California’s recent amendments to the California Online Privacy Protection Act require certain online services to make additional disclosures about how they respond to browser-based Do Not Track signals―new obligations that went into effect on January 1.  Along with Joanne McNabb of the Office of the California Attorney General, Kurt Wimmer and I will be discussing

By Dan Cooper and Mark Young

This week, the Article 29 Working Party (the “WP29”) released an opinion paper on what constitutes “consent” for purposes of complying with the EU’s “cookie” rules — rules that were revised to include a consent requirement nearly four years ago.  The paper will be relevant to website providers that are subject to the EU’s cookie regime.

The timing of the paper is curious.  After EU Directive 2009/136, amending Directive 2002/58, was passed in 2009, the market was in a state of limbo as Member States worked out what the consent rules meant and how to implement them in national law (see here).  To everyone’s relief, a consensus slowly began to emerge, arguably spurred by guidance from the UK Information Commissioner’s Office (the “ICO”) in late 2011 and May 2012 (see here and here).  Now, the latest WP29 guidance — which is not legally binding but carries significant weight — threatens to revive the old debate and compel industry to revisit issues that many thought were resolved.

For example, the paper suggests that going forward websites “operating across all EU member states” — although it is not clear what this actually means — will need to adopt the following mechanisms to ensure that user consent is valid:

  • Specific information.  In addition to other relevant disclosures, operators will have to inform users about how to accept all, some or no cookies, and how they can change their preferences in the future.
  • Prior consent.  Website operators will be expected to obtain consent from users before deploying non-essential cookies, such as analytics or behavioral advertising cookies, on the user’s device.
  • Affirmative action.  Even more controversially, websites will have to capture affirmative user consent through the clicking of a button or a link, or the ticking of a box positioned near the relevant cookie notice (as opposed to passive pop-ups or banners, commonly used by industry at present).  The WP29 also points out that information on cookies should remain visible on the site until the user has expressed his or her consent, which again runs contrary to current practices.
  • Real choice.  Users should be given a real choice about the types of cookies deployed on their machine, which in practice would mean being allowed to access a website without accepting non-essential cookies.  Such granularity is only a recommendation and it remains to be seen how, and if, it will be adopted by websites.



By Katherine Gasztonyi

Last week, Judge Robinson of the District of Delaware dismissed a multi-district lawsuit claiming that Google, Vibrant Media, Media Innovation Group, and WPP violated federal privacy and computer security laws by allegedly circumventing browser privacy settings in order to track users online.

This lawsuit stems from a February 17, 2012, Wall Street Journal article describing these companies’ use of a loophole in Safari’s privacy settings to set third-party tracking cookies even where the browser had been configured to block such cookies.  Lawsuits alleging violations of the federal Wiretap Act, Stored Communications Act, and Computer Fraud and Abuse Act (as well as various state laws) were filed in courts across the country, and ultimately were consolidated before Judge Robinson in Delaware.

Judge Robinson granted the defendants’ motions to dismiss all of the plaintiffs’ claims on the grounds that the plaintiffs had not adequately alleged standing to sue in federal court and, in any event, had failed to state a claim for relief under any of the statutes invoked in their complaint.


A U.S. district court has approved the Federal Trade Commission’s $22.5 million settlement with Google.  The FTC had charged that Google misrepresented to users of Apple’s Safari browser that it would not place tracking cookies or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC. 

The settlement is

Today the Federal Trade Commission has announced its approval of a consent decree to settle charges that Google misrepresented to users of Apple’s Safari browser that it would not place tracking “cookies” or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC.  The decree requires Google to pay a

On Tuesday, June 12, the Article 29 Working Party (WP29), a group of European data protection authorities, published an opinion on the exemptions available to the new cookie rules introduced by the revised EU ePrivacy Directive.  The opinion provides guidance on the implementation of the available exemptions to the requirement to obtain internet users’ informed consent for the use of cookies.  Specifically, the WP29 explained the criteria for relying on one of the two available exemptions: 

  • A user’s informed consent is not required where the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.  In other words, the transmission of the communication must not be possible without the use of the cookie.  Simply using a cookie to assist, speed up or regulate the transmission of a communication over an electronic communications network is not sufficient.   
  • A user’s informed consent is not required where the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.  There must be a clear link between the strict necessity of the cookie, i.e., that the service would not work without the cookie, and the delivery of the service explicitly requested by the user.  The key is to examine what is strictly necessary from the view of the user, not the service provider.



By Brian Ryoo

The United States District Court for the Western District of Washington recently dismissed in part an online privacy lawsuit alleging that Amazon “circumvented” browser privacy controls in order to track users’ web browsing activities.  The plaintiffs in Del Vecchio v. Amazon had alleged that Amazon “exploit[ed]” browser controls in Internet Explorer by

On May 25, 2012, the UK’s data protection authority, the ICO, issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011).  As we have reported here and here, when the rules were first introduced in May 2011, the ICO granted UK website operators a “honeymoon” period of

On December 13, 2011, the UK data protection authority (the “ICO”) issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) implemented as part of the review of the EU e-Privacy Directive.  The guidance is intended to help website operators and those using cookies understand how the rules