A round-up of developments

Transcription

1 IT & Outsourcing - May 2012 IT & Outsourcing - May 2012 A round-up of developments Share with a colleague SAS Institute v World Programming: When does copying not breach copyright? Cookie law enforcement: Coming soon to a website near you! HRH communicates intentions for a Communications Data Bill Oracle v UsedSoft: exhausting the sale of second-hand software licences? Pillage No More: Pirate Bay Shark Bait for Arnold J's Locker 1. SAS Institute v World Programming: When does copying not breach copyright? In the case of SAS Institute v World Programming Limited, the Court of Justice of the European Union (the "CJEU") has considered the limited extent to which certain elements of a computer program enjoy copyright protection. Background SAS Institute developed software which enabled users to write and run their own application programs, using a language proprietary to the SAS System (the "SAS Language"). WPL perceived that there was a market demand for alternative software capable of executing application programs written in the SAS Language, and produced the 'World Programming System' ("WPS"), designed to enable users of the SAS System to run the scripts which they have developed for use with the SAS System on WPS. To write WPS, WPL purchased a licence to the SAS System, which included the SAS manual and systematically used and observed the software in order to replicate its functionality. At no time did WPS have access to the source code of the SAS software components, either directly or through decompilation. SAS sued WPL for infringement of copyright: in the manuals to the SAS System (both through writing the WPS code and also by writing the WPS manual); and in the source code of the SAS System by WPL indirectly copying the SAS components by reference to the SAS manual. SAS also claimed that by making such use of its program during development of the WPS, WPL had breached the terms of its licence. 24 May 2012 Contact Mark Turner Partner Nick Pantlin Partner Miriam Everett Professional support lawyer Related links Herbert Smith website Herbert Smith TMT homepage Herbert Smith TMT publications Herbert Smith publications Herbert Smith news The case was referred by the English High Court to the CJEU regarding the interpretation of the Software Directive and the extent of copyright protection in computer programs. The CJEU decision The CJEU published its judgment in the case, finding that: Copyright would protect only the expression of the idea behind the computer program, and that this expression was only to be found in the source or object code of the program, or in the choice, sequence and combination of words, figures and mathematical concepts embodied within it. Neither the functionality of a computer program, the programming language itself, nor the format of the program's data files, were sufficient expressions of an idea to attract copyright protection. If the functionality of a computer program were protected, then it would amount to making it possible to monopolise ideas, to the detriment of technological progress Page 1

2 IT & Outsourcing - May 2012 IT & Outsourcing - May 2012 and industrial development. It was legitimate for the purchaser of a software licence to observe, study and test the operation of the licensed software to deduce the ideas and principles behind it (so they could be copied). Any contractual terms, for example in a licence agreement, which seek to prevent such studying and observing, are automatically unenforceable. However, there could be copyright infringement of a user manual to the extent that the new program and its accompanying manual copy elements of the original program's manual which are the 'intellectual creation' of the author. The Court did not consider that "keywords, syntax, commands and combinations of commands, options, defaults and iterations consisting of words, figures or mathematical concepts", on their own would be sufficient "intellectual creations" to attract copyright, but the "choice, sequence and combination of those words, figures or mathematical concepts" could be protectable. It would be for the national courts to decide whether this was the case on the particular facts. Business Impact This is an important case for the software industry. Software developers and rights holders will be concerned that the judgment clearly limits the extent to which they are able to protect their computer programs and bring claims for copyright infringement. It is now clear that copyright owners cannot prevent a licensee from observing, studying and testing their computer program in order to produce a program which has similar functionality. An infringement of copyright will only occur when a substantial part of the source code or object code has been copied. Software developers may therefore wish to consider whether other forms of intellectual property could apply to their software. For example, in some circumstances patent protection could be available. Further clarification on the issue of copyright in program manuals will be gained once the English High Court gives its judgment on that issue. Please click here to view our more detailed IP Newsflash regarding this case and here to view a copy of the CJEU judgment. 2. Cookie law enforcement: Coming soon to a website near you! In May 2011, the EU reforms to the eprivacy Directive were implemented into UK law. One of the key changes to the existing law was a requirement for organisations to get consent from end users in order to use cookies on their websites. At the time, the UK regulator, the Information Commissioner, announced he would grant a 12 month enforcement moratorium to allow businesses to achieve compliance (i.e. until 26 May 2012). At its simplest, a cookie is a string of data (usually letters and numbers) which, by being stored on a particular device accessing a website, functions as a unique identifier for it. Cookies are responsible for much of the website functionality that is both popular and taken for granted. For example, cookies can save users the time and trouble of re-entering site preferences or delivery addresses every time they access a favourite site. Cookies can be used for various (and sometimes multiple) purposes, but they can broadly be categorised as: Targeting or advertising cookies these might be used to deliver targeted advertising to users based on their previous browsing habits Functionality cookies these might be used to recognise a user when he or she returns to a website Performance cookies these might be used to monitor traffic across different pages of a website to report on visitor numbers and popular pages Strictly necessary cookies these include cookies that enable users to log into secure areas of a website or use a shopping cart Current Position The amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force in the UK on 26 May However, as mentioned above, at the time, the UK Information Commissioner granted a one year moratorium on enforcement of these new rules in order to allow organisations the opportunity to develop compliance strategies to address this Page 2

