As Google prepares to pay a £14.5m fine in the US for allowing cookies to be installed via the Safari browser without a user’s consent, pressure may be about to increase on the high percentage of companies that are still failing to comply with the new EU cookie directive that came into force at the end of May.
Under the cookie law, which is part of the EU Directive on Privacy and Electronic Communications, websites must obtain a user’s opt-in consent before installing cookies that pass on information about browsing activities to a third party.
This directive also places obligations on businesses for certain types of web analytics, according to Karin Retzer, partner at law firm Morrison & Foerster.
“Article 5.3 requires businesses to give notice to a user whenever information is stored on any user device, and in order to operate tools like Google Analytics in most instances, you need to store and access cookies,” she told Computing.
She explained that Article 5.3 provides two exemptions from the requirement for businesses to provide a notice to users of a website.
“The first is when a cookie is necessary for the communication purposes of the website, and the second is when a cookie is strictly necessary in order to provide a service specifically requested by a user.
“There was a lot of discussion as to whether analytics would qualify for the second exemption, because in order to have a well-designed and easy-to-navigate website a business has to have analytics, and because the website has been requested by the user, there would be no need for consent,” she said.
Retzer said that this is how France’s data protection organisation – the CNIL – interprets the second exemption, but only in the case of certain officially approved analytics tools.
The UK and German data protection authorities – the Information Commissioner’s Office (ICO) and Düsseldorfer Kreis respectively – have taken different stances.
“In Germany, Google had to enter into an agreement with the Düsseldorfer Kreis that for analytics to comply with German data protection laws, namely the Telemedia Act and the Federal Data Protection Act, specific compliance measures were required,” Retzer said.
“After two years of discussions, Düsseldorfer Kreis reached a compromise that Google would provide users of major browsers with the possibility to opt out of the use of Google Analytics via its browser add-on function. Google will also anonymise IP addresses collected from German users,” she added.
Retzer explained that in the UK, the ICO has taken an approach that sits between the restrictive German position and the more liberal approach in France.
“The ICO has realised that analytics isn’t very intrusive and accepts implied consent, but the website still needs to get [some form of] consent,” she said.
In its cookie guidance released in May, the ICO acknowledges that “gaining explicit opt-in consent for analytics cookies is difficult and that implied consent might be the most practical and user-friendly option”.