Taming the cookie monster with Dutch law – A tale of regulatory failure

https://doi.org/10.1016/j.clsr.2015.01.004

Abstract

Profiling the online behaviour of Internet users has become a defining feature of the Internet. Individual surfing behaviour is tracked by many enterprises for statistical purposes, but also for behavioural advertising and other personalisation services. Profiling implies the processing of personal data, often facilitated by cookies and other markers placed on the terminal equipment of Internet users. The European rules for the regulation of cookies and similar technologies were modified in 2009 to require the prior consent of the user, in order to guarantee that the user has some control over the processing of their information. In 2013 the Netherlands introduced probably the strictest implementation of the European rules concerning the installation of cookies. However, in practice the new legal requirements resulted in neglect of the obligations regarding user information on the one hand and in the widespread deployment of annoying banners, popup screens and ‘cookie walls’ on the other. Not only the advertising industry, but also web publishers and even ordinary Internet users opposed the regulation. Furthermore, the regulation, certainly initially, did not lead to increased user control. These and other factors support the conclusion that the Dutch cookie regulation is a case of regulatory failure. This paper discusses the practices that were deployed in the Netherlands and assesses them based on a multi-site study that examined the practices of 100 Dutch websites with regard to the installation of cookies. It further reflects on the response of the Dutch regulator, who, under the pressure of industry and consumer outcry, amended the relevant provisions of the Dutch Telecommunications Act in 2014.

Introduction

What started as a simple fix1 to compensate for the lack of information about the state of interactions between web-browsers and websites, has become one of the most invasive tracking instruments in the information society: cookies. While cookies serve numerous invaluable uses, such as for keeping track of items added to an online shopping cart, or for storing user preferences, they are also, and maybe primarily, used to track users online. Cookies allow websites to recognize returning visitors, but also to recognise them across websites. They have given rise to fierce debates between privacy advocates, service providers, the ad-industry and regulators, and have inspired a significant body of literature on both sides of the Atlantic.2

Within the US, the use of cookies for behavioural tracking is largely unregulated, although the Federal Trade Commission, in view of regulating “unfair and deceptive trade practices” pursuant to Section 5 of the Federal Trade Commission Act, is currently taking actions.3 The FTC, in line with the US approach to privacy online, relies on a self-regulatory “notice and choice” model. Websites are required to incorporate detailed privacy policies that contain information on how they collect and use information about users via cookies, while non-adherence to the obligations stipulated in the privacy policy could be treated “as a ‘deceptive trade practice’ actionable by the FTC”.4 Website users, in the “notice and choice” model, are supposed to decide whether or not to use a website on the basis of assessing its privacy policy. Given that most people do not read privacy policies,5 it is questionable whether US netizens are fully aware of the extensive tracking of their online behaviour by websites and their affiliates. The US “notice and choice” mechanism is based on action by the user to get informed and act on it.

Within the European Union, online tracking and the use of cookies are regulated under the Data Protection Directive,6 as well as the ePrivacy7 one. The ePrivacy Directive was amended in 2009 and brought about a number of implementation issues deriving from the introduction of new requirements for the installation of and access to cookies. More concretely, the Data Protection Directive contains the basic data protection principles, in accordance with which the processing of personal data should take place. The ePrivacy Directive lays down specific requirements for the legitimate use of cookies, requiring that the user or the subscriber is properly informed about the use of cookies and that the consent of the user or the subscriber is provided before their installation and use. The aim of the European legislator in requiring the consent of the user was to guarantee that the user gains control over the processing of their information. The European model is based on websites proactively informing users and offering them immediate choice.

This paper is going to present the new legal requirements relating to the use of cookies and will discuss the difficulties that arose in practice, which resulted in a public outcry not only from the advertising industry, but also from web publishers and Internet users, presenting the Dutch experiences as a prominent example. The paper will assess the practices that were deployed in the Netherlands based on a multi-site study that examined the practices of 100 Dutch websites with regard to the installation of cookies. It will further reflect on the response of the Dutch regulator, who, under the pressure of industry and consumer outcry, amended the relevant provisions of the Dutch Telecommunications Act in 2014.

Section snippets

Types of cookies

A cookie is a small amount of information that can be stored by a website in the user's web browser; it contains the address of the cookie provider and some additional data in the form of the name of an attribute and its value, as well as an expiry date.8

The European cookies rules

As part of regulating the confidentiality of communications, the European legislation regulates specifically the storing of information and the gaining of access to information that is already stored in the terminal equipment of users and subscribers in Article 5(3) of the ePrivacy Directive. In practice, these rules apply to a broad range of situations, most prominently involving cookies,17

Cookies in the new practice

Article 11.7a of the Dutch Telecommunications Act (Tw) came into force on June 5, 2012 after a period of intense debate in which a broad coalition, including online service providers but also consumers, fiercely opposed art. 11.7a Tw (which implemented the amended art. 5(3) ePrivacy Directive) for different reasons.50

Opposition and reaction to the new cookies provisions

The opposition regarding the use of cookie-walls to coerce users into accepting cookies, leading up to questions in Parliament, is only one of the examples of issues resulting from the strict implementation of art. 5(3) ePrivacy Directive in the Netherlands. It is safe to say that the debates preceding the change of art. 5(3) have not died down since the adoption of the new art. 11.7a Tw in the Netherlands. The arguments proposed cover a wide range of topics.

On the one hand industry has claimed that

The practical implementation of the cookie rules in the Netherlands, round 2

The Dutch Minister of Economic Affairs on 20 May 2013 published a Draft Bill for the amendment of Article 11.7a of the Dutch Telecommunications Act (hereafter Bill)102

The lessons learned from the Dutch practice

The Dutch experience illustrates how difficult it is to regulate contemporary socio-technical practices. Tracking user behaviour across websites has become a fact of life and an interesting question is whether this tracking can be regulated or even stopped, and if so how? Judging from what we have presented in this paper, the Dutch approach has so far not been very successful in achieving the aims set out in the ePrivacy Directive.112

Acknowledgements

The authors are grateful to Zhasmina Kostadinova for collecting the empirical data for the multi-site study. The authors would also like to thank Marlou Brokx and Dr. Tjerk Timan. All errors and omissions remain the authors' alone.

Ronald Leenes is professor of regulation by technology at the Tilburg Institute for Law, Technology, and Society (TILT), Tilburg University (The Netherlands)

Eleni Kosta is associate professor of Technology Regulation at the Tilburg Institute for Law, Technology, and Society (TILT), Tilburg University (The Netherlands)