3 IT & Outsourcing - May 2012 IT & Outsourcing - May 2012 challenging change. During this "grace period", the Information Commissioner's Office (the "ICO") has been encouraging organisations to: (i) check which cookies and similar technologies are being used and how; (ii) assess how intrusive the use is and prioritise compliance efforts, starting with the most intrusive; and (iii) decide which solution for providing clear and comprehensive information and obtaining consent will be best in the circumstances. The moratorium on enforcement expires on 26 May From that date, the ICO may exercise a range of regulatory powers at its disposal in relation to breaches of the new rules, including Enforcement Notices, Information Notices, and fines (Monetary Penalty Notices) of up to 500,000. What's Next? Every website is unique and standard solutions are therefore unlikely to exist. To assist, the ICO has committed to updating its formal guidance with practical illustrations as it becomes aware of more examples of compliance solutions. However, UK organisations with a website using cookies or similar technologies should be considering their compliance strategy now. In addition, the new requirement originates from an EU Directive and so organisations with a European web presence will also need to have a compliance strategy covering the EU, where the rules are being implemented on a country by country basis. So far only a small number of Member States have implemented the rules, including France and the Netherlands. Click here for a copy of our recent PLC article on the Cookie Rules. 3. HRH communicates plans for a Communications Data Bill The Government's Draft Communications Data Bill was introduced in the recent Queen's speech as "measures to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to the scrutiny of draft clauses". The purpose of the draft bill would, according to the speech, be to protect the public by ensuring that law enforcement agencies and others continue to have access to communications data so that they can bring offenders to justice. Key elements from the draft bill include: Communications data is information about a communication, not the communication itself (i.e. not the content of the communication). Communications data includes the time and duration of the communication, the telephone number or address which has been contacted and sometimes the location of the originator of the communication. The legislation would establish an updated framework for the collection and retention of communications data by communications service providers to ensure communications data remains available to law enforcement and other authorised public authorities. The legislation would establish an updated framework to facilitate the lawful, efficient and effective obtaining of communications data by authorised public authorities including law enforcement and intelligence agencies. The legislation would establish strict safeguards including a 12 month limit on the length of time for which communications data may be retained by communications service providers, and measures to protect the data from unauthorised access or disclosure. The finer details of the bill are still to be clarified, such as the circumstances under which the authorities will be able to access such data. However, the proposals have been the subject of criticism and scrutiny due to their potential scope and data protection/privacy issues. A statement from the Information Commissioner's Office stated: "We are waiting to see the detail of what is proposed, including any role envisaged for the Information Commissioner. It remains our position that the case for this proposal still has to be made, and we shall expect to see strong and convincing safeguards and limitations to accompany the Bill". Click here for a copy of the Queen's Speech Briefing Notes. Page 3

4 IT & Outsourcing - May 2012 IT & Outsourcing - May Oracle v UsedSoft: Exhausting the sale of second-hand software licences? The European Advocate-General Yves Bot has given his opinion on a case between Oracle and UsedSoft in relation to the resale of computer software licences. In the case, UsedSoft resold Oracle software licences. Oracle brought proceedings against the company, arguing that its resale of these pre-owned licences for downloadable Oracle software amounted to a breach of Oracle's copyright. Under Article 4(1) of the Software Directive (2009/24/EC), the owner of copyright in a computer program has an exclusive right over distribution to the public, although this protection is 'exhausted' following the first authorised sale of the program within the EU. UsedSoft argued in its defence that this principle of exhaustion meant that its practices of reselling second-hand software licences did not amount to a breach of Oracle's copyright. In response, Oracle maintained that the principle of exhaustion did not apply, because Oracle's customers had only been granted a right to download its software from the internet, rather than being sold a tangible object. In his opinion, Advocate-General Bot concluded that the grant of a licence to download software is sufficient to exhaust the exclusive right to redistribution of that software. As such, the resale of a copy of computer software would be permissible, regardless of whether the software was first sold on a CD-ROM or was downloaded from the internet. However, he also noted that the principle of exhaustion does not extend to the right to reproduce a computer program. This means that the resale of a user licence, which essentially gives the right to create further copies of the software by downloading it from the internet, could still amount to a breach of copyright. Although the Advocate-General's opinion is not legally binding on the European Court of Justice, such opinions are generally followed by that court. If the European court adopts the Advocate-General's opinion in its judgment (due later this year), the result could have serious implications for the market in used software licences, as well as restricting the ability of software developers to prevent the onward sale of copies of their software. Click here for a copy of the Advocate General's opinion. 5. Pillage No More: Pirate Bay shark bait for Arnold J's locker In the case of Dramatico Entertainment Ltd and others v British Sky Broadcasting Ltd and others, High Court judge Arnold J has granted injunctions ordering five of the UK's six largest internet service providers ("ISPs") to block access to the Pirate Bay website. In July 2011, the British Recorded Music Industry ("BPI") asked Pirate Bay, a website that enables users to search for and download copyrighted films, music and software from each other, to remove content that infringed its members' copyright. The Pirate Bay did not respond. The BPI then asked the ISPs to voluntarily block access to the Pirate Bay website. The ISPs refused such a request. Subsequently, BPI brought an action in the High Court claiming that the copyright of its members had been infringed by the Pirate Bay. The Pirate Bay's defenders argued that, like Google, the Pirate Bay did not actually host the copyrighted material. However, in that case, Arnold J found that the Pirate Bay was nonetheless guilty of copyright infringement because it actively encouraged illegal file-sharing. In its latest action, the BPI has successfully sought an injunction under the Copyright, Designs and Patents Act 1988 ("CDPA") forcing ISPs to block access to the Pirate Bay website. To get an injunction under the CDPA, BPI had to show that the ISPs had actual knowledge of the Pirate Bay's copyright infringements. Arnold J determined that the ISPs had such knowledge because of the notifications they had received from BPI. As part of his decision, Arnold J also considered whether or not the injunction was "proportionate." He felt that the order was necessary to protect the rights of BPI's members and that those rights outweighed the Article 10 (Freedom of Expression) rights of the users and operators of the Pirate Bay website. Representatives of the music and film industries have welcomed Arnold J's Page 4

