Cookies (the inedible kind) are an integral part of any web user’s experience. Unlike the edible kind, web cookies split opinion massively, either being described as facilitating a personalised, easy-to-use web browsing experience or a method of invading one’s privacy, seemingly without permission.
Cookies are text files which are stored on users’ computers when they visit certain web sites. When the website is revisited in the future, the browser returns the information contained in the cookie to the website, as a memory of what the user previously did on the site. Although stored on a user’s hard drive, cookies cannot read any information on the hard drive and cannot be executed as code and are therefore incapable of transmitting computer viruses.
Their uses however, can be seen as both good and bad. As they serve to ‘remember’ what you have done while browsing a site, they can serve extremely useful purposes, such as recalling your username for a login on a web page, the contents of your virtual shopping basket should you navigate away from a site, or your preferences for page layouts and colour schemes on specific sites. As such, they can serve to personalise the web and make your browsing experience much easier.
Third party cookies are usually those which have been viewed with the most suspicion, as their primary aim is to track a user’s actions and movements as he/she surfs the web. When a user opens a web page, it may have within it information from various third parties, for example, advertisers. These third parties can, if your browser allows them, place cookies onto your computer and then, whenever you log onto another site where their content is present, the cookie on your computer will let that third party know. By this third party cookie tracking, online advertisers can build up profiles of your internet surfing history and create targeted advertising campaigns catering to your tastes, explaining why adverts for products you like always pop up on sites you visit online.
The UK Department for Business, Innovation and Skills (“BIS”) published a consultation on the implementation of the Directive in September 2010, setting out the government’s approach to implementation in a BIS Impact Assessment (the “IA”). The IA recognises that cookies are used on practically every web page a user visits and that generally, consumers place more value on internet advertising that is targeted and relevant to them. Significantly, the IA also recognises that online behavioural based advertising is big business, estimated to be worth £740 million to the British advertising industry by 2012.
The Government therefore aims to implement the Directive without massively disrupting our web browsing experience. Practically, the implementation requirements in the IA will require many websites’ privacy policies to be expanded with full details of all cookies (both first- and third-party) being used on the sites. Also, browser owners will have to ensure they provide users with detailed instructions on how to manage cookies, which is commonly done through the privacy settings on browsers such as Internet Explorer, Firefox and Chrome.
The stance of the Government in the IA is yet to be solidified in a draft statutory instrument. Moreover, the web browser implementation method proposed above flies in the face of the (non-binding) opinions of the EU Article 29 Working Party, which, in June 2010, suggested that member states implement the Directive by enacting legislation with strict opt-in requirements on users (i.e. pop-up windows every time it is sought to place a cookie on a user’s computer). Whether the Government sticks to its stance in the IA will only be revealed once the relevant draft statutory instrument is published in April.
This alert has been written by Simon Halberstam (partner) and Andy Solomon (solicitor) at SIMONS MUIRHEAD & BURTON LLP. If you need help with drafting/revising privacy policies or other input, please contact Simon Halberstam on 020 3206 2781 or [email protected]