EU Privacy: How Will the Cookies Crumble?
Steve MasurWritten by Lindsey Powers
—–
EU businesses have been abuzz about tighter EU privacy rules that affect use of web cookies with little notice in the U.S. Changes to EU laws may have effects even on US-based companies. In addition, proposed bi-partisan privacy legislation in the US reveals a possible trend toward stricter privacy controls stateside. The recent suit filed against an online analytics firm and its customers, including Hulu, Spotify and Spokeo, reveals that even under the current US privacy regime, certain tracking practices can lead to headaches [1] It’s important be aware of these developments and to consider how they might affect the online presence of your business. Online privacy is a moving target and counsel with expertise in internet privacy can help develop a strategy tailored to your business.
New Rules
In 2009, the EU released its e-Privacy Directive tightening existing law on online privacy and data protection [2]. Perhaps the most crucial provision in the Directive for online businesses is the requirement of informed consent by the user for collection of data via cookies. Businesses are concerned about the cost of implementing new requirements, but they can’t even be sure what the exact requirements will be. Is affirmative opt-in consent required before collecting data? What kind of opt-in is required? Pop-up? Screenwrap? Splash page? These questions lead many critics to accuse the Directive of being half-baked.
What are Cookies?
Cookies are tools used by websites that store text data retrieved from the user’s computer. Common uses for web cookies include identifying a user session, authenticating a user, and saving user preferences. A more visible example of the use of cookies is the saving of shopping cart contents for online shopping. It is possible for cookies to be used by spyware or to break into someone’s online account, but the main concern of EU regulators is the protection of individuals from collecting or using information without their consent.
EU Guidance on Consent
Consent is a contentious aspect of the Directive, and the lack of clear guidance is troubling to many online commerce proponents. EU law prior to the new Directive required an opt-out, but the new directive appears to require an opt-in. It is unclear what exactly is required in order to show that informed consent was gathered. Would a pop-up window suffice? Should the site take users to an entry page where they must consent prior to accessing any content? How often must one gain consent? On July 14, 2011, an EU Working Party on Data Protection released anticipated guidance on consent [3]. However, even the EU’s data protection supervisor admits that current advice is unclear [4]. The Working Party states that “all necessary information must be given at the moment the consent is requested,” and that consent is required before the data processing begins [5]. Regarding how consent may be manifested, the Working Party doesn’t really answer the most common concerns regarding how to achieve compliance. This guidance doesn’t give a clear stamp of approval to any specific method of gathering consent—the question most bothersome to many website administrators.
Implementation
The Directive is not actually binding upon companies or individuals until Member States codify it into their national laws [6]. Member States were required to codify and implement the e-Privacy Directive by May 25, 2011, [7], but this date passed with only a handful of Member States meeting the deadline [8]. Perhaps the most notable State to comply so far is the UK, which has not only codified the directive into national law, [9] but has also released guidance from the Information Commissioner (ICO) as to how the new rules are to be enforced. [10]. The ICO has established a one-year grace period for enforcement of the rules, ending in late May 2012, but indicates that companies must begin taking steps towards compliance as soon as possible [11]
Member State Policies on Consent
Because the EU Directive is not specific about the actual requirements imposed upon businesses, there are a multiple flavors of interpretations across the Member States. For example, Ireland [12] and the Netherlands [13] will allow browser settings to suffice as consent. That is, if a user’s browser settings allow cookies, that sufficiently signifies consent. Other Member States, including the UK, have said that while the use of browser settings may one day be a viable option for obtaining consent, current browser settings lack the specificity of settings regarding different types of cookies required to serve as consent. The UK situation is especially interesting because while their actual law says that browser settings are okay for consent, the guidance provided by the regulator says they currently are not [14].
