Out-Law News | 23 Jun 2011 | 3:18 pm | 4 min. read
Small text files called 'cookies' record users' online activity. Websites store the information on a user's computer, but new EU laws say users should be given the choice whether they consent to websites tracking their behaviour.
Users must be able to tell websites not to track their online behaviour and know exactly what the companies mean when they are told their activity is not recorded said EU Commissioner Neelie Kroes, who is responsible for the Commission's Digital Agenda programme.
"I urge all interested parties to come to the standardisation table. And I challenge you to agree a 'do not track' standard by June 2012," Kroes said in a speech at privacy workshop.
"The standard must be rich enough for users to know exactly what compliant companies do with their information and for me to be able to say to industry: if you implement this, then I can assume you comply with your legal obligations under the Privacy and Electronic Communications Directive," Kroes said.
Kroes said that businesses should pick measures that achieve a legal standard for gaining consent, and says it will take action to protect users if businesses do not comply.
"We need a uniform approach to the law and solutions that reinforce our principles of transparency, fairness and user control," Kroes said in her speech.
"If I don't see a speedy and satisfactory development I will not hesitate to employ all available means to ensure our citizens' right to privacy," Kroes said.
In 2009 the EU's Privacy and Electronic Communications Directive was changed to demand that storing and accessing information on users' computers was only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".
An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.
The Directive had to be added into national laws by 25 May, but only five EU countries, including the UK, have introduced measures to implement it, Kroes said.
Before the changes the Directive had said that users can only be tracked if they are given the opportunity to opt out of the tracking. The new laws have divided business groups and privacy watchdogs on how user consent can be obtained in practice.
In the UK new regulations implementing the Directive have been introduced that require websites to obtain "informed consent" to tracking from users.
The UK's privacy watchdog, the Information Commissioner's Office (ICO), has issued guidance on how online businesses can meet the new requirements. It has suggested websites use 'pop-ups' that ask users directly whether they give tracking consent, but has also said companies could obtain users' agreement by specifying the right to track behaviour in website terms and conditions.
The ICO detailed a number of other features and settings options some websites could use to obtain consent but said it hoped web browsers would develop enhanced settings that would detail whether users consented to being tracked. The Government has announced it is working with Microsoft, Mozilla, Google and other browsers to help develop this technical solution.
Kroes said that establishing consumers' trust and confidence about their right to protection of privacy was vital to achieving the European Commission's goal of having half of the European population buying online by 2015.
"Without privacy, consumers will not trust the online world," Kroes said. "Without trust, the digital economy cannot reach its full potential," she said.
"If those doing business online get together and agree on a common way to comply with the law, everybody will benefit: companies will know what they need to do, citizens will quickly learn what to expect and the competent authorities will benefit from simplified enforcement," Kroes said.
The online advertising industry should help to find a solution to the problem, Kroes said.
Companies can learn from the advertising sector's self-regulation which requires companies to notify users about behavioural advertising practices, Kroes said.
Adverts that track users' behaviour will display an icon if businesses sign up to voluntary regulations that were set out by the Internet Advertising Bureau Europe (IABE) in April. If users click on the icon they are taken to a website that will enable them to switch off behavioural adverts delivered by companies that use the icon.
"What I like about this solution is that it is active," Kroes said."Industry is not just saying – as some unfortunately still do – that all is fine because users can disable cookies in their web browsers."
"Instead, a vital section of the online industry has understood that the ... [Privacy and Electronic Communications] Directive is addressed to them and requires action," Kroes said.
The European Commission is prepared to give further guidance on how countries can implement the Directive, said Kroes. But she warned that it would take action against countries that do not implement its rules.
"This revision of the ... Directive has brought a material strengthening of protection for citizens and Member States need to make sure this is reflected in national law," Kroes said."The Commission will use its full powers against Member States that delay."
At the time of Kroes' speech only the UK, Denmark, Estonia, Finland and Sweden had introduced measures implementing the Privacy and Electronic Communications Directive. The Netherlands are the latest member state to implement the Directive into domestic law on 22 June.
Technology law news is also available from Bootlaw, a free resource for technology start-ups, with regular events hosted by Pinsent Masons.