This past month, the European Union’s Article 29 Data Protection Working Party (the “Working Party”) issued the Working Document 02/2013 providing new guidance on obtaining consent for cookies (“Working Document”). The Working Document sets forth various mechanisms which can be utilized by websites to obtain consent for the use of cookies in compliance with all EU Member State legal requirements.
The amended e-Privacy Directive 2002/58/EC, adopted in 2009 and implemented in all EU Member States, requires website operators to obtain users’ consent for the use of cookies or similar tracking technologies. The Working Document elaborates on the Working Party’s prior opinion, as explained in the Working Party’s Opinion of July 13, 2011 on the concept of consent in particular. Specifically if a website operator wants to ensure that a consent mechanism satisfies each EU Member State requirement, such consent mechanism should include each of the main elements: (1) specific information, (2) prior consent, (3) indication of wishes expressed by user’s active behavior and (4) an ability to choose freely.
Specific Information: The Working Party states that websites should implement a mechanism that provides for “for a clear, comprehensive and visible notice on the use of cookies, at the time and place where consent is sought.” Users must be able to access all necessary information about the different types or purposes of cookies being used by the website.
The Working Paper indicates that necessary information includes:
-
identification of all of the types of cookies used;
-
the purpose(s) of the cookies;
-
if relevant, an indication of possible cookies from third parties;
-
if relevant, third party access to data collected by the cookies;
-
the data retention period (i.e. the cookie expiry date); and
-
typical values and other technical information.
Users must also be informed about the ways that they can accept all, some or no cookies and how to change their cookie settings in the future.
Timing: Consent must be obtained before data processing begins, i.e. on the entry page. The Working Party recommends that websites implement a consent solution in which no cookies are set to a user’s device (other than those that fall under an exception and thus do not require the user’s consent) until that user has provided consent.
Active Behavior: The Working Party indicates that valid consent must be through a “positive action or other active behavior”, provided that the user has been fully informed that cookies will be set due to this action. Unfortunately, the passive use of a website containing a link to additional cookie information is not likely to be sufficient. Examples provided by the Working Party include (i) clicking on a button or link, (ii) ticking a box in or close to the space where information is presented or (iii) any other active behavior from which a website can unambiguously conclude that the user intends specific and informed consent. The Working Party also confirmed their previously issued view that browser settings may be able to deliver valid and effective consent in certain limited circumstances. Where the website operator is confident that the user has been fully informed and has actively configured their browser or other application to accept cookies, then such a configuration would signify an active behavior.
Real Choice: The Working Document provides that websites should present users with real and meaningful choice regarding cookies on the entry page. This choice should allow users to decline all or some cookies and to change cookie setting in the future. The Working Document also clarifies that websites should not make general access to the website conditional on the acceptance of all cookies, although it notes that access to “specific content” could in some circumstances be conditional.
Although the Working Document is a welcome source of guidance providing further clarification on this thorny issue, it is clear that compliance with the European Union’s rules governing cookie consent will continue to provide challenges to companies seeking to conform their websites accordingly.
