Field Fisher head of privacy Eduardo Ustaran warns companies to expect little tolerance of foot-dragging on cookie compliance moves

In November 2009, as part of wider reforms to the European telecommunications regulatory framework, the European Union introduced various amendments to the existing e-Privacy Directive which radically altered the rules affecting the use of internet cookies.

Before its amendment, the e-Privacy Directive permitted the use of cookies on a so-called 'opt-out' basis. It required online operators to provide individuals with clear and comprehensive information about the use of tracking technologies and to offer them the right to refuse.

The amended Directive now requires online operators to obtain informed consent to store or access cookies or any other tracking technologies on individuals' terminal equipment.

What is consent?

Relying on users' consent to use cookies is a bit like asking people to confirm that they are willing to allow electrons to flow before turning on the light – it is difficult to understand the relevance of moving electrons to light up a light bulb, but we know we don't want to be in the dark. So it is fair to assume that the cookie consent requirement needs a degree of flexibility in its interpretation.

The most obvious way of allowing for that flexibility is to accept that consent will often need to be implied. An accepted principle under data protection law is that where data processing is not intrusive in nature and there is no foreseeable risk or harm to individuals, the standard of consent required is lower than where the sensitivity of the processing is greater. So, to the extent that the use of internet cookies has only minimal impact on individuals' privacy, it is logical to assume that such use may be based on individuals' implied consent.

The crucial point is that the level of intrusiveness of the use of cookies in the privacy of internet users plays a direct role in determining a compliant mechanism for consent. The more intrusive the activity in question, the higher the standard of notice and consent that applies. Conversely, the less intrusive the activity, the greater the likelihood that consent can be implied.

How intrusive are internet cookies?

Cookies are often used to allow website operators to monitor traffic on their sites and to identify browsing patterns. The statistics generated by this monitoring can then be used to inform the development of the site, making the website more appealing to users. This is normally done through so-called analytics cookies. The purpose of cookies in this context is to enable analytics providers and website operators to collect aggregated or segmented data about website visitors to improve website services and for capacity planning. The cookies served for this purpose do not, as a rule, collect any information that enables individuals to be directly identified and, therefore, the level of intrusiveness is very low.

Cookies are also used for online advertising as they enable the collation of browsing-related information about a specific user. Advertisers can then display certain ads on the basis of that information. The purpose of cookies in this context is to collect certain information about users' online behaviour in a way that enables advertisers to improve the relevance of the banner advertising displayed.

The analysis of the intrusiveness factors affecting the use of analytics and advertising cookies will focus on the level of recognition of the users of a website and how that information may be used to make decisions that impact on specific individuals. On balance, taking into account that the cookies used for analytics and advertising are not inherently harmful, they should be regarded as being of limited intrusiveness to individuals' right to privacy.

This means that provided individuals can exercise effective control over the cookies being served on their terminal equipment, there is no reason why individuals should not be able to provide 'freely given, specific and informed' consent to analytics and advertising cookies on an implied basis.

How can consent be obtained in practice?

Taking into account the concept of consent as defined by data protection law and the most common uses of internet cookies, two approaches aimed at ensuring compliance with the e-Privacy Directive emerge: one that relies on implied consent and another one based on explicit consent.

Implied consent

When relying on the implied consent approach, website operators will seek to deploy some kind of prominent 'cookie consent' message spelling out the use of cookies served via that website. This message will also explain how to access a full list of the types of cookies used and, crucially, link to a mechanism to control and decide which cookies are accepted and which ones are not.

This approach is aimed at meeting the legal standards in the most commercially pragmatic way. It will therefore be compatible with the requirements of the e-Privacy Directive where, following the relevant intrusiveness assessment, an implied consent approach is judged adequate. Under this approach, the users' indication of wishes is impliedly given when they see the message, understand its meaning and rely on the functionality available to make their choice.

Explicit consent

When relying on the explicit consent approach, website operators will present the user with a 'barrier page' or banner that refers to the use of cookies served via that website and prompts users to give their consent by clicking on a button or elsewhere on the page before proceeding to access the relevant site.

The explicit consent approach will obviously provide a greater level of certainty in respect of the consent given by users of the website through which the cookies are served. Individuals will be able to choose whether or not to consent to the use of cookies by means of a link to a mechanism listing the types of cookies used and giving those users the opportunity to accept or reject such cookies. The users' indication of wishes is then explicitly given when they click on a button or somewhere on the page.

What should be done?

Having completed an inventory of cookies served, website operators must then decide the type of consent that is necessary to meet the legal requirement on the basis of the level of intrusiveness of those cookies.

If implied consent is going to be relied upon, it will have to be obvious to the average user what is happening – which in practice means that, as a minimum, a suitably visible and clear notice must be displayed and made available for long enough to be seen and digested. Anything less than that would make it very hard to argue that consent was obtained and is likely to be dismissed as insufficient by regulators and the courts.

The lack of technological solutions to overcome this challenge is no longer an excuse. Technology companies such as Evidon have developed mechanisms that can be tailored to achieve compliance in a viable and effective manner.

Regulators have been waiting for this type of technology to be developed for some time, so old methods such as sticking the words "By using this site, you agree that we can place cookies on your device" in a privacy policy will no longer cut it.

One thing is clear: the time for pondering what to do is now running out, and so is the patience of the regulators. Cookies which are strictly necessary for the provision of an online service requested by an internet user are exempt from the consent requirement. But in respect of other types of cookies, every European website needs to implement some form of consent – implied or explicit – or risk enforcement action.
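As an added illustration, which is not part of Ustaran's article and is not any vendor's consent product, the script below sketches how a site could enforce the distinction the article draws: an inventory classifies each cookie, strictly necessary cookies are always permitted, and analytics or advertising cookies are written only after a consent decision has been recorded, either implied (the notice was shown and the user carried on with the defaults) or explicit (the user clicked a choice). Every identifier, category label and cookie name here is a constructed assumption, and a `Map` stands in for `document.cookie` so the example runs outside a browser.

```javascript
// Added example, not from the article: a minimal consent gate that decides,
// per cookie, whether it may be written given the consent recorded so far.
// Every identifier and cookie name here is constructed for illustration.

const CATEGORY = Object.freeze({
  NECESSARY: 'necessary',     // exempt from consent (service the user asked for)
  ANALYTICS: 'analytics',     // aggregated traffic statistics
  ADVERTISING: 'advertising', // behaviour-based ad selection
});

// Constructed cookie inventory: the output of the inventory step the article
// asks for. Anything not listed here is treated as unclassified and refused.
const COOKIE_INVENTORY = Object.freeze({
  session_id: CATEGORY.NECESSARY,
  csrf_token: CATEGORY.NECESSARY,
  site_analytics: CATEGORY.ANALYTICS,
  ad_profile: CATEGORY.ADVERTISING,
});

class ConsentGate {
  // mode is 'implied' or 'explicit'; jar stands in for document.cookie.
  constructor(inventory, mode) {
    if (mode !== 'implied' && mode !== 'explicit') throw new Error('unknown mode');
    this.inventory = inventory;
    this.mode = mode;
    this.noticeShown = false;
    this.choices = null; // null until a consent decision has been recorded
    this.jar = new Map();
  }

  // Called once the cookie notice is actually rendered and visible.
  showNotice() { this.noticeShown = true; }

  // Implied mode: the user has seen the notice and carried on browsing.
  // Records nothing if the notice was never shown or the site is configured
  // for explicit consent, so silence alone never counts as consent.
  recordImpliedConsent() {
    if (this.mode !== 'implied' || !this.noticeShown) return false;
    if (this.choices === null) this.choices = { analytics: true, advertising: true };
    return true;
  }

  // The user clicked a control (explicit mode, or an override in implied mode).
  // Categories left out of the choice default to refused.
  recordExplicitChoice(choices) {
    this.choices = {
      analytics: choices.analytics === true,
      advertising: choices.advertising === true,
    };
  }

  allowed(category) {
    if (category === CATEGORY.NECESSARY) return true;
    if (this.choices === null) return false; // no decision yet: fail closed
    return this.choices[category] === true;
  }

  // Attempt to write a cookie; returns true only if it was actually set.
  setCookie(name, value) {
    const category = this.inventory[name];
    if (category === undefined) return false; // not inventoried: refuse
    if (!this.allowed(category)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Defensive check: names already in the jar that the current consent state
  // does not permit (e.g. set by a script that bypassed the gate).
  auditJar() {
    const violations = [];
    for (const name of this.jar.keys()) {
      const category = this.inventory[name];
      if (category === undefined || !this.allowed(category)) violations.push(name);
    }
    return violations;
  }
}

// Walks both flows end to end and returns what each step decided.
function demo() {
  const implied = new ConsentGate(COOKIE_INVENTORY, 'implied');
  const beforeNotice = implied.setCookie('site_analytics', '1'); // refused
  implied.showNotice();
  implied.recordImpliedConsent();
  const afterNotice = implied.setCookie('site_analytics', '1'); // allowed

  const explicit = new ConsentGate(COOKIE_INVENTORY, 'explicit');
  explicit.showNotice();
  explicit.jar.set('ad_profile', 'leaked'); // simulate a script that ignored the gate
  explicit.recordExplicitChoice({ analytics: true, advertising: false });
  return {
    beforeNotice,
    afterNotice,
    adBlocked: explicit.setCookie('ad_profile', 'x') === false,
    violations: explicit.auditJar(), // the cookie written behind the gate's back
  };
}
```

The point of `auditJar` is that a consent banner on its own proves nothing: third-party tags frequently write cookies before any choice is recorded, so a site relying on implied consent should periodically compare what is actually in the jar against the inventory and the recorded choices, and treat any mismatch as a compliance defect to fix rather than a cosmetic one.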

Eduardo Ustaran is partner and head of the privacy and information law group at Field Fisher Waterhouse