Time to pay attention to those cookies

We may be too quick to dismiss pop-ups and ignore website policies

Compliance or lack thereof with the law on cookies is coming under fresh attention from Europe’s data protection authorities – five years after an amended EU eprivacy directive governing the use of cookies came into force.

A tricky area that poses challenges for companies and organisations, it’s also one perhaps not well understood by those who impatiently dismiss pop-ups or who fail to properly read website policies to see what information those sites may be accessing and collecting.

The level of complaints – ie almost none – to the Data Protection Commissioner here about any misuse of cookies suggest it isn’t something that exercises Irish consumers in the same way as marketing spam to their mobile phones or email inboxes.

But a representative body of all of Europe’s data protection authorities – including Ireland’s – has taken the view that given the nature of behavioural advertising, transparency requirements around cookies are “a key condition for individuals to be able to consent to the collection and processing of their personal data and exercise effective choice”.

READ MORE

Solicitor and data protection expert Paul Lambert of Merrion Legal in Dublin says it is important for organisations delivering a service "to be able to track and try and build up databases, patterns and profiles in relation to individuals".

But he adds: “From an individual’s perspective, it’s increasingly important that a person’s activities and what they do electronically is their personal activity and their personal life and they do have legal rights in relation to that – one is privacy and one is data protection.”

“Things like the backdrop to the Snowden revelations and all of the fallout from that really emphasise how important it is for users and individuals to apprise themselves [of the issues], but also for organisations to make sure they are legally compliant in terms of their data protection obligations.”

Information security consultant Brian Honan of BT Consulting says many people are not aware of how much information cookies can capture and how they can be used to trace their activity on a website, or, indeed, across the internet.

“This information can be a gross infringement of their privacy and under EU law Irish website owners are obliged to notify visitors to their sites as to how they use cookies on their sites.”

He says his company has observed with a number of Irish companies “a lack of awareness of these regulations and quite a few sites have no cookie notices at all”.

“We need better awareness for consumers as to how to protect their privacy online and part of that education should be on cookies.”

Honan notes most modern browsers can be configured to automatically delete cookies when the browser is being shut down which can remove a lot of unwanted tracking cookies.

He suggests third-party plug-ins such as DoNotTrackMe and the Collusion Extension for the Chrome browser to protect people from cookies or to highlight how they are being tracked online.

France's data protection body, known as CNIL, will later this month carry out cookie "sweep" days, examining the privacy issues around cookies. It plans to share the results with other data protection authorities in Europe.

In October, the authority will start auditing websites, checking to see what types of cookies and trackers are set – this will include flash cookies, HTTP cookies and fingerprinting.

Crucially, it will also examine the purposes for which cookies are used, whether site operators are aware of all the cookies being set, and whether there are cookies that require the consent of those using the site.

Separately, the Dutch data protection authority found in May that an advertising agency had violated the law on cookies by using people’s personal data for behavioural ads without first obtaining their “prior unambiguous consent”.

In December 2012, Ireland’s Data Protection Commissioner (DPC) sent letters to 80 of Ireland’s “most popular” companies and organisations reminding them of their obligations on cookie compliance.

Ultan O’Carroll, technology adviser and assistant data protection commissioner, said that over the course of the following year, the office carried out follow-up inspections and things were “much improved”.

The office rated websites under various criteria using a “traffic light approach”, rating them good, very good or brilliant.

“To be honest, very few of those would’ve gotten in to the gold/amber/orange. Very few got into the brilliant category. A lot didn’t get into any category and a lot got into the bottom category as well,” he says.

Irish ‘sweep’

The results of the Irish sweep were fed back to Europe and into the so-called Global Privacy Enforcement Network (GPEN), an informal international network of privacy authorities.

O’Carroll says the latest pan-European sweep on cookies and privacy may be targeted at a particular industry sector, but that this isn’t yet confirmed.

He says Government bodies tend to be “generally all right” in terms of compliance because they are not using commercial beacons and trackers on their sites.

