Of Cookies and Spam – Global Privacy Book

Francoise Gilbert

What’s Cookin’ in the European Union?

The European Union Member States will soon change the rules that apply to cookies and unsolicited messages. Recent amendments to the ePrivacy Directive require the Member States to implement new restrictions in their national laws by June 2011. These changes are likely to significantly affect the procedures and processes used for marketing in, or with, the European Union. The most important change creates new rules for the use of cookies.

1. Background and the 2009 Directive

The e-Privacy Directive is “the other directive” that applies to the protection of personal data in the European Union, in addition to the 1995 EU Data Protection Directive. Adopted in 2002, this directive identifies the restrictions that are intended to protect personal data in the context of wire or Internet communications.

The European Parliament and the Council of the European Union approved Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector in order to address the uses and abuses of new, advanced digital technologies. The ePrivacy Directive supplements Directive 95/46/EC by providing a framework to respond to unsolicited commercial messages, the use of fax and similar technologies for telemarketing purposes, and creates a framework for the use of cookies, traffic data, location data, and public directories.

The 2002 version of the ePrivacy Directive was amended through Directive 2009/136/EC, which became effective in December 2009, and requires Member States to modify their national laws accordingly by June 2011. This amendment was part of a larger series of amendments that updated the existing regulatory framework for electronic communications networks and services. Several provisions of the 2002 ePrivacy Directive are significantly altered through these amendments. This, in turn, will cause a ripple effect when these amendments are implemented in the national laws of each of the EU Member States. Unfortunately, portions of the 2009 Directive are confusing, which is likely to cause significant discrepancies in the way that the Member States interpret this new directive.

2. New Rules for Cookies and Spyware

The most important change that is brought by the 2009 Directive is a new requirement for the use of cookies. The 2009 Directive replaces Article 5(3) of the ePrivacy Directive in order to strengthen the rights of the individuals.

Under the 2002 version of Article 5(3) of the ePrivacy Directive, Member States’ national laws must ensure that electronic communications networks are not used to store information or to gain access to information stored in the terminal equipment of a subscriber or user unless the subscriber or user concerned:

Has first received clear and comprehensive information in accordance with the 1995 Data Protection Directive about the purposes of the processing; and
Is offered the right to refuse such processing by the data controller.

According to the Preamble of the 2002 Directive, information and the right to refuse may be offered once for the use of various devices or pieces of code to be installed on the user’s terminal equipment during the same connection and may also cover any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse, or requesting consent should be made as user-friendly as possible. Access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

a. Notice requirement

The 2009 version of Article 5(3), which supersedes the prior version, retains the notice requirement of the 2002 draft. It states that the subscriber must be provided with “clear and comprehensive information about the purposes of the processing” in accordance with the 1995 Data Protection Directive.

b. Consent or Right to Refuse?

The new Article 5(3) of the ePrivacy Directive requires the user’s consent. Member States national laws must provide that electronic communications networks may store information, or gain access to information already stored, in a user’s or subscriber’s equipment only “if the subscriber or user concerned has given his or her consent.”

There is no definition of “consent” either in the 2002 version of the ePrivacy Directive or in the 2009 Directive. Further, while the 2002 Directive distinguishes “consent” from “explicit consent,” the 2009 Directive does not.

The “right to refuse” in the 2002 version had been understood as an “opt-out.” The user should have the ability to “refuse” the cookies by setting its browser accordingly. An activity occurs unless the user stops the processing and indicates his opposition by using the relevant browser setting. The user is free to change the browser settings at any time.

If the requirement for “consent” is to replace that of a “right to refuse,” what is the difference between the two options? Does it mean that each website should have a landing page in which it provides information about its cookies, so that a visitor can then agree to the policy before entering the site?

Unfortunately, Recital 66, in the preamble to the 2009 Directive, which should provide background and comments on these provisions, only adds confusion. There are discrepancies between the text of the amended Article 5(3), and that of Recital 66. While Article 5(3) requires the user’s “consent,” Recital 66 refers to both the “right to refuse” and the obligation to obtain “consent.” For example, one sentence states: “the methods of offering … the right to refuse should be as user-friendly as possible.” The next sentence, however, provides “where it is technically possible and effective, … the user’s consent to processing may be expressed….”

