The Wall Street Journal has reported that “the Council of the European Union has approved new legislation that would require Web users to consent to Internet cookies.” But it is not quite as clear-cut as that quote suggests. The consent requirement relates cookies that collect personal data — an important qualification — and some cookies appear to fall outside of the consent requirement.
Last week the Council of the European Union and the European Parliament reached an agreement on the EU telecom reform, as a result of which the ePrivacy Directive is expected to be amended shortly. Following adoption of the revised ePrivacy Directive, the EU Member States have 18 months to transpose the Directive’s provisions into their national legislation. One of the proposed amendments that has recently triggered the attention of several commentators on both sides of the Atlantic is the so-called “cookie law”.
The new ePrivacy Directive will include a provision requiring the EU Member States to ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”.
The specific reference to the EU Data Protection Directive (95/46/EC) is important because it limits the consent requirement to personal data, as opposed to other types of information. In the opinion of the Article 29 Working Party as well as many data protection authorities throughout the EU, persistent cookies containing a unique user ID are personal data and therefore subject to applicable data protection rules. Arguably some cookies (or similar technologies) may not meet these criteria and therefore fall outside the scope of the law.
So how will consent have to be obtained in this specific context? Although the jury is still out on this question, the recitals of the legislative proposal include the following, perhaps interesting suggestion: “where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application”.
Earlier this year, the Article 29 Working Party strongly objected to the idea of using default browser settings as a means to provide consent. Concerned about the possible erosion of the definition of consent and a subsequent lack of transparency, the Article 29 Working Party opined that: “most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment. Therefore, default browser settings should be “privacy friendly” but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive. With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings”. In light of the recitals approved by the Council and the Parliament, it would perhaps be useful if the EU data protection authorities could reach a consensus (and subsequently provide guidance) on this issue.