The UK ICO actually provides a helpful model for how to prepare for the roll-out of national privacy laws modeled after the EU Directive. The ICO’s recipe for compliance includes suggested steps companies may take to follow the regulations. These steps include 1) auditing what types of cookies are used, what data is used by those cookies, how the data is used, and which will need consent; 2) assessing the intrusiveness of the use of cookies on the site(s); and 3) developing an appropriate solution for gaining consent. The ICO provides possible options for achieving compliance, including pop-ups, splash pages, footers/headers with tick boxes, etc. [15] [15a]. This seems to be the closest any regulator has come to giving specific criteria for satisfying the requirements of the Directive.
Effect on Non-EU Business
Some experts believe that any site using cookies to collect data from users in the EU is subject to the Directive, but that it must still be decided how exactly enforcement will take place [16]. In an opinion on online advertising, the EU Working Party on Data Protection suggested that businesses outside of the EU who use cookies on EU users’ computers to collect personal data will fall under the e-Privacy rules [17]. However, the concerns of many EU e-commerce companies that the directive will drive online businesses to move operations to the US reflect a different expectation [18].
Recent Privacy Bills in the U.S.
The U.S. has a much less rigid consumer data protection structure than most developed nations. The laws regarding data privacy are piecemeal and tend to relate to specific types of data, such as medical information or financial details, but there is no overarching e-privacy data protection scheme [19].
There are at least two pieces of proposed legislation that seek to change this. In April 2011, Senators John Kerry and John McCain introduced the “Commercial Privacy Bill of Rights.” This bill creates rights related to information gathering and use. Importantly, part of the proposed legislation includes an opt-out requirement for information “unauthorized by the Act,” and an actual opt-in consent requirement for “sensitive personally identifiable information.” [20]
A similar bill was introduced by Representatives Cliff Stearns and Jim Matheson in the House [21].
While these proposals don’t go nearly as far as the EU e-Privacy Directive, they do increase restrictions on gathering and use of data for US companies. Groups such as the Direct Marketing Association oppose the proposed laws, citing cost of compliance and effect on a robust information economy. Surprisingly, supporters of the proposed privacy reforms include AT&T, Microsoft, HP, Intel, and eBay. These companies believe the complexity of the current system costs more in compliance than an overarching scheme would [22] [22a].
This week, a group of lawyers filed a class action complaint against the analytics firm KISSMetrics and many of its customers, including high-profile names such as Spotify, Hulu, Etsy, Slideshare.net, and AOL’s About.me, alleging that the companies “circumvented… browser privacy controls,” and tracked users in an “unreasonable and unexpected way…” [23] violating the Electronic Communications Privacy Act [24]. While it is too early to gauge whether the plaintiffs will prevail because it is unclear whether the ECPA applies to cookies-type tracking, such suits may lead to stronger privacy protection requirements being imposed on online businesses.
Costs of Noncompliance
While most EU States have yet to implement the Directive, one can look to the UK as an example of potential penalties. The ICO reserves the right to audit and to impose monetary penalties on businesses found not to comply with privacy laws, potentially of up to £500,000 [25]. Such penalties may render it extremely costly to be caught with your hand in the cookie jar.
Potential Outcomes for Business
The ICO’s own website was one of the first to adopt the consent feature for use of cookies. When you visit the ICO website, a box appears at the top of the page asking for consent to collect user data via cookies [26]. Since this change, the ICO’s website has seen a 90% drop in traffic [27]. This news has companies and business advocates seriously concerned that the new rules will be the Cookie Monster that eats all their web traffic. The EU’s official stance is that tighter regulations will increase consumer trust and help meet the EU’s goal of increased levels of buying online [28]. It is impossible to tell what the actual effect on commerce will be until the laws are in place and enforced.
Next Steps
While awaiting future guidance and implementation by more member states, it seems that the most reasonable action plan for businesses with presences in the EU should be to start assessing their own use of cookies and to start developing some kind plan for compliance. The ICO’s guidance may be a good starting point since so few EU States have implemented the guidelines. However, it’s important to remember that while Member States can’t deviate too far from the EU Directive, different States may have different requirements for compliance.