To add even more to the confusion, the Recital 66 also indicates that the user can express his consent through his browser. The drafters comment that the user could express his “consent to the processing” by using appropriate settings on his browser or other application. If this is the case, then what is the difference with the current state, and what did the amendment intend to accomplish?

These amendments to the 2002 ePrivacy Directive now have to be implemented and interpreted by the 27 Member States. The different possible interpretations of the new Article 5(3) and of Recital 66 of the Preamble of the 2009 Directive are likely to result in significant discrepancies in the laws of the different Member States, the opposite effect of what a directive should accomplish.

c. Exceptions

Like the 2002 version, the new Article 5(3) of the e-Privacy Directive provides exceptions to the consent requirement for certain types of cookies. The exceptions are the same in both the 2002 version of Directive and the 2009 Directive.

One exception allows the use of cookies without consent when the technical storage of, or access to, information is for the sole purpose of carrying out the transmission of a communication over an electronic communication network. The other exception is when the use of a cookie is strictly necessary for the provider of an information society service explicitly required by the subscriber or user to provide the service.

According to the Preamble to the 2009 Directive, these exceptions should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Thus, presumably, session cookies that can take a user from one page to another (e.g. from a page where an order is placed to a checkout page where payment is made) would be allowed. Persistent cookies and web beacons, which may be used for web analytics, but could also be used for behavioral targeting purposes, would require consent.

3. Unsolicited Commercial Messages

In addition to the provisions pertaining to the use of cookies, the 2009 Directive modifies slightly the regime that applies to unsolicited commercial messages. It extends the scope of the ePrivacy Directive. Under Article 13 of the e-Privacy Directive, the national laws of the EU Member States must provide that unsolicited commercial messages may be sent to an individual unless the individual has previously opted-in to receive the message. If the merchant has a relationship with a preexisting customer, an opt-out is acceptable, but only when the communication is made for marketing similar products or services to that customer, and subject to several prerequisites. In this case, the merchant may use the contact information that it collected from the customer in the course of the sale of a product or service.

Several conditions need to occur:

The contact information must have been obtained in the context of the prior sale of a product or a service to the individual by the same company.

The contact information must have been obtained in compliance with the applicable Member State national law that implements the 1995 Data Protection Directive. Notice must be provided and consent obtained. The notice to the individual must describe which data are being collected, the identity of the entity collecting the information, for which purpose(s) the data will be used, the recipients or categories of recipients of the data, and the existence of the right of access to and the right to rectify the data concerning the customer.

The company must inform the customer in a clear and distinct manner that the data might be used again for direct marketing.

The Customer must be given clearly and distinctly the opportunity to object, free of charge and in an easy manner, to such use.

The ability to opt-out of the further use of the contact information must be provided both when the information is first collected, and on each use of the information.

The use of fairly-and-lawfully-previously-obtained contact information is limited to sending the customer information about products or services that are similar to those previously provided to that customer.

These provisions apply only to protect natural persons. However, the directive urges Member States to consider similar provisions to protect legal persons, as well, from unsolicited communications.

The 2009 Directive expand the scope of these provisions:

a. Opt-In for Robocalls, Fax, Email, and Text Messages

The e-Privacy Directive requires that Member States national laws implement an opt-in regime for automatic calling machines, facsimile machines, and emails and text messages used for direct marketing.

The 2009 Directive extends the restriction to MMS and similar applications.

b. Person-to-Person Voice Telephony

For communications other than through automated calling machines, facsimile machines, email, text, SMS, or MMS messages, and the use of email addresses obtained in a prior relationship, such as person-to- person voice telephone calls, the e-Privacy Directive allows Member States to choose between an opt-in and an opt-out regime.

In the 2002 version of the ePrivacy Directive, the privilege was granted only to the subscriber; the 2009 Directive extends the privilege to the users, as well.