caveat vendor

EU On Data Privacy: One Tough Cookie

October 24, 2013

By Ryan Nier

“Hey, you want a cookie?” That’s the question on the minds of data protection regulators in the EU as they guide states and companies on how to interpret and apply the 1995 European Data Protection Directive. If you’re offering someone a cookie and they happen to be in the EU, asking that question of your users is necessary and is becoming ever more complex.

“Cookies,” also known as “browser cookies” or “web cookies,” are little bits of data that can be sent from a website and stored on a user’s web browser. They are commonly used to store helpful information, such as items in a shopping cart, a login name, or a set of preferences (e.g., “use US English when I visit this site”).

While US law has taken a very permissive approach to cookies – generally allowing their use absent nefarious purpose – the EU has taken a strikingly different approach which focuses on user consent. On October 14, the EU’s Article 29 Working Party – which is tasked with advising on how member states should read and apply the terms of the Data Protection Directive – outlined the four corners of what likely will be required for valid “consent.” The Working Party’s recommendations are not binding, but they are given great weight by EU member states.

Per the Working Party’s guidance, consent must be (1) specific in nature, (2) given prior to use of the cookies, (3) acquired via active behavior, and (4) chosen freely.  More specifically:

  • Specificity: the group recommended that the notice be “immediately visible” and “clear [and] comprehensive.”   It is not enough that the user simply agree to the general use of cookies; the operator must provide information about why it uses cookies and what the cookies are for.

  • Given Before Use:  Notice must be given to a user before cookies are used for the first time.  While this may not seem difficult, the use of cookies is so common and widespread that banning them prior to consent could be clunky.  For example, the information that cookies were initially designed to keep track of – a user’s language preferences, country, or login name – may now be placed out of reach until the user is presented with a consent form that they may not be inclined to read or accept.  For many, this may result in simply stripping helpful functionality from existing websites (e.g., imagine requiring users to choose their language and country every time they visit your website).

  • Active Behavior:  Consent must be acquired through “positive action” such as clicking a button or checking a box.  Moreover, the Working Party advised that consent may be invalid if consumers are not given specific choices that allow them to choose which cookies they would and would not like.  Once again, in practice, this may require significant changes to how sites are designed and how users interact with them (e.g., a website may be required to delineate categories of cookie use, explain how they work, and require users to check each type of cookie they wish to allow).

  • Free Choice:  Not only are companies required to give users choice, they are only allowed to use cookies that are “adequate, relevant, and not excessive in relation to the purposes for which they are collected.”  Put another way, even if a company meets those first three requirements, consent could still be deemed invalid if the data collected are not strictly necessary for the operation of the site or the provision of the requested service.

With the EU’s new Proposed Data Regulation on the horizon, complying with “consent” under EU law is only getting more difficult. Companies with customers in the EU would be wise to heed the Working Party’s advice and tighten up their cookie policies. Perhaps the better question is, “Hey, want a cookie? It’s chocolate chip, with whole wheat flour, and isn’t organic. I can pick out all the chocolate chips if you want. In any event, just fill out this form.”

Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.