Further to European Directive 2002/58/CE, as amended, e-privacy laws across the European Union are implementing changes which will affect the way businesses operate their websites.

In France, the directive was transposed into law by an ordinance of 24 August 2011 which is immediately effective but still requires ratification by the legislator before end of November 2011. Given the requirement to comply with European implementation deadlines, the ordinance is mainly based on the principles laid down by the Directive may require so additional regulation or guidance by the regulator.

As for the UK, this new law provides a new framework for the use of “cookies” on websites, with heavier duties than existed before.
1 What Are Cookies?

Cookies are small text files that are stored onto a user’s device when visiting a website. The cookie assists the website in recognising the user’s device in order to deliver a more tailored and user-friendly experience to the user. Cookies may also be stored on a user’s device by third parties who may use the information obtained to tailor their advertising to that particular user (this technique is often used in the context of online behavioural advertising).

2 Requirement to obtain prior consent

What has changed?

As at today, Article 32 II of the French Data Protection Act required website operators to inform users about the fact that cookies are being used and provide guidance as to how these may be disabled and a result, in France as in many other European countriesn the principle of “opting out” as prevailed, under which users tacitly adhered to the use of cookies unless they specifically chose to opt out of their use.

Following implementation of the revised “Cookies” Directive (2002/58/EC), Article 32 II has been amended by the ordinance of 24 August 2011 to create an “opt in” system in relation to the use of cookies. It requires website operators not only to ensure that users are informed but that, in line with such information, users provide their informed consent to the use of cookies before these are stored on their devices (include for instance laptops, desktops and mobile devices).

Are there any exceptions?

Article 32 II of the French Data Protection Act has kept unchanged two exceptions which are consistent with the e Privacy Directive. There is no obligation to obtain consent where use of cookies is (1) for the sole use of allowing/facilitating e-mail communication, and (2) strictly necessary for the provision of an online communication service at the express request of the user. This exception would apply, for example, to cookies used for a virtual shopping cart.

3 How do you obtain consent?

There have been a lot of debates on this topic at the time of the amendment to the e privacy directive and in France in relation to French Bill on “safeguarding personal data in the digital age” presented by the Senate to the Assemblée nationale on 24 March 2010. The issue at stake has been to adopt a user-friendly approach that will not impact the ease with which you can navigate. The emphasis is above all on transparency (users being provided with clear and comprehensive information on the purpose of the processing, the nature of the information collected and the recipients, all SET out in a specific and permanent “rubric”, as well as being clear and accessible).

Browser settings

The new legislation has taken the approach suggested by the recitals of the directive that introduced this prior consent requirement. The revised article 32 II of the French Data Protection Act provides that the consent can be expressed by way settings of the browser of the user or another device that is under its control.

There is the full extend of the current French regulation in this respect and further regulation and guidance from the legislator or the French data protection authority is expected including on the issue of browser settings. In this respect the UK government has indicated that consent would not require a actual change in the browser settings but could be done by way of keeping the browser’s default setting whereas WP 29 position’s seems to be the opposite. The ICO’s (the UK data protection authority) current view is that the majority of browsers will not have the level of sophistication required to reliably obtain user consent.

What other options are there?

Pending guidance from French authorities it is interesting to look at guidance provided by the ICO on a range of methods available for obtaining consent, which include:

 Pop ups and similar techniques
Using a pop up is a clear way of obtaining express consent from the user. However, this is likely to be disruptive for a user’s experience if numerous cookies are being used and many online operators have already indicated that this option is unlikely to be very practical.

 Terms and conditions
Consent could be obtained through changes to website terms of use that would reflect the new regime. However, these changes must not only be brought to the user’s attention but should also be understood and agreed by users before cookies are SET on their device. Users would need to actively show their acceptance by, for instance, ticking an “accept” box, which brings this technique for obtaining consent close to a “pop up”.

 Settings-led and feature-led consent
Users can choose certain settings to SET their preferences (e.g. personalised greeting or language choice) or personalise the subject matter that the user receives (e.g. by, for example, remembering the user’s history).Website operators could ask the user whether they would like the website to remember these settings/preferences each time they visit, reminding them that their consent to this would only have to be given once. Users could also indicate their consent when the link is opened or when agreeing to the functionality being switched on.

 Functional uses
Cookies which are beneficial to the website operators, by recording certain information (e.g. how often certain pages are visited by a specific user), will require consent. Such practice should be explained to the user, with further details made available. The ICO has suggested that one way of doing this would be to include information in the header or footer of the page which, when highlighted, brings up additional text prompting the user to read further and make relevant choices.

For operators that operate in more than one European country the choice of the appropriate method(s) will require to take into account the constrains or specificities outlined in the regulation of each of these countries many of which have still to implement the directive and or provide guidance.