
Tuesday, June 12, 2012

Article 29 Working Party Publishes Opinion on Exemptions for Cookies


by Mehmet Munur

The Article 29 Working Party published an opinion (WP194) today on the exemptions to the consent requirement for cookies or similar technologies under the revised E-Privacy Directive. The Working Party elaborated on types of cookies that may not require consent under certain circumstances, such as cookies that track user’s input on forms or shopping carts and cookies that store users’ language preference. Most importantly, the Working Party stated that first-party analytics cookies are not likely to create privacy risks when they are strictly limited to first-party aggregated statistical purposes, provide clear notice about these cookies in their privacy policy, and provide adequate privacy safeguards. While the Working Party deems such cookies not to be strictly necessary for the operation of a website, they also admit that the privacy risks are limited when they are configured properly.

The Working Party elaborated on the two exceptions to consent under Article 5.3 of the amended E-Privacy Directive 2009/136/EC. Under the Directive, service providers may only store information, or gain access to information already stored, on equipment if the user has given consent after having been provided with clear and comprehensive notice. The first exception to the consent requirement is information stored for the sole purpose of carrying out the transmission of a communication over an electronic communications network. The second exception to the consent requirement is information strictly necessary for provision of services explicitly requested by the user.

When construing the first exception, the Working Party stated that the following elements may be helpful:

1) The ability to route the information over the network, notably by identifying the communication endpoints.
2) The ability to exchange data items in their intended order, notably by numbering data packets.
3) The ability to detect transmission errors or data loss.

Therefore, cookies or similar technologies that fall in any of the above criteria should satisfy the exception to the consent requirement.

With regard to construing the second exception and due to the complexities in what constitutes the service, the Working Party stated that the following elements should be met:

1) A cookie is necessary to provide a specific functionality to the user (or subscriber): if cookies are disabled, the functionality will not be available.
2) This functionality has been explicitly requested by the user (or subscriber), as part of an information society service.

The Working Party then moved to the terminology relating to cookies and drew distinctions between session cookies, persistent cookies, first-party cookies, and third-party cookies. Importantly, the Working Party stressed that it would be moving away from the distinction between first-party and third-party cookies as used in browsers. Most web browser settings classify a cookie placed on a user’s device by the domain the user visited as a first-party cookie and any cookie placed by another domain as a third-party cookie. The Working Party uses a slightly different definition, drawing on the Directive’s definition of a third party: it uses the term third-party cookie “to describe cookies that are set by data controllers that do not operate the website currently visited by the user.” On the other hand, first-party cookies “refer to a cookie set by the data controller (or any of its processors) operating the website visited by the user, as defined by the URL that is usually displayed in the browser address bar.”

In order to determine whether the cookie is strictly necessary, the service provider must determine the lifespan of the cookie, whether it is session based or persistent, and the purposes of the processing. Therefore, the Working Party creates a continuum where first-party session cookies may be strictly necessary whereas third-party persistent cookies may not be. However, the Working Party stresses that these distinctions must be used in conjunction with the purposes of the cookies in order to determine whether consent is required.

The Working Party then discussed different examples of cookie use scenarios that may be exempt from the consent requirements. 

User Input cookies: Looking at session cookies that track user’s inputs on a webpage, the Working Party stated that these cookies would likely not require consent.
Authentication cookies: The Working Party came to a similar conclusion for session-based authentication cookies. However, persistent cookies for logins would require consent.
User centric security cookies: User centric and user requested security cookies, for example those related to log in attempts, would also not require consent. However, this may not be the case for other cookies relating to the security of the website.
Multimedia player session cookies: Default Flash Player cookies may also not require consent to the extent they relate to technical data such as image quality, network link speed, and buffering parameters. However, they should be session cookies.
Load balancing session cookies: Session-based cookies used to balance users across different servers are also likely not to require consent.
UI customization cookies: Session or persistent cookies relating to the user’s preference over language or appearance may also not require consent, mostly because the user shows his preference by clicking on a box or link to set these preferences. However, notice relating to the use of cookies may be required for persistent cookies.
Social plug-in cookies: The Working Party states that consent may be required from users who are not logged into the service or are not customers of the service. However, consent may not be required for users that are logged in and are requesting the service.

