites pester their visitors for consent constantly.

Because it is actually the network that matches adverts to sites, the Working Party says it is the ad networks that must obtain your consent.

So if a site uses one of the major ad networks, like DoubleClick, then a user who has previously visited one of DoubleClick's myriad partner sites will be pre-approved for behavioural advertising – if they gave consent.
 
This is far from ideal for publishers, but the Working Party has done a decent job of making a fundamentally anti-business law more palatable.

The problem here is the law itself. It is a shambles. It's ambiguous and potentially contradictory and unhelpful not just to businesses but also to consumers. The lawmakers should have found a way to safeguard consumers that didn't burden them with making decisions on complex relationships and technologies, and that didn't set up a user-barrier at the front door of every website.

But the law is the law. Trade bodies such as the Interactive Advertising Bureau (IAB) and the European Publishers Council have objected to it and issued their own interpretations, claiming that the law says that browser settings give a user's consent. The Working Party explains why that is a flawed interpretation.

Individuals "cannot be deemed to have consented simply because they acquired/used a browser or other application which by default enables the collection and processing of their information," writes the Working Party. "Currently, of the four major browsers, only one browser blocks 3rd party cookies by default from the moment the browser is installed," it notes.

On IE, Firefox and Chrome, third party cookies are enabled by default. Only Safari blocks them until the user changes the settings.

The Working Party's answer is not ideal, but it has on its side the benefit of almost certainly meeting the demands of the law.

Even though the Working Party has made life slightly easier for publishers, there is still a major hurdle facing them. Its interpretation of the law still forces publishers to ask a difficult question.

Advertisers and publishers would rather not ask users if they want to be tracked for advertising purposes because users' answers could damage their businesses. But it's hard to avoid asking that question: the Working Party's interpretation of the law is, in purely legal terms, the most compelling interpretation, however flawed and unhelpful the law itself may be.

The Working Party's opinion isn't the final word on how to comply, though. We're still waiting to see the laws that will implement the new Directive in each member state. These laws are likely to be accompanied by guidance from local regulators, in our case the Information Commissioner. There's still the possibility that the local laws and local guidance will be more supportive of the IAB's view, though it would be surprising if that turned out to be the case.

The Working Party has recommended other protections for users. Users' permission should not last forever. Ad networks should ask again every year whether users are happy for cookies to be used to track them. Given the Working Party's views on other aspects of data retention, a year is an uncharacteristically generous period.

The Working Party is calling for the labeling of behavioural ads, with icons that link to information pages. That's a smart move for better transparency and something that the IAB is already supporting and working towards.

The Working Party is also calling for greater privacy control to be built in to browsers, but even if browser makers cooperate, real change will take years. Millions of internet users still browse the web using Internet Explorer Version 6, for example, even though it is nine years old. It will be a long, long time before websites can expect to see a large number of visitors using the privacy-protective browsers that the Working Party has in mind. Website privacy practices have to accommodate legacy browsers like IE6. For the foreseeable future they will be unable to delegate cookie compliance to the browser.

Publishers and advertisers are never going to be happy with the new law – and nor should they be. But they now have clear guidance from the EU's regulators, and the situation is not as bad as they might have feared.

By Struan Robertson, editor of OUT-LAW.COM. An earlier version of this opinion appeared on ZDNet.co.uk. The views expressed are Struan's and do not necessarily represent those of Pinsent Masons. You can follow Struan at Twitter.com/struan99.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.