Some local authorities, however, use Google Analytics and they were given some guidance by the DPC.

Overall, he says the DPC recommends the “explicit” approach to getting consent for cookies – ie a “positive, intentional action” on the part of the user.

Consultant in data protection and data governance issues Daragh O’Brien says the sequence for consent and delivery of the cookies is important.

The notice should be shown to the user, who then consents (or not), followed by the cookie being dropped.

“It’s easy. Do you want a surgeon to cut you open while telling you about the operation or after they’ve told you? Sequence is important.”

Lambert notes that privacy policies and cookie policies “are two very distinct things, and there are very distinct legal obligations”.

They will require input from different people within the organisation.

In the context of cookies or optimisation this needs to involve the technical people behind the site, and may also involve third parties to whom certain services are outsourced.

Lambert suggests sites and apps handling sensitive personal data, such as health information, are currently “a red flag area” and that there may be hidden things happening with the collection of data or with cookies.

He believes a lot of this activity may involve smaller organisations or individuals who simply don’t have the depth of experience of compliance knowledge in data protection law.

“This applies particularly for apps which may be created outside the EU, where it’s typically recognised that less stringent or less individually protective data protection laws may apply.”

Dr TJ McIntyre, a lecturer at UCD school of law and chairman of Digital Rights Ireland, says he was "not a particular fan" of the cookies directive to begin with and that it is also limited to websites operating under European law.

“There’s also a problem with the implentation of it. You have to get a cookie to remember you’ve seen the opt-out notice which means that if you don’t store cookies, you see it every time which gets extremely annoying.

“Technically, I think it could have been better implemented.”

He adds: “The idea of a cookie being a thing that’s stored on your equipment to monitor you is very much based on a 2002 piece of legislation, it’s not something that really reflects modern tracking techniques.”

Some EU privacy experts have already warned, however, that the use of new technologies such as canvass profiling is unlikely to allow organisations evade the cookies directive, because that law is agnostic as to the technology used to gain access to or to store information on a user’s computer or device.

Regulating cookies: what the Data Protection Commissioner recommends

The so-called e-privacy regulations (SI 336 of 2011) implemented the EU’s amended eprivacy directive on July 1st 2011.

The DPC says that in order to meet the legal requirements, the minimum requirement is “that clear communication to the user as to what he/she is being asked to consent to in terms of cookies usage and a means of giving or refusing consent is required”.

The regulations do not prescribe how consent to drop cookies is to be obtained but they envisage that, “where it is technically possible and effective”, such consent could be given by the use of appropriate browser settings, as long as reliance is not placed on the default browser settings.

The office says it is particularly important that the requirements are met where third-party or tracking cookies are being deployed, “such as when advertising networks collect information about websites visited by users in order to better target advertising”.

It says it would be satisfied with a “prominent” notice on the homepage informing users about the website’s use of cookies with a link through to a cookie statement containing information sufficient to allow users to make informed choices and an option to manage and disable the cookies.

Ultan O’Carroll of the DPC says the office will carry out a quick, visual assessment for anyone who has a website and who is looking for guidance on compliance.

He notes there are differing approaches to cookies consents across Europe, depending on whether local legislation requires “explicit” or “implicit” consent from the consumer for the use of cookies.

A lot of cookie statements “don’t read well, are hard to understand or they’re just plain, factually wrong”, he says.

“We often find that companies don’t really make it clear how you can clear cookies or reject them or delete them. Very often they’ll make reference to a third party site - maybe allaboutcookies.com or a wikipedia page.

“We’d expect as best practice that entities don’t advocate in that way. They need to take responsibility for their own users and to at least make some effort to outline how an individual can go about doing (dealing with cookies).”

Referring users to a UK website to tell them how to manage cookies is also a “no-no” as this is specific guidance designed for compliance with UK legislation.

O’Carroll suggests that any company with a multi-jurisdictional presence in Europe “needs to be compliant with the most restrictive practices” and that any data combinations with Google Analytics is one the DPC always examines.

Further information is available at data protection.ie