5 IT & Outsourcing - May 2012 IT & Outsourcing - May 2012 judgement as a victory for rights holders against online copyright infringement. By contrast, the Open Rights Group has voiced its fears that blocking the website will lead to calls for further and more drastic internet censorship. However, it will interesting to see what impact, if any, this type of judgment will have on the revised "Initial Obligations Code" under the Digital Economy Act, which the Government has recently announced is expected to be published in June. Click here for a copy of the judgment. Subscribe to other publications update my details To unsubscribe from this e-bulletin, please click here. The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication. Herbert Smith LLP 2012 This message is sent by Herbert Smith LLP, Exchange House, Primrose Street, London EC2A 2HS, United Kingdom, Tel: :Exchange House, Primrose Street, London EC2A 2HS, United Kingdom, Page 5

6 ingement in computer software - Andrew Moir and Heather Newton copyright infringement in computer software - Andre Copyright infringement in computer software: Access to the code is the key Share with a colleague 17 May 2012 London The CJEU has recently delivered its decision in C-406/10 SAS Institute v World Programming Ltd, answering questions posed by the English court on the extent to which computer software is protected by copyright under the Software Directive, in particular in relation to functionality and the extent of rights under a licence to use. Summary The decision concerned software written by SAS Institute which implemented a programming language which enabled users of that language to carry out a wide range of data processing and analysis tasks, based on data stored in files in a proprietary format. WPL wrote its own software to emulate that programming language and the underlying structure of the data files, so that scripts written for SAS could also execute on WPL s software. The CJEU found that copyright would protect only the expression of the idea behind the software, and that this expression was only to be found in the source or object code of the program, or in the choice, sequence and combination of words, figures and mathematical concepts embodied within it. The court did not consider that the functionality, the programming language itself, or the format of data files of the software were sufficient expressions of an idea to attract copyright protection. Contact Andrew Moir Partner Heather Newton Senior Associate Related links Herbert Smith website Herbert Smith IP homepage Herbert Smith IP publications Herbert Smith publications Herbert Smith news In the court's view, if the functionality were protected, then it would amount to making it possible to monopolise ideas, to the detriment of technological progress and industrial development. Further, it was legitimate for the purchaser of a licence to observe, study and test the operation of the licensed software to deduce the ideas and principles behind it (so they could be copied). A licence to use the underlying software entitles the licensee to load and run the program to observe, study or test the functioning of the program to determine the ideas and principles which underlie it, notwithstanding any term in the licence to the contrary. However, the software program manual could attract copyright protection and it was possible that the new program written by the licensee (or the manual which would accompany it) may infringe that copyright. Whilst the court did not consider that the keywords, syntax, commands and combinations of commands, options, defaults and iterations consist of words, figures or mathematical concepts which on their own could attract copyright protection, the the choice, sequence and combination of those words, figures or mathematical concepts could be protectable. It would be for the national courts to decide whether this was the case on the particular facts. Business impact Page 1