In addition to the above examples relating to the exempt cookies, the Working Party stated that the following cookies would not be exempted from the consent requirement: social plug-in tracking cookies, third-party advertising cookies, and first-party analytics cookies. To the extent that these cookies are used for the tracking of the individual, consent would be required. With regard to the first-party analytics cookies, the Working Party stated that these cookies “are not likely to create a privacy risk when they are strictly limited to first-party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards.” These safeguards should include a method for opting out and anonymization of identifiable information such as IP addresses. Therefore, first-party analytics cookies with the appropriate privacy controls would likely not require consent even though they are not in an exempted category. The Working Party notes, however, that the privacy risks relating to third-party analytics cookies that track users across websites are higher and would require consent.

This opinion from the Working Party falls in line with the latest opinions from the UK ICO and the CNIL. The ICO and the Working Party appear to have taken a step back from the strict interpretation of the amended E-Privacy Directive that would require informed consent even for first-party analytics. In fact, the Working Party now calls for a revision of the Directive to explicitly allow for

This long awaited opinion from the Working Party brings some more detail around the difficult challenges faced by most companies in complying with the revised E-Privacy Directive. It does not negate the need to conduct audits and due diligence relating to cookies and similar technologies used by companies. It does, however, make first-party analytics cookies easier to implement.


Wednesday, October 07, 2009

FTC Settles with Six Companies with Lapsed Safe Harbor Certifications

By Mehmet Munur

On October 6, 2009, the Federal Trade Commission filed six complaints against companies falsely claiming that they were self-certified to the Department of Commerce EU Safe Harbor when their certification had lapsed. This FTC action should serve as a reminder to Safe Harborites either to keep up their annual recertification or to avoid misrepresenting that they are self-certified to the Safe Harbor.

The EU Safe Harbor is one of the methods allowing US corporations to export data from the EU while complying with Article 25 of the EU Data Protection Directive, which requires that data only be transferred to countries with adequate data protections, subject to exceptions. The Department of Commerce, the European Commission, and the Article 29 Working Party negotiated the Safe Harbor. US companies self-certify for the Safe Harbor and the DoC maintains a list of these companies on its export.gov website. However, the Federal Trade Commission and the Department of Transportation have the authority to enforce the Safe Harbor. While the Safe Harbor plays a crucial role for multinational corporations in transferring personal data from the EU without violating the EU Data Protection Directive’s adequacy requirements, now more than ever, failure to abide by the Safe Harbor requirements can result in enforcement actions by the FTC.

Six companies, World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive GaitWays LLC, each represented that they were self-certified to the Safe Harbor when in fact their certification had not been renewed for several years. At least three of the companies had failed to either recertify or remove their representations related to their certification from their websites for two to three years. For example, ExpatEdge had certified for the Safe Harbor in 2002 but had failed to recertify since 2006. Onyx Graphics had certified in 2006 but failed to recertify since 2007. Progressive GaitWays had certified in 2004 but failed to recertify since 2006. Since the FTC enforcement, the remaining three companies have recertified for the Safe Harbor.

The six companies each entered into consent agreements with the FTC related to their infringing activities. The consent agreements are similar to the previous FTC settlement on the Safe Harbor. The consent agreements prohibit any of the companies from “misrepresent[ing] in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.” Furthermore, the companies must make all documents related to compliance with the consent agreement available for inspection for the next 5 years.

In our previous blog post, we had stated that the FTC’s enforcement was tacked onto other issues related to the shipment of goods. This time the FTC has squarely addressed Safe Harbor violations using its deceptive trade practices powers. According to the FTC policy statement on deception, a material representation, omission, or practice that is likely to mislead the consumer is needed for any enforcement activity. An act or practice that is “likely to affect the consumer's conduct or decision with regard to a product or service” is considered material. Additionally, any express claims are presumed material. Furthermore, the Safe Harbor Principles and FAQ 11 of the Safe Harbor clearly state the FTC’s jurisdiction to bring actions against Safe Harborites for deceptive trade practices. Therefore, the companies’ express claims that they were self-certified with the Safe Harbor when their certifications had expired are clearly material misrepresentations that would mislead a reasonable consumer under the circumstances.

The recent enforcement actions in this area are certainly signs of the FTC’s willingness to bring enforcement actions in this area in the future. The recent changes to the list showing organizations certified to the Safe Harbor are possibly another indication of things to come. The International Trade Administration website used to host the Safe Harbor list. Recently, it has moved to the Department of Commerce’s export.gov/safeharbor/ website, which is where all other Safe Harbor related documents used to reside. The list now more readily identifies non-compliant companies.

