Cookie-Cutter: UK Announces New Rules for Website Cookies

The United Kingdom Information Commissioner’s Office (ICO), which oversees compliance with privacy laws, announced this week new rules governing the use of website “cookies” that will come into effect on May 26, 2011, possibly following an as-yet unidentified grace period. The new rules will effectively require opt-in consent to use most kinds of cookies, and they will be particularly difficult to manage in the context of third-party cookies such as those employed by advertisers and advertising networks.

Since the new British rules are meant to implement amendments to the European Union’s ePrivacy Directive, this is an issue that will have to be addressed across Europe and is likely to impact any website aimed at a European market.

Cookies Everywhere

“Cookies,” small text files that a website automatically places on a visitor’s computer when the website is loaded, are ubiquitous on the Web. Session cookies track a user’s activity from page to page during a session, so that the user does not have to re-enter information or selections. Authentication cookies store logon credentials so that the user does not have to log on again after navigating to another website. Persistent cookies store user preferences for each successive visit to the website.

Tracking cookies may be used to collect analytic data on how an individual website is used, and some kinds of tracking cookies record the user’s activity across websites – which is more controversial from a privacy perspective. For example, “conversion tracking cookies” allow an advertiser to determine whether a user who clicks on a third-party advertising link ends up making an online purchase from the advertiser. Some behavioral marketing programs use cookies to collect information about the pages and sites visited by a consumer so that a profile can be constructed for targeted marketing purposes. Google Analytics uses cookies to create statistical reports for advertisers and website operators, without identifying the individual users other than by IP address.

The ePrivacy Directive

The European Union’s Privacy and Electronic Communications Directive (the “ePrivacy Directive”) essentially required transparency concerning cookies. Website visitors were to be informed about the website operator’s practices and available options to refuse or delete cookies. This has been the standard for website operators and advertisers since 2002.

In November 2009, the ePrivacy Directive was modified by amendments that included a revised Article 5(3) emphasizing the need for informed consent:

Member States shall ensure that the storing of or access to information already stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC [the EU Data Protection Directive], inter alia about the purposes of the processing.

There is an exception for storage or access that is “strictly necessary” to provide an explicitly requested service.

The UK Response

Member States were required to transpose the amendments into national law within 18 months. This explains the timing of the revision of Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 (“PERC”), which after May 25 will require that the user “has given his or her consent” to storing or accessing information on the user’s equipment.

ICO’s announcement this week concerning the rule change raises as many questions as it answers, and the announcement itself states that ICO will issue separate guidance on how it intends to enforce PERC with respect to cookies.

Key Issues

  • ICO expects that the more intrusive cookies (such as those that create profiles of users, especially across multiple websites) will require more explanation and well-documented consent. Conversion tracking and behavioral marketing uses of cookies are clearly in the crosshairs.
  • The recitals to the amended ePrivacy Directive discuss the possibility of relying on the user’s browser settings to accept or reject cookies. ICO rejects this as a current solution, however, given the variety of browsers and settings in use, their unfamiliarity to many users, and the increasing use of mobile devices to access websites.
  • ICO mentions several other possible ways of informing users about cookies and obtaining consent, such as highlighted or scrolling headers, footers, or splash screens; disclosures on pages requesting personal information or offering particular downloads such as videos; website terms and conditions or pop-ups that require a user to click “I agree” before proceeding; website “settings” that could be selected by a user once and then remembered (presumably using a cookie) for subsequent visits.
  • ICO frankly acknowledges that third-party cookies may present the most challenging compliance issues and simply concludes that “everyone has a part to play in making sure that the user is aware of what is being collected and by whom.” An ICO spokesperson mentioned the possibility of establishing advertising network policies and procedures that could be viewed (and consented to?) by clicking on an icon displayed with banner ads and other advertising links.
  • ICO says the exception for “strictly necessary” cookies will be interpreted narrowly. It gives one potential example: cookies used to keep track of a user’s purchases in a “shopping basket” until the user is ready to “check out” and pay for the purchases. ICO advises that it would not be acceptable to use cookies without consent simply to make the presentation of the website more attractive or collect statistics about the use of the website.
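One way a website could operationalize the distinction ICO draws above, as an added example that is not from the original post and not ICO's own guidance: a small JavaScript layer that maps every cookie the site sets to a purpose category, lets only strictly necessary cookies (the shopping-basket kind) through until the visitor has chosen, stores that choice in a consent cookie (the once-selected "setting" remembered for later visits), and purges cookies whose category the visitor later withdraws. The cookie names, categories, and the in-memory jar standing in for `document.cookie` are constructed for illustration; in a real page the jar calls would read and write `document.cookie` instead.

```javascript
// Added example: consent-gated cookie handling. Cookie names, categories and
// the in-memory jar are constructed for illustration, not taken from any site.

// Minimal stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value, opts = {}) { this.store.set(name, { value, ...opts }); }
  get(name) { const c = this.store.get(name); return c ? c.value : undefined; }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

// Cookie inventory: every cookie the site may set, with its purpose category.
// Only "necessary" is allowed without consent (constructed entries).
const COOKIE_REGISTRY = {
  session_id: { category: "necessary",   purpose: "keeps the basket across pages" },
  auth_token: { category: "necessary",   purpose: "logged-in session" },
  ui_theme:   { category: "preferences", purpose: "cosmetic presentation choice" },
  site_stats: { category: "analytics",   purpose: "usage statistics" },
  ad_profile: { category: "advertising", purpose: "cross-site behavioural profile" },
};

const CONSENT_COOKIE = "cookie_consent"; // constructed name for the remembered choice

// Returns the categories the visitor has consented to. With no record, only
// "necessary" is allowed; a corrupted record is treated the same way.
function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return { necessary: true };
  try { return { necessary: true, ...JSON.parse(raw) }; }
  catch { return { necessary: true }; }
}

// Remembers the visitor's choice. The consent cookie itself is strictly
// necessary: without it the choice could not be honoured on the next visit.
function recordConsent(jar, choices) {
  jar.set(CONSENT_COOKIE, JSON.stringify(choices),
          { maxAge: 60 * 60 * 24 * 180, sameSite: "Lax", secure: true });
}

// Sets a cookie only if its category is currently consented to.
// Returns true when set, false when blocked; unregistered names are a bug.
function setCookie(jar, name, value) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) throw new Error(`unregistered cookie: ${name}`);
  if (!readConsent(jar)[entry.category]) return false;
  jar.set(name, value, { sameSite: "Lax", secure: true });
  return true;
}

// After a change of choice, delete cookies whose category is no longer allowed.
// Returns the names removed.
function enforceConsent(jar) {
  const consent = readConsent(jar);
  const removed = [];
  for (const name of jar.names()) {
    const entry = COOKIE_REGISTRY[name];
    if (entry && !consent[entry.category]) { jar.delete(name); removed.push(name); }
  }
  return removed;
}

// Walks through a visit: no consent yet, then opt-in, then partial withdrawal.
function demo() {
  const jar = new CookieJar();
  const before = { basket: setCookie(jar, "session_id", "s1"),
                   ads: setCookie(jar, "ad_profile", "p1") };
  recordConsent(jar, { analytics: true, advertising: true });
  const after = { ads: setCookie(jar, "ad_profile", "p1"),
                  theme: setCookie(jar, "ui_theme", "dark") };
  recordConsent(jar, { analytics: true, advertising: false });
  const removed = enforceConsent(jar);
  return { before, after, removed, remaining: jar.names() };
}

console.log(JSON.stringify(demo(), null, 2));
```

The registry doubles as the cookie inventory a privacy policy has to describe, and `setCookie` refusing unregistered names means a new cookie cannot quietly appear without being classified first. Third-party cookies set by an ad network's own script are outside this layer's reach; for those the page's observation stands that the arrangement has to be made contractually with the network.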

Implications for Website Operators

  • Websites hosted in Europe are clearly subject to the new rules as they are implemented in each country this year. Data protection authorities and courts in some European countries may also assert that websites hosted elsewhere but targeting European residents should conform to the new cookie rules. When a company offers a UK or EU version of a website, for example, it may be required (or at least expected by users) to follow the EU rules.
  • The trend toward requiring fuller disclosure and explicit consent, especially for behavioral tracking, is likely to be seen in the US as well, as suggested by the Federal Trade Commission’s December 2010 report on consumer privacy.
  • Website operators should stay abreast of official interpretations and enforcement policies, such as those promised by ICO, that may offer more detailed guidance on cookie notices and consent mechanisms.
  • It’s a good time to inventory your organization’s cookie practices, make sure they are fully disclosed in website privacy policies, and consider how to operationalize express consent requirements in Europe. Watch how popular commercial websites in the UK adapt to the new rules. (Right now, even the privacy policy on ICO’s website would be inadequate!)
  • Contracts with third-party advertisers, advertising networks, providers of website and browsing statistics, and business partners involved in co-branded websites should clearly delineate who is responsible for providing cookie notices and obtaining (and preserving evidence of) consent where required.

Electronic Signatures Come of Age: From Elections to Commerce and Beyond

Yesterday, the Utah Supreme Court, interpreting Utah's version of the Uniform Electronic Transactions Act (UETA), held that electronic "signatures" gathered through the website of an independent candidate for Utah state governor are valid to put the candidate's name on Utah's November ballot (see the court's opinion). The court's decision is a huge step forward in recognizing the legal efficacy of electronic signatures, and it may reverberate around the nation.

UETA and ESIGN

Legislatures in 47 states have enacted a version of the UETA aimed at achieving the speed, efficiency and cost benefits that can be realized through electronic legal, business, commercial and governmental transactions, while assuring reliability and authenticity (see Wikipedia on UETA). Congress has enacted the Electronic Signatures in Global and National Commerce Act (ESIGN) with similar goals for interstate and international commerce (see Wikipedia on ESIGN). The Utah decision yesterday is one of the most detailed UETA decisions in the country, and appears to be the first to apply UETA to state or federal election law.

UETA and ESIGN are rare examples of law leading technology. States began enacting UETA in 1999, and ESIGN was adopted in 2000. Few technology systems existed at the time that met the reliability requirements of the statutes. The technology has been catching up to the law ever since. UETA is intended to remove barriers to electronic commerce by defining acceptable electronic recording standards to assure the authenticity and integrity of the electronic communications, electronic signatures and electronic storage.

Authenticity of Signatures over the Internet

The Internet, including blogs and social networks such as Facebook and Twitter, is changing the economics of mass communication, allowing messages to find an audience more because of the power of the message than the wealth of the person sending the message. This leveled power of communication is affecting all human interaction around the world. As applied to commercial and legal transactions, including elections, a critical issue in Internet communication is how to authenticate the person to make sure that the person is who he purports to be and to make sure that his apparent expression of intention is real and reliable. The increasing percentage of commerce done electronically shows that people are becoming more and more confident in the reliability of Internet commerce.

The Utah Case

But courts, companies and individuals have been slow to implement the available state (UETA) and federal (ESIGN) legislation aimed at encouraging and validating electronic commerce and electronic signatures. Yesterday's opinion by the Utah Supreme Court will help change that.

Farley Anderson wants to run for governor of Utah without affiliating with a major political party. Anderson collected the minimum 1,000 signatures consisting both of pen-and-paper signatures and of electronic messages to his website announcing his candidacy. Anderson tendered these paper and electronic signatures to the county clerks for the counties in which the signers live, and the county clerks certified that Anderson had obtained more than the minimum number of valid signatures if both the paper and the electronic signatures were counted. The Utah Lieutenant Governor, Gregg Bell, however, rejected all of the electronic signatures as invalid under Utah election law, and held that Anderson had therefore not qualified to have his name placed on the November ballots.

Relying heavily on Utah's version of UETA, the Utah Supreme Court held that the web-based communications that Anderson gathered constituted "signatures" within the meaning of the state statute setting the number of signatures required to get on the state November ballot.

Impact of Anderson Around the Nation

The Utah decision resolved many of the fundamental issues presented by UETA, and resolved them in a way that energizes UETA. UETA will have a broader application in states that follow Anderson than most commentators would have predicted.

"Transaction"

For example, UETA applies to transactions between two or more persons who agree that all or part of the transaction can be consummated and/or recorded electronically. A "transaction" is "an action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs." "Transactions" specifically include real estate and real estate recording transactions. UETA applies to most of the instruments used in real estate transactions, such as liens, deeds, mortgages, affidavits, non-testamentary trusts and notes, but "does not apply to a transaction to the extent it is governed by: (1) a law governing the creation and execution of wills, codicils, or testamentary trusts" and certain transactions under the Uniform Commercial Code. Lt. Governor Bell interpreted "transaction" as not including Anderson's method of acquiring signatures. The court disagreed. It held that the foregoing four exceptions (wills, codicils, testamentary trusts and certain UCC transactions) are narrow, and that by implication UETA applies to a broad range of transactions, including elections.

Purpose: Facilitating Electronic Transactions

UETA provides that the act must be construed and applied (1) to facilitate electronic transactions consistent with other applicable law; (2) to be consistent with reasonable practices concerning electronic transactions and with the continued expansion of those practices; and (3) to effectuate its general purpose to make uniform the law with respect to the subject of this Act among States enacting it. UETA provides that, in general, the same deference given to tangible media such as paper should be extended to intangible media that are capable of storing, transmitting and reproducing information in human perceivable form. The Utah Supreme Court recognized that the policies sought to be advanced by UETA suggest that close questions will be resolved in favor of validating electronic recording.

State Agency Exemptions

Lt. Governor Bell argued that UETA allows governmental agencies to reject the use of electronic signatures. The Utah Supreme Court interpreted the language that Bell relied upon ("a state agency may ... make rules that identify specific transactions that the agency will never conduct by electronic means") narrowly. The court held that a state agency could exempt transactions that otherwise would be governed by UETA only if the agency complied with detailed rulemaking requirements.

Agreement to Electronic Transaction

UETA “applies only to transactions between parties each of which has agreed to conduct transactions by electronic means. Whether the parties agree to conduct a transaction by electronic means is determined from the context and surrounding circumstances, including the parties' conduct.” Lt. Bell argued that the "transaction" in question was between him as the chief election officer of the state and Anderson, and that the electronic transaction was invalid because Bell had not agreed with Anderson to conduct the transaction by electronic means. The court rejected this argument and held that the parties whose consent was needed were the nominee-hopeful and persons who signed the petition. Since Bell was not a party to the transaction whose authenticity was at issue, Bell's consent was irrelevant.

Preventing Fraud

Lt. Bell's final argument was that good ol' tactile paper is just plain more reliable than ephemeral electrons. The Utah Supreme Court's reaction to this is worth quoting:

The Lt. Governor ... contends that electronic signatures attached to a certificate of nomination lack 'apparent authority' as genuine signatures. This position is based on a theory that a holographic signature is self-authenticating because the reviewing party may merely look at the signature and see that someone put pen to paper to sign their name. In contrast, an electronic signature lacks apparent authority, because it appears as a typed list of names.... We are unpersuaded that an electronic signature presents special concerns regarding candidate fraud; a candidate could as easily handwrite or type fraudulent names onto a certificate of nomination.

Moreover, electronic signatures may be a better deterrent to candidate fraud because an electronic signature incorporates readily verifiable personal, but non-public, information. For instance, the signors of Mr. Anderson's petition apparently had to enter a security code that corresponds to the last four digits of their driver's license number before their signature would be counted.

Conclusion

Even advocates of electronic signatures and electronic commerce will be surprised that electronic signatures have been accepted in what might have seemed the most unlikely of contexts -- in validating signatures for nominating a candidate in a public election. The Anderson opinion is an important development in recognizing and interpreting UETA and in the march toward the expanded use and understanding of digital transactions.

Welcome! The InformationLawGroup is Here

We are thrilled to announce the official launch of the InformationLawGroup

The InformationLawGroup is a group of attorneys who love the law and technology. We concentrate on legal issues concerning privacy, data security, information technology, e-commerce and intellectual property. We are a full-service firm addressing a broad spectrum of matters, including transactions, compliance, breach notice and incident response, and litigation.

We come together today after many years in large law firms and in-house roles. We are seasoned attorneys, including former “BigLaw” lawyers, smaller practitioners with clearly defined expertise and reputation in the field, and former in-house lawyers with specific information law experience and talent. These factors result in greatly increased efficiency and better results at a significantly lower price for the firm’s clients.

So who are we?  Read more after the jump.

Tanya Forsheit

Litigation is my first professional love, and privacy and data security are a close second. Prior to founding the InformationLawGroup, I was the Co-Chair of Proskauer Rose LLP’s Privacy and Data Security practice group, where I launched the firm’s Privacy Law Blog in 2007. I work with clients to address legal requirements and best practices for protecting customer and employee information. I also have extensive experience handling complex commercial and appellate litigation for corporate and individual clients before federal and state courts. In 2009, I was honored to be named one of the Daily Journal’s Top 100 women litigators in California. I am First Vice President of the Women Lawyers Association of Los Angeles, I sit on the Executive Committee of the Los Angeles County Bar Association Entertainment and Intellectual Property Section, and I am co-chair of the American Bar Association’s Information Security Committee Cloud Computing Law Working Group.

David Navetta

Dave has over 12 years of legal experience, including in the areas of information security and privacy contract and policy drafting, breach notice legal services, risk management consulting and regulatory compliance. Prior to starting his own firm, InfoSecCompliance LLC, in 2005, he worked as an assistant general counsel for a major insurer’s eBusiness risk group, where he analyzed and forecasted information security, privacy and technology risks and drafted policies to cover such risks. He was a litigator at the Chicago office of an international law firm prior to going in-house. He currently serves as a Co-Chair of the ABA’s Information Security Committee, and is also Co-Chair of the PCI Legal Risk and Liability Working Group. Dave is now working on a book concerning PCI contracting.

Scott Blackmer

Scott has practiced information technology law since 1982. He has been listed in several peer-reviewed directories of prominent IT lawyers, including the Legal Media Group’s Guide to the World’s Leading Technology, Media & Telecommunications Lawyers. Formerly a partner in the Washington, D.C., and Brussels offices of WilmerHale, Scott serves on the executive management team of the First Law International legal network in Brussels. He also consults on privacy, data protection and security issues in association with HR Privacy Solutions in New York and Jeitosa Group International in San Francisco. He also serves as general counsel to the Trusted Computing Group, XDI.org, and the OpenID Foundation, and he counsels other industry associations, corporations and entrepreneurs. He has advised federal and state agencies as well as the European Commission on privacy and security issues, and he currently serves as a privacy advisor to the U.S. Social Security Administration. Scott also arbitrates Internet domain name disputes brought before the World Intellectual Property Organization (WIPO) in Geneva. Over his long career, he has worked on transactions and licensing, compliance issues, litigation, and arbitration matters in over 100 countries.

All three of us frequently speak and write on privacy and data security issues. Dave and I are both Certified Information Privacy Professionals through the International Association of Privacy Professionals.

We have successfully served a diverse range of clients: from large Fortune 500 multinationals and name-brand traditional brick-and-mortar companies, to small start-ups and technology service providers. Our law practice uses an integrated approach combining technology and administrative controls, legal compliance, contractual vendor management and risk.

We look forward to meeting you soon!