Cookie Law Reform in 2016?

By: Richard Beaumont | Tuesday, February 10, 2015 | Tagged: Cookie Law Review, European Commission

When the new European Commission was announced last year, one of the tasks for Gunther Oettinger as Commissioner for Digital Economy and Society was leading a reform of the e-Privacy Directive, which, amongst other things, contains the requirements for consent for the use of cookies and similar technologies on websites. See our report from the time.

A timetable for this has now emerged in a new document (PDF) from the Commission, which shows this work as ‘Ongoing, expected to end in 2016’.  This also reinforces the position that the need for the reform is driven by the introduction of the Data Protection Regulation, which is widely expected to be completed by the end of 2015.

The current cookie rules, introduced in 2011, have been widely criticised, poorly implemented by many publishers, and have resulted in minimal enforcement action. This has led many to state that the cookie laws have resulted in no benefit for consumers with respect to increasing online privacy, merely increased expense for website owners.

Many people would like to see the laws scrapped completely. Thanks to one high-profile publicity campaign in the UK, many believe they have been already. So, given all of this, what, if anything, can we predict about how the law might change?

It is difficult to be sure until the regulation is finalised where the main points of divergence between the two sets of legislation will be, but we can perhaps make some educated guesses about the changes, as well as our own recommendation.

Many of the cookie rules hinge on the definition of consent, so if this changes in the regulation it will have a big impact. In particular, there is a push towards making explicit consent the norm, and if this becomes the case then implied consent, or opt-out approaches to the use of cookies, will need to be revised towards a more opt-in approach.

However, if that happens, then I would suggest we are likely to see at the same time a narrowing down of what types of cookies would be subject to this regime. The Netherlands, for example, is already preparing changes to its opt-in based law that narrow the scope of the requirements from the original provisions.

There is a general move in the Regulation to limit and give consumers control over profiling – and a lot of this is aimed at curbing ubiquitous online tracking of users across domains, using cookies and other methods of identifying individual device users. I would suggest this would likely become the focus of an ‘opt-in to accept cookies’ model, with less privacy-invading cookie uses more likely to be given exemptions or subject to lower requirements.

One area in desperate need of reform is the language around the use of browser settings to signal consent. This is currently far too vague to be of practical benefit to either users or publishers, especially given that, as the ICO points out in its guidance, current browser settings options are not up to the task.

Browser privacy controls, whilst not exactly keeping pace with tracking technology, have come a long way since the legislation was written, and in particular the Do Not Track feature is now universal in modern browsers.  There are ongoing debates about how sites should respond to Do Not Track (DNT) requests, in an attempt to get a global standard adopted.  Regardless of the progress of that work, there would be a huge leap forward in user privacy, and potential for improvements in usability, if the revised ePrivacy law were to explicitly set out what a compliant response to a DNT request would be. I would expect to see something about that in any changes.

Even as the cookie law first emerged in the consciousness of developers and service providers with a need to make changes to implement it, there was talk of alternative technologies that would enable the laws to be sidestepped without stopping the collection of information from consumers. There was much talk of device fingerprinting techniques as being outside the wording, if not the spirit, of the law, and it took an opinion of the Article 29 Working Party (PDF) to quash that interpretation. I suspect there will be a lot of scrutiny of the wording of the directive to ensure it can keep pace and achieve its goals in the face of ever-increasing rates of technological change.

Finally, and perhaps more of a wish than an expectation, a comprehensive review of the cookie law should take a good look at the user interface issues that have really been the centre of much of the talk of the flaws in the law. It would make a lot of sense for legislators to look at examples of both good and bad practice in the notice and consent mechanisms that sites employ. By doing so they can try to shape the requirements in such a way that they support models that allow for strong privacy protection that creates a better user experience. This has the potential to encourage compliance more effectively than the threat of fines, which in many cases are not large enough, or likely enough, to be a viable deterrent.

It is important to point out that all of this is just speculation at the moment, but there is one thing we can be sure of.  Once the work on the reform begins, the lobbying from interest groups will also get pretty fierce.
