At work, I have been given the assignment to write my professional opinion about the handling of cookies on my employer’s websites, and come up with a recommendation. That is probably not the most glamorous assignment during my career, the reason being there are very few who like the consequences of following the cookie law. Namely, chapter 6, § 18 of the Swedish Electronic Communications Act (2003: 389, LEK) as it is part of. What you hear most often is that people complain that they probably cannot keep Google Analytics, a third party functionality that 81% of the municipalities used when I researched it last spring. Given that the law in its current form is over four years old, it is probably time to stop hesitating.
I usually have to point out that I, also, prefer tools like Google Analytics, but when I try to exclude my own needs out of the equation, the recommendation becomes obvious – we should focus on the visitor’s integrity, first and foremost.
In Sweden, the Swedish Post and Telecom Agency is late to come up with a guide on how to adhere to this law (which virtually all sites violate today). The origin of law is an EU directive, so the same law is probably in almost all European countries. There are plenty of material for the curious, but I thought I’d summarize it for you at EU level.
Legal interpretation summarizing the Cookie Act in Europe
During my research, I have found a pretty good summary of how we probably should interpret the law and its intent, that is, a reasonable outcome the guidance will clarify. The four points are taken from a report produced by the Data Protection Working Party wrote in 2013, it is also something that a lawyer at our national Post and Telecom Agency tipped me to read while waiting for the guidance. The following points is on how to handle the informed consent of a visitor of a website, you know, those messages asking for your consent when visiting many European websites.
1. Specific information.
To be valid, consent must be specific and based on appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.
As a general rule, consent has to be given before the processing starts.
3. Active choice.
Consent must be unambiguous. Therefore the procedure to seek and to give consent must leave no doubt as to the data subject’s intention. There are in principle no limits as to the form consent can take. However, for consent to be valid it should be an active indication of the user’s wishes. The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller (it could include a handwritten signature affixed at the bottom of a paper form, or an active behaviour from which consent can be reasonably concluded)
Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.
— end citation
Probably we’ll return to this subject in the future. If you want to start blocking content like cookies or other form of trackers then check out Ghostery for your computer and content-blockers such as 1Blocker if you have a Ios device.
Also, listen to The Big Web Show episode about digital law and web design.