EU warns on consent by inertia
In January, the EU Commission proposed a welcome reform and harmonisation of privacy and data protection directives, some of which are particularly relevant to UK website operators.
Perhaps the most significant change for website owners in the revised EU directives was outlined in a speech by Jan-Philipp Albrecht. He explained that businesses will no longer be able to pre-tick boxes on, for example, shop checkouts or consumer agreements. Consumers should not have to opt out from automatic settings in order to avoid businesses claiming that they have given consent to privacy and personal data questions. Consent can only be obtained if the user has made clear affirmative action.
As consumers, we should welcome such additional protection, but the UK interpretation and enforcement of privacy directives leaves a lot to be desired. For example, 2012 saw the formal introduction of the so-called "cookie law" which, in its original EU form said that consumers have the right not to be tracked unnecessarily, and that websites can only engage in such tracking if the customer has given their informed consent. However, the UK interpretation of this has been entirely weighted to business interests and is a delight for bureaucrats and lawyers.
Nowadays it is common for UK websites to present the user with a message upon entry which says "Like many websites, this website uses cookies. Please click the button to consent to our use of cookies". Such a request is hardly "informed" consent, it does not distinguish between the explicitly allowed cookies (such as shopping basket functions, login systems etc) and those which offer no functionality and are used to track your web usage. Usually it is impossible to proceed on such sites without clicking the "I consent" button and often there is no option to decline the cookie. Alternatively, they will say "If you continue to use the site, we'll assume you have consented to accept cookies".
So is the UK consumer any better off now than they were before the "cookie law" came into force? No, not at all. If anything you now have less online privacy than before because you now have to formally consent to any and all tracking in order to use a website. This was clearly not the intent of the original EU Directive. Websites cannot demand you sign away your rights under Distance Selling Regulations as a condition of using their online shop so why should websites be able to demand that you sign away your right to Electronic Privacy as soon as you set foot on their home page?
In speaking about the new directive, Albrecht said "In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice". I've read that quote several times and feel it surely puts a spanner in the works for those websites that demand cookie compliance. Those sites do not give me "a genuine and free choice" in the matter.
However, Britain's relationship with the EU has become a hot political topic and the timing of this proposal may well mean it is one which David Cameron attacks in the coming months as an example of "expensive EU over-regulation affecting struggling small businesses and weighing industry down". I would disagree with that view. Companies which respect the spirit of the Electronic Privacy directive and respect people's online privacy do not find these regulations onerous in the slightest and will suffer little if any overhead from the EU privacy reform proposals.
25th January 2013
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are orignal content.