Cookies: the new regime

Back in March, I discussed the proposed changes to the law on cookies, to require prior, informed consent before most cookies are placed on users’ computers.

The new regulations have now been published by the UK government. Regulation 6 of the snappily-titled Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amends the previous rules so that most cookies will now only be permitted if the website user:

  • is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • has given his or her consent.

In addition, however, the revised regulation also states that:

…consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

What does all this mean in practice? To help businesses understand what is required of them, the Information Commissioner’s Office has produced a guidance note on the new regulations (PDF). While this leaves a number of questions still unanswered (as we’ll see below), it does clarify a number of points that had been debated since the new law was first proposed last year.

1. Is your cookie “strictly necessary”?

The revised regulations retain the existing exceptions for cookies:

  • whose “sole purpose” is “carrying out the transmission of a communication over an electronic communications network”; or
  • which are “strictly necessary for the provision of an information society service requested by the subscriber or user”.

The second of these is the more important for most websites. It has been suggested that this could be interpreted quite widely, to include analytics cookies that track how people use the site: which pages they visit, how long they remain on the site, which search terms brought them there in the first place, and so on. The argument is that this enables sites to allocate resources as necessary to provide their services.

However, the guidance argues that the exception needs to be interpreted narrowly, and the cookie must relate to services “explicitly requested” by the user – not just the general functioning of the site. So a cookie to enable a shopping basket and checkout system to work would be fine. However:

The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

2. Can browser settings be used?

The reference to a website user “who amends or sets controls on [their] internet browser” has been read by some as allowing existing browser controls on cookies to be used to obtain consent. However, the ICO’s view is that:

most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie.

In addition, people may be accessing sites using mobile devices that do not enable them to exercise even the crude levels of control (“cookies ON” / “cookies OFF”) found in current desktop browsers.

In the longer term, more sophisticated browser settings may be developed that enable websites to obtain consent in this way. However, for now it has to be assumed that some other means of obtaining consent is necessary.

3. How can we obtain consent?

The ICO’s guidance is not prescriptive, and discusses a number of ways in which websites can obtain consent.

One option is to use pop-ups as a means of informing users about your use of cookies and to obtain their consent, but the ICO recognises that this is “potentially frustrating” for users. Other means include:

  • Terms and conditions: sites that obtain users’ agreement to their terms and conditions (e.g. upon registering with the site or making a purchase) have a golden opportunity to obtain users’ consent. However, existing users should be made aware of the changes and asked to give their consent to the new terms.
  • Settings-led consent: where a cookie is necessary in order to enable a particular website feature, then users can be told at the point they enable that feature that a cookie will be used for this purpose.
  • Highlighted text: the website’s header or footer could include text that is highlighted when the site wishes to place a cookie, so that users can then agree to this.
  • Third-party cookies: these are widely used by advertising networks, and unfortunately the ICO guidance does little more than acknowledge that this “may be the most challenging area in which to achieve compliance with the new rules”. Clearly, though, finding techniques for describing the use of third-party cookies in such a way that users are inclined to agree to them will become something of an art form in the near future.
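The distinction the guidance draws (strictly necessary cookies are exempt; preference, statistics and advertising cookies need prior consent) is easiest to enforce if every cookie is classified once and the code that sets cookies checks the user's consent record. The following server-side helper is an added example, not code from the original post or from the ICO; the cookie register, category names and consent-record shape are assumptions for the demo.

```javascript
// Added example: refuse to emit non-essential cookies until consent is recorded,
// while "strictly necessary" cookies (e.g. the shopping basket) are always allowed.
// Category names and the consent-record format are assumptions for this demo.

const STRICTLY_NECESSARY = "strictly-necessary";
const PREFERENCES = "preferences";
const ANALYTICS = "analytics";
const ADVERTISING = "advertising";

// Constructed sample register: every cookie the site sets, classified as the
// guidance's step 1 asks (what cookies you use, and what for).
const COOKIE_REGISTER = {
  basket_id:   { category: STRICTLY_NECESSARY, purpose: "keeps items in the shopping basket during checkout" },
  ui_theme:    { category: PREFERENCES,        purpose: "remembers the user's chosen page layout" },
  visit_stats: { category: ANALYTICS,          purpose: "counts page views for site statistics" },
  ad_tracker:  { category: ADVERTISING,        purpose: "set for a third-party ad network to track browsing" },
};

// consent is { categories: [...] } for a user who has agreed to some categories,
// or null for a new visitor (or one whose browser cannot signal consent).
function hasConsentFor(consent, category) {
  if (category === STRICTLY_NECESSARY) return true; // exempt under the regulations
  return Boolean(consent && Array.isArray(consent.categories) && consent.categories.includes(category));
}

// Returns a Set-Cookie header value, or null when the cookie must not be set yet.
// Throws for cookies that were never classified, so unregistered cookies cannot slip through.
function buildSetCookie(name, value, consent, opts = {}) {
  const entry = COOKIE_REGISTER[name];
  if (!entry) throw new Error(`cookie "${name}" is not in the register; classify it first`);
  if (!hasConsentFor(consent, entry.category)) return null;
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`, "Path=/"];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  parts.push("Secure", "HttpOnly", "SameSite=Lax");
  return parts.join("; ");
}

// Produces the "clear and comprehensive information" lines for the cookies that
// still lack consent, so a page can show them at the point it asks the user to agree
// (the "settings-led" or "highlighted text" approaches described above).
function pendingConsentNotice(consent) {
  return Object.entries(COOKIE_REGISTER)
    .filter(([, entry]) => !hasConsentFor(consent, entry.category))
    .map(([name, entry]) => `${name} (${entry.category}): ${entry.purpose}`);
}
```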

4. So what do I need to do?

While the new legislation comes into force on 26 May 2011, the ICO recognises that there will need to be a “phased approach” to enforcement, to give websites time to comply. The ICO’s key expectation at this stage is that organisations are at least giving serious thought to how to comply.

In particular, the guidance advises website owners to:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Decide what solution to obtain consent will be best in your circumstances.

“The key point”, they add, “is that you cannot ignore these rules.”

Over the next few months I will revisit this issue to see how websites are going about achieving compliance in practice, and what technical measures are being developed to facilitate this.

How distinctive is the App Store?

Amazon has launched an “Appstore” selling applications for the Android mobile phone operating system. In response, Apple is suing Amazon in the US claiming that Amazon’s Appstore will “confuse and mislead customers” due to the similarity in name with Apple’s own App Store.

Apple has not yet been able to register App Store as a trademark in the US (and its application to do so is being opposed by Microsoft). However, APP STORE is registered as a European Community trade mark, effective from 21 July 2008. If Amazon were to launch their Appstore in the EU – and currently there is no information on if and when this will happen – then Apple would presumably want to bring trade mark infringement proceedings against Amazon.

To be honest, I’m amazed that Apple were able to register APP STORE as a trade mark. A mark must be distinctive in order to be capable of registration as a Community (or for that matter EU national) trade mark. In the words of the Community Trade Mark Regulation, it must be “capable of distinguishing the goods or services of one undertaking from those of other undertakings”. In particular a mark cannot be registered if it:

consist[s] exclusively of signs or indications which may serve, in trade, to designate the kind, quality, quantity, intended purpose, value, geographical origin or the time of production of the goods or of rendering of the service, or other characteristics of the goods or service.

To register APP STORE for the sale of computer software applications (that is, “apps”) is, to my mind, on a level with registering SHOE SHOP for the sale of footwear. No doubt Amazon’s defence to a claim would consist (in part) of a vigorous assertion that the mark should be revoked.

Against that, it is sometimes argued (though not, as far as I’m aware, by Apple itself) that Apple invented the word “app” in relation to software. There are two responses to this:

  1. Who invented the word isn’t relevant to whether it’s a valid trade mark. Even if Apple invented the word “app” for software, it is still widely used (even by Apple!) in a generic sense.
  2. It’s not true that Apple invented the word anyway: it’s not hard to find examples from before 2008 of the word “app” being used for software, particularly in the free/open source software world.

I do need to add a lawyerly disclaimer here. I am emphatically not arguing that readers of this blog post should rush out and start using the name “App Store”, confident in the knowledge that Apple’s trade mark registration is invalid. Apple could still run other arguments (such as a “passing off” claim), and would argue with equal vigour that their trade mark should stand (for example, on grounds of “acquired distinctiveness”). If you want to take on the world’s second largest company on an issue like this, be my guest – but take legal advice first…

Cookies and consent

As has been widely reported, the government has confirmed that it will implement new EU regulations on the use of cookies by 25 May 2011. What does this mean in practice for website owners?

What’s the current position?

The current law on cookies works on an “opt-out” basis: website owners are required to provide “clear and comprehensive” information on their use of cookies, and users must then have the opportunity to opt out of using them. In the UK at least, it has been seen as sufficient to provide information in your privacy policy and then simply allow users to disable cookies in their web browser settings.

What’s changing?

The Citizens’ Rights Directive, adopted by the EU in November 2009, changes this to require websites to obtain prior consent for the use of cookies. Despite some confusion over what exactly the Directive meant when it was first passed, there is now an increasingly clear consensus that it requires an opt-in approach to cookies.

This has caused considerable disquiet among website owners. Cookies are essential for the operation of almost all websites, and on the face of it the new regulations will require websites to use pop-ups or landing pages to obtain consent for this from users.

This is unlikely to be popular with users, who may find their web browsing interrupted by multiple requests for consent. It could also threaten the revenues of sites who depend on income from third-party advertisers, whose operations may be hindered by users rejecting cookies used by advertisers to track browsing activity – which is, of course, precisely what the regulations are intended to do.

Does this only affect third party cookies?

Some have suggested that the new law will only affect third party cookies – such as tracking cookies used by advertisers – and that cookies used for the normal operation of a website will not be caught. This is based on an exception under the law waiving the requirement for consent where the cookies are “strictly necessary” for the operation of the website.

However, in my view most website owners will still need to comply with the new law. Where a cookie is necessary in order for a shopping basket to function, this will probably count as “strictly necessary”. However, it is doubtful whether the same can be said for other common uses of cookies, such as compiling site statistics and tracking how people use the site.

Is this actually going to happen?

I was at an event this week at which a speaker from the Information Commissioner’s Office pointed out that, while the ICO had not wanted or asked for this change in the law, “the law is the law” and the ICO is required to enforce it. There may be a “grace period” before full enforcement begins, but website operators will be expected to comply once the “technical solutions” are available for them to do so.

At present it is not clear how websites will comply with these obligations in practice. Discussions are under way to see if appropriate mechanisms can be built in to web browsers. However, websites will still need to be able to give information and obtain consent from users of older browsers or who are accessing the web by mobile phone.

So what do we need to do?

We are still awaiting the final regulations, and it also remains to be seen what technical approaches for compliance – pop-ups? landing pages? browser features? – will be developed over the coming months. Unfortunately, this does mean that website owners and developers are somewhat in limbo for the time being.

However, those developing or updating their websites should be aware of the need to build in scope for introducing appropriate consent mechanisms once the legal and technical position is clearer. And now is probably a good time to start thinking about how your use of cookies can be explained in a way that will make users want to accept them rather than reject them.

Don’t send a licence agreement to do a service agreement’s job

In recent years, many software vendors have changed over from a traditional licensing model (where software is installed on their clients’ computer systems) to a “cloud” model in which they provide a hosted service.

However, I regularly see contracts from these “traditional-to-cloud” vendors that have clearly not changed from the days when they were licensing locally-installed software. The agreements continue to read as if customers will have the software installed on their own systems, and fail to address the fact that the software is now being provided as a hosted service.

This has a number of consequences:

1. Service levels aren’t clearly agreed

A traditional software licence will not cover issues such as availability and uptime. This can lead to disputes where there is a mismatch between the customer’s expectations of a 100%, 24 x 7 x 365 service, and what the service provider can actually deliver.

In short, the contract fails at one of its fundamental purposes: setting out what the supplier has agreed to provide and the customer has agreed to pay for.

2. Customer misuse isn’t addressed

A traditional licence will often require the customer not to reverse-engineer or decompile the software or not to install it on unauthorised hardware – actions that are literally impossible with a cloud-based service. However, it may not concern itself with the everyday use the customer makes of the software: whether the customer is breaching data protection laws or third-party intellectual property rights.

However, a hosