TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Cookie Consent—What's Changed? Related reading: Takeaways from record COPPA settlement

rss_feed

""

Almost five years ago, EU legislators shocked the Internet world by changing the legal requirement for the use of cookies and similar device identification techniques from “notice and opt-out” to “notice and consent.” At first, there was a sense of disbelief about whether this sudden legal twist was for real. As the dust settled, it became clear that what had been common practice until then—sticking a generic paragraph about the use of cookies in the privacy policy and referring users to the browser's menu for further control—was no longer enough to comply with the new requirement.

Eventually, different mechanisms aimed at complying with the law whilst preserving the normal functioning of the Internet emerged. These ranged from the pure opt-in box approach to momentarily waving a cookie warning to users entering a website for the first time. In reality, these mechanisms differed in the level of compliance they achieved, so the EU data protection authorities were at pains to clarify what they regarded as good enough and what didn't meet the consent requirement.

In the end, deploying an "implied consent" mechanism was generally regarded as the minimum baseline for compliance across the EU. Implied consent did not mean simply returning to the old “notice and opt-out” approach.

In order to be regarded as valid consent, this approach needs to meet the following criteria:

  • Prominent cookie notice – As a starting point, the website must deploy some kind of visible notice, such as a banner or pop-up, which alerts visitors to the use of cookies. The users' indication of wishes is impliedly given when they see a cookie notice, understand its meaning and rely on the functionality available to make their cookie choices. This means that the notice provided must be made available for long enough to be seen and digested before cookies are actually dropped onto the user's device.
  • Action that amounts to consent – The cookie banner or pop-up must spell out as clearly and prominently as possible what specific action or conduct will amount to consent. As a minimum, the notice must state that if a visitor continues to use the site without changing the settings, then the website operator will assume that the visitor is happy to receive cookies. Only after the user has taken that action will it be lawful to proceed to drop the cookies onto the device.
  • Control mechanism – As part of the process of obtaining consent, website users must be able to make their choices freely and refuse the use of cookies—other than those that fall under the strictly necessary exemption—at any time and through simple means.
  • Clear and comprehensive information – This is the final—and hopefully easy—bit. Clear and comprehensive information about the use of cookies must always be available (for example, in a cookie policy) to satisfy the ongoing transparency requirements.

The bottom line is that if a website operator deploys a mechanism that properly meets these features, it will be regarded as compliant with the consent requirement.

So what's the problem then?

The problem is that the EU data protection authorities have realised a large number of websites are cutting corners and whilst they appear to follow the implied consent approach, some of the essential features of this model are in fact missing. For example, the Dutch data protection authority has recently taken enforcement action targeting both website operators and ad networks because cookies were in fact being dropped simultaneously to the notice being given. This meant that users' consent was basically being taken for granted as they downloaded a webpage.

Now the mighty CNIL has warned French website operators that it intends to audit the level of compliance with this requirement in October. That's not a massive notice to get your house—well, your website or mobile app—in order, but then again, this has been the law for nearly five years. Will this lead to a drop of enforcement in a sea of noncompliance? Possibly, but do you want to be the next target?

5 Comments

If you want to comment on this post, you need to login.

  • comment Richard • Jul 24, 2014
    This could well prove to be a wake-up call.  Part of the problem is lots of website owners have taken advice from their developers, who have themselves been guided by mis-information.
    
    The main element missing in most websites is the control mechanism.  Most people are relying on the idea that telling people about browser controls to stop cookies is good enough.
    
    However, as the ICO's own guidance in the UK points out, current browser controls are not deemed sufficient on their own to enable compliance.
  • comment Mike • Jul 24, 2014
    Sections of the technology press and some self-styled "cookie-law consultants" and "legal advisors" led businesses  to believe that the implied consent interpretation meant that all that was needed was a placebo that irritated visitors while not giving them any control, but the CNIL, the ICO and other DPAs have always made it clear that prior consent for cookies and other tracking techniques was necessary.
  • comment Mike • Jul 24, 2014
    In their latest guidance the CNIL, whose head is now the chair of the Article 29 Working Party, has pointed out that consent should be revocable by the user at any time, and that consent must lapse at least before 13 months has elapsed. Both they and the Dutch DPA have also pointed out that many third-party cookies (and fingerprinting) also require prior informed consent.
  • comment Aurelie • Jul 25, 2014
    From an analytics perspective, when 5 years ago the announcements were made and the earthquake Eduardo mentioned started taking on rather big proportions, the ICO warned of a cookie cliff: by asking for explicit consent, you would loose at least 80% of your traffic data. I've seen it happen multiple times and today this issue rises again with Spain. Indeed, the Spanish DPA, AEPD, fined 2 companies in February of this year over cookies.
    
