Defining Consent for Cookies

The Article 29 Working Party is an advisory group to the European Commission on issues of Privacy and Data Protection, so they would have had a lot of input into the Cookie Directive while it was being written up.

Therefore, when they come out with an ‘opinion’ on one of the most imortant aspects of the law – the definition of consent, it is worth paying attention.

If you really want to read the full text of their opinion, which was officially adopted on 13 July 2011, you can find it here in PDF form.  However, be warned that it runs to 38 pages!

For those who don’t want to wade through all that very legalistic language, we have done and are happy to announce we think it can be boiled down to a few key points.

Firstly, in order for consent to be meaningful, it must be based on accurate information being supplied as to what it being consented to.

Secondly, consent needs to be given before any action for which it is being sought can start.

And thirdly, that consent can only be signified by taking some positive action.

In the context of the cookie law it means that website visitors need to be given information about what is being done with the data in the cookies, and that they will have to take action to agree to that, before any cookies can be set or retrieved by the site.

This is much clearer guidance than we have previously seen.  Notably the open letter from the DCMS in the UK back in May that seemed to suggest that consent could be acquired after cookie processing had begun – which this new opinion directly contradicts.

It also has significant implications for the so-called browser based approach to consent.  The requirement for consent to be signified by a positive action in response to specific information, makes a browser based approach impossible without significant new browser functionality, and then forcing all web users in the EU to download a new version.

If anyone thinks that is going to happen in less than a year – they are dreaming.

Firstly, browsers would have by default to be set to refuse all cookies, until the user opts to change the settings.  Secondly, the information that browsers supply to users about cookies can in no way be considered specific enough for a use to give informed consent.

This is not entirely the browser’s fault – the cookies themselves carry no information about what they do or who collects the data.

There is also the issue of liability.  It is the responsibility of the website owner to ensure that cookies are not used without consent.  Which would mean that a browser would have to actively send a message to the website that consent had been recieved, before it could act. 

A lack of such a message could not signify consent – so the website has to de facto assume there has been none – and would therefore need to seek it from the visitor using its own methods, becuase it could not rely on the browser not storing them.

We’d love to hear your opinions on this but we believe this all means that web based permission scripts, of the sort we have developed, are the only viable solution in the short term, and may be the only safe one for website owners for many years to come.