Friday, November 26, 2010

Imagine if tennis had different rules in every country: Cookie Confusion comes to the Continent

A decade ago, European policymakers debated the level of consent required for data protection purposes when a website uses a cookie. Common sense ultimately prevailed. Policymakers realized that an opt-in regime would drive users mad, as every website would be forced to serve up pop-ups asking users to opt in, annoying everyone. Alternatively, websites could just stop using cookies, but that's unworkable in basic technology terms. So, a Directive was adopted mandating an opt-out regime, together with clear notice in privacy policies of the use of cookies. All browsers introduced cookie controls too. After a decade more of experience with the Web, rather than seeing more wisdom about the Web, we're seeing the status quo common-sense approach up-ended by contradictory policy agendas in Europe. So, the question is back on the policy agenda: should interest-based advertising be opt-in, or opt-out?

What are the rules now? The 2002 E-Privacy Directive was significantly changed in 2009 (Directive 2009/136/EC). Specifically, the wording for cookies was modified:
  • Article 5(3): Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing...
  • Recital 66 (non-binding): ...Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.
While non-binding, Recital 66 clearly indicates that the directive does not intend to make cookies opt-in. The guidance from the Commission on this question has, however, been ambiguous.
  • In a June 2010 opinion, the Article 29 Working Party contended that in the case of interest-based advertising, at least:

The Article 29 Working Party is of the view that prior opt-in mechanisms, which require an affirmative data subject's action to indicate consent before the cookie is sent to the data subject, are more in line with Article 5(3). In a reference to consent as legal grounds for processing, the Article 29 Working Party recently confirmed these views: "The technological developments also ask for a careful consideration of consent. In practice, Article 7 of Directive 95/46/EC is not always properly applied, particularly in the context of the internet, where implicit consent does not always lead to unambiguous consent (as required by Article 7 (a) of the Directive). Giving the data subjects a stronger voice ‘ex ante’, prior to the processing of their personal data by others, however requires explicit consent (and therefore an opt-in) for all processing that is based on consent."

  • In a speech in September 2010, Neelie Kroes (European Commissioner for the Digital Agenda) acknowledged the value created by the online advertising sector and signalled that she was “open to all creative ideas” to develop self-regulation that works for the advertising industry. When directly asked, she also said she was "not in favour of opt-in" for interest-based ads.
  • Alberto Alvaro, the MEP who drafted the revised ePrivacy Directive, has written that it “does not require websites to obtain prior consent for cookies to be placed on users’ terminals.”
  • The Commission’s DG Legal Service has not yet expressed an opinion on whether the revised E-Privacy Directive requires explicit opt-in for interest-based ad cookies.
But this is only the start. The scope for confusion will increase exponentially as individual Member States transpose the law. With no clear guidance to Member States, it is inevitable that 27 different national parliaments will begin diverging in how they transpose these rules. All of which means that global websites will face far more policy and legal confusion in Europe in the years ahead, and users will be facing very different privacy "protections" across geographies. How all of this is supposed to work in the real world is anyone's guess. Messy and contradictory laws and regulations are nothing new in politics, but if you're an engineer, what are you supposed to code?
I always think transparency and user choice are the linchpins of privacy. But a legislated solution which forces people to click like mad on cookie consent pop-ups is hardly the right way forward. At least tennis has clear rules, and they're the same everywhere.