ARTICLE 29 DATA PROTECTION WORKING PARTY

1676/13/EN WP 208

Working Document 02/2013 providing guidance on obtaining consent for cookies

Adopted on 2 October 2013

This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The secretariat is provided by Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Directorate General Justice, B-1049 Brussels, Belgium, Office No MO-59 02/013. Website: http://ec.europa.eu/justice/data-protection/index_en.htm

Since the adoption of the amended e-Privacy Directive 2002/58/EC in 2009, implemented in all EU Member States[1], a range of practical implementations have been developed by websites in order to obtain consent for the use of cookies[2] or similar tracking technologies (hereinafter referred to as “cookies”) used for various purposes (from enhanced functionalities, to analytics, targeted advertising and product optimisation, etc., by the website operators or third parties). The range of consent mechanisms deployed by website operators reflects the diversity of organisations and their audience types. The website operator is free to use different means for achieving consent as long as this consent can be deemed valid under EU legislation. The assessment as to whether or not a particular solution implemented by the website operator fulfils all the requirements for valid consent is considered later in this paper. Although the ePrivacy Directive stipulates the need for consent for the storage of or access to cookies, the practical implementations of the legal requirements vary among website operators across EU Member States. Currently observed implementations are based on one or more of the following practices. It is important to note that, whilst each may be a useful component of a consent mechanism, the use of an individual practice in isolation is unlikely to be sufficient to provide valid consent, as all elements of valid consent need to be present (e.g. an effective choice mechanism also requires notice and information):

- an immediately visible notice that various types of cookies[3] are being used by the website, providing information in a layered approach, typically providing a link, or series of links, where the user can find out more about the types of cookies being used,
- an immediately visible notice that by using the website, the user agrees to cookies being set by the website,
- information as to how the users can signify and later withdraw their wishes regarding cookies, including information on the action required to express such a preference,
- a mechanism by which the user can choose to accept all or some cookies, or to decline them,
- an option for the user to subsequently change a prior preference regarding cookies.

Taking into account the different interpretations of the e-Privacy Directive among stakeholders and the respective practical implementations, the emerging question is: what implementation would be legally compliant for a website that operates across all EU Member States? Article 2(f) and recital 17 of Directive 2002/58/EC define the notion of consent in reference to the one set forth in Directive 95/46/EC. Article 2(h) of Directive 95/46/EC provides that consent of the individual for processing his or her personal data should be a freely given, specific and informed indication of his or her wishes by which the individual signifies his or her agreement to this data processing. According to Article 7 of Directive 95/46/EC consent should also be unambiguous.

[1] As from January 2013.
[2] As described in Opinion 04/2012, the term cookie encompasses a range of technologies but centred on the HTTP cookie.
[3] E.g. social plug-in tracking cookies, third party advertising or analytics as mentioned in the Cookie Consent Exemption Opinion.

In its opinion on consent[4] the Working Party has acknowledged the differences in the notion of consent that may occur in different Member States. The opinion on consent provides further clarity on the requirements of valid consent and its main elements:

1. Specific information. To be valid, consent must be specific and based on appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.
2. Timing. As a general rule, consent has to be given before the processing starts.
3. Active choice. Consent must be unambiguous. Therefore the procedure to seek and to give consent must leave no doubt as to the data subject's intention. There are in principle no limits as to the form consent can take. However, for consent to be valid it should be an active indication of the user’s wishes. The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject's wishes, and to be understandable by the data controller (it could include a handwritten signature affixed at the bottom of a paper form, or an active behaviour from which consent can be reasonably concluded)[5].
4. Freely given. Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.

In line with the above clarifications and elsewhere[6] on what constitutes valid consent across all EU Member States, the Working Party elaborates that, should a website operator wish to ensure that a consent mechanism for cookies satisfies the conditions in each Member State, such consent mechanism should include each of the main elements: specific information, prior consent, indication of wishes expressed by the user’s active behaviour and an ability to choose freely.

1. Specific information

The mechanism should provide for a clear, comprehensive and visible notice on the use of cookies, at the time and place where consent is sought, for example, on the webpage where a user begins a browsing session (the entry page). When accessing the website, users must be able to access all necessary information about the different types or purposes of cookies being used by the website. The website could prominently display a link to a designated location where all the types of cookies used by the website are presented. Necessary information would be the purpose(s) of the cookies and, if relevant, an indication of possible cookies from third parties or third party access to data collected by the cookies on the website. Information such as the retention period (i.e. the cookie expiry date), typical values, details of third-party cookies and other technical information should also be included to fully inform users. The users must also be informed about the ways they can signify their wishes regarding cookies, i.e. how they can accept all, some or no cookies and how to change this preference in the future.

[4] Opinion 15/2011 on the definition of consent.
[5] Also, the proposed text of the future EU Regulation on data protection refers to consent as signified by “clear affirmative action”.
[6] Clarifications in the Opinion 2/2010 on Online Behavioural Advertising.

2. Timing

As the Working Party concluded in the previously mentioned opinion[7], consent has to be given before the data processing starts. The opinion clarifies that this applies also in the context of article 5(3) of the e-Privacy Directive. Therefore, to achieve compliance across all EU Member States, consent should be sought before cookies are set or read. As a result a website should deliver a consent solution in which no cookies are set on the user’s device (other than those that may not require the user’s consent[8]) before that user has signalled their wishes regarding such cookies.

3. Active behaviour

In addition to information about the types and purpose of cookies, the website must also present clear and comprehensive information to the users on how they may signify their consent, most likely on the page where the users start their browsing experience. Tools to obtain consent may include splash screens, banners, modal dialog boxes, browser settings, etc. As to the latter, Recital 66 of the Citizens’ Rights Directive 2009/136/EC specifies that “where technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.” Where the website operator can be confident that the user has been fully informed and has actively configured their browser or other application then, in the right circumstances, such a configuration would signify an active behaviour and therefore be respected by the website operator. Conditions for browser settings to be able to deliver valid and effective consent are described in Working Party Opinion 2/2010. The process by which users could signify their consent for cookies would be through a positive action or other active behaviour, provided they have been fully informed of what that action represents.

Therefore the users may signify their consent either by clicking on a button or link, or by ticking a box in or close to the space where information is presented (if the action is taken in conjunction with provided information on the use of cookies), or by any other active behaviour from which a website operator can unambiguously conclude that it means specific and informed consent. For the purpose of this paper active behaviour means an action the user may take, typically one that is based on a traceable user-client request towards the website, such as clicking on a link, image or other content on the entry webpage, etc. The form of these types of user requests is such that the website operator can be confident that the user has actively requested to engage with the website and (assuming the user is fully informed) does therefore indeed consent to cookies, and that the action is an active indicator of such consent. In any case it must be clearly presented to the user which action will signify consent to cookies. It must be ensured that the choice expressed with active behaviour is actually based on clear information that cookies will be set due to this action. The information should be presented in such a way that the user is most likely to acknowledge it as such (and not mistake it for advertising, for example). Therefore ensuring that the button, link or box which indicates the active behaviour is within or close to the location where information is presented is essential to be confident that the user can relate the action to the information prompted. Furthermore the information should be present on the website and not disappear until the user has expressed his/her consent. In the latter case, the website operator can be assured that unambiguous consent was given. Additionally, merely clicking a “more information on cookies” link cannot be deemed consent, since the user has explicitly requested only more information. Absence of any behaviour cannot be regarded as valid consent. If the user enters the website where he/she has been shown information on the use of cookies, and does not initiate an active behaviour such as described above, but rather just stays on the entry page without any further active behaviour, it is difficult to argue that consent has been given unambiguously. The user action must be such that, taken in conjunction with the provided information on the use of cookies, it can reasonably be interpreted as an indication of his/her wishes.

4. Real choice – freely given consent

The consent mechanism should present the user with a real and meaningful choice regarding cookies on the entry page. The user should have an opportunity to freely choose between the option to accept some or all cookies or to decline all or some cookies, and to retain the possibility to change the cookie settings in the future. In some Member States access to certain websites can be made conditional on acceptance of cookies[9]; however, generally the user should retain the possibility to continue browsing the website without receiving cookies or by only receiving some of them: those consented to that are needed in relation to the purpose of provision of the website service, and those that are exempt from the consent requirement. It is thus recommended to refrain from the use of consent mechanisms that only provide an option for the user to consent, but do not offer any choice regarding all or some cookies. Granularity in the options available to the user is highly recommended.

The above argumentation is based on recital 25 of e-Privacy Directive 2002/58/EC, which provides that access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose. The emphasis on “specific website content” clarifies that websites should not make “general access” to the site conditional on acceptance of all cookies but can only limit certain content if the user does not consent to cookies (e.g. for e-commerce websites, whose main purpose is to sell products, not accepting (non-functional) cookies should not prevent a user from buying products on this website). Additionally, recital 10 of e-Privacy Directive 2002/58/EC specifies that in the field regulated by the said directive, Data Protection Directive 95/46/EC applies in particular to all matters concerning protection of fundamental rights and freedoms which are not specifically covered by the provisions of this Directive, including the obligations on the controller and the rights of individuals. Directive 95/46/EC applies to all data controllers. Since storing information or gaining the information already stored on users’ devices by way of cookies can entail the processing of personal data[10], in this case data protection rules clearly apply. One of the principles that need to be taken into account is that the processed data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (Article 6.1(c)). If certain cookies are therefore not needed in relation to the purpose of provision of the website service, but only provide for additional benefits of the website operator, the user should be given a real choice regarding those cookies. The types of cookies that might be disproportionate in relation to the purpose of the website may vary depending on the context. An example where consent to non-necessary cookies would be considered disproportionate is websites providing certain services where the user could be seen as having few or no other options but to use the service, and thus having no real choice as to the usage of cookies. In most EU Member States this is particularly the case with public sector services[11]. Users should also be offered a real choice regarding tracking cookies. Such tracking cookies are generally used to follow individual behaviour across websites, create profiles based on that behaviour, infer interests, and take decisions affecting people individually. When tracking cookies are being used to single out people in this way, they are likely to be personal data. For the processing of the personal data that goes together with the reading and setting of tracking cookies the data controller needs to obtain the unambiguous consent of the user. A decision regarding a breach of the mentioned principle would be made on a case by case basis by the national authority competent to oversee the relevant provision of the data protection legislation.

[7] Opinion 15/2011 on the definition of consent.
[8] For further clarifications on exemptions see Cookie Consent Exemption Opinion.
[9] Under Swedish law, websites are allowed to require that the user gives his/her consent to the use of cookies in order to allow access to the website. A data subject who does not consent will then have to opt for a different service provider. The exception is websites providing certain public sector services, where the user could be seen as having few or no other options but to use the service and therefore seen as having no real choice as to the usage of cookies.

Done at Brussels, on 2 October 2013

For the Working Party
The Chairman
Jacob KOHNSTAMM

[10] As was also clarified by the Opinion 2/2010 on Online Behavioural Advertising.
[11] In most EU Member States making access to public service websites conditional is not seen as lawful.
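The following is an added example, not part of the Working Party's document, showing how a website could enforce the elements described in sections 2 to 4 above in server-side code: no cookie outside the exempt category is set until the user has made an explicit choice, a "more information" click or simply staying on the page is not treated as consent, the choice is granular per category, and the stored choice can be reloaded and replaced later. The cookie names, the category labels and the consent cookie name are constructed for illustration.

```python
"""Consent-gated cookie setting (illustrative, not the Working Party's code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

EXEMPT = "strictly_necessary"           # category exempt from the consent requirement
CATEGORIES = frozenset({"analytics", "advertising", "social_plugin"})
CONSENT_COOKIE = "cookie_consent"       # hypothetical name of the cookie holding the choice


@dataclass(frozen=True)
class ConsentRecord:
    accepted: FrozenSet[str]            # categories the user actively accepted


def record_consent(action: str, chosen: FrozenSet[str] = frozenset()) -> Optional[ConsentRecord]:
    """Map a banner action to a consent record. Only explicit, active choices count;
    a 'more_info' click or any other action yields None, i.e. no consent yet."""
    if action == "accept_all":
        return ConsentRecord(CATEGORIES)
    if action == "accept_selected":
        if not chosen <= CATEGORIES:
            raise ValueError(f"unknown categories: {sorted(chosen - CATEGORIES)}")
        return ConsentRecord(frozenset(chosen))
    if action == "decline_all":
        return ConsentRecord(frozenset())   # an explicit decline is still a recorded choice
    return None


def serialise(record: ConsentRecord) -> str:
    """Value written into the consent cookie; 'none' records an explicit decline."""
    return ",".join(sorted(record.accepted)) or "none"


def load_record(cookie_header: str) -> Optional[ConsentRecord]:
    """Recover a previously stored choice from a Cookie request header, if any.
    Unknown category names are dropped so a tampered value cannot widen consent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == CONSENT_COOKIE and value:
            cats = set() if value == "none" else set(value.split(","))
            return ConsentRecord(frozenset(cats & CATEGORIES))
    return None


def permitted_cookies(wanted: List[Tuple[str, str]], record: Optional[ConsentRecord]) -> List[str]:
    """Filter the cookies a page wants to set down to those allowed right now."""
    return [name for name, cat in wanted
            if cat == EXEMPT or (record is not None and cat in record.accepted)]


# Constructed sample: cookies a page would like to set, tagged with their category.
WANTED = [("sessionid", EXEMPT), ("_site_analytics", "analytics"),
          ("ad_profile", "advertising"), ("share_widget", "social_plugin")]
```

Changing a preference later is the same flow: `load_record` on the incoming request, `record_consent` with the new action, `serialise` back into the consent cookie.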