Kooky Policy (sorry, I meant cookie..)

In my previous post on cookies and privacy in the new EU Directive, I mentioned, in passing, the question of user consent. I think it’s time to return to that for a closer look. First, a couple of references to set context:

  • Ralf Bendrath’s comment, here, on the recently-adopted Stockholm Programme. This, he notes, includes an amendment in which the European Parliament

“… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective”.
This is a clear indication of the way the Parliament thinks that balance ought to tilt.

  • This analysis from Pinsent Masons’ Out-Law blog, in which they compare the text of the new cookie law with the interpretation of the same by some online advertising bodies. The advertisers point to a clause in the preamble of the telecom package, which says:

“Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC [the Data Protection Directive], the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”

According to the advertisers, this lets them off the hook – because a user’s consent can be inferred from the fact that their browser is set to allow cookies or block them.
However, there are several rather fatal flaws in that argument. A couple are pointed out by Struan Robertson (whose previous analysis I quoted in my other post):

“Most browsers don’t default to blocking all cookies and most people don’t change their browser settings, so it’s hard to say that effective consent is conveyed by browser settings,” said Robertson. “Also, browsers can’t tell you the purpose of a cookie.”

On a strict interpretation, the point about “purpose” ought to be fatal in itself: it would generally mean that relying on the browser setting to imply consent would fail the test of compliance with the Data Protection Directive (purpose of collection == purpose of use); if the user has no indication of purpose of collection, how can they meaningfully consent (and how can inappropriate use be detected)?
Next – given the number of people who pay little or no attention to the default cookie settings of their browsers (assuming they are even aware of them in every browser or internet terminal they use), it would be tough for a website owner to prove that the setting in effect on a given visit was chosen by the user, as opposed to merely being a default setting. What’s more, the new law repeatedly mentions the need for the user to be clearly informed before access is effected to their device – so this law isn’t just calling for implied consent, it’s calling for informed and explicit consent. (Note the clear qualification in the preamble: “Where it is technically possible and effective…”).
Now, it’s fair to argue that explicit consent is an unreasonable expectation unless and until there is a general change in people’s awareness of cookies… and advertisers will doubtless maintain that it’s not their fault we like to ignore or dispense with cookie warnings in the interests of convenience. But that argument can also reasonably be countered by saying that poor consent-seeking practice up to now can hardly be used to excuse it in future.
Finally, the Pinsent Masons article makes one other extremely valuable contribution to the debate, in quoting Commissioner Reding’s clarificatory comments on the question. I use the word clarificatory in its loosest possible sense.
According to the Commissioner, there are two kinds of cookie: “technical cookies”, without which the internet would cease to function (and which, therefore, we are presumably to allow without question), and “spy cookies”, which are the ones this law is clearly intended to regulate.
This reminds me of that Not The Nine O’Clock News sketch in which a disgruntled aide induces his president to include phrases like “cupcakes” and “big, floppy, dangly bits” in a public address.
Quite apart from the glaring absurdity of browser manufacturers now having to enhance their products to include a Privacy Settings option which allows users to turn “spy cookies” off while leaving “technical cookies” in place, there’s also the minor (though not entirely unexpected) problem that the law itself does not, of course, make any mention of these mythical creatures.
We all understand the difficulties which can arise when a legislator tries to express technical concepts in terms which are meant to be accessible either to other legislators or to the general public – but the perfectly-coiffured Commissioner has been in post now for almost exactly five years. Surely that – and her professional career as a journalist – must have taught her the danger of such ill-conceived dumbing-down?