Cookies and the E-Privacy Directive

Cookies (the inedible kind) are an integral part of any web user’s experience. Unlike the edible kind, web cookies split opinion massively, either being described as facilitating a personalised, easy-to-use web browsing experience or a method of invading one’s privacy, seemingly without permission.

Cookies are text files which are stored on users’ computers when they visit certain web sites. When the website is revisited in the future, the browser returns the information contained in the cookie to the website, as a memory of what the user previously did on the site. Although stored on a user’s hard drive, cookies cannot read any information on the hard drive and cannot be executed as code and are therefore incapable of transmitting computer viruses.

Their uses, however, can be seen as both good and bad. As they serve to ‘remember’ what you have done while browsing a site, they can serve extremely useful purposes, such as recalling your username for a login on a web page, the contents of your virtual shopping basket should you navigate away from a site, or your preferences for page layouts and colour schemes on specific sites. As such, they can serve to personalise the web and make your browsing experience much easier.

Third party cookies are usually those which have been viewed with the most suspicion, as their primary aim is to track a user’s actions and movements as he/she surfs the web. When a user opens a web page, it may have within it information from various third parties, for example, advertisers. These third parties can, if your browser allows them, place cookies onto your computer and then, whenever you log onto another site where their content is present, the cookie on your computer will let that third party know. By this third party cookie tracking, online advertisers can build up profiles of your internet surfing history and create targeted advertising campaigns catering to your tastes, explaining why adverts for products you like always pop up on sites you visit online.

The seemingly surreptitious use of third party cookies has been viewed in some quarters as an invasion of personal privacy, hence (in part) the passing of Directive 2009/136/EC (the “Directive”) in December 2009 which amended the E-Privacy Directive (2002/58/EC). The Directive states that cookies may only be used by website owners if they provide clear and comprehensive information about their purposes and with the end user’s consent (an opt-in). The rationale behind the amendment is that users are made more aware of the use of cookies by the websites they visit. However, user consent is not required where cookies are necessary to deliver a service which has been explicitly requested by a user, for example when shopping in an online store and cookies are used in respect of the items in the consumer’s shopping basket. The UK must implement these measures into its legislation by 25 May 2011. Draft regulations to implement the Directive into UK law are set to be laid before Parliament at some point in April 2011.

The UK Department for Business, Innovation and Skills (“BIS”) published a consultation on the implementation of the Directive in September 2010, setting out the government’s approach to implementation in a BIS Impact Assessment (the “IA”). The IA recognises that cookies are used on practically every web page a user visits and that generally, consumers place more value on internet advertising that is targeted and relevant to them. Significantly, the IA also recognises that online behavioural based advertising is big business, estimated to be worth £740 million to the British advertising industry by 2012.

In the IA, the government has therefore rejected the stance that, in practice, the Directive requires all end users to provide their confirmation every time a cookie is placed on their computer. This would require repeated pop-up windows on every web page visited by a user, which would be impractical. This would also put UK websites at a competitive disadvantage compared with non-EU sites (which don’t require opt-ins for the use of cookies), thus potentially drastically reducing advertising revenues in this country. Instead, the Government intends to implement the Directive by allowing consent to the use of cookies to be given via users’ web browser settings. Full cookie controls are contained within web browsers (as acknowledged in a recital to the Directive), therefore it is proposed (in the IA) that browser owners provide users with “information about cookies and how to change the browser settings” and website owners provide users with “clear and comprehensive information about cookies” used on their sites. The IA goes on to specify that the proposed burden on website owners is that, to the extent needed, they must “make it clearer on their websites the cookies that would be downloaded and their purposes.”

The Government therefore aims to implement the Directive without massively disrupting our web browsing experience. Practically, the implementation requirements in the IA will require many websites’ privacy policies to be expanded with full details of all cookies (both first- and third-party) being used on the sites. Also, browser owners will have to ensure they provide users with detailed instructions on how to manage cookies, which is commonly done through the privacy settings on browsers such as Internet Explorer, Firefox and Chrome.
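
A site owner compiling the first- and third-party cookie details mentioned above can derive them from the `Set-Cookie` headers seen during a page load. The following is an added example, not part of the original alert: it labels each cookie by the party that set it and by whether it outlives the browser session. The host names, cookie names and the `inventoryCookies` helper are constructed for illustration, and a "site" is approximated as the last two labels of the host name.

```javascript
// Added example: inventory of cookies set during one page load.
// Simplification (assumption): "site" = last two host labels; a real audit
// should use the Public Suffix List so hosts like example.co.uk are handled.
const siteOf = (host) => host.split('.').slice(-2).join('.');

// Parse one Set-Cookie header value into name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// responses: [{ url, setCookie: [headerValue, ...] }] captured for pageUrl.
function inventoryCookies(pageUrl, responses) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const rows = [];
  for (const r of responses) {
    const host = new URL(r.url).hostname;
    for (const h of r.setCookie) {
      const c = parseSetCookie(h);
      const persistent = 'max-age' in c.attrs || 'expires' in c.attrs;
      rows.push({
        name: c.name,
        setBy: host,
        // Third party: set by a host outside the site the user is visiting.
        party: siteOf(host) === pageSite ? 'first' : 'third',
        // No Max-Age/Expires means the cookie ends with the browser session.
        lifetime: persistent ? 'persistent' : 'session',
      });
    }
  }
  return rows;
}

// Constructed sample capture (hosts and cookie names are invented).
const sample = [
  { url: 'https://www.shop.example/basket', setCookie: ['basket=3; Path=/; HttpOnly'] },
  { url: 'https://cdn.shop.example/theme.css', setCookie: ['layout=dark; Max-Age=31536000'] },
  { url: 'https://ads.adnet.example/pixel.gif',
    setCookie: ['uid=abc123; Expires=Wed, 25 May 2011 00:00:00 GMT; Path=/'] },
];
console.table(inventoryCookies('https://www.shop.example/', sample));
```
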

The stance of the Government in the IA is yet to be solidified in a draft statutory instrument. Moreover, the web browser implementation method proposed above flies in the face of the (non-binding) opinions of the EU Article 29 Working Party, which, in June 2010, suggested that member states implement the Directive by enacting legislation with strict opt-in requirements on users (i.e. pop-up windows every time it is sought to place a cookie on a user’s computer). Whether the Government sticks to its stance in the IA will only be revealed once the relevant draft statutory instrument is published in April.

This alert has been written by Simon Halberstam (partner) and Andy Solomon (solicitor) at SIMONS MUIRHEAD & BURTON LLP. If you need help with drafting/revising privacy policies or other input, please contact Simon Halberstam on 020 3206 2781 or simon.halberstam@smab.co.uk