Calls for Cookie Law to be Strengthened

By: Richard Beaumont | Tuesday, August 16, 2016 | Tagged: Cookie Law, Cookie Law Review | Leave Comment

Preliminary results of a consultation on the EU ePrivacy Directive, which includes the rules on consent for cookies, show that citizens, civil society groups and data protection authorities all want to see a strengthening of rights and rules in online privacy.  Industry however is hoping for a different outcome, almost certainly because proposed changes look set to disrupt their business models, and force them to do more to ensure privacy of communications and online activity are better protected. 

The report published by the European Commission shows that the large majority of citizen respondents support specific communications privacy rules, and believe the current rules are less effective than they could be. 

This would seem to support the Commission’s own position that, as with the GDPR, ePrivacy laws need to be modernised and strengthened in light of current trends in technology.  This is likely to mean online messaging, email and chat services like Skype, Gmail, and WhatsApp will be required to provide the same level of communications privacy that fixed and mobile phone services are required to do already.  Most of the internet communications services are free of charge to consumers because they can mine the personal data of users to sell to advertisers, something that new rules could prevent. 

No Cookie Walls

When looking at the rules for cookies, most citizens also wanted to ensure they could use online services even if they refused or withdrew consent for the setting of cookies.  This would be in line with the provisions of the GDPR where consent itself can only be deemed valid if it can be withdrawn without detriment. Something that industry can be expected to fight.

There were also significant consultation responses from two key influencing organisations, the Article 29 Working Party (WP29) and European Data Protection Supervisor (EDPS).

The WP29, made up of representatives of the national data protection authorities, called for clarification (PDF) of the cookie rules to make it clearer that the main target of the laws are the impact of cookies and other technologies on the privacy of individuals.

They have asked for less focus on ‘storing information on terminal equipment’ making the rules more technologically neutral, clearer, and more focussed on tracking. Modern devices broadcast a lot of information about themselves, often for very good technological reasons.  However this information can be used to ‘fingerprint’ a device and to single out the user for profiling purposes.  Recently it has been shown for eaxmple that the battery level of a device can be used to track people. The WP29 wants to make sure the revised ePrivacy rules would requires consent for such activity.

At the same time they have called for a relaxation of the rules for activities that do not impact on privacy. This might lead to greater clarity over what purposes of cookies would not need prior consent– giving as an example first party web analytics.  However, they would still require people to be able to opt-out of such activity if they wish.

The EDPS took a similar line (PDF), emphasising that any consent must be freely given, ie that there is an opportunity to refuse to give it yet still use a service, and that most of what they call ‘tracking and monitoring’ should be subject to a revocable consent, regardless of the technology doing the tracking – again focusing on the purpose rather than the technological means.

Both organisations also called for privacy controls to be built at the browser or operating system level of software – to make it easier for individuals to make and change choices, that could operate across all the services they might encounter, avoiding the need for site by site solutions.

Whilst this seems like it would make things easier and more consistent for users, such a thing would require a level of standardisation and agreement on interpretation of the rules that would likely take many years to get to a point where market solutions would work at any kind of scale.

Tag Cloud