By Dan Cooper and Mark Young

This week, the Article 29 Working Party (the “WP29”) released an opinion paper on what constitutes “consent” for purposes of complying with the EU’s “cookie” rules — rules that were revised to include a consent requirement nearly four years ago.  The paper will be relevant to website providers that are subject to the EU’s cookie regime.

The timing of the paper is curious.  After EU Directive 2009/136, amending Directive 2002/58, was passed in 2009, the market was in a state of limbo as Member States worked out what the consent rules meant and how to implement them in national law (see here).  To everyone’s relief, a consensus slowly began to emerge, arguably spurred by guidance from the UK Information Commissioner’s Office (the “ICO”) in late 2011 and May 2012 (see here and here).  Now, the latest WP29 guidance — which is not legally binding but carries significant weight — threatens to revive the old debate and compel industry to revisit issues that many thought were resolved.

For example, the paper suggests that going forward websites “operating across all EU member states” — although it is not clear what this actually means — will need to adopt the following mechanisms to ensure that user consent is valid:

  • Specific information.  In addition to other relevant disclosures, operators will have to inform users about how to accept all, some or no cookies, and how they can change their preferences in the future.
  • Prior consent.  Website operators will be expected to obtain consent from users before deploying non-essential cookies, such as analytics or behavioral advertising cookies, on the user’s device.
  • Affirmative action.  Even more controversially, websites will have to capture affirmative user consent through the clicking of a button or a link, or the ticking of a box positioned near the relevant cookie notice (as opposed to passive pop-ups or banners, commonly used by industry at present).  The WP29 also points out that information on cookies should remain visible on the site until the user has expressed his or her consent; which again runs contrary to current practices.
  • Real choice.  Users should be given a real choice about the types of cookies deployed on their machine, which in practice would mean being allowed to access a website without accepting non-essential cookies.  Such granularity is only a recommendation and it remains to be seen how, and if, it will be adopted by websites.

 

By way of background, it is worth recalling what leading European Parliamentarians thought when the consent requirement was first introduced into EU law. Alexander Alvaro, the European Parliament Rapporteur on the e-Privacy Directive, stated in an interview in 2010:

When the Parliament debated amendments to Article 5, the ‘‘prior consent’’ formulation was considered and rejected in favor of a wording where the Parliament left more room for flexibility. This flexibility is also reflected by the fact that the Parliament eventually adopted Recital 66 that was intended to clarify that use of browser settings could be considered an indication of ‘consent’. . . . Had the Parliament intended [for example] the placing of all cookies on a user’s terminal to require ‘‘prior’’ and/or ‘‘explicit’’ consent, it would have adopted such language, consistent with the other occurrences of such terms elsewhere in the text and it would not have adopted the language of Recital 66 as it currently appears in the Directive.

Notwithstanding such statements, the new law gave rise to differing views over an “opt-out” versus “opt-in” approach to procuring user consent. In May 2012, the UK ICO released guidance that supported a business-friendly compliance approach. In other Member States, there was an active debate on the adequacy of various consent practices — for example, in The Netherlands, the Dutch Parliament passed a controversial law — now undergoing a review and likely repeal — requiring websites to obtain explicit, opt-in consent before deploying cookies. Meanwhile, an industry consensus and uniform practices were slowly beginning to emerge, involving the use of various on-screen pop-ups, banners and related devices.

Against this backdrop, the new WP29 Opinion now attempts to set out how websites “operating across all EU member states” can comply with the notice and consent requirements. Unhelpfully, the guidance fails to provide a definition for the websites likely to be caught within its remit. For example, it is not clear whether a global “.com” website, not expressly targeting European users, would be expected to comply with the WP29’s recommendations. This ambiguity in scope is likely to cause further consternation amongst industry, not least because the WP29 seems to adopt a stricter approach to consent mechanisms than had been emerging in practice. It is too early to tell whether this paper will have a material impact on existing industry practices, although many website providers understandably are likely to re-examine their reliance upon more passive screen displays, consider whether users can be furnished with greater choice with respect to cookies, and revisit the timing of when cookies are actually conveyed to a user’s machine.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.