Thursday 10 March 2011

Delete cookies?! ... on changes in ePrivacy Directive

Recently I have mentioned on this blog one of the consequences of the revised ePrivacy Directive 2002/58/EC (revised by Directive 2009/136/EC of 25 November 2009), namely the requirement of the notification of the breach of privacy to internet users and authorities. Another important for consumers consequence of changes in this law concerns cookies.

I don't mean here chocolate cookies, but HTTP cookies - small pieces of information that are downloaded to your computer when you browse through internet that then may track the pages you visit, login information or other data and transfer them back to the cookies' creators. Doesn't sound like a cookie you would like to have, right? Well, as of 25th of May 2011, when the new law is supposed to be transposed to national laws, consumers should be able to (politely) refuse such HTTP cookies. And contrary to refusing acceptance of a regular, freshly-baked cookie, saying no to HTTP cookies should come easy to most of us. ... most of us. ;)
Member States are left with a problem of how to implement the new law in a way that it would not completely distort the practice of using European websites. It all sounds nice in theory - let's limit the possibility of businesses to store consumer data and to use them to track consumer preferences and then to target consumers with behavioural advertising. In order to do prevent such 'abuse', the consumers are to be informed every time their information is being stored in a cookie, what it is being used for and why, as well as how to remove the cookie. Does it mean that consumers will now be immune to having their data collected and stored, and the consumers' life will get this one step easier? No, most likely it will actually become more complicated and annoying, since what is foreseeable is a bunch of pop-up windows opening when you enter a new website, asking you whether you grant permission to let that site gather your data. Doesn't sound like something you would like to have to do with, still, right? *sigh* Let's see how these provisions will end up being implemented and what changes do we actually notice in our e-environment.

Recital 66 of the Directive 2009/136 mentions that:

"It is (...) of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such [of information - JL] storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. (...) The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities."

New article 5(3) of the Directive 2002/58 says as a result:
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."