Aug 162011

Business Concern Over New EU Consent Requirement to Use Website Cookies

Sidley Data Matters Contributors
, , ,

New EU cookie consent requirement

Amendments to the EU’s ePrivacy Directive have meant that since 25 May 2011 the EU has required website operators to obtain the consent of users to the use of cookies. This is a significant development and it is causing considerable concern among businesses. The new consent requirements for use of cookies, which consist of small text files that are used by virtually every website to recognise a user’s computer and collect information on a user’s activities and preferences, has caused a storm of debate as regulators and businesses struggle to find a practical way of obtaining consent.

There is also particular concern regarding compliance with the new requirements in relation to so called “third party” or “tracking” cookies used in behavioural advertising, where information from cookies is shared with third parties. In these circumstances obtaining consent may be more complex and care needs to be taken to make sure users are made aware of what data are being collected and by whom.

There is only one exception to the new EU consent requirement where the website is using a cookie “that is strictly necessary” to provide the service explicitly requested by the user. However, this is a narrow exception covering, for example, use of a cookie to allow the website to remember items placed in a virtual shopping basket and would not apply, to use of cookies to collect website analytics data.

Confused transposition process in the EU

Another particular concern is the lack of a harmonised approach to implementation of the new consent requirements in different EU Member States. Despite the 25 May 2011 implementation deadline only ten EU Member States have yet implemented the requirements into their national laws, including Estonia, Finland, Ireland, Latvia, Lithuania, Malta, Sweden, Hungary, Luxembourg and the UK. The table on page 3 summarises the current position.

There is also a lack of clarity on how in practice consent may be obtained and in particular whether browser settings can be used to obtain consent. It is understood that in Ireland, Luxembourg, Sweden and the UK the implementing legislation or guidance expressly provides that consent may result from the browser settings. Of these early adopting Member States national guidance has only been published, so far, in Ireland, Sweden and the UK although further national guidance may be published in due course.

In the UK, the Information Commissioner’s Office (the “ICO”) has issued guidance on what may constitute a sufficient opt-in consent:

  • Pop ups and similar techniques – using pop ups on the website screen for users to click that they consent to use of cookies, although the ICO acknowledges that this could spoil the user experience.
  • Terms and conditions – when users open an online account, or sign in to use the services, they could consent through terms and conditions to operation of the account and to use of cookies but a positive indication of consent is required such as through the user ticking a box.
  • Settings–led consent – obtaining consent as part of the process by which the user confirms what they want to do, or how they want the site to work, for example, when selecting a feature as to the size of text they want displayed.
  • Feature–led consent – placing text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when wanting to set a cookie on the user’s device.
  • Browser settings – using browser settings to obtain consent, although the view of the ICO is that most browser settings are not sophisticated enough to allow a website provider to assume that the user has given their consent to the website using a cookie.

To allow businesses to achieve compliance the UK has a grace period of 12 months until May 2012 during which time the ICO will refrain from using its enforcement powers although businesses are expected to take steps to comply with the new requirements. It is also understood that in Sweden a grace period, expected to be around 6 months, will also be applied.

Another question that is still not clear is whether national Member State laws implementing the new cookie consent requirement will apply to website operators not established in a Member State, for example a US website accessed by French consumers.

Practical steps to be considered by businesses now

While there are still some unanswered questions concerning the implementation and scope of the new EU cookie consent requirement it is important that website operators start to consider the new requirements now and how they may apply to their business. Some practical steps that can be taken now include:

  • monitoring the implementation of the cookie consent requirement in different Member States over the next few months;
  • carrying out an audit of the business use of cookies, including the type of cookies used (e.g. first party or third party cookies, session only cookies or persistent cookies);
  • updating privacy policies to include more explicit disclosures on the use and ability to opt-out of use of cookies;
  • evaluating consent options, taking into account customer impact, costs and applicable laws; and
  • reviewing existing arrangements with service providers concerning the collection of data and use of cookies.
For further details on the current implementation of the EU cookie consent requirements please contact:

John Casanova at jcasanova@sidley.com or on +44 (0)20 7360 3739, Jens Rinze at jrinze@sidley.com or on +49 69 22 22 1 4020, William Long at wlong@sidley.com or on +44 (0)20 7360 2061, or the Sidley lawyer with whom you usually work.

1 Based on adopted or draft legislation or based on views of Government authorities or national Data Protection Authorities. Some of the information in this update is based on views of local counsel which is likely to change and where Sidley Austin LLP is not admitted.

 

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Some of the information in this update is based on views of local counsel which is likely to change and where Sidley Austin LLP is not admitted. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results do not guarantee a similar outcome.

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.