Tuesday 17 May 2011

Restraining cookies: the new privacy rules

On 26th May 2011, a new law — the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 — comes into force which will change fundamentally the legal regime governing cookies and other similar locally stored data. As I will explain, the legal change is a big deal, but the practical effect may, at least in the short term, be small.

The Information Commissioner has published some useful practical guidelines (alas only as a PDF). They are not definitive (so they may not protect you in the unlikely event someone tries to sue you for damages caused by a breach of the regulations) but since the Information Commissioner (or his office at least) has the primary role in enforcing the regulations, complying with his guidelines will go a long way to avoiding any possible legal repercussions. If you have a short attention span and wish to read only one thing about the new cookie law then I'd advise you go there (see you another time and thanks for visiting).

The new rules apply to storing (or accessing information stored) on a public network user's computer. That includes not only cookies and "flash cookies" but any other information that might be stored on a local computer, for example they would certainly apply to the iPhone's storage of location data. For brevity I'll talk about cookies, storing cookies but all that follows applies much wider than that.

Overview

The amended regulation 6 will forbid anyone from storing cookies unless one of the following applies:

  • the user has given their prior, informed, consent (an opt out is no good)
  • it is for the sole purpose of "carrying out the transmission of a communication"
  • it is strictly necessary for the provision of an information society service that was requested by the user

In practice this means that, except in very limited circumstances, prior explicit permission will need to be given by a user before using cookies. The limited circumstances might include situations where the illusion of a session (http being stateless) is needed in order to provide the user with the service they want, for example via a "shopping cart".

Tracking what a user does (eg with a tool like google analytics) or supplying additional services they might want (eg "other users also bought...") would not be for a service "requested by the user" and so would need consent.

Consent may be given by the user explicitly setting their browser to accept cookies. At the moment most browsers will, by default, accept cookies and so it is not, at present, realistic to rely on a user's browser settings to gain the necessary consent. Browser technology may change to make such a reliance tenable and I expect there to be some pressure in that direction.

Clauses in a website's terms and conditions which do not have to be explicitly accepted by a user (for example because they are linked to at the bottom of a page) are, in my view, also not going to be any good.

One small consolation to online service providers is that the ICO has said that in the early stages of this new law all he will look for is a plan to get things right, rather than expect 100% compliance from 26th May. That isn't an excuse to be complacent, but does give some breathing space.

Detail

The origin of the new law is in an amendment to the directive on privacy and electronic communications (directive 2002/58/EC). There doesn't appear to be a consolidated version in html format online, but for the purposes of this post all we care about is replace article 5(3) which was added by directive and reads:

3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

One one analysis it is not the web server (and thus the operator of the server) who stores or gains access to cookies on a user's machine, rather the server returns a "Set-Cookie" response which a web browser has no obligation to honour. It is also the web browser that transmits the value of a cookie back to the web server.

The directive is not intended to be understood in so narrow a sense. Only a small minority of web users understand how http works. The majority will not realise that information is being stored by their web browser on someone else's behalf. It is clearly the risks associated with this lack of knowledge that the directive aims to address. Recital 24 says:

(24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

Recital 25 makes it clear that "cookies" are one such device. It concedes that they can be legitimate and useful but that any use must be with informed consent.

Article 5(3) is very broad in its application. It catches storage on any "terminal equipment" (so mobile devices as well as traditional PC's) and is not restricted to the web or web browsers. The terminal equipment need only belong to a "user" which is defined in article 2(a) as anyone using the network for private or business purposes. So it does not seem to be possible to agree with a subscriber to (say) an ISP or mobile phone service in advance that they consent to the storage of cookies etc on any terminal equipment using their connection if others might use it with different equipment.

The only obvious restrictions to 5(3) are:

  • It only applies to services available over public communication networks and so does not apply to (i) private network services or (ii) to gaining access to a computer without using a network at all.
  • Unsurprisingly, member states are allowed to create their own exceptions where necessary for the purposes of public security, defence and the prevention of crime. Just such an exception was made by the UK in regulation 28 .

Who is responsible? For example, at present I publish this blog using google's blogger service. If google choose (say) to track those reading my blog using cookies without my asking them to, what then? In my view it is the service provider (in this case google) that is carrying out the unlawful activity rather than I, although if I have expressly asked them to do so, then we may both be responsible. If, on the other hand, my blog was made available on a "dumber" hosting service - for example if I installed my own wordpress isntance on a server on which I had shell access and I decided to use cookies, then it would be I, not the provider of my shell access account, who would have to take care of the legalities.

There are two ways that a user (or subscriber)'s rights may be enforced. First by the information commissioner in much the same way as data protection obligations are enforced. Second, regulation 30 permits an individual who has suffered damages as a result of a breach (who might not be the user or subscriber whose equipment was accessed) to bring a claim for damages against the person who committed the breach. There is a defence of reasonable care against such a claim.