7 ingement in computer software - Andrew Moir and Heather Newton copyright infringement in computer software - Andre This decision clarifies a "grey area" in the protection of computer programs, but is unlikely to please software developers. To protect computer programs, copyright owners will now need to focus on whether there has been access to either the source code or the object code of the program. A licensee simply replicating functionality is, by itself, not sufficient for infringement. Copyright owners may take some limited comfort from the court's comments on copyright in the manual. However, it will not be clear how this is to be applied until the English court gives its decision on those aspects of the case. In particular, the fact that SAS s software was implementing a programming language (the underlying operation of which would necessarily be described in the manual to allow users to understand the language in order to write their own scripts) may mean that SAS is afforded more protection in this regard than other types of software where such a detailed description is not included in the manual. Software developers should consider whether other forms of intellectual property could apply to their software. For example in some circumstances patent protection could be available. Read More Subscribe to other publications update my details To unsubscribe from this e-bulletin, please click here. The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication. Herbert Smith LLP 2012 This message is sent by Herbert Smith LLP, Exchange House, Primrose Street, London EC2A 2HS, United Kingdom, Tel: :Exchange House, Primrose Street, London EC2A 2HS, United Kingdom, Page 2

8 Compliance for UK cookies The deadline approaches As the Information Commissioner s Office prepares to adopt its new enforcement powers, Kate Brimsted, Mark Turner and Miriam Everett of Herbert Smith LLP consider how to comply with the new rules. The rules on the use of internet cookies and other similar devices changed significantly across the EU as a result of amendments made to the E-Privacy Directive (2002/58/EC). These changes affected practically all businesses with a website, and introduced a requirement to obtain consent from users or subscribers (see Glossary) in order to use cookies. Illustration: Getty Images EU member states were required to implement the changes into their national laws by 25 May The UK government was one of the few member states to meet this deadline by amending the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (the Regulations) with effect from 26 May 2011 (see News brief New electronic communications rules: that s the way the cookie crumbles, ). However, the Information Commissioner s Office (ICO) granted a year s grace period before enforcing the new requirements; this was in recognition of the considerable technical challenges involved in putting the new rules into practical effect. The period expires on 26 May 2012 (26 May deadline). Practical Law Publishing Limited Subscriptions +44 (0)

9 This article: Outlines what a cookie is, and describes the four main types of cookie. Summarises the key regulations. Looks at some of the advice given by the ICO to help organisations achieve compliance before the 26 May deadline. Summarises the industry response so far. Considers the ICO s new enforcement powers. (References to regulations in this article are to specific provisions in the Regulations, unless otherwise indicated.) WHAT IS A COOKIE? At its simplest, a cookie is a string of data (usually letters and numbers) which, by being stored on a particular device accessing a website, functions as a unique identifier for it. Cookies are responsible for much of the website functionality that is both popular and taken for granted, such as saving us the time and trouble of re-entering our preferences or delivery address every time we access a favourite site. Consent requirements Confidentiality of communications Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) provides as follows: 6(1) Subject to paragraph 6(4), a person shall not store or gain access to information stored in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. 6(2) The requirements are that the subscriber or user of that terminal equipment: (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent. 6(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this Regulation that the requirements of paragraph 6(2) are met in respect of the initial use. 6(3A) For the purposes of paragraph 6(2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent. Exemptions Regulation 6(4) provides an exemption for cookies which are used: For the sole purpose of carrying out the transmission of a communication over an electronic communications network; or Where such storage or access is strictly necessary for the provision of an information society service (see Glossary) requested by the subscriber or user. However, because cookies allow a link to be made between the computer and the particular websites visited (as well as a user s behaviour on those websites, to a degree), the use of cookies has potential privacy implications. This is despite the fact that using cookies may not necessarily involve processing directly identifiable information about individuals. It is because of their potential impact on privacy that cookies and other similar technologies come within the remit of the E-Privacy Directive. The rules also apply to similar technologies when used for storing information on terminal equipment such as Local Shared Objects (also known as Flash Cookies ), web beacons or web bugs (including transparent or clear gifs). To the extent that the use of particular cookies involves personally identifiable information, compliance with the Data Protection Act 1998 may also be relevant (however, this is outside the scope of this article). Main uses of cookies Cookies can be used for varied (and sometimes multiple) purposes, but the key uses are set out below. Targeting or advertising cookies. These tend to be served by third parties, rather than by the website being visited, and form the foundation of online behavioural advertising (OBA). Uses include recording that a user has visited a particular website, which suggests which interest segment to assign to that user. That information is then typically shared with third parties, such as advertisers, so that when the user visits websites participating in the same advertising network, the advertisements served will be tailored to interests suggested by the sites previously visited: that is, tailored to the user s online behaviour. Functionality cookies. These are used to recognise a user when he returns to a website; for example, enabling a personalised greeting and remembering a user s choice of language or region to display relevant weather updates or local news stories. Performance cookies. Analytics cookies fall into this category: they might be used to monitor user traffic across 2 Practical Law Publishing Limited Subscriptions +44 (0)

