What are cookies?
A cookie is a small piece of text that an online provider (for example, a website operator or an online advertising network) asks a visitor's browser to store, by sending a Set-Cookie header in an HTTP response; the browser then returns it with later requests to the same domain, usually without the user noticing. A cookie normally holds an identifier (such as a session ID) and sometimes user preferences rather than the user's name, address or e-mail details themselves: those details are held by the provider and linked to the identifier when the cookie is presented. (Storing a password in a cookie is poor practice and is not needed to recognise a returning user.) While a cookie and the information it transmits may not identify a living individual on their own, they may do so in combination with other information held by the online provider or a third party.
Different types of cookies
There is a general distinction between first-party cookies and third-party cookies.
First-party cookies
First-party cookies are set by the website the user is visiting. The site assigns the user a unique identifier, stores it in a cookie in the user's browser and reads it back on later requests, which allows the user's journey on the website to be tracked. First-party cookies are commonly used by website operators for session management, personalisation and recognition purposes, where the identifier transmitted by the cookie is later combined with the personal information the internet user has provided to the provider in the course of a sale or other contact.
In these cases, a user’s cookie is retrieved each time he visits the site which planted the cookie, making it unnecessary to re-enter registration data on each visit, and enabling the user to benefit from features such as Amazon’s 1-click shopping and the ability to store items in an electronic shopping basket between visits.
Although cookies provide internet users with some benefits, they also enable online providers to build profiles of individual users, their online behaviour and their interests. The website may then make specific recommendations to the user on goods and services depending on the information collected in this way. For example, the books, CDs, DVDs and other products that are displayed to a user on the home page of online retailer Amazon will largely be determined by the user’s previous purchases and their on-site browsing habits.
The user profiles created in this way are also commercially valuable, and online providers often sell the information collected in this way to third parties for the purpose of marketing.
Users can block first-party cookies by adjusting their browser settings. However, in some cases this may lead to a loss of functionality of the site visited.
Third-party cookies
Third-party cookies are cookies set by parties other than the owner of the website a user visits. In practice, many website owners reserve visual space on their websites in return for a fee paid by an advertising network provider. The renting out of website space for the purposes of behavioural advertising is an increasingly essential part of many website operators' monetisation strategies.
The advertising network provider will normally use the spaces it rents on different websites to:
- Plant a cookie in the user's browser when he first visits a website that is part of its advertising network.
- Recognise any former visitor who returns to that website by the cookie previously planted on his equipment.
- Recognise any user who has already visited any other website that is a partner of the advertising network by the cookie planted on his equipment by the first website he visited.
- Serve a particular advertisement to the user in real-time based on his interests (as identified in the profile created for him based on his journey across different partner websites).
Legal requirements for planting a cookie
Where the data contained in cookies can be linked to a name, a postal address or even an e-mail address, that information will amount to personal data and be subject to the Data Protection Act 1998 (DPA). It is also possible that the DPA may apply where a cookie is placed on a data subject’s computer within the UK by a data controller established outside the EEA. This is on the basis that the controller thereby makes use of equipment in the UK (the data subject’s computer) for the processing of data (otherwise than for the purposes of transit through the UK) (see Practice Note, Overview of UK Data protection regime: Jurisdictional scope).
In November 2009, the Citizens' Rights Directive changed the requirements that online providers must meet when using cookies from the opt-out regime that was previously in force to a requirement for informed consent (Article 5(3), revised E-Privacy Directive). The revisions to the E-Privacy Directive have been implemented in the UK through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) (2011 Regulations), which amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (2003 Regulations).
The use of cookies is only allowed if the user concerned:
- Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed.
- Has given his or her consent.
Meaning of consent
The term “consent” is not defined under either the 2003 or the 2011 Regulations, or the DPA. However, Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive) defines consent as a “freely given, specific and informed” indication of the data subject’s wishes, which must also be unambiguously given (Article 7(a), Data Protection Directive).
In its guidance, the ICO states that "the fact that an individual must 'signify' their agreement means that there must be some active communication between the parties" (see ICO: The Guide to Data Protection). Consent must also be "appropriate to the age and capacity of the individual and to the particular circumstances of the case". This raises the question of whether consent to the placing of cookies can be adequately obtained in cases where the user in question is a minor. Although the ICO has given guidance on obtaining consents from children in the context of websites which are aimed at children (where it required the explicit and verifiable consent of the child's parent or guardian unless that child is aged 12 years and over), it is unclear to what extent this advice can be applied to the planting of a cookie which may allow the website operator to collect extensive information about the child's online behaviour and interests.
Many advertising networks have agreed not to adopt child-specific profiling or interest categories and to refrain from serving targeted advertising where it is clear that the internet user is a minor. However, this may not always be sufficient to address the online provider’s obligation to obtain valid consent to the mere planting of a cookie.
When must consent to cookies be obtained?
According to the Article 29 Working Party's opinion, consent to the placement of cookies must be obtained before the cookie is placed and/or before information stored in the user's terminal equipment is collected (prior consent). In addition, in the Working Party's opinion, informed consent can only be obtained if the necessary information about the sending and purposes of the cookie has been given to the user before the cookie is placed.
While the ICO guidance is silent on this question, the DCMS letter openly contradicts the Working Party’s opinion in this respect.
According to the DCMS, prior consent is not required to comply with the requirements of regulation 6(2) of the revised 2003 Regulations. The DCMS stresses that Article 5 of the revised E-Privacy Directive, which the 2003 and 2011 Regulations implement, does not specify that consent must be prior consent. In addition, there is no indication of when consent must be given in the definition contained in Article 2(h) of the Data Protection Directive.
Although the DCMS letter reminds stakeholders that in its natural usage the term consent rarely refers to a permission given after the action for which consent is being sought has been taken, it believes that this does not preclude a regulatory approach that recognises that, in certain circumstances, it is impracticable to obtain consent before processing. The DCMS is therefore of the opinion that, in those circumstances, it is possible that consent may be given after or during processing.
How can consent to cookies be validly obtained?
The following methods for obtaining valid consent are currently being discussed:
- Pop-ups and similar techniques. Online providers could obtain user consent by including express consent provisions with tick boxes in pop-up windows. Although this is the simplest option to achieve compliance, there is general agreement that this would be unpopular with users as it would spoil a user’s experience of using a website if several cookies are used. This way of obtaining consent might also be impractical as many users employ pop-up blockers and would therefore be unlikely to see the pop-up windows.
- Terms and conditions. Website operators may be able to gain consent online using the terms of use or terms and conditions to which the user agrees when they first register or sign up. This is likely to work well in relation to first-party cookies served by providers of online services that require registration or where the user will be required to agree to the website’s terms and conditions in the course of a sale. The ICO guidance stresses that if users have already consented to the terms of use when they first registered online, the organisation must make them aware of the changes to its terms in relation to the use of cookies. The guidance recommends that website operators should obtain a positive indication that users understand and agree to the changes, which can be done by asking them to tick a box.
- Settings-led consent. Some cookies are deployed when a user makes a choice about how the website works for them (such as their personalised greeting). The ICO guidance suggests that consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work.
- Functional uses. The ICO guidance explains that an analytic cookie, which collects information about how people access and use a website, might not appear to be as intrusive as others, but still needs consent. It recommends that organisations make information about the use of cookies more prominent, perhaps with a list of them and description of how they work. Text could be placed in the footer or header of the web page, which is highlighted when an organisation wants to set a cookie on the user’s device, prompting the user to read further information (which might, for example, be made available on the privacy pages of the website) and make any appropriate choices.
Recital 66 of the Citizens' Rights Directive, which amended the E-Privacy Directive, provides that the user's acceptance of cookies may be expressed by way of using the appropriate settings of a browser or other application. This has been implemented in the UK by way of regulation 6(3A) of the revised 2003 Regulations, which provides that:
Similarly, the user is not always aware of how to use browser settings to reject cookies, even if an explanation of how this can be achieved is included in the website's privacy policy. The Working Party rejects the notion that an internet user's inaction (where he has not himself set the browser to refuse cookies) provides a clear and unambiguous indication of his wishes. As a result, the Working Party's opinion considers that browser settings only deliver consent in very limited circumstances, notably if browsers are set up by default to reject all cookies and the user has changed the settings to affirmatively accept cookies.
The ICO guidance agrees that, at present, most browser settings are not sophisticated enough to allow online providers to assume that the user has given their consent to allow a website to set a cookie. It also points out that not everyone who visits a website will do so using a browser; for example, they may have used an application on their mobile device. Consequently, the ICO’s current advice is that organisations which use cookies or other means of storing information on a user’s equipment must gain consent some other way. It notes that, in the future, many websites may well be able to rely on the user’s browser settings to demonstrate that they had the user’s agreement to set all sorts of cookies. As the government mentioned in its response document, it is working on this with major browser manufacturers.
The government response, which was published before the adoption of the 2011 Regulations, considered that, in view of the substantive changes to the wording of the E-Privacy Directive, the current use of browser settings as a form of consent is not consistent with the revised wording. Consequently, the government has formed a working group with representatives from the browser manufacturers to see if browsers can be enhanced to meet the revised E-Privacy Directive’s requirements, with users having more information as to the use of cookies, and being presented with easily understandable choices about the import of cookies on their machine.
However, in the DCMS letter, the government clarifies that it is nevertheless of the opinion that there is no requirement for the user to take an affirmative step to change browser settings to give valid consent. The DCMS letter considers that, provided that the user is given adequate information about cookies and what the browser default settings mean for him, regulation 6(3A) of the revised 2003 Regulations should be understood to mean that, if a user is able to signify consent through the amending or setting of a browser, they may also signify consent through choosing not to amend settings or controls of a browser.
As the government’s approach (as set out in the DCMS letter) is in clear opposition to the Working Party’s position, it is currently impossible to say whether other EU member states will follow the UK’s lead or whether they will implement the Working Party’s recommendations. If different approaches to this question emerge across the EU, website operators will find it difficult in this context to rely on browser settings at all.
Obtaining consent to the use of third-party cookies
Advertising network providers that want to place third-party cookies in users' browsers will find it difficult to rely on any of the options set out above to obtain valid consent. Since they do not have a direct relationship with the internet user whose online behaviour they aim to track, they will not normally be able to obtain consent through the use of terms and conditions or privacy settings. While the use of pop-ups is generally possible, it is also open to the charge that pop-ups lack user-friendliness and that pop-up blockers may prevent users from seeing the pop-up in the first place (see How can consent to cookies be validly obtained?).
Advertising network providers therefore increasingly offer choice mechanisms to users, which in effect enable users to opt out of the third-party cookies they set. Most recently, IAB Europe (the Internet Advertising Bureau), which is a broad coalition of advertising, marketing and online businesses, has launched an EU Framework for Online Behavioural Advertising (see Legal update, IAB Europe launches self-regulatory framework on online behavioural advertising).
Central to the framework is a uniform pictogram or icon which will alert a user that he is receiving targeted advertising. The icon will contain a hyperlink to the website www.youronlinechoices.eu, which provides consumer guidance on online behavioural advertising and features a set of steps for consumers to follow to opt out of online behavioural advertising.
The Working Party’s opinion dismisses this mechanism, stating that it is not an adequate way to obtain an average user’s informed consent. In the Working Party’s view:
- Users in general lack the basic understanding that any data about them is being collected, the purposes for which it is used, how the technology works and, more importantly, how and where to opt out. In practice, this means very few people exercise the opt-out option, not because they have made an informed decision to accept behavioural advertising, but rather because they do not realise that by not using the opt-out they are in fact accepting the placement of cookies and the use of the behavioural data collected by those cookies for the purposes of profiling and behavioural advertising.
- Consent requires the user’s active participation before the collection and processing of data rather than a “non-reaction” of the user after the cookie has already been placed and the data collection has already started.
The government response supports “the cross-industry work on third-party cookies in behavioural advertising”, by which it appears to be referring to the IAB framework. It considers that this meets the requirements of Article 5(3) of the revised E-Privacy Directive that has now been implemented in regulation 6(2) of the revised 2003 Regulations.
This support is strengthened in the DCMS letter, which confirms that it is “the firm view of government” that the definition of consent employed in the amending regulation enables rather than precludes the framework developed by the online advertising industry. The DCMS letter also indicates that the ICO guidance will be updated to refer to and endorse the framework in the future.
Limited exceptions to consent requirement
Regulation 6(4) of the revised 2003 Regulations includes a limited number of exceptions to the consent rule. Consent need not be obtained if the cookie is:
- Planted for the sole purpose of carrying out the transmission of a communication over an electronic communications network (regulation 6(4)(a)).
- Strictly necessary for the provision of an information-society service requested by the subscriber or user (regulation 6(4)(b)).
Furthermore, Recital 66 of the Citizens' Rights Directive refers to services "explicitly requested" by the user. As a result, the ICO guidance acknowledges that its interpretation of this exception has to bear in mind the narrowing effect of the word "explicitly". In the ICO's opinion, the exception would therefore not apply in a case where the website operator has decided that its website would be more attractive if it remembered users' preferences, or where the provider decided to use a cookie to collect statistical information about the use of its website.
The ICO’s proposed enforcement strategy
The ICO will continue to use its existing powers under the DPA and the 2003 Regulations to address complaints about contraventions of the revised 2003 Regulations and enforce those Regulations (for more information on existing sanction and penalties, see Practice note, Overview of UK data protection regime). For the ICO’s general approach to enforcement, see ICO: Data Protection Regulatory Action Policy.
With respect to the new cookie regime, the enforcement guidance acknowledges that immediate implementation:
- Could significantly restrict the operation of internet services that users generally take for granted.
- Would be likely to cause disproportionate inconvenience both to website providers and to users.
At the same time, the enforcement guidance confirms that the ICO does not condone organisations taking no action in the period up to May 2012. Organisations should be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012. If it appears to the ICO that particular organisations are not making adequate preparations to be compliant by May 2012, it may issue them with a warning as to the future use of its enforcement powers. If any complaints are received after May 2012, any such warnings will be taken into account by the ICO in deciding if and when to issue an organisation with an enforcement notice.
With respect to complaints about non-compliance with the revised 2003 Regulations received before May 2012, the ICO will provide advice to the organisation concerned on the requirements of the law and how they might comply. Where it considers it appropriate, and particularly as May 2012 approaches, it will also ask organisations to explain to it the steps they are taking to ensure that they will in fact be in a position to comply by May 2012.
Steps towards achieving compliance with the revised 2003 Regulations before May 2012
The ICO guidance advises each organisation to take the following steps:
- Check what type of cookies and similar technologies it is using and how it uses them. The ICO explains that this might amount to a comprehensive audit of an organisation’s website, or it could be as simple as checking what data files are placed on user terminals and why. An organisation should analyse which cookies are strictly necessary and which might not need consent. This could be a good opportunity for organisations to clean up their webpages and stop using any cookies that are unnecessary, or which have been superseded as their websites have evolved.
- Assess how intrusive its use of cookies is. The ICO explains that the new rule is intended to add to the level of protection afforded to the privacy of internet users. Consequently, organisations need to give greater priority to obtaining meaningful consent for their more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual’s browsing activity.
- Decide on the best solution for it to obtain consent. Possible solutions include the use of terms and conditions, pop ups and similar techniques, settings-led consent, and website headers or footers.
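The first step above (an inventory of the cookies a site sets) and the first-party/third-party distinction drawn earlier in this note can be checked mechanically from the Set-Cookie headers captured while browsing a site. The following Python script is an added example written for this note; it is not ICO material or any operator's code. It runs on constructed sample headers for a hypothetical shop and ad network, and its registrable-domain helper uses a hand-written stub of four UK suffixes in place of the Public Suffix List a real audit tool would need:

```python
"""Inventory of the cookies a site sets, built from captured Set-Cookie headers.

Added example for this note; it is not code from the ICO guidance or from any
organisation the note discusses. The SAMPLE headers below are constructed, the
host names are hypothetical, and registrable_domain() uses a tiny hand-written
suffix list as a stand-in for the Public Suffix List a real tool should consult.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample from a crawl of a hypothetical shop. Each entry is
# (URL of the response that carried the header, URL of the page the user was
# viewing at the time, raw Set-Cookie header value).
SAMPLE = [
    # Session cookie set by the shop itself: no Expires/Max-Age, Secure and HttpOnly.
    ("https://www.example-shop.co.uk/", "https://www.example-shop.co.uk/",
     "sessionid=9d3e1f7a2b; Path=/; Secure; HttpOnly"),
    # Persistent basket cookie scoped to the whole registrable domain (30 days).
    ("https://www.example-shop.co.uk/basket", "https://www.example-shop.co.uk/basket",
     "basket=a1b2c3; Domain=.example-shop.co.uk; Max-Age=2592000; Path=/"),
    # Ad-network tracking pixel embedded in the shop page: a third-party cookie.
    ("https://ads.adnetwork-example.net/pixel.gif", "https://www.example-shop.co.uk/",
     "uid=7f0c4e; Domain=.adnetwork-example.net; Expires=Sat, 01 Jan 2022 00:00:00 GMT; Path=/"),
    # Analytics cookie on a subdomain of the shop: first-party, but persistent for two years.
    ("https://stats.example-shop.co.uk/collect", "https://www.example-shop.co.uk/",
     "_visitor=55e2; Domain=.example-shop.co.uk; Max-Age=63072000; Path=/"),
]

# Hypothetical, deliberately tiny suffix list: "co.uk" is a public suffix, so the
# registrable domain of www.example-shop.co.uk is example-shop.co.uk.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


@dataclass
class CookieReport:
    name: str
    setter_host: str   # host of the response that set the cookie
    domain: str        # domain the browser will send the cookie back to
    party: str         # "first" or "third", relative to the page being viewed
    persistence: str   # "session", "persistent" or "removed"
    secure: bool
    httponly: bool


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a host name using the stub suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to None.
    Attribute values never contain ';', so splitting on ';' is safe even for
    Expires dates, which contain a comma.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def classify(page_url: str, response_url: str, header: str) -> CookieReport:
    """Classify one captured Set-Cookie header relative to the page being viewed."""
    name, _value, attrs = parse_set_cookie(header)
    setter_host = urlsplit(response_url).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    # Without a Domain attribute the browser scopes the cookie to the setting host.
    domain = (attrs.get("domain") or setter_host).lstrip(".").lower()
    party = "first" if registrable_domain(domain) == registrable_domain(page_host) else "third"
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit() and int(max_age) <= 0:
        persistence = "removed"      # Max-Age <= 0 tells the browser to delete the cookie
    elif "expires" in attrs or "max-age" in attrs:
        persistence = "persistent"   # survives closing the browser
    else:
        persistence = "session"      # lives only until the browser is closed
    return CookieReport(name, setter_host, domain, party, persistence,
                        "secure" in attrs, "httponly" in attrs)


def audit(captures) -> list[CookieReport]:
    """Classify every captured header; captures are (response_url, page_url, header) tuples."""
    return [classify(page_url, response_url, header)
            for response_url, page_url, header in captures]


if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f"{r.name:10} {r.party}-party {r.persistence:10} domain={r.domain} "
              f"secure={r.secure} httponly={r.httponly}")
```

The script only produces the inventory; deciding which entries are "strictly necessary" under regulation 6(4)(b) still needs a person to look at each cookie's purpose. Note in particular that the `_visitor` analytics cookie comes out as first-party, yet the ICO guidance quoted above treats analytics cookies as still requiring consent, so "first-party" and "exempt" are not the same thing. In a real audit the captures would come from a proxy or browser extension, and the suffix stub would be replaced by the Public Suffix List so that hosts such as `example.co.uk` and `example.github.io` are grouped correctly.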