So, where cookies are used to illicitly track an individual's preferences and sold to advertisers to allow advertising to be targeted, there is unlikely to be any actual damage and enforcement would have to be by the information commissioner. By contrast, where the use of cookies results in someone's bank details being obtained by a third party (entirely possible with some of the more poorly written systems out there) there may well be financial loss and a right of action. In practice I don't expect to see very many claims, interesting though they would be.

Update

An anonymous commenter asks about other forms of content stored by a web browser. A web browser will almost always store the http response(s) to any request. Some of the information contained in that response may be sent back to the server. A simple example being the value of any fields set in an HTML form, but there are many other, in some cases very sophisticated, mechanisms for doing the same thing. Even the URL in an href attribute can be used to store information — as those with long web memories will recall, one of the earliest example applications using HTML created a noughts and crosses game doing just that.

I suspect that the courts will read the directive as applying only to data stored on a user's computer that can (in principle) be later retrieved by the person storing it or by some other third party. It seems to me that the directive is intended at that kind of mischief which arises where someone or some people track what a user does and keep secret information about them that they can use for their own purposes. Of course there are still risks if information is stored without your knowledge even if it is accessible only to the user of the computer, so the courts may decide to read the directive more widely than that.

Most of these forms of storage will be lawful because they are strictly necessary to provide the service sought by the user. HTML stored by the browser which is displayed to the user is a necessary part of browsing any web page. Ditto where form fields are used for any kind of web transaction such as logging in or purchasing a product. The service can't be supplied without some local state being maintained one way or another. The user will expect it to be so.

On the other hand, keeping a complicated session key that tracks (or allows the tracking) of the user's behaviour without forming part of the functionality the user wanted, would, in my view, fall foul of the directive and need express consent. The fact that cookies aren't used is irrelevant.

9 comments:

Anonymous said...

The PECR (which I understand is the only part that is actually law?) makes no specific reference to cookies whatsoever. When a user requests a page their browser stores not just cookies but every element of that page and in the case of links, form fields, flash, applets, etc. can send information back to my server. So on what legal basis does this require extra consent for cookies and not for other page items where it is assumed that the request for the page is consent?

Doktorb said...

In short then - I use Google Anayltics for my blogspot. Will I need to make any changes whatever?

Francis Davey said...

@Anonymous - the recitals in a European regulation or directive are as much part of the law as the articles and are relevant to interpreting the law. Recital 25 expressly mentions "cookies" as I explained above.

I'll answer the rest of your question in an update later.

Francis Davey said...

@Liam - my reading of the law is that google analytics requires either a user's express consent (not much use for an open blog) or fundamental changes in the way that both analytics and web browsers work.

It seems to me that no-one is likely to be suing you for damages (though who knows if someone comes up with an interesting exploit?) and the ICO won't be pressing you for changes if it seems that you and the industry generally are working to sort it out. Not entirely satisfactory I know.

Anonymous said...

If Facebook is a private network not a public one, then presumably the directive does not apply.

Do you have any opinions on whether Facebook is a public network?

Francis Davey said...

@drj11 - well. There are two places that "public" comes in. First, article 5(3) depends on the nature of access to a user's terminal equipment. That access must be via a public communication network. So, if you access facebook via its internal network (say you work there) then A5(3) is not engaged.

But article 3(1) appears to restrict the directive's application to "the provision of publicly available electronic communications services". So it would not apply to a service which was not "available" to the public. Facebook is publicly available and so the directive applies.

In fact its clearly at just services like facebook that this directive is aimed.

AlisonW said...

Useful notes, thanks. Where are the lines drawn though?

If a site is hosted in the USA does it have to comply? is there even jurisdiction? (eg the facebook example above). What about sites where their target market is purely local, eg. Japanese sites targeting that nations' residents?

And where I host a site in the UK am I obliged to get permission for non-UK (non-EU) residents too? ie if I can show by IP lookup that they are in USA, Oz, etc can I just use cookies without worry?

Of course, the whole idea seems to have not been worked through with someone technical (The number of companies and individuals who use turnkey / packaged solutions, for example)

holizz said...

I've been following this "cookie" law closely since I'm very sceptical that it's going to be possible or worthwhile in the long run. This is a great analysis - thanks.

There is one thing I want to ask though. You seem to have skipped over the middleground between having a Blogger account with Google Analytics and hosting your own site with your own cookies: if I host my own site, and then I use Google Analytics - who is responsible for gaining consent?

I've embedded the Analytics JavaScript, however Google are the ones who are actually sending the cookies and not me.

zhochaka said...

TThere's a recent story on The Register about BT being able to access data on and about what may be user terminal equipment. And they seem to think that they don't need to ask permission.

It seems to be on the fuzzy borderlines of the directive, in several different ways, and might also interact with such things as the Computer Misuse Act.

As I recall, the ICO also warns that IP addresses might be personal data under the Data Protection Act, so any records should be kept safe and secure. A cookie used here might be storing a username and password of some sort: it had better be transmitted in a secure form.

There's more to doing these things right than asking for permission.