10 the different pages of a website, and to report on the visitor numbers and most popular pages. Strictly necessary cookies. These include cookies that enable users to log into secure areas of a website, use a shopping cart or make use of e-billing services. They are likely to fall within regulation 6(4) and therefore to qualify as exempt for the purpose of the consent and notice requirements in the Regulations (see Exemptions below and box Consent requirements ). These categories are identified by the International Chamber of Commerce UK in their April 2012 guidance on how to approach cookies compliance (see box ICC UK cookie guide ). THE REGULATIONS Regulation 6 sets out the requirements for notice and consent for cookies and other similar technologies (see box Consent requirements ). It also explains that when these requirements have been met once in respect of a particular website, they do not need to be repeated for each subsequent visit by a user. Consent Consent for the purposes of the Regulations must meet the standards of the Data Protection Directive (95/46/EC) and therefore must be a freely given informed and specific indication of an individual s wishes by which he signifies his agreement to personal data relating to him being processed. Under regulation 6(2), an organisation must both provide clear and comprehensive information, and obtain consent, in order to use cookies or similar technologies on its website. There is an obvious overlap between the obligation to provide clear and comprehensive information and obtaining consent because valid consent must be specific and informed. Getting the information provision correct therefore forms the bedrock of obtaining consent. ICC UK cookie guide As well as the Information Commissioner Office s guidance, other organisations such as the Interactive Advertising Bureau and the International Chamber of Commerce UK (ICC UK) have been working on guidance to support organisations trying to meet the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended). In particular, ICC UK published a cookie guide in April 2012 after drawing on expert members (including this firm) to help website operators obtain consent for the use of cookies in an open and transparent way while not disrupting the online environment for both consumers and business ( co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cook ie_guide.pdf). The guide designates four types of cookie (see Main uses of cookies in the main text) and suggests a standard user notice for each type, explaining what those cookies do. Encouraging websites to adopt common (or at least similar) language should make it easier for consumers as they move from site to site to understand why operators want to use cookies. The guide is not prescriptive and, moreover, it is designed to be adapted and used for all manner of solutions. The cookie guide should be seen as a tool to support compliance rather than a guarantee of compliance. In its guidance on the rules on use of cookies and similar technologies (ICO guidance), issued with the ICO s halfterm report on cookies compliance on 13 December 2011, the ICO states that consent must involve some form of communication where the individual knowingly indicates their acceptance ( Consent cannot therefore generally be inferred from lack of response or mere inactivity. It could be indicated by a user clicking on an icon, sending an or subscribing for a service. The difficulty in obtaining valid consent is magnified by the generally low level of consumer understanding of the functions and uses of cookies (a PwC survey commissioned by the Department for Culture, Media and Sport (DCMS) in 2011 showed that over a third of those surveyed did not understand how cookies worked). Consent is not a straightforward concept: the ICO is not prepared to endorse any specific solution and instead advises organisations to adapt their approach depending on the type of cookie being used and the relationship with the users. The ICO guidance sets out a range of options, including pop-up boxes or banners (see box Mechanisms: advantages and disadvantages ). Unfortunately, these mechanisms can irritate website visitors and can be viewed as spoiling or disrupting their online experience. Whose consent is needed? The Regulations refer to obtaining consent from the subscriber or the user. This is likely to be a technical distinction, rather than a practical difficulty. The owner of a website may not be able to differentiate between consent by the subscriber and consent by the user. However, the critical point is for a valid consent to have been provided by either the user or the subscriber. An example where consent might be provided by the subscriber would be via browser settings adopted by an employer on the IT system used by an employee; however, browser settings are largely an option for the future rather than of immediate assistance (see Browser settings below). The ICO recognises the possibility of conflict between the wishes of the user and those of the subscriber (for example, in an employment situation), and acknowledges that there is no simple rule for resolving such conflicts. In practice, the website operator may decide to rely on consent by either the subscriber or the user as being sufficient. Practical Law Publishing Limited Subscriptions +44 (0)

