Web Analytics Demystified

EU cookie law interpretation is breathtakingly stupid!


I read the out-law blog post late last night, as it was retweeted by @eivindsavio in Norway from @pierrefar in the UK. To be honest, I didn’t think much of it at first, as I had just reviewed Viviane Reding’s EU Telecoms Reform and had blogged about it a couple of hours earlier, after a thorough review. After all, I had been writing about the possible threats of both HADOPI in France and PHORM in the UK, wondering why Mrs. Reding was taking a stance against PHORM while keeping quiet about HADOPI.

It turns out I was wrong: she was fighting one battle at a time, which makes total sense when you need the unanimous consent of 27 member states.

So basically, what are we talking about?

Back in November 2007, the Commission adopted proposals for the reform of the EU telecoms rules. It took some time for all parties to come to an agreement, which was finally reached on November 5th 2009 after much debate. As mentioned, I blogged about the outcome but chose to discuss it mainly from the standpoint of banning HADOPI’s “three-strikes law”. I chose to do so because this “three-strikes policy” infringes the basic principles of democracy: neither the presumption of innocence nor the right to privacy is respected.

Now, this post also touches on the “cookie affair”, as the EU Telecoms Reform states: “Internet users will be better informed about cookies and about what happens to their personal data, and they will find it easier to exercise control over their personal information in practice.” Vague!

My recommendation was, and still is, to adapt privacy policies so that they clearly explain to visitors which cookies are used and why they are there, while also including an opt-out link, as found for example in Yahoo! Web Analytics’ privacy policy.

Now, Mr. Struan Robertson’s article on out-law, of which he is the editor, and the one on TechRadar are almost the same article word for word. So this is information coming from the same person, just on two different websites. He mentions that Europe’s cookie law was found at the tail end of an 18-page Council press release, together with other matters the Council has been working on. Fair enough.

Indeed, page 17, just after the protection of workers from chemical risks in the Social Policy section, mentions under the Telecommunications Policy section the creation of the Body of European Regulators for Electronic Communications (BEREC) as well as the adoption of a directive amending the legislation in force on universal service, ePrivacy and consumer protection.

More specifically it amends the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

And this is where we come to the root of it, please bear with me, as paragraph 66 of the recitals states:

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

Again, this remains vague and, for the life of me, I don’t read prior consent here but an obligation to inform, in as user-friendly a way as possible. So again, I’m not imagining pop-ups or blank pages asking for consent to collect information about surfing behaviour, just a clear privacy policy with an opt-out link, as Yahoo! Web Analytics proposes.

Also, it’s not as if this was hushed up in any way, as it’s exactly what the EU Telecoms Reform is all about! Additionally, it’s interesting to note that if we were indeed talking about pop-ups and/or blank pages asking for consent to measurement, this would need to be enforced. If this goes into effect, BEREC should move really fast!

But Mr. Robertson’s second article also mentions an amendment to Article 5(3), which, surprisingly, I’ve only managed to find on a second reading of his article and not in an official document. So it would be nice if he could point to his actual sources, just for the sake of clarity, as any good legal expert usually does. For me, the official document is still this one (hint: check out 5.3)!

Now, does all this really come as a surprise? I think not, as back in April of this year Viviane Reding already clearly stated that directives would be amended, more specifically Directive 2002/58/EC. But it hasn’t been yet, has it?

Storm in a Teacup

And that’s all this actually is, in my opinion: a storm in a (very British) teacup. Nothing new here! Well, except for the second phase of an infringement proceeding against the UK, requiring it to provide its citizens with the full protection of EU rules on privacy and personal data protection when using electronic communications, dated October 29th of this year and sent out by, you’ve guessed it, Mrs Reding …

Last but not least, I would like to mention that Mrs. Reding’s DG Information Society & Media has been using Google Analytics for some time now. I should know, as I helped them implement it and raised the privacy issues during the project!

What is interesting, however, is that as of today I still haven’t found a way to opt out of Google Analytics, but that’s another debate.

Enforcement? Unlikely

I don’t think that prior consent for the use of cookies will be enforced in Europe, and I believe it’s just a misinterpretation intended to get attention…

Once again, I welcome comments and thoughts, as I’m totally open to discussion in order to make sure that the Europe I was raised in and choose to live in upholds my standards of a righteous society.

Posted Tuesday, November 10th, 2009 | 15 responses


Chris Neil

Here is the amendment —

Article 5(3) shall be replaced by the following:
“3. Member States shall ensure that the storing of information, or the gaining of access
to information already stored, in the terminal equipment of a subscriber or user is
only allowed on condition that the subscriber or user concerned has given his or her
consent, having been provided with clear and comprehensive information, in
accordance with Directive 95/46/EC, inter alia about the purposes of the processing.
This shall not prevent any technical storage or access for the sole purpose of carrying
out the transmission of a communication over an electronic communications
network, or as strictly necessary in order for the provider of an information society
service explicitly requested by the subscriber or user to provide the service.”;

Everything is open to interpretation, but the article here is pretty clear that you must have consent before putting a cookie on someone’s machine.


aurelie

Hi Neil,

Yes, I finally found it, page 77!
It’s unfortunate that the initial writer of the blog post didn’t bother to point to the exact literature; it would have saved a lot of people a lot of hassle!

I would also like to point out that:
1. it doesn’t mention cookies
2. consent isn’t the same thing as opt-in.
On the last point, even out-law made a clear distinction when they talked about the opt-in obligation to avoid spam some years ago, when a law was passed relating to e-mail marketing.
Funnily enough, their stance had the same effect back then as today: a storm in a teacup, and we all survived!
Please allow me to quote from http://www.out-law.com/page-5657:
“An “opt-in” generally refers to a tick box which, if filled in by the user, indicates positively that they...”
as opposed to
“Prior consent”, however, does not specify any particular means of assessing the user’s intention. The main thing to consider is whether the user fully appreciates that they are consenting and what they are consenting to. Therefore, while opt-in is one way of demonstrating a user’s consent, it is not the only way.

I rest my case & welcome feedback.


Conrad Bennett

Hi Aurelie!

I’m not sure I am so optimistic about your interpretation. If you compare the 2002 and 2009 versions, it looks to me like the terminology was tightened up for a reason, with the retention of the exclusion for provision of service ‘explicitly requested’.

While it does not refer specifically to cookies, there is no denying that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user” covers the use of both traditional cookies and any similar workaround such as Flash cookies.

The thing which concerns me most is the use of phrases such as “has given” and “having been provided” as they are clearly using the past tense and suggest prior consent. It therefore would not be sufficient to say “We’ve set some cookies, is that OK? If not, here’s how to remove them”.

Obviously all of this is academic until someone, somewhere clarifies it further, but since the potential impact of the ‘worst case’ is so significant to our industry, I don’t think it does us any harm to give it some consideration.

Cheers,
Conrad
(In the spirit of disclosure I work for a vendor, but the thoughts above are my own ;)


New law bans the use of cookies, which could be devastating for the online media industry

[...] be able to track and measure their campaign, because this system is also built on cookies. According to the blog post EU cookie law interpretation is breathtakingly stupid! from Web Analytics Demystified, this is, however, fairly unthinkable. The view there is that the wording [...]


Beyond Web Analytics – Episode 1 | Beyond Web Analytics!

[...] http://aurelie.webanalyticsdemystified.com/2009/11/10/eu-cookie-law-interpretation-is-breathtakingly... Books Referenced: Charlene Li and Josh Bernoff. Groundswell: Winning in a World Transformed by Social Technologies. Harvard Business School Press (Cambridge, MA), 2008. 224 pages. (See also: http://blogs.forrester.com/groundswell/) Note: Some of the sound clips used in this podcast were used under license. Burnkit2600 / CC BY-NC-SA 3.0 Share/Save [...]


Weekly Web Analytics News Roundup – 13th Nov 09 | Actionable Analytics

[...] New law in Europe meaning consent will be required for cookies and why it is breathtakingly stupid [...]


Lars

What I really would like to see is the possibility to opt out of Echelon, FRA, and its other local counterparts.

http://en.wikipedia.org/wiki/Echelon_(signals_intelligence)
http://en.wikipedia.org/wiki/FRA_law


Rob Kaper

Websites do not have local file access. They merely send cookie values as part of the HTTP response and accept local data contained in a HTTP request.

Browsers store cookies. Most if not all have an interface to manage policies. Some even allow a decision on a cookie-by-cookie basis.

Browsers send local files when posting a form with one or more inputs of the type file. Most if not all warn users when this happens.

At best this will make P3P privacy publishing and browser integration a standard. It won’t change the Internet as we know it, it’s not a big deal.
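The mechanics Rob describes (the server emits Set-Cookie headers, the browser decides whether to store them and sends them back in a Cookie header) are also where the two models argued over in this thread diverge: the post’s recommendation of a privacy policy with an opt-out link, versus the prior consent Conrad reads into Article 5(3), under which nothing may be stored before the visitor has agreed. The following is an added example written for this page, not code from the post, from any commenter or from any analytics vendor. The cookie names (wa_visitor, wa_optout, wa_consent, sid) are hypothetical, and it uses only Python’s standard library.

```python
from http.cookies import SimpleCookie

# Hypothetical cookie names for this example; real analytics tools use their own.
ANALYTICS_COOKIE = "wa_visitor"   # persistent visitor identifier (the contested cookie)
OPTOUT_COOKIE = "wa_optout"       # set when the visitor used the opt-out link
CONSENT_COOKIE = "wa_consent"     # set when the visitor gave prior consent
SESSION_COOKIE = "sid"            # session for a service the visitor explicitly requested


def parse_cookie_header(cookie_header):
    """Parse the Cookie request header the browser sends back ("name=value; ...")."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def _set_cookie(name, value, max_age):
    """Format one Set-Cookie response header the way a server would emit it."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["max-age"] = max_age
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    return ("Set-Cookie", jar[name].OutputString())


def response_cookies(cookie_header, model, new_visitor_id, service_requested=True):
    """Decide which Set-Cookie headers one response may carry.

    model is "opt-out" (analytics cookie stored unless the visitor opted out) or
    "prior-consent" (analytics cookie stored only once the visitor has consented).
    Returns a list of (header-name, header-value) tuples.
    """
    incoming = parse_cookie_header(cookie_header)
    headers = []

    # Strictly necessary storage is exempt in both models: a session cookie for a
    # service the visitor explicitly requested (the Article 5(3) carve-out quoted above).
    if service_requested and SESSION_COOKIE not in incoming:
        headers.append(_set_cookie(SESSION_COOKIE, "s-" + new_visitor_id, max_age=1800))

    if model == "opt-out":
        # Stored on the very first response; the privacy-policy link lets the visitor stop it later.
        allowed = incoming.get(OPTOUT_COOKIE) != "1"
    elif model == "prior-consent":
        # Nothing stored until an earlier response recorded an explicit "yes".
        allowed = incoming.get(CONSENT_COOKIE) == "yes"
    else:
        raise ValueError("unknown model: %r" % model)

    if allowed:
        # Keep an existing identifier rather than minting a new one on every response.
        visitor = incoming.get(ANALYTICS_COOKIE, new_visitor_id)
        headers.append(_set_cookie(ANALYTICS_COOKIE, visitor, max_age=2 * 365 * 24 * 3600))
    return headers


def record_choice(choice):
    """Headers for the response to the consent or opt-out form itself.

    Storing the visitor's own decision is treated here as necessary to honour that
    decision (an interpretation for this example, not wording from the Directive).
    Opting out also expires any analytics cookie already stored.
    """
    if choice == "consent":
        return [_set_cookie(CONSENT_COOKIE, "yes", max_age=365 * 24 * 3600)]
    if choice == "opt-out":
        return [_set_cookie(OPTOUT_COOKIE, "1", max_age=5 * 365 * 24 * 3600),
                _set_cookie(ANALYTICS_COOKIE, "deleted", max_age=0)]
    raise ValueError("unknown choice: %r" % choice)


def cookie_names(headers):
    """Names of the cookies a list of Set-Cookie headers would store (or expire)."""
    return [value.split("=", 1)[0] for _, value in headers]


if __name__ == "__main__":
    # Constructed first visit: the browser sends no Cookie header at all.
    print("opt-out, first visit:       ", cookie_names(response_cookies("", "opt-out", "v1")))
    print("prior-consent, first visit: ", cookie_names(response_cookies("", "prior-consent", "v1")))
    print("prior-consent, after 'yes': ", cookie_names(response_cookies("wa_consent=yes", "prior-consent", "v1")))
```

On a first visit with no Cookie header, the opt-out model already stores wa_visitor alongside the session cookie, which is exactly the “we’ve set some cookies, is that OK?” situation Conrad objects to; the prior-consent model stores only the session cookie until a later request carries wa_consent=yes. The session cookie is emitted in both models, since storage strictly necessary for a service the visitor asked for is exempt either way.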


Handing out cookies is no longer allowed! Ask permission first | Medialandschap - trends, art and technology

[...] to the mega-squared power. If you don’t ask permission, you get a fine. This is such sad legislation that words really fall short; I am speechless. More detailed analysis. Give it [...]


Struan Robertson

Hi Aurelie,

I wrote the OUT-LAW piece. I just thought I should respond to a few of your points.

The nice people at TechRadar said they liked it and asked my permission to reproduce it. That’s why it’s exactly the same story on 2 sites.

My editorial included a link to the complete final text. It was a 97-page PDF so I put the link right at the end. It was there all along but I guess it was easy to miss on the page because most of the other links were in the text. I agree with you that I should have added that link to the other page as well, the one that quoted all the relevant wording from the new Directive. I forgot to do that but, after reading your piece, I’ve added that link.

Just to reiterate: paragraph 66 – the bit you quote – is a recital. Recitals matter less than Articles when it comes to interpreting EU laws, and the wording that refers to prior consent is found in the Article.

As for the difference between “prior consent” and “opt-in”, I’m not sure that’s relevant here. You do have options on how to give people information about cookies; but you have to find one that gets the information to them before the cookie, as Conrad says.

You say: “I don’t think that prior consent for the use of cookies will be enforced in Europe”.

The Directive will require prior consent. But you may well be right that it won’t be enforced. We’re hoping for the same thing there.

Struan


Perty

It’s ok for our governments to eavesdrop our emails, websurfing etc but they require “third parties” to be very clear about saving a little cookie.

Laughable…


aurelie

Dear Struan,

Thank you for taking the time to reply to my blog post, I sincerely appreciate it and applaud the tone with which you have done so.
It was actually the way in which your writings were framed that initially disturbed me greatly, as it painted a very gloomy picture of what might be coming, within a possibly short time frame, as if the EU had deliberately slipped in, at the last minute, something very harmful for the digital industry we both cherish. One of the comments I read over the last few days even wondered whether hosting shouldn’t be moved to the U.S., following your post. That really, really made me very sad, as this is not at all in the spirit of how the EU is pushing the Internet!

This reminded me a lot of the privacy debate of some years ago, when opt-in for email marketing was debated and the same doom and gloom feeling was spread around. It created a lot of confusion at the time for all actors involved and basically a terrible waste of time, as in the end we all survived, adding opt-in or even double opt-in for email marketing.
My intention here was to calm things down and set some facts straight about how this all came about, as the debate was complicated over time by the French Hadopi law and the British Phorm issue. And finding consensus among 27 is certainly more complicated than among 15!

I don’t doubt that things will change, which is why I suggested at least starting with adequate privacy policies on websites – as this is unfortunately very rarely the case, let’s be honest – and showing that the opportunity to opt out of measurement is something the industry I work in, web analytics, has already been pushing for quite some time. The creation of BEREC should, I hope, help enforce this. However, as technology continues to evolve, with the advent of behavioural targeting and the use of mobile, more will certainly come in order to remain compliant with EU and national legislation.

Let’s see how this plays out, shall we? In the meantime, moving servers to the U.S. is neither necessary nor a good solution for Europe.
Thanks again, kind regards,
Aurélie


aurelie

Thanks Rob for your input. I tend to agree and hope that less technical people, including legal experts, will at some time become technically savvy enough to understand it as well!


aurelie

Hi Conrad,

Thanks for your comment! I totally agree that our industry will have to take it into consideration and keep a close eye on how this might unravel.

It’s also interesting to see where the responsibility for the use of the technology lies, between the vendor and the end client. Indeed, if a client uses for example Webtrends but hasn’t updated their privacy policy to explain that they are using cookies to track their visitors, is this your company’s responsibility or does it lie with the end client?
Vendors of measurement solutions will have to continue to provide their clients with solutions that are in line with legislation. Opting out of measurement was, as far as I know at least (but I might be wrong), something that didn’t even exist a couple of years ago!

However, I see more and more clients in the EU asking about privacy. A free tool was recently discarded and replaced by on-site measurement. There’s also discussion about SaaS solutions being hosted outside of the EU, despite Safe Harbor. But these remain informal discussions that I’m sure will find more consistency with time. This is definitely not over yet, but it’s not as if we’re all out of a job, either.

Cheers from sunny Madrid,
Aurélie


Don’t do evil or follow the money? | Aurelie Pols at Web Analytics Demystified

[...] is actually in line with how the IAB interpreted the latest EU Telecoms Directive reform I blogged about some time [...]



COPYRIGHT © 2010 WEB ANALYTICS DEMYSTIFIED, INC. ALL RIGHTS RESERVED. PRIVACY POLICY