Cookies are plain text files which are usually very small in terms of the amount of information they store but which perform essential functions on the internet. The common feature of cookies is that they are used to distinguish one browser (one person) from another and this can be used for a number of purposes, such as:

• Personalisation. Each time a user revisits a website, the user’s cookie will be retrieved by the website which originally stored it on the user’s hard disk. This enables the websites to remember that user, making it unnecessary for the user to re-enter registration data on each visit.
• Transactional purposes. The use of cookies to maintain data related to a user as the user navigates a website enables e-commerce websites to store items in electronic shopping baskets.
• Analysis. Cookies allow website operators to monitor traffic on their sites and identify browsing patterns.
• Advertising. Cookies are used for online advertising as they enable the collation of browsing-related information about a specific user (as long as he or she uses the same browser). Advertisers can then serve specific adverts or types of advert on the basis of that information.

In the context of advertising, it is useful to distinguish between “first party” cookies and “third party” cookies. First party cookies are cookies placed by the operator of the website visited by the user. These cookies enable the website’s operator to advertise its own products and services to the user based on the information gathered by its own cookies. Third party cookies are cookies sent by an entity other than that which operates the website visited by the user.

Cookies are vital to the online advertising industry which funds much of the free content available on the web. Virtually all commercial – and many non-commercial – websites use cookies and deliver them to their users. This happens as a web page is called up by a browser, so there is no time delay between the page appearing and the cookie being set.

Cookies and EU law

Internet cookies have been in the spotlight under EU data privacy law for quite some time. When the European Parliament was formally asked to consider the original draft of the e-privacy directive by the European Commission in August 2000, nobody knew what type of requirements would end up applying to one of the most frequently used tools on the web. However, when in October 2001, the Parliament issued a substantially revised version of the draft directive incorporating a prior consent requirement for the use of cookies, it became clear that this was a sensitive and controversial issue.

Eventually, the final text of Directive 2002/58/EC was adopted in July 2002. Article 5(3) allowed the use of cookies and similar devices provided that the individuals concerned:

• received clear and comprehensive information (but not necessarily in advance) about the use of that type of technology; and
• were offered the right to refuse it.

In any event, the directive has never prevented the use of cookies for the sole purpose of carrying out (or facilitating) the transmission of a communication over an electronic communications network, or where they are necessary to provide a service explicitly requested by the individual.

The notice and choice requirement has worked well and sections with fairly detailed information about cookies have become the norm in the privacy policies of European websites.

The new directive

Directive 2002/58/EC has been amended by a new directive which was formally adopted on 24 November 2009 and which must be implemented across the EU by May 2011. Article 5(3) now says that the storing of information (or the gaining of access to information already stored) in the terminal equipment of a subscriber or a user is only allowed on the condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC. There is an exception to this where the technical storage or access is:

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or

(b) strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.

In order to understand this provision, it is also important to consider recital 66, which acknowledges that third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes. According to the recital, these purposes will range from the legitimate to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It goes on to say that it is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access.

The recital demands that the methods of providing information and offering the right to refuse should be as user-friendly as possible. Significantly, the recital finally points out that where it is technically possible and effective, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.

Bearing all of these points in mind will be very important in order to determine the practical obligations arising from the revised directive and assess the actual effect on the use of cookies.

Interpretation

Given the way cookies are deployed, if the consent requirement under the new article 5(3) were to be interpreted as an absolute opt in-type consent obligation in respect of cookies, it would destroy the normal downloading process of billions of websites on the internet. This suggests that the new wording affecting the storing of information, or the gaining of access to information already stored, in the terminal equipment of an internet user must allow for a purposive interpretation of such wording.

Article 5(3) not only regulates cookies but has a much wider scope covering all types of information stored on, or accessed from, a device, including software. The intention of the article is to tackle the problem that unwanted software such as adware, junk, or even viruses and spyware may be installed on a user’s hard drive without their knowledge and consent. This can be done for instance by bundling this software together with a piece of software that a user actually wanted to install. While the revised law generally calls for the user’s consent, recital 66 treats cookies as a special case within the scope of Article 5(3).

There is clear evidence of the need for this differentiation in the first sentence of recital 66, which refers to the different purposes for which third parties may wish to store or gain access to information. These purposes will range from the legitimate – in particular, cookies – to those involving an unwarranted privacy intrusion, such as spyware or viruses, so it makes sense for the rules to be applied in a way that address those different purposes.

In the context of cookies, it will therefore be crucial to interpret the meaning of giving consent in the light of recital 66. In particular, anyone interpreting the rule set out by Article 5(3) of the revised e-privacy directive should take into account the following:

• Legitimate purposes. As mentioned, recital 66 makes a fundamental distinction in terms of the purposes for which third parties may wish to store or gain access to information. The use of cookies will certainly fall within the “legitimate purposes” category and should not be subject to an unduly burdensome regime.
• Right to refuse. Recital 66 goes on to refer to the right to refuse, which should be as user-friendly as possible. This confirms that in relation to all remote information storage mechanisms covered by article 5(3), the universally applicable obligation is to offer such right, rather than to require a strict opt-in consent. Furthermore, the legislative history makes it clear that the EU legislator wanted to avoid an opt-in for Article 5(3). The notion of “prior” consent had been proposed by the European Parliament in its second reading position but the word “prior” was later removed during the legislative process.
• Ways to control cookies. When the European Data Protection Supervisor recently referred to this point in his press release, he indicated that under the new directive users should be offered better information and easier ways to control whether they wanted cookies stored in their terminal equipment. Again, the ability to control the deployment of cookies does not necessarily mean prior consent, but a practical mechanism to determine the role of the cookies.
• Using appropriate settings of browsers and other applications. In line with this practical approach to controlling cookies, recital 66 states that the user’s consent may be expressed by using the appropriate settings of a browser or other application. This is a clear and visible sign in support of technological solutions that follow the privacy by design approach, and it also confirms that EU law makers are prepared to allow internet users to rely on the technology itself to define their privacy preferences. In practice, this means that internet users will be increasingly expected to employ technological means to decide which types of cookies they are prepared to accept and which ones they are not.

What should websites using cookies do now?

The logical way forward would be for the national legislators to adopt a purposive interpretation of the new wording affecting cookies. This interpretation should lead to a universally accepted position where, in the case of cookies, the user’s consent may be deemed from the relevant browser settings provided that there is genuine transparency.

In the meantime, operators of websites deploying cookies should devise a realistically compliant strategy based on the points made in the recitals of the directive, and use that to make representations to those in charge of implementing the directive in the EU countries where they operate.

Eduardo Ustaran is a partner at Field Fisher Waterhouse and the head of the Privacy and Information Law Group. He is an internationally recognised expert in privacy and data protection law, and co-author of E-Privacy and Online Data Protection and of the Law Society’s Data Protection Handbook.

Email eduardo.ustaran@ffw.com.