As previously stated in an earlier blog post, the contents of this column should in no way be taken as sound legal advice. Or legal advice of any kind.
In an attempt to demonstrate that it was serious about data privacy (and having nothing to do with court proceedings against Google in the EU), over the summer Google sent out a letter to users of its AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange products:
We want to let you know about a new policy about obtaining EU end-users’ consent.
It clarifies your duty to obtain end-user consent when you use products like Google AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange.
Please ensure that you comply with this policy as soon as possible, and not later than September 30th, 2015.
The Information Commissioner's Office (ICO) is the UK government agency responsible for data protection, consumer privacy, and information security. However, the ICO hasn't appeared too keen on enforcing the legislation: there are no 'patrols', no 'ticketing' or issuing of fines, no quotas and no targets.
ICO - Action Taken (from the ICO website)
"Between January to March 2015, we received 39 concerns reported about cookies via our website. In the same period, individuals used our website to report 37,561 concerns about unwanted marketing communications. The total concerns reported about cookies via our website during the financial year 2014 – 2015 were 164. It is important to note that many of the concerns we received about cookies did not relate to individual sites or provide any information about specific instances of non-compliance.
Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. However, we have maintained a consumer threat level of ‘low’ in this area due to the very low levels of concerns reported by members of the public."
The current cookie rules, enacted in 2011, have been so poorly implemented and enforced (only two companies across the EU received formal penalties) that it is easy to argue they have brought no benefit for consumers' online privacy.
The UK guidelines
The ICO's implementation guidance requires web sites to:
- Explain what the non-essential cookies are and what they do
- Obtain consent to store non-essential cookies on the visitor's device.
Essential cookies include those that:
- keep you logged in to a web site, or
- keep your items in your shopping cart, or
- keep your language preference stored.
Non-essential cookies include:
- third party advertising beacons
- social media connections
- analytics cookies.
The guidance does not require sites to:
- use plugins, scripts, pop-ups, drop-downs, overlays or third party services to request or demand consent to accept cookies
- reject site visitors who decline to accept cookies
- redirect site visitors rejecting cookies to an external site.
The disclaimer itself can be a simple list of the cookies used and what function they serve.
In your cookie disclaimer, you need only advise your site visitors to grant their consent through their individual browser settings. Point to the browser help pages for dealing with cookies; if people have an issue with cookies, they should be empowered to exercise the controls that have been in place since 1998. If that sounds too difficult, suggest browser add-ons like Disconnect.
A timetable for reform of the e-Privacy Directive, outlined in a new document from the EU Commission, shows work as "ongoing, expected to end in 2016", riding on the back of the Data Protection Regulation due to complete by the end of 2015.
As ever, the definition of 'consent' under the law is unclear, and 'implied' consent may no longer be sufficient. That suggests that explicit consent may become mandatory, in which case implied consent, or opt-out will need to be revised as opt-in, and a range of measures defined for site visitors who reject cookies.
What types of cookies would be covered under the revised legislation? There's a scale of privacy invasion for different types of cookies, potentially demanding different responses.
What should happen if a visitor rejects the placement of cookies? Force them to leave the site? Re-direct to a non-cookied version? Continue with reduced functionality (if that's possible)?
And can users respond in the right way? As the ICO points out in its guidance, current browser settings are not in line with the needs of the legislation. While the Do Not Track option is now universal, there is no consensus about how sites should respond to Do Not Track (DNT) requests.
What hasn't yet been made clear is that cookies are not themselves the source of a problem; they are merely carriers of information. The problem with cookies is what organisations choose to do with the information that is returned and stored elsewhere. RC