11 Exempt and non-exempt cookies Exempt cookies Non-exempt cookies A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket. Cookies used for analytical purposes such as counting the number of unique visits to a website. Cookies that provide security essential to comply with the seventh data protection principle of the Data Protection Act 1998 for an online banking services activity which the user has requested. First and third party behavioural advertising cookies. Cookies used to help ensure that the content of a website page loads quickly and effectively by distributing the workload across numerous computers. Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored: for example, Welcome back, Bob!. The ICO advises that the key to resolving problems in practice is to ensure information about cookies and mechanisms for making choices are as easily accessible as possible (page 7, ICO guidance). Browser settings According to regulation 6(3A), browser settings could offer a way of indicating consent to the use of cookies. This would work by a user visiting a website which would detect that the user s browser was set up, for example, to allow cookies of types A, B and C, but not of type D (if this was merely the default or factory setting, it would not be sufficient). This would allow the website owner to be confident that it had the user s consent to set cookie types A, B and C, but no consent to set cookie type D. Browser settings are not the panacea that they at first appeared to be. The DCMS has been working with the major browser manufacturers to establish which browser level solutions will be available and when. While they may possibly offer a partial solution in the future, the ICO, the DCMS and the Article 29 Working Party all take the view that most current browser settings are not sophisticated enough for websites to infer that consent has been given to allow a cookie to be set. It would need to be clear that the individual had been prompted to consider their current browser settings, and had either indicated in some way that they were happy with the default, or had decided to change the settings. This approach will inevitably be limited: not everyone accessing websites will do so by using a web browser as they are currently known. It is also worth bearing in mind that, even once a browser with enhanced privacy settings becomes available, not all website visitors will instantly switch to the most upto-date browser. Third party cookies The Regulations do not specify on whom the obligation falls to provide information about cookies and to obtain consent. It can be inferred, however, that a person who operates an online service that sets and uses cookies for its own purposes will be responsible for ensuring that regulation 6(2) is complied with. The position is more complex where a website owner allows a third party to set cookies, or even where the owner sets those cookies using third party functionality. Third party cookies may be the most challenging area in which to achieve compliance according to the ICO guidance; this is of great interest to the OBA community, which relies on cookies to customise advertisements shown to users. In these situations, the ICO considers that both the website owner and the person setting the cookies are responsible for ensuring that users are given clear information about cookies, and for obtaining consent. It is not clear how the responsibility is to be shared in practice. That said, the ICO is likely to be less interested in which of the participants obtains the consent, and more focused on ensuring that valid, well-informed consent has been obtained. Website owners using third party cookies should do everything they can to communicate appropriate information to users to allow them to make informed choices about what will be stored on the devices and how it will be used. It may be easier for the website owner, as the party with the direct contact with users, to obtain consent, and the website owner may also be more likely to receive complaints from users about the use of the cookies set via the website. Regardless of the finer points of interpretation, it is in the interests of both parties to collaborate in order to analyse the purpose of third party cookies, and then agree and delineate responsibilities for informing users and obtaining their consent to them. Timing of consent Initially, as part of the government s attempts to achieve a more pragmatic implementation of the E-Privacy Directive, the DCMS appeared to be indicating that consent did not necessarily have to be obtained before a cookie was downloaded onto a user s device, and could be collected after the event. 4 Practical Law Publishing Limited Subscriptions +44 (0)

12 Mechanisms: advantages and disadvantages Mechanism Pop-up boxes or header bars Advantages Greater certainty that the user has read and consented (limited amount of text to read). May be a common feature for some types of websites. Disadvantages Can spoil the user experience. Requires more complex technical changes to achieve. Terms and conditions (T&Cs) Less disruptive to the user experience. Easy to achieve. Can readily cover consent for broad range of cookies. Less certainty that the cookie information has been read and consented to. Need to make users aware when changing the T&Cs. Settings led (for example, user setting location or language, or otherwise how site should operate) Features led (for example, user choosing to watch video clip) Greater certainty that the user has read and consented. Greater certainty that the user has read and consented. Works best for consent to limited cookie types related to the settings (for example, functionality). Works best for consent to limited cookie types related to the features (for example, functionality). However, this position was not easy to reconcile with the language of the Regulations. The ICO guidance states that setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems. The ICO recognises that this may not be possible for all websites as they are currently configured because, for example, they may automatically set a cookie as soon as they are visited. In such situations, website owners should be able to demonstrate that they are doing as much as possible to reduce the amount of time between setting a cookie and providing a user with information and options. Exemptions The current signs are that the categories of cookies that will be exempt from the Regulations under regulation 6(4) will be narrowly construed. The ICO guidance gives some examples of types of cookies likely to be considered exempt from regulation 6(2), and those which are unlikely to be exempt (see box Exempt and non-exempt cookies ). It is difficult to imagine that many businesses will operate websites that use only exempt cookies. A possible example would be an e-commerce site which provided a shopping cart function but no personalisation, third party advertising or even analytics. Most organisations are required to take steps that will inevitably have some impact on users experience of their website, even if some of the cookies used are strictly necessary and therefore exempt from the regulation 6(2) requirements. ICO ADVICE Acceptable technological compliance options are the subject of ongoing work between the DCMS and industry. Nevertheless, the ICO expects businesses with websites that use cookies to have taken steps by the 26 May deadline to prepare for compliance. The ICO guidance advises organisations to: Check which cookies and similar technologies are being used and how. Assess how intrusive the use is and prioritise compliance efforts, starting with the most intrusive. Decide which solution for providing clear and comprehensive information and obtaining consent will be best in the circumstances. Conducting a cookie audit The purpose of carrying out an audit is to identify and review what cookies are being used by a website, to understand the purposes for their use, and to assess the potential privacy impact they have on users. A review may reveal cookies that have become obsolete and can therefore be removed (see box Checklist for cookie review ). During this fact-finding process it is essential to have a good and clear dialogue between website designers, marketing and commercial representatives, as well as legal input, whether in-house or external. Some businesses have no in-house technical expertise. If they have websites that integrate functionality provided by a third party (for example, quoting Practical Law Publishing Limited Subscriptions +44 (0)