The FTC is likely to bring more enforcement actions against companies in the Safe Harbor list that represent that they are certified but have not in fact kept up their certifications with the Department of Commerce. The FTC is also likely to expand its enforcement activities into more substantive issues related to the privacy practices of Safe Harborites in the near future. Therefore, Safe Harborites intending to leave the Safe Harbor should either promptly renew their certifications or remove any public representation that they are certified with the Safe Harbor. This should help alleviate any FTC deceptive trade practices claims. However, note that obligations undertaken by a Safe Harborite do not disappear with the organization leaving the Safe Harbor. Therefore, removing such representations only resolves part of the issues involved in joining then leaving the Safe Harbor.


Friday, January 23, 2009

Article 29 Working Party Releases 11th Annual Report

By Mehmet Munur

On January 21, 2009, the Article 29 Working Party released its 11th Annual Report on Data Protection. The report shows a rise in enforcement activities by the European Union Data Protection Authorities (DPAs), resulting in fines totaling millions of Euros, some criminal prosecutions, and concerns over the liberal use of electronic discovery in US litigation involving EU subsidiaries.

While the report covers the year 2007, it is a handy (yet belated) insight into all EU Data Protection Authorities’ enforcement activities. Most importantly, it serves as a useful tool to gauge where data protection enforcement in the EU is heading. In 2007, the DPAs focused on a variety of areas of data processing such as electronic healthcare, law enforcement, employment, financial sector, biometric data, and video surveillance. The report also highlights the local implementation efforts of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the E-Privacy Directive) and the varying degrees of retention periods set by local legislation.

The Spanish, Dutch, French, and Italian DPAs were just as active in 2007 as in the previous years.

The Spanish DPA noted that in “2007, the number of claims filed by citizens with the AEPD rose by around 7% to a total of 1,624.” The Spanish DPA issued 399 penalties, “a 32.5% increase over the previous year” resulting in fines of 19.6 million Euros—an average of nearly €50,000. Furthermore, “[t]he greater part of the inspections carried out ha[d] to do with telecommunications and financial institutions, followed by video-surveillance, which is now in third place following an increase by over 400%.”

The Dutch DPA stated that in 2007 it had “changed its strategic direction and shifted its priority to carrying out investigations and enforcement actions – the core task of any independent supervisory authority – to ensure a more effective promotion of the awareness of standards.” The Dutch DPA also suggested that it was going after the bigger fish stating that it “g[a]ve priority, as regards requests for help and assistance, to serious violations of a structural nature and to violations which entail major consequences for a substantial number of citizens or for groups of citizens.”

The French DPA reiterated its penalty and audit powers stating that “the CNIL has sanctioning powers enabling it to levy fines to the amount of €150,000 (€300,000 in the case of repetition), within the limit of 5% of turnover.” In 2007, the French DPA issued nine fines ranging from €5,000 to €50,000, five warnings, and 101 formal notifications.

The French DPA also voiced its concerns over US data retention and electronic discovery rules stating that it had “observed a recent increase in the requirement for the communication of personal data held, inter alia, by the French subsidiaries of American companies that are the subject of discovery proceedings before American civil courts or pre-trial discovery.” The French DPA was worried not just about private litigation but discovery by the FTC and SEC. Therefore, the French DPA “attempted to draw the government’s attention to this issue” and set up inter-ministerial discussions.

The Italian DPA also enhanced its inspection activities in 2007. Interestingly, the Italian DPA benefited from the use of the specialized Financial Police when checking compliance with notification requirements, information notices, and security measures. “Overall, 452 inspection proceedings were carried out. They mostly concerned private entities and were aimed at checking compliance with the main requirements laid down in the data protection legislation.” The Italian DPA focused on “personal (medical) data by pharmaceutical companies and healthcare bodies; the online processing of personal data; processing aimed at the provision of goods and services via distance selling mechanisms (including call centres); the processing operations performed by Revenue Offices; the retention of users’/subscribers’ data by telecom operators; and e-banking services.” Out of these 452 inspections, the DPA issued 228 administrative sanctions and referred 15 cases to criminal prosecution. The Italian DPA expects revenues of €750,000 from these sanctions.

In sum, enforcement by EU DPAs and the financial liability for violations of local data protection legislation are both on the rise.
