We have reported previously in our Duane Morris Alerts about the progress with new cookie laws across Europe. The laws were introduced following a European Union Directive [the E-Privacy Directive (2009/136/EC)] at the end of 2009. As part of the Directive process, each member state within the European Union agreed to introduce new domestic laws by May 2011, substantially following the form of the Directive. An influential EU body has recently returned the spotlight to those laws with a report on what corporations should do to comply.
As we have noted previously, enforcement of these new laws got off to a slow start, with the UK and Ireland taking the lead. Regulators have written to a number of well-known multinational organisations as part of their enforcement activities. The full list of initial organisations written to by the UK regulator is here: http://www.ico.org.uk/news/blog/2012/~/media/documents/library/Privacy_and_electronic/Notices/cookies_regulations_organisations_contacted_by_ico.ashx. The full list of initial organisations written to by the Irish regulator is here: http://dataprotection.ie/viewdoc.asp?m=f&fn=/documents/press/listwwebsites.htm. In May 2012, the European Commission referred five countries (Belgium, the Netherlands, Poland, Portugal and Slovenia) to the EU Court of Justice because of their delay in introducing the new rules into their national laws. (See http://europa.eu/rapid/press-release_IP-12-524_en.htm?locale=en.)
The New Article 29 Working Party Report
In an effort to clarify some of the confusion over the Directive and its implementation into local law, the EU’s Article 29 Working Party (WP29) recently published an opinion about these cookie laws. WP29 is an advisory body whose membership includes a representative from the data protection authority of each EU country. Its opinions are advisory rather than binding, but in practice, they are likely to be followed by the regulatory authorities across the EU.
The opinion (technically known as Working Document 02/2013) was adopted on the 2nd October and published on the 14th October 2013. It seeks to clarify the widespread variance of cookie laws.
The opinion states that there are four elements to cookie compliance:
Timing—As a general rule, no cookies can be sent to a user's device before consent has been obtained.
Consent must be freely given. Real choice must be present.
The specific information that must be given will include:
The purpose of the cookies being used.
How long the cookie data will be kept.
What information the cookies are collecting.
How users can express their preferences (for example: by accepting some, none or all of the cookies).
WP29 confirms in its opinion that there is no all-encompassing solution, saying "The website operator is free to use different means for achieving consent, as long as this consent can be deemed as valid under EU legislation." The opinion emphasises that specific consent must be given. "In other words, blanket consent without specifying the exact purpose of the processing is not acceptable."
What Happens Next?
As we highlighted in our earlier Alerts, however, problems remain with the implementation of cookie laws. Enforcement of the laws is down to individual EU countries, not WP29 or the European Commission. As a result, enforcement is likely to still vary across Europe. Some countries like the Netherlands and Spain have taken a more restrictive position. Even in the UK, where there has been measured enforcement activity, there is evidence that public concern has lessened. In its enforcement report on 28th October 2013 (See http://www.ico.org.uk/enforcement/action/cookies) the UK data protection regulator said that complaints had dropped to 73 per quarter from a high of more than 250 per quarter when enforcement activity began.
What Does This Mean for Businesses?