13 engines) and/or have a large number (sometimes several hundred) of websites, it is particularly important to involve all the relevant stakeholders in the process. In addition to uncovering what cookies there are and what purpose they fulfil, it is also useful to understand whether there may be alternatives to privacy intrusive cookies that can still deliver the required functionality (see Privacy intrusiveness below). A website operator should therefore consider whether it needs to involve some or all of the following in the audit: The website designer: to check if the cookies are embedded, for the purpose of efficient technical operation. Checklist for cookie review Cookie ID: ID of the cookie as it appears in the browser cache. Cookie name: label of the cookie. Cookie type: session or persistent (see Glossary). Cookie life: if persistent, how long does the cookie last? Cookie owner: fi rst party or third party. Source domain: domain that the cookie is associated with. Data collected: type of data each cookie collects and whether it links to other information held about users. Purpose: what the cookie is used for. Tracking: does the cookie allow tracking across a number of websites? The website host: to identify if further cookies are being used. The internal IT department: to consider if analytics information is required to optimise performance. The marketing department: to consider if analytics information is required, and whether there are arrangements to display third party advertisements. Corporate communications: to consider if cookies are required for company newsletters or press release sign-ups. HR (recruitment): to check if cookies are required to support online job applications made on the website (for example, via a secure area). Legal advisers (in-house or external). Third parties who provide embedded services (for example, video streaming on the website). Privacy intrusiveness The ICO also encourages assessing the privacy intrusiveness of the cookies used. As an approximate guide, the four broad types of cookies could be thought of as progressively decreasing in intrusiveness: so targeting/advertising cookies being the most intrusive, and strictly necessary cookies being the least (see Main uses of cookies above). Designating cookie categories and linking these with likely levels of intrusiveness is a constructive starting point for analysis. However, it should be kept in mind that there are practical limitations: for example, a cookie may serve several different purposes, not just one, and some may be third party cookies while others may be first party cookies. Assessing the potential intrusiveness of a particular cookie s use can be more of an art than a science. The ICO accepts that intrusiveness is partly a matter of the user s perception but expects organisations to make sensible, good faith judgments in order to direct their compliance efforts. By way of example, a first party session cookie facilitating secure access to part of a website may be unlikely to affect privacy; indeed, it could even qualify as an exempt, strictly necessary cookie and so not even require clear and comprehensive information or consent to be obtained under regulation 6(2). However, a third party persistent cookie that is used to track an individual s internet browsing and search activities across a range of websites has far greater potential intrusiveness as it could enable a fairly detailed profile to be created. In the middle of these two extremes would be a performance cookie, which may be used to analyse website visitor traffic in order to improve the website. The purpose of trying to assess the degree of intrusiveness is that the more intrusive the use of a cookie is, the more priority will need to be given to explaining this to users in order to obtain a meaningful consent. Information to provide Unfortunately, the Regulations do not prescribe what sort of information should be provided, but the ICO recommends that the information should be full and provided in plain and accessible language to allow non-technical users (who generally have a low level of awareness of cookies) to understand clearly what the potential consequences are of agreeing to allow the cookies to operate on their devices. An explanation of how cookies work, the categories and function of cookies used on the site and what that means for the individual user is more likely to meet this requirement than a long detailed list of every cookie used with basic references to their function. 6 Practical Law Publishing Limited Subscriptions +44 (0)

14 Users will generally expect details about use of information about them or their internet usage to be explained in the website s privacy policy, so this will extend to information about cookies. The privacy policy is typically accessible through a link at the bottom of the home page. Measures to bring new cookies information to the attention of users could include: Using different or larger font or colour for the privacy policy link or adding NEW! alongside it. Moving the link from the bottom of the page to somewhere more likely to be noticed: for example, next to a log in link users are likely to be looking at. Changing the link from just privacy policy to cookies and privacy policy, adding a separate cookies policy with a separate link, or adding a link to how we use cookies with some explanatory text behind it. Use of icons or clickable images, which then provide further information similar to the advertising option icon supported by the Interactive Advertising Bureau. In addition, users must have a means of withdrawing consent to cookies. The privacy policy would be a sensible place to communicate how to achieve this to users. RESPONSE SO FAR When the ICO published its half-term report, it said that organisations must try harder to comply with the Regulations and needed to get to work ahead of the 26 May deadline. Over the past year, there has been considerable liaison between the ICO and businesses and organisations trying to comply with the Regulations; these discussions have tended to set a benchmark as to what is technically and commercially achievable. The ICO recognises that complying with the new rules may not be easy, but does expect to see some efforts being made. Glossary First party cookies. Cookies set by the website being visited by the user (the website displayed in the URL window). Information society service. Any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service (Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013)). Persistent cookies. Cookies that persist on the device after the end of a browser session and therefore can allow the preferences or actions of the user to be remembered when the site is revisited. Quoting engine. A software tool that enables multiple queries to be run simultaneously for a range of service providers to support a price comparison service (for example, for insurance quotes). Session cookies. Cookies that expire at the end of a browser session (starting In March 2012, the digital marketing association Econsultancy published the results of a survey of more than 700 e-marketers on their views on the Regulations and any preparatory steps they had taken to comply. Unsurprisingly among e-marketers, there was considerable opposition to the rules on consent (an opt-in in marketing terms) and widespread concern that the opt-in would have a serious impact on online marketing and e-commerce itself; some commentators even said that it would kill e-commerce. A number of respondents reported that they were not intending to take any compliance steps, not just out of defiance of what was felt to be deeply flawed law, but also because to comply would put them out of business (for example, where their business model depended on tracking users online). with the time when a user opens the browser window, and finishing when he exits the browser). Subscriber. The person who has the contract with the service provider giving internet access; this may not necessarily be the same as the user at any given time (for example, the subscriber may be the employer, and the user the employee). Terminal equipment. The device that a cookie is stored on, usually a computer or mobile device; it could also be a games console or internet-enabled TV. Third party cookies. Cookies that are set by a domain which is different from the one being visited by the user, for example, where a third party advertising network sets a cookie for online behavioural advertising purposes. User. The individual using a public electronic communications service: that is, the person using the device to browse the internet. The survey suggested that 54% of respondents had already conducted a cookie audit. It also indicated that e-marketers thought that consumer awareness of cookies was low: only 7% thought that users would understand what cookies are. ICO S ENFORCEMENT POWERS After 26 May 2012, the ICO may exercise a range of regulatory powers at its disposal in relation to breaches of the Regulations, including Enforcement Notices, Information Notices and fines (Monetary Penalty Notices) of up to 500,000. Assessing compliance Initially, if the ICO approaches an organisation about cookie use (perhaps because complaints have been received), and the website has not achieved full compliance with the Regulations, the Practical Law Publishing Limited Subscriptions +44 (0)

