The UK ICO’s last-minute revisions to its official guidance on the cookie laws focused on the possibility of “implied consent” for the use of cookies. This softening of the ICO’s position was sensible, notwithstanding that the whole cookie law saga brings EU tech law into disrepute. There was, however, another option open to the ICO. They could have taken the position that consent could be indicated by browser settings.
They chose not to take this path. But why not? None of the relevant laws mention implied consent. However, both the Directive and Regulations mention browser settings as a possible way of obtaining consent.
Directive 2009/136/EC
The sixty-sixth recital to the Directive on which the cookies laws are based makes express reference to browser settings: “Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.” You need to be a little bit careful with Directive recitals. They are not the law – but they do shed light upon the meaning of the law.
Directive 95/46/EC, referred to in this quotation and also known as the Data Protection Directive, is the legislative root of EU data protection law. The UK’s Data Protection Act 1998 is based on that Directive. The Directive is concerned with the processing of personal data. So what this reference appears to be saying is that, where the use of a cookie or similar technology also involves the processing of personal data, then the browser based consent must be in accordance with the consent requirements of the Directive.
The “relevant provision” is presumably the definition of consent in the Directive. The “data subject’s consent” is defined therein to mean “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
It is hard to see how, in reality, consents given by way of browser settings will generally meet this standard. If you doubt this, try asking your non-techie parents or grandparents how they use their browser settings to manage web cookies. Do you think they have freely given “specific and informed” consent to Google to collect data about their operating system? Many won’t even know what OS they are using.
Of course, much cookie use does not involve the processing of any personal data, so there is perhaps the possibility of a lower consent hurdle.
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
In the UK, a reference to browser settings was introduced into the implementing Regulations: “consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”
Notwithstanding these clear words in the Regulations, the ICO’s guidance casts serious doubt on the utility of browser setting-based consent:
At present, most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie. For consent to be clearly signified by the browser settings it would need to be clear that subscribers had been prompted to consider their current browser settings and, had either indicated in some way they were happy with the default, or have made the decision to change the settings. The other difficulty is that not everyone accessing websites will do so with a traditional web browser.
Government is working with the major browser manufacturers to establish which browser level solutions will be available and when. In future many websites may well be able to rely on the user’s browser settings as part, or all, of the mechanism for satisfying themselves of consent to set cookies. For now relying solely on browser settings will not be sufficient and even when browser options are improved it is likely not all website visitors will instantly have the most up-to-date browser with these enhanced privacy settings.
There is something rather puzzling about all this.
Almost 2% of this site’s visitors who use Internet Explorer are on version 6 (released in August 2001), while almost 10% are on version 7 (released October 2006). It might be 15 or 20 or 25+ years before all or almost all our users have moved on to sufficiently sophisticated browsers. And then there remains the problem with the visitors who are not using a traditional browser.
If browser-based consent is not going to be effective within the likely effective lifetime of this legislation, why was the reference to it included at all?
Perhaps our legislators imagined that website owners across the EU would all implement a system that: (i) checked the browser type and version used by all visitors; (ii) compared this information with a regularly updated database that differentiates those browsers that have sufficiently sophisticated cookie consent settings from those that don’t; and (iii) asked for consent from the latter but not the former. If our legislators think this, they are deluded.
Moreover, is the problem really one of “sophistication”? Most users don’t know and – whatever the ICO’s surveys may say – don’t really care about cookies as such. They care about their privacy, to an extent; but that’s not the same thing at all. More sophistication in settings probably just means more confusion amongst a public that is largely uninterested in learning about the nuts and bolts of the internet.
All in all, I wouldn’t be surprised if a court disagreed with the ICO’s interpretation of the browser consent provisions of the Regulations.
Would you?