For the half-year to 31 December 2014, the IPKat's regular team is supplemented by contributions from guest bloggers Rebecca Gulbul, Lucas Michels and Marie-Andrée Weiss.

Regular round-ups of the previous week's blogposts are kindly compiled by Alberto Bellan.

Sunday, 29 May 2011

To cookie or not to cookie?

This Kat is often perturbed that the advertisements in her Gmail and FaceBook accounts seem to be personalised through no action by her. Indeed, recent advertisements on both sites have related to wine, law, cats, Sydney and/or army boot camp training (the last, of course, being a complete mystery). It with interest, then, that this Kat has been following the progress and (lack of) implementation of the EU 'Cookie Directive'.

For those unfamiliar with the concept of a 'cookie', it is a file which is stored on your computer by your web browser when you visit a website. A cookie can be used for remembering log in details, site preferences, shopping cart contents and anything else that can be accomplished through storing text data. Accordingly, cookies are a provide a wealth of useful information for targeted advertising.

The EU first enacted provisions relating to cookies in 2002 in the form of the ePrivacy Directive. In the UK, this was implemented by Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR):

Confidentiality of Communications
6. (1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment -
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) is given the opportunity to refuse the storage of or access to that information.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information—
(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
(b)where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
That is, websites had to tell users how they used cookies and how users could ‘opt out’ if they objected. Many websites did this by putting information about cookies in their privacy policies and giving people the possibility of ‘opting out’.

On 25 December 2009 an amended Directive came into force which had to be implemented into the national law of Member States by 25 May 2011. Accordingly, Regulation 6 of the Privacy and Electronic Communications (EC Directives) (Amendment) Regulations 2011 reads like this:
Confidentiality of Communications
6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment--
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient forthe purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Therefore, a website operator required informed consent from the user before activating cookies. This amendment came into force on 26 May 2011.

Now 26 May 2011 was last Thursday. So why are UK websites not asking this Kat for 'permission to cookie'?

The answer is that Ed Vaizey, Minister for Culture, Communications and Creative Industries, and the Information Commissioner's Office (ICO) have reached a prior agreement concerning enforcement of the amended Regulations.

The ICO, as enforcer of UK data privacy legislation, was of the view that the new regulation needed to be interpreted strictly and immediately. Indeed, on the front page of its own website, the ICO states:
'On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice'.
Users are then invited to tick a box to accept cookies from the site.

However, the government was not so enthusiastic. In particular, it was concerned about the possible detrimental effects on UK online retailers: the burdensome necessity of obtaining consent from users could make online shopping so cumbersome and intrusive that consumers would use US sites rather than UK sites.

On Wednesday, Mr Vaizey stated in a press release that ‘there will be no immediate changes to how UK websites operate as a result of new EU rules’. Rather, he stated that the government would work with website operators to ‘come up with workable technical solutions’. In a press release, the ICO stated that website operators have up to one year to ‘get their house in order’ and that ‘this does not let everyone off the hook’.

The IPKat agrees with Mr Vaizey’s earlier comment at the CBI forum on e-privacy and the digital economy that the new cookie provisions were ‘a good example of a well-meaning regulation that will be very difficult to make work in practice’.

Merpel wonders, if she chooses not to accept cookies from a particular site, whether she can somehow stop that same site continually asking her if she wants to accept cookies (because that site cannot set a cookie indicating her 'no cookie' preference)?

3 comments:

Anonymous said...

Merpal,

I know you're only being mischievous, but the answer to your question is to use a browser with fine grained cookie control that will let you deal with individual domains (or even sub-domains).

Konqueror (for Linux) is a good example.

patently said...

whether she can somehow stop that same site continually asking her if she wants to accept cookies (because that site cannot set a cookie indicating her 'no cookie' preference)?

Perhaps the site could ask for your consent to store a cookie indicating that you do not want to receive cookies other than the no-cookie cookie?

Anonymous said...

There is no impediment (and some very real incentive) to "cookie" away - at least in the US.

In fact, the plethora of cookie-respawning in widely used formats (e.g. pdf) to work around any cookie control mechanisms is evidence that the "free" in any internet context (such as "free content") is not actually "free."

One needs to recalibrate to the actual currency of the modern age - information. Those already in the industry of that currency have a decided bias that must be recognized by all (and especially law makers) in this arena.

Subscribe to the IPKat's posts by email here

Just pop your email address into the box and click 'Subscribe':