15 Related information Links from This article is at user s preferred language, or other preferences necessary to provide the requested service, as exempt from notice and consent. This appears to differ from the ICO s view. Topics Advertising and Marketing Consumer Data Protection E-commerce Practice notes Data protection toolkit Complying with the new cookie regime: practical steps Unfortunately, this appears to be another example of imperfect harmonisation which will need to be accommodated by businesses operating websites across the EU. In practice, this often leads to the highest common denominator approach: the highest prevailing standards imposed by the relevant member states laws being adopted by an organisation. Previous articles EU data protection reforms: less red tape but more housekeeping? (2012) ICO will expect an explanation of why it was not possible to comply in time, a clear timescale for when compliance will be achieved, and specific details of what work is being done to make that happen (ICO s half-term report). Even if compliance has been delayed because, for example, cookies are embedded in the current version of software being used and an upgrade would be expensive, an organisation would still be expected to show that it has made some effort to mitigate privacy risks for users. The ICO is unlikely to accept it s too expensive or it s too difficult as justifications for long-term failure to comply with the Regulations. When assessing compliance with the Regulations, the ICO will take into account whether or not the ICO guidance has been followed, and whether there are other relevant industry sector codes or standards, even in the informal sense. If industry peers have completed a cookie audit and changed the way they explain things to users, then the ICO might reasonably ask if they can do it, why can t you?. Formal action According to the ICO s Regulatory Action Strategy, any regulatory response that the ICO decides to take must be For subscription enquiries to PLC web materials please call proportionate. While it cannot be ruled out, it seems unlikely that many breaches of the Regulations in relation to cookies would be met with a fine. The ICO might consider taking formal action (though not necessarily a fine) against an organisation that refuses to make any effort to comply or is involved in a particularly privacy-intrusive use of cookies, without telling individuals or obtaining consent. This can be contrasted with a breach involving a first party cookie used just for analytical purposes: the ICO guidance says that this would be unlikely to be an enforcement priority (page 27). PAN-EUROPEAN COMPLIANCE The two main difficulties for organisations that operate throughout the EU when it comes to a strategy to comply with the cookie requirements of the E- Privacy Directive are: The status of implementation: some member states have still not brought the law into effect. There are likely to be significant differences in interpretation (for example, in relation to exempt cookies). Guidance from the French regulator, the CNIL, indicates that it regards cookies used to record the LOOKING AHEAD Every website is unique and therefore standard solutions are unlikely to exist. The ICO has committed to updating its formal guidance with more practical illustrations as it becomes aware of more examples of compliance solutions. Looking ahead to the medium term, the proposed revisions to the European Data Protection Framework (most notably, the draft Data Protection Regulation) are likely to make this area of compliance more difficult; in particular, because the standard for consent is also likely to be raised (see News brief EU data protection reforms: less red tape but more housekeeping?, Just as international data transfers have shown no real signs of having been curbed by the introduction of restrictions in the Data Protection Directive, it seems unlikely that the deployment of cookies will be extinguished, or even seriously dampened, by the revised E- Privacy Directive s stipulations. Reports of the death of the cookie are therefore probably exaggerated. In an online world largely funded by advertising that is increasingly driven by online behaviour, cookies are far from being past their sell-by date yet. Kate Brimsted is of counsel, Mark Turner is a partner, and Miriam Everett is a professional support lawyer, at Herbert Smith LLP. 8 Practical Law Publishing Limited Subscriptions +44 (0)