e-privacy and cookies: legal aspects. e-privacy directive 2002/58, amended by 136/2009 main...

E-Privacy and Cookies: Legal Aspects

Upload: oscar-gardner

Post on 03-Jan-2016



E-Privacy Directive

2002/58, amended by 136/2009

Main amendments focus on DBN (security) and confidentiality of communications / unsolicited communications (5.3 and 13)

Emphasis on user empowerment, choice


E-Privacy directive: Transposition

• Patchy transposition (all MS: January 13)

• “Cookie rule” (5.3) major point of discussion (confidentiality of communications)

• National divergences 1) on interpretation of “consent” for the purposes of 5.3 (not only) AND 2) on the (technical) implementation of “consent”


Cookies

“A short alphanumeric text which is stored (and later retrieved) on the data subject’s terminal equipment by a network provider” (WP29’s Opinion 2/2010 on Online Behavioural Advertising)

Cookies may or may not contain personal information (IP Address, …)

This is irrelevant for the purpose of applying Article 5.3, which only refers to storage or retrieval of “INFORMATION” in the terminal equipment of a subscriber or user


Cookies – 2002/58 + 95/46

• However, if the information contained in a cookie includes personal data, then all the principles of directive 95/46 are also applicable

• So there is an interplay between the “consent” rule of 5.3 in directive 2002/58 (lex specialis) and directive 95/46 (lex generalis): that is to say, the rules on consent are those set out in directive 95/46 except where they are overridden by the “lex specialis” contained in directive 2002/58 (here: Article 5.3)


Cookies and Consent

Article 5.3 requires that storage of or access to any “information” (including cookies) in the subscriber’s/user’s terminal equipment be subject to prior informed consent (= before cookies are set)

– “Prior”: “has given… consent, having been provided…” (see also Recital 66)

– “Informed”: “… with clear and comprehensive information”


What Consent?

Article 5.3 of 2002/58 (lex specialis) sets out the specific requirements of prior informed consent for cookies

BUT this “consent” is in no way different from the “consent” of directive 95/46 (article 2.h + Article 7); see also Article 2 of 2002/58

– Specific (and informed)

– Freely given

– Unambiguously given


Consent: Specific

Consequences 5.3:

• No blanket consent

• Purpose specification and limitation

• Appropriate information

– WHERE: On the landing page of the website

– WHAT: Purposes of processing; Right to accept/decline all or part of the cookies

– HOW: Layered approach (WP100) (different levels of detail)


Consent: Freely Given

Consequences 5.3:

• Real options must be available (e.g.: accept/decline all or part of the cookies / change browser settings)

• No conditions to be placed on consent (WP185: Opinion 15/2011 on the definition of consent)

• Continue browsing website even after declining cookies


Consent: Unambiguously Given

Consequences 5.3:

• Active behaviour: silence/inactivity is no consent

• Evidence of consent must be available (to the controller)

• Simple scrolling of the webpage is not enough

• Click on a field, push a button, tick a box, or go to a third-party site where options can be exercised (trusted third party?)

NOTE: Proposed DP Regulation refers to consent as signified by «clear affirmative action»

• No passive acceptance


Consent: Additional Food for Thought

Recital 66 of directive 136/2009:

• If «technically possible and effective», consent to processing may be expressed by way of browser settings or other applications

• BUT «in accordance with directive 95/46»

• What does that mean exactly?

Interesting options, technical difficulties (browsers are not info society service providers), interoperability, technical parameters

«privacy plug-ins» ?


Consent: Additional Food for Thought

- Proposed EU DP Regulation (COM/2012/11) Art. 4: “explicit” consent (rather than “unambiguous” consent)

- WP29’s Opinions (in addition to “Consent” opinion):

- Online Behavioural Advertising (WP171 of 2010)

- Cookie Consent Exemptions (WP194 of 2012)


When Prior Consent Is Not the Rule

- WP29’s Opinion on Cookie Consent Exemptions

- Focuses on second part of 5.3: No prior informed consent is necessary

- A) For the sole purpose of carrying out transmission of a communication over an electronic communication network

- B) If storage or access is strictly necessary for provision of a service by the provider of an information society service and such service has been explicitly requested by the subscriber or user


When Prior Consent Is Not the Rule

Hence, in many cases consent is unnecessary (technical conveyance of communications, provision of services like online shopping cart, authentication, multimedia player sessions, user interface customization, …) BUT for the duration of a session (no permanent tracking) and if cookie is strictly necessary (in the user’s perspective)

Recital 25 of e-privacy: No need to obtain consent for each reading of the cookie – providing users/subscribers are aware that such reading takes place (= once-only informed consent)


The Grey Zone

Do-not-track: discussion in progress (W3C), should mean do-not-collect (in permanence); interoperability issues, standards, …

First-party analytics cookies (audience measuring tools)

– Not necessary for either technical or service provision services, but likely to cause no privacy risks (if first-party aggregated statistical purposes, adequate information, opt-out offered)

Rule of thumb? First party, session-specific cookies less likely to require consent than third-party, permanent cookies (see WP’s document on cookie consent exemption)


Fortune Cookies

- http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/2146935 (Guidance on cookies and consent, in English)

- WP29’s Website (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm) (Opinions and Recommendations of EU DPAs, also on cookies)

- http://www.w3.org/2011/tracking-protection/ (Do-not-track standards from W3C)


THANK YOU

- For listening

- For your attention

- For not asking too many difficult questions…