Cookie Opt-in, Opt-out? How about stepping up?
EU companies are heaving sighs of relief after obtaining some text changes in the EU telecoms package passed this week in Brussels. Concerns that the proposed amendments to the ePrivacy Directive would have required cookies used for secondary purposes to be “opt-in” had trade groups scrambling, but elimination of the words “prior” and “after having been provided” seems to provide some basis for broader interpretation.
Here is the new final language as approved:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
The previous proposed language did address the use of browser settings as a possible way to imply consent. That language was moved to the less binding and more advisory introduction to the legal language of the law. Here is how it reads:
“Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.” Read the full text of the bill here.
It is important to understand that this law is operative at the EU level, meaning that it has no direct effect on companies. Rather, EU countries are now obligated to incorporate the new law into their own national legislation. How this will play out is unclear. Many data regulators already maintain that their current national laws require “opt-in” for cookies used to develop behavioral profiles or for other robust uses that they consider to be “personal”.
Rather than declare victory and head off to fight the next stage of this battle in every national jurisdiction, now might be a very good time for EU ad networks, publishers and advertisers to step up efforts to demonstrate innovative ways to provide users with more transparency and control. If top EU officials consider cookies used for ad-related purposes to be “spy cookies”, there is real work to be done to demonstrate that online data can be used in a manner that demonstrates respect for users. We have learnt a great deal from colleagues at data protection authorities abroad about privacy as a human right and believe the “rights” model is increasingly gaining traction over the historic US “harms” model. But perhaps some recent progress in the US may be useful as a model for global cookie use. Companies that develop cookie-based profiles are increasingly providing users in the US with access to those profiles, demystifying the process of targeted advertising. In addition, much of industry has agreed to provide notices on ads or on web pages to indicate behavioral data use. A number of leading companies, advocates and academics are working with the Future of Privacy Forum to conduct consumer research to understand the best words and symbols that can be used to meaningfully engage users about how their data is being used. We will be displaying our results at the December 7th FTC “Exploring Privacy” round table event.
Perhaps we can all agree to “opt-in” to stepping up efforts to demonstrate that personalization and privacy can co-exist?
*For those interested in the process, here are the next steps:
- Final vote on the reform package in a third reading in the plenary of the European Parliament (took place November 24, 2009);
- Entry into force of the whole telecoms reform package with its publication in the EU’s Official Journal (December 2009);
- Establishment of the European Body of Telecoms Regulators BEREC (spring 2010);
- Transposition of the telecoms reform package into national legislation in the 27 EU Member States (by June 2011).