→EU cookie directive: Altered authors 1-1. Added location.
→EU cookie directive: Archive
Line 226:
In 2009, the law was amended by Directive 2009/136/EC, which included a change to Article 5, Paragraph 3. Instead of having an option for users to opt out of cookie storage, the revised Directive requires consent to be obtained for cookie storage.<ref name="ICO reference" /> The definition of consent is cross-referenced to the definition in European data protection law, firstly the Data Protection Directive 1995 and subsequently the [[General Data Protection Regulation]] (GDPR). As the definition of consent was strengthened in the text of the GDPR, this had the effect of increasing the quality of consent required by those storing and accessing information such as cookies on users devices. In a case decided under the Data Protection Directive however, the [[Court of Justice of the European Union]] later confirmed however that the previous law implied the same strong quality of consent as the current instrument.<ref name="eur-lex.europa.eu">{{Cite web|title=EUR-Lex - 62017CN0673 - EN - EUR-Lex|url=https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:62017CN0673|access-date=2021-06-06|website=eur-lex.europa.eu}}</ref> In addition to the requirement of consent which stems from storing or accessing information on a user's terminal device, the information in many cookies will be considered personal data under the GDPR alone, and will require a legal basis to process. This has been the case since the 1995 Data Protection Directive, which used an identical definition of personal data, although the GDPR in interpretative Recital 30 clarifies that cookie identifiers are included. 
While not all data processing under the GDPR requires consent, the characteristics of behavioural advertising mean that it is difficult or impossible to justify under any other ground.<ref name="Veale">{{Citation |last1=Veale|first1=Michael|last2=Zuiderveen Borgesius|first2=Frederik|date=2021-04-01|title=Adtech and Real-Time Bidding under European Data Protection Law|url=https://osf.io/wg8fq|doi=10.31235/osf.io/wg8fq|s2cid=243311598|doi-access=free|hdl=2066/253518|hdl-access=free}}</ref><ref>{{Cite journal|last=Zuiderveen Borgesius|first=Frederik J.|date=August 2015|title=Personal data processing for behavioural targeting: which legal basis?|journal=International Data Privacy Law|language=en|volume=5|issue=3|pages=163–176|doi=10.1093/idpl/ipv011|issn=2044-3994|doi-access=free}}</ref>
Consent under the combination of the GDPR and e-Privacy Directive has to meet a number of conditions in relation to cookies.<ref name=":0">{{Cite book|last1=Nouwens|first1=Midas|last2=Liccardi|first2=Ilaria|last3=Veale|first3=Michael|last4=Karger|first4=David|last5=Kagal|first5=Lalana|title=Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems |chapter=Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence |date=2020-04-21|chapter-url=https://dl.acm.org/doi/10.1145/3313831.3376321|series=Chi '20|language=en|___location=Honolulu HI USA|publisher=ACM|pages=1–13|doi=10.1145/3313831.3376321|arxiv=2001.02479|isbn=978-1-4503-6708-0|hdl=1721.1/129999|s2cid=210064317|hdl-access=free}}</ref> It must be freely given and unambiguous: preticked boxes were banned under both the Data Protection Directive 1995<ref name="eur-lex.europa.eu"/> and the GDPR (Recital 32).<ref name=":1">{{Cite web|title=EUR-Lex - 32016R0679 - EN - EUR-Lex|url=https://eur-lex.europa.eu/eli/reg/2016/679/oj|access-date=2021-06-06|website=eur-lex.europa.eu|language=en}}</ref> The GDPR is specific that consent must be as 'easy to withdraw as to give',<ref name=":1" /> meaning that a reject-all button must be as easy to access in terms of clicks and visibility as an 'accept all' button.<ref name=":0" /> It must be specific and informed, meaning that consent relates to particular purposes for the use of this data, and all organisations seeking to use this consent must be specifically named.<ref name=":2">{{Cite book|last=Information Commissioner's Office|url=https://cy.ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl191220.pdf|title=Update Report into Adtech and Real Time Bidding|year=2019|archive-url=https://web.archive.org/web/20210513192000/https://cy.ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl191220.pdf|archive-date=2021-05-13|url-status=live}}</ref><ref>{{Cite 
web|url=https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000038783337|access-date=2021-06-06|title=Délibération n° 2019-093 du 4 juillet 2019 portant adoption de lignes directrices relatives à l'application de l'article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture ou écriture dans le terminal d'un utilisateur (notamment aux cookies et autres traceurs) (rectificatif)|website=www.legifrance.gouv.fr}}</ref> The [[Court of Justice of the European Union]] has also ruled that consent must be 'efficient and timely', meaning that it must be gained before cookies are laid and data processing begins instead of afterwards.<ref>{{Cite web|title=EUR-Lex - 62017CC0040 - EN - EUR-Lex|url=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CC0040|access-date=2021-06-06|website=eur-lex.europa.eu}}</ref>
The industry's response has been largely negative. Robert Bond of the law firm Speechly Bircham describes the effects as "far-reaching and incredibly onerous" for "all UK companies". Simon Davis of [[Privacy International]] argues that proper enforcement would "destroy the entire industry".<ref name="sKaxf">{{cite magazine|title=EU cookie law: stop whining and just get on with it|magazine=Wired UK|url=https://www.wired.co.uk/news/archive/2012-05/24/eu-cookie-law-moaning|access-date=31 October 2012|archive-url=https://web.archive.org/web/20121115110013/http://www.wired.co.uk/news/archive/2012-05/24/eu-cookie-law-moaning|archive-date=15 November 2012|url-status=live|date=2012-05-24}}</ref> However, scholars note that the onerous nature of cookie pop-ups stems from an attempt to continue to operate a business model through convoluted requests that may be incompatible with the GDPR.<ref name="Veale"/>
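Review bot: In the Nouwens et al. citation (ref name ":0"), the place-of-publication value reads "Honolulu HI USA" with no separators, and the series value next to it is "Chi '20" although the title in the same template spells the conference "CHI". Suggest "Honolulu, HI, USA" and "CHI '20" so the rendered citation is consistent with its own title. Separately, the sentence beginning "In a case decided under the Data Protection Directive" in the first paragraph carries "however" twice and "users devices" lacks its apostrophe; both are worth cleaning up while this block is being touched.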