To put things straight, this is no cookie baking lesson. No, this relates to all you website owners who generally leave the development of your site in the hands of them savvy techies; and to you techies who draft the code but leave the rest in the hands of the website owner.

Cookies are a type of technology that may be installed on user terminals, be it a computer, mobile or other browsing device. Intended primarily to record historical browsing information, cookies and similar technologies are generally used to facilitate and expedite the internet user’s experience, such as keeping a user logged in to his email account or saving items in a shopping basket. Their application is also significant for technical reasons, such as for filtering spam, tracking website agents or for balancing out usage load over multiple servers.

However, as with many good things in life, cookies may be and often are exploited for behavioural analytics and marketing purposes by tracking, compiling and processing users’ preferences and patterns which are subsequently abused in targeted-advertising schemes, generally without the users’ knowledge let alone consent.

In fact, do not be surprised that different types of cookies are plugged into your terminal on a daily basis – that is to say, every time you use the internet. While several cookies are designed to expire after a period of time has lapsed, say after you close your browsing session, others are devised to persist for much longer periods, whilst some, known as ‘flash cookies’, are preserved on your terminal indefinitely.

Of course few of us may have bothered, on remarkably rare occasions, to read a website’s privacy-policy and perhaps may have come across a polite note, neatly inserted by the website operator (an obligation at law), telling us that in order to function correctly the website needs to place (and shall place) a cookie on our computer terminal. Indeed, the small print also politely informs us that we may choose to alter our browser settings to limit or prohibit the use of such cookies, though this is always at our own risk as the website functions might just not function! Did you ever limit such use? I doubt it!

Anyway, this is bound to change – or at least law makers across the EU are trying to revolutionise the way cookies and similar ‘invasive’ technologies are managed. As from May 2011 a new EU directive on privacy law required that prior to installing cookies on a user’s terminal, the ‘website’ is to ask for and obtain “explicit consent” from the user who must have first been given “clear and comprehensive” information. Exceptions are allowed only in extreme circumstances, that is, when cookies are required to facilitate the transmission of a communication or otherwise are “strictly necessary” in order for the operator to provide a service that was “explicitly requested” by the user.

Website operators and techies should therefore watch this space! Legal Notice 239/2011, which transposes the directive in Malta, is already published and is expected to come into force any time soon. In any case, if your website targets users in other member states, keep in mind that each of the 27 EU member states is to have its own transposed version of the law – which you shall have to comply with. Easier said than done, no doubt.

Can one assume that a user has given explicit consent once his browser settings are set to accept cookies? Probably not. Will the acceptance of standard terms and conditions be accepted as an “explicit consent”? Perhaps, though a clear pop-up might be more transparent and explicit – albeit annoying. Some guidance from the Malta Data Protection Commissioner would be appreciated and perhaps a one-year ‘probationary period’ to comply (as afforded by the Commissioner’s UK counterparts) might be fitting here too.

Truth be told, even if the directive seems to have put all types of cookies in the same basket irrespective of their nature or effect (and indeed has controversially regulated them as one with other more compromising technologies such as viruses and Trojan horses), all website developers and operators need to take this on and must review their cookie recipe.

Therefore, it is advisable for all websites to be audited. The manner in which cookies are disseminated, their level of invasiveness and the nature of the information collected and processed should be studied.

A user-friendly yet compliant solution for obtaining explicit consent ought to be implemented, keeping in mind that a user is to be given clear information about (i) the operator’s identity, (ii) the purpose(s) of collecting the information and (iii) any other information necessary to make the processing fair and lawful in terms of data protection legislation.

Regrettably, there is no one-size-fits-all solution.

(www.fenechlaw.com)

The author is an associate at Fenech & Fenech Advocates specialising in ICT law and employment law.
