The online world is nervously awaiting the outcome of the debate in the Dutch parliament about the new telecommunication law. It will have a major impact on how data in the online world is collected, shared, traded and matched. In 2009 the European Parliament passed a Directive which requires businesses to obtain the consent of a consumer (i.e. consumers must actively opt in) in order to store or access information on his or her computer. For online businesses this means uncertainty, because exactly how each member state will enforce this law in 2011 is left to the discretion of their national authorities.
The Interactive Advertising Bureau (IAB), on behalf of online businesses, has been lobbying heavily for a practical interpretation of this directive and has been successful in convincing the politicians to adopt the view that self-regulation by the industry is better than regulation by the state. Last week OPTA, the regulator of the telecommunication law, dropped a bomb by publishing a report that stated that current practices in online advertising are already unlawful. This triggered a very angry reaction by the IAB in an open letter to parliament.
A fight has broken out between the self-regulatory body of the industry (IAB) and the regulator (OPTA), for the hearts and minds of our politicians and the public (you).
The issue at hand is very complex and confusing. By breaking the discussion down into three different aspects I want to try to untangle the confusion and bring some insight into what is going on here:
- Discussion on the practical implementation
- Discussion on online privacy
- Discussion on regulation: Self versus State
Part 1 Discussion on the practical implementation
The principle behind the EU directive is that a computer is personal property and that access to this property is at the discretion of the owner. That is why the EU decided that there should be a law stating that storing or accessing information on a computer without the owner knowing or agreeing to it is forbidden. It is important to understand that the EU, when stating this principle, was not thinking about cookies but was mostly concerned with spyware and other malware that is stored on your computer without you knowing about it. Clearly nobody can disagree with this principle, so far so good.
But then the confusion started: what about cookies? Cookies are stored on your computer without your consent, so the Directive implies that this is going to be forbidden. Funnily enough the debate is now completely focused on cookies and we are even calling it the ‘cookie law’. We do not need a big debate about whether secret spyware should be illegal, but you can argue that there is nothing wrong with the regular use of cookies.
So what are we trying to make illegal and why exactly?
This question has brought a completely new dimension into the discussion, which has to do with online privacy. The online privacy discussion will be untangled in the next post. What we will discuss here are the practicalities of asking for consent whenever you drop a cookie.
Cookies are used for lots of things, most of which make surfing the web easier. It is convenient if a site remembers who you are, learns from your preferences and gives you relevant content. The Dutch Consumer Authority did a test, and some of the Dutch websites are real cookie monsters. In visiting 27 websites a staggering total of 541 cookies were dropped. Tvgids.nl was the winner with 71 cookies placed in one visit.
So here is the practical issue in your face: how can you inform a consumer about the cookie and ask for consent without completely ruining the smooth experience made possible by the same cookies?
So if cookies make our lives easier and the practical implementation around the required consent is impractical, why not make an exception for cookies? Well, cookies were originally used to facilitate browser-server interaction, but lately, driven by the advertising industry, they are used for other purposes; e.g. advertising management, profiling, tracking, etc. As said, the online privacy discussion is for the next part. For now it is important to understand that the possibilities to misuse cookies both exist and are being exploited.
So how can we make easy use of good cookies and avoid the bad cookies?
OPTA argues that we therefore should distinguish between first party cookies (‘good cookies’) and third party cookies (‘bad cookies’). First party cookies are most commonly used for convenience and third party cookies mostly for ad networks. This distinction, I think, is confusing the debate. First of all, both types are used for all purposes. Secondly, I am not convinced that all ad networks are bad, which this argument implies. Moreover, the information connected to first party cookies is often more sensitive (e.g. credit card details). What if a bad website drops a first party cookie? So this distinction does not make sense in the discussion and will only make things unnecessarily complex. As promised, I will try to keep it simple, so let’s ignore the complex cookie family and stick to cookies in general, whatever the type (first/third party cookies, flash cookies, session cookies, persistent cookies, whatever).
The debate is simply how to practically implement the requirement for consent around cookies, nothing more or less. A pop-up before a cookie is dropped is clearly impractical and just annoying. Most member states, including the Netherlands, are therefore looking for a browser based solution. In practice this would mean that by allowing cookies through your browser settings, the required consent is given by default. It looks like a simple and elegant solution, but of course it is not as simple as that.
First of all, with this solution nothing will change. We can already allow or disallow cookies via browser settings, so how will this enhance the protection of the user from bad cookies? Secondly, this is a rather indiscriminate measure: you either allow or disallow cookies, so you are basically throwing away the good cookies with the bad cookies.
So the big browsers (Internet Explorer, Firefox, Chrome) have come up with new features to address this. These features will allow the user to accept or reject cookies from certain networks or parties using blacklists or other solutions. They can also allow the user to accept cookies but not be tracked by ad networks.
The problem with this solution is that different browsers have different solutions, so the way the law is enforced depends on the type of browser you use. I am not a lawyer, but that seems like a legal novelty. Would that also mean that browsers without these features are illegal? Probably not. The other legal issue here is the meaning of the words explicit consent. There are legal experts who are saying that this interpretation of the meaning of consent sets a dangerous precedent for other areas where apparently consent can be given implicitly.
Lastly and most importantly, and here I can violently agree with the OPTA report, the average consumer currently lacks the understanding and knowledge to appropriately configure the browser settings to protect against bad cookies.
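To make the first/third party distinction and the two browser approaches concrete, here is an added example (not from the original post) that classifies a constructed set of cookie observations and then applies the coarse allow-all/block-all setting beside a per-network blocklist. The hosts are hypothetical, and the site-matching is simplified to the last two domain labels (no public suffix list), which is an assumption made for brevity.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class CookieObservation:
    page_host: str            # host of the page the user navigated to
    setter_host: str          # host of the response that sent Set-Cookie
    name: str
    max_age: Optional[int]    # None -> session cookie; otherwise persistent

def site_of(host: str) -> str:
    """Registrable domain, simplified to the last two labels (assumption: no eTLD list)."""
    return ".".join(host.lower().split(".")[-2:])

def party(obs: CookieObservation) -> str:
    # A cookie is first party when the setter belongs to the same site as the page.
    return "first" if site_of(obs.page_host) == site_of(obs.setter_host) else "third"

def persistence(obs: CookieObservation) -> str:
    return "session" if obs.max_age is None else "persistent"

def classify(observations: List[CookieObservation]) -> List[Tuple[str, str, str]]:
    return [(o.name, party(o), persistence(o)) for o in observations]

def apply_policy(observations: List[CookieObservation], policy: str,
                 blocklist: frozenset = frozenset()) -> List[str]:
    """'allow-all' and 'block-all' model the old browser switch; 'blocklist' models
    the newer per-network feature. Returns the names of cookies that survive."""
    kept = []
    for o in observations:
        if policy == "block-all":
            continue
        if policy == "blocklist" and party(o) == "third" \
                and site_of(o.setter_host) in blocklist:
            continue
        kept.append(o.name)
    return kept

# Constructed sample: one news site visit that embeds an ad network, plus a direct
# visit to the ad network's own site. Hostnames are hypothetical.
SAMPLE = [
    CookieObservation("www.example-news.nl", "www.example-news.nl", "sessionid", None),
    CookieObservation("www.example-news.nl", "www.example-news.nl", "prefs", 30 * 24 * 3600),
    CookieObservation("www.example-news.nl", "ads.example-adnet.com", "uid", 365 * 24 * 3600),
    # The very same ad-network cookie is first party when its own site is visited.
    CookieObservation("www.example-adnet.com", "ads.example-adnet.com", "uid", 365 * 24 * 3600),
]
```

Running `classify(SAMPLE)` shows the same `uid` cookie labelled third party on the news site and first party on the ad network's own site, while `apply_policy(SAMPLE, "block-all")` discards the convenience cookies along with the tracking one.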
What will the consumer do with these new features?
If they do not really understand, will they just disallow all cookies by default? If they do not understand, and maybe do not care, will they just allow all cookies out of ignorance? Can they truly discriminate between bad and good? And if not, who will do that for them, for what reasons and with what moral authority?
The discussion is not about the principle but about the practical implementation.
Following the discussions now for months, I haven’t come across a reasonable alternative to the browser based solution (please let me know if I have missed something). So maybe it’s the least bad option? The industry, through the IAB, has therefore come up with some self-regulatory solutions which are interesting and which I will explore in the third post. But before we do, I will cover the online privacy angle of the big cookie debate in the next post.
To be continued.
Go to Part 2: How personal is your computer?