The Law on Cookies

Such a clickbait-y title. I am, of course, referring to internet cookies. You have probably seen a banner on most websites for many months now, asking you to agree to their cookie disclaimer, which looks something like this (you may have noticed it on this website too):

Screen Shot 2016-05-31 at 6.24.41 PM

This is primarily a European issue, but due to the worldwide nature of the web, everyone needs to comply. This post deals with the EU laws compelling websites to put up such a disclaimer, and discusses whether they are, in fact, an adequate solution.

Also, the word ‘cookie’ is going to start sounding like nonsense to you by the end of this post through sheer semantic satiation – fair warning. I speak from experience.


What is an Internet Cookie?

A cookie is just a text file stored by your browser that helps identify who you are to the website that generated that text file.[1] This allows them to save your settings for future use. Here’s how one looks like, taken from my computer while writing this post:

Screen Shot 2016-05-31 at 6.17.56 PM

Incidentally, note that this cookie expires by end of November, 2016 – six months from now. This brings us to the classification of cookies, which is as follows:

  1. Session cookies:[2] These last only as long as your browser is still accessing the website that generated that cookie. Tab/window closed – session ends, which instructs the browser to delete the cookie.
  2. Persistent cookies:[3] The sample cookie above is a persistent one. As long as I don’t force my browser to delete it, the text file shall remain in my system until end of November, ensuring my settings are available whenever I visit the page – such as the chosen language, or for the auto-login feature, since I am recognized through the cookie.

Cookies are used as a form of ‘memory’ for web pages. They are extremely useful in the sense of allowing the website to remember that it was you who made certain choices, or filled forms, on that website. Without them, the server on which the website is hosted would have collected your data, but would have no way of knowing that the data was yours the moment you followed a link to another part of that website. Imagine, for example, applying for a job or degree. Some of the most excruciatingly detailed online forms in existence, they ask you to fill them in two to three (or if they’re feeling especially evil, five or more) stages. Without cookies, each time the form moved to the next set of questions, the website would forget whose data it has – bringing you back to square one, and making you tearfully wonder if filling the form is truly worth the effort. In the example above, the random alphanumerical string under ‘Content’ uniquely identifies me, and allows me to finish the form.

The Legal Issue with Cookies

Advertisers and marketers have been at the cutting-edge of user tracking by their very nature. My choices across websites give them the ability to profile me and learn my spending habits – in the best case scenario, predicting them.[4] Advertisers buy banner ads across thousands of webpages in order to track the cookie that was generated by them and saved by a user’s browser.[5]

As must be clear, this raises immediate privacy concerns. While cookies in themselves are technically incapable of ever containing personal data (it’s just a randomized text string), powerful data analytics running behind the scenes does make it possible to find connections and correlations between datasets. You must have seen the same Amazon ads following you around webpages that are in no way interconnected.

Laws surrounding Cookies

Europe

As we have seen in an earlier post on drones, European lawmakers are quite sensitive to privacy issues. If you are new to privacy laws in the EU, please read the portions of that post which covers the basics of the law. This post will deal with the implications of the law on cookies.

The EU paranoia over privacy issues has been brought to bear regarding cookies as well.[6] The following points need to be considered:

  1. Consent: Article 7(a) of the Data Protection Directive (DPD)[7] requires users to provide unambiguous consent for the processing of personal data. Note that this will be replaced by Article 7(1)a of the General Data Protection Regulation (GDPR)[8], which is applicable from May 24, 2016 but comes into force on May 25, 2018. The principle remains the same, however – unambiguous consent.
  2. Use for a specific purpose: Another general principle of privacy law is that personal data can be collected only for a specific, legitimate purpose. This is covered under Article 6(1)(b) of the DPD and Article 5(1)(b) of the GDPR.
  3. Informed consent: Article 5(3) of the ePrivacy Directive[9] – which adds on to the DPD to cover new tech – mandates EU members to pass laws so that storage or use of personal data is only allowed “on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC [that’s the DPD], inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller” – this references the principle covered in point 2 above.

Finally, the three principles above, when combined, give rise to that banner I talked about at the very beginning of this post. This is because it is believed that the banner provides users with clear and comprehensive information about the fact that their data is being collected – and, by clicking ‘Accept’, apparently allows users to give informed consent to such collection and use. In fact, the European Commission’s website even provides a template for web developers to add the banner to that website[10], and forms the basis for the plugin used by yours truly for this very website.

Having said that, certain forms of cookies have been treated as exempt by the Working Party 29, a statutory body that provides non-binding interpretations of data privacy law in the EU.[11] These include cookies that simply aid in the website performing its functions (such as session cookies), those used for authentications, for third party content, user-centric security, multimedia players, etc.

Conclusion

Let’s be honest – did you actually read the banner before almost subconsciously clicking ‘Accept’, just to make it go away? Most people do not.[12] On the other hand, they have certainly made users aware of the fact that cookies are not just the soft, sweet pieces of heaven that I could finish a whole packet of. This has, in turn, raised plenty of awareness regarding privacy concerns.

Having said that, the cookie banner is definitely not a complete solution to the problem. Users typically do not have a choice about accepting such banner notices – what do I do, stop using the website? A far better solution, in my opinion, was the one implemented by Google a while ago, where the website forced you to make multiple privacy-related decisions (which were not simply the binary YES or NO).[13] Certainly not a perfect solution, but plugins could possibly be designed giving web developers or companies the ability to provide flexible options – leading to greater awareness and more choices.

Advertisers are, of course, always ahead of the game. “Super cookies”, which are beyond the control of regular users by being at the network level, have been noticed around the interwebs recently (instead of being stored on my computer, they are stored on the website’s server – to put it simply).[14] New ways must be developed, either legal or technical, to surmount issues raised by such new technologies.

[There are, of course, a multitude of websites available everywhere that provide tips on being personally secure on the internet, so I won’t go into it here.]


[1] http://www.allaboutcookies.org/cookies/, last accessed 1/6/2016

[2] http://www.allaboutcookies.org/cookies/session-cookies-used-for.html, last accessed 1/6/2016

[3] http://www.allaboutcookies.org/cookies/persistent-cookies-used-for.html, last accessed 1/6/2016

[4] Alex G. Büchner and Maurice D. Mulvenna. 1998. Discovering Internet marketing intelligence through online analytical web usage mining. SIGMOD Rec. 27, 4 (December 1998), 54-61. DOI=http://dx.doi.org/10.1145/306101.306124

[5] Google Analytics Cookie Usage on Websites, available at https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage#overview; last accessed: 1/6/2016

[6] http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm, last accessed: 1/6/2016

[7] Accessible at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

[8] Accessible at http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

[9] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), accessible at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML

[10] Ibid at 6

[11] Working Party 29, Opinion 04/2012 on Cookie Consent Exemption, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf; last accessed: 1/6/2016

[12] https://www.theguardian.com/technology/2015/mar/19/cookies-how-to-avoid-being-tracked-online; last accessed 1/6/2016

[13] Gizmodo, Go Check Up On Your Google Privacy Settings in the New Accounts Page, http://gizmodo.com/go-check-up-on-your-google-privacy-settings-in-the-new-1708171674; last accessed: 1/6/2016

[14] Considerati, Super cookies used in the Netherlands, http://www.considerati.com/blog/super-cookies-used-in-the-netherlands/, last accessed: 1/6/2016

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s