New Rules for Cookies
Cookies are small information files originating from visited
websites which the browser stores on the user's computer. Those
same websites can read the information in the files during the
user's next visit. This way the website recognizes the user, which
means, inter alia, that the user does not have to submit this
information again during a subsequent visit to the
website. It is also possible, to a limited extent, to use cookies
to track the surfing behavior of users.
In principle, cookies are for the users' convenience. On
the other hand, by means of cookies extensive information about
internet users can be collected in a simple way. It is possible -
for instance for advertisers - to create user profiles in a simple
and unnoticed manner and - especially if the users can be
identified - to infringe their personal privacy.
The applicable laws
The use of cookies is regulated in Article 5 (3) of the e-Privacy
Directive (2002/58/EC), in which it is stipulated that the storage
of cookies is only allowed on condition that (i) the user concerned
is provided with clear and comprehensive information in accordance
with Directive 95/46/EC, inter alia about the purposes of
the processing, and (ii) that the user will be offered the
opportunity to refuse such processing.
Incidentally, these two requirements do not apply if the sole
purpose of installing the cookie is to carry out or facilitate the
transmission of the communications, or if this is strictly
necessary in order to provide a service requested by the user.
In the Netherlands, the provision of Article 5 (3) of the e-Privacy
Directive has been implemented in Article 4.1 of the Universal
Service and End Users Decree (Besluit Universele
Dienstverlening en Eindgebruikersbelangen (BUDE)), which
stipulates that the required provision of information must be made
prior to the installation of the cookie. In this regard
the BUDE clearly deviates from the Directive and prescribes that
during the first visit to a website information must first be
shown, for instance by means of a pop-up or lead-in page, before a
cookie is installed. In practice, this poses such a hindrance that
almost all websites confine themselves to giving information about cookies in
their online privacy statement. In the Netherlands this practice
seems to be tolerated.
The question is what the amended e-Privacy Directive will change in
this respect. The new Article 5 (3) stipulates with respect to the
installation of a cookie that the permission of the user
is required, after he has been provided with clear and
comprehensive information about, inter alia, the
purposes of the processing.
Permission
Therefore, in order to install a cookie the user's permission
is required. It appears from the preamble pertaining to the amended
directive that the permission by the user can also be given by
means of the settings of the browser or a different application.
Apparently, in the eyes of the Commission this also meets the
requirements regarding permission that apply on the basis of the
general Privacy Directive (95/46/EC). On the basis of this
Directive there must in any case be a freely-given, specific and
informed expression of will. In concrete terms this seems to mean
that when the browser of the user is set in such a manner that the
installation of a cookie is accepted, the requirement of permission
has been met.
By default, almost all browsers automatically accept cookies.
Therefore, a user must actively change the settings in order to
ensure that cookies are refused. Many users, however, are not aware
of their browser settings or how they can be adjusted. Therefore
the question is whether changing or not changing the settings of a
browser can indeed be regarded as a freely-given and specific
expression of will of a user. If the European legislator is of the
view that this is the case, this may have far-reaching consequences
for the interpretation of the concept of permission under the
general privacy legislation. As a result, the requirement of
permission would become an empty shell. It will mainly depend on
the Dutch legislator who has to implement the amended Directive and
who has to substantiate the concept of permission whether it will
come to this.
Information
According to the second requirement, prior to the request for
permission the user will have to be provided with certain
information. This provision of information must be clear and
comprehensive and must also take place in a user-friendly way as
much as possible. Just like under current Dutch law it now also
seems to be required on a European level to first show a pop-up or
lead-in page during the first visit to a website in order to meet
the requirement of information before obtaining permission via the
browser settings. In practice this is a method that is not very
practicable and extremely unfriendly to users.
It is clear that the European legislator paid little attention to
practice when the new cookie rules were elaborated. Moreover, the
question is whether on the basis of the new European legislation
the national regulatory authority (in the Netherlands: OPTA) will
now indeed take action against a practice that seemed to
be tolerated in the Netherlands to date.
In that case the current practice must be adjusted and informing
the user about cookies via the privacy statement is not sufficient
anymore. But how can websites give substance to the requirement of
permission and information in a user-friendly manner? Time will
have to tell how the new rules will be implemented in the
Netherlands and how practice will subsequently deal with them.
All this does not alter the fact that cookies may violate the right
to respect for the personal privacy of mostly unwitting users. It
would show vision if the Dutch legislator were to take this into
account and propose a system in which the advantages of cookies are
maintained while the risks are limited. It is obvious that
in that case particular attention should be paid to possibilities
for preventing the link between the cookie and an identified user.