Cookies, and other means of tracking user activity online, have been regulated in Europe since 2009, via the European Union’s (EU) “e-Privacy Directive”. In its current form, agreed in 2011, this directive sets out that browsing data, and other information collected online, may only be obtained and used by businesses if they display a statement of intent and offer their visitors the opportunity to opt-out or personalise the level of micro-data they share from their activity on a website.
The Directive serves as a minimum baseline for the EU Member States, although, for multi-national organisations, the stipulations on Metadata collection will vary depending on the country to country legal text.
In some of the more privacy-minded member states, such as Austria, Germany, Denmark, the Netherlands, and Sweden, to name a few, additional provisions, beyond the Directive, have been written into domestic law. While in France and the UK, the country’s regulatory bodies, the Commission Nationale de l’Informatique et des Libertés (CNIL) and Information Commissioner’s Office (ICO) have gone significantly further, by pre-empting some of the changes that were expected to have been set out in the EU’s draft ‘e-Privacy Regulations, with upwards revisions to their legal texts.
In both cases, serious change is being wrought–and, ultimately, will mean that organisations may soon have to demonstrate a user’s consent by demonstrating that it is:
• Freely Given: The user should not suffer any major inconvenience if they refuse to give or withdraw their consent. The practice of blocking access to a website or a mobile application, unless consent is provided, does not comply with the GDPR;
• Specific: The user must give his or her consent specifically for each distinct purpose. Blanket acceptance of general terms and conditions of use does not constitute valid consent;
The current line is that UK enforcement action will focus on organisations that refuse to take steps to comply or have been using privacy-intrusive cookies without notice after an “appropriate period”
• Informed: Information provided by organisations should be clearly and simply written, enabling users to be fully informed about the different purposes of the cookies and/ or trackers used. The information must be complete and conspicuously visible at the time of obtaining consent;
• Unambiguous: Consent should require positive action, to constitute opting-in. Merely, continuing to browse a website or scrolling a page will no longer be considered valid consent. Similarly, the use of pre-checked boxes and/or the blanket acceptance of terms and conditions will also no longer be considered valid consent;
• Revocable: Users should be able to withdraw their consent at any time. User-friendly solutions must, therefore, be implemented by organisations to allow users to withdraw their consent, where desired.
The ICO’s guidance, for UK operators, is comparable in many ways, and also includes some coverage over social media. It notes that organisations’ privacy notices should include references to any social media presence that they may have, and should detail how users can control any non-essential cookies once they visit any such social media site, even if this control cannot be covered by the organisation’s consent mechanism. This reflects the recent judgement of the CJEU, in Unabhängiges Landeszentrum für Datenschutz (ULD) Schleswig-Holstein against Wirtschaftsakademie Schleswig-Holstein GmbH, which found that this may not be the case where a company has a presence on a social media platform and gathers statistics from that platform based on user interaction.
There are some other distinctions, too. The CNIL stipulations, for one, appear to be more relaxed on the subject preference cookies – at least in their draft form. For example, they currently state that actions, such as a user expressing his/her preference for using a website in a certain language, will be exempt from consent requirement. They alsogrant organisations a twelve month “grace period” to ensure compliance with its guidance – whereas, in the UK, there is no published limit, as yet, although there has been talk of a maximum six months. The current line is that UK enforcement action will focus on organisations that refuse to take steps to comply or have been using privacy-intrusive cookies without notice after an “appropriate period”. A further, arguably more important divergence is that, whereas CNIL provides no specific guidance on the prominence of “options” for web visitors on how they consent to their data being collected, the ICO sets out that if organisations use a “agree” or “allow” cookie opt-in, and display it ahead of “reject” or “block” opt-outs, they will not be compliant and could be subject to action. No clear preference should be visible; it should, ultimately, be left to the user to decide, in their free mind.
So, there’s a lot to consider, as both sides set out their stall ahead of the ePR. The guidance won’t be of concern for some, including those who use management systems such as OneTrust – which has already adapted to meet the challenge of these new stipulations – but other organisations, will be short, and will need to revisit and update their current cookie practices and policies.
The moves by CNIL and the ICO are, in the main, representative of something far more substantial: growing appetite by national regulators to out-do one another, and push for upward revisions in their privacy regulations. It’s a popular move, publicly, given current news of MNC misdemeanours – and business leaders, and their data privacy staff, would do best to prepare and implement these new changes, now, so they’re ahead of the curve.