    If you want to make sure that you strike a balance between your analytics and compliance needs, most clients have thus adopted a more "forgiveness than permission attitude", allowing for companies to still hold-on to the majority of their data while also respecting their visitors' choices. This is a similar line that's seen in the UK, implicit not explicit consent, moving from opt-out instead of opt-in as most visitors are lazy.
    
    There are other factors at hand in this game as we are talking about any piece of content that might trigger some kind of data call. Typically companies managing digital properties embed for example content files, like Flash files, created by their digital agencies or other 3rd parties. Lately, it's been the hunt for LSO (locally shared objects by Adobe's Flash) or any other zombie, ever, supercookies, ETags, and now even digital or canvas fingerprinting. The KUL and Princeton WP entitled "The Web never forgets:
    Persistent tracking mechanisms in the wild" (https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf) is the latest on the matter.
    
    We see the cookie directive as a good excuse to clean house: go through all the pages of your digital properties and list your tags. Then clean up. You'd be surprised at how much crap and retired tags you can still find on pages!
    Then start looking at what those tools allow you to do: Google Analytics used on this website doesn't allow for PI to be picked up. You'd be surprised at how many sites actually do use an email address (just to name the easy one) in a form field or even in their URLs for Newsletter confirmation for eg. This infringes GA's Terms of Use. Adobe's Omniture doesn't allow for sensitive information but how do you define that? is it content clicked (like a test about diabetes) or an actual variable you're picking up in your reporting?
    
    Also, it's not only about Europe. Indeed, look at the Californian Privacy Protection Act, CalOPPA, and they ask you to explain how you respond to DNT. Most of my clients have between 15 to 80 trackers on their websites. Unless they are using a Tag Management Solution to manage them all through one tool, you need to go through each and every tool to understand how they answer to DNT and if they do.
    
    Last but not least, how do you create procedures for global companies managing multiple brands where each online or digital initiative is just dying to use the latest funky analytics tools? How do you vet them in order to make sure that these tools aren't undergoing any kind of "experiment" with for eg. canvas fingerprinting like AddThis confessed to some days ago, possibly geopardizing your very own liability?
  • comment Mike • Jul 27, 2014
    Aurelle, you are right that sophisticated technology is needed to offer visitors control over their privacy on large web estates, and we at <a href='http://baycloud.com' rel="nofollow">Baycloud Systems</a> have been providing this for 3 years to Fortune 100 companies with thousands of websites. They can manage the settings for our our consent tool, such as preferred language, styling, position, consent intepretation such as explicit or implicit, multiple or single domain consent, expiry time, and many other parameters from a central web based dashboard. Our cloud-based site scanner automatically and periodically produces a detailed, accurate and up-to-date description of first-party and third-party cookies, DOM storage items, Flash LDO, canvas and other fingerprinting, and other tracking behaviours that need user consent, and this can be dynamically rendered into any privacy policy.
    
    We manage first-party cookies and DOM storage directly, and third-party elements via our own or any other tag management solutions (such as Google's). Users can be given the maximum ability to opt-in or out of these elements individually.
    
    We were the first to support the DNT standard. I have been an active member for over 2 years (now an invited expert) of the W3C Tracking Protection Group and have made sure our products were updated as it developed. We now support the qualification of consent interpretation by a visitor's DNT general preference and also the ability to signal consent to compliant third-parties using the DNT API.
    
    Unlike some of our competitors we do not collect, and have never collected, any PII and are not part of the advertising ecosystem. This is another reason we are trusted by major brands.
    
    
    BTW, the ICO did not "warn of a cookie cliff". This was a myth based on them initially (in 2011) not delivering Google Analytics script to non opted-in users, leading to these users not being detected and then this false statistic being gleefully misreported. Our product has always allowed Google Analytics to work even for not opted-in users, without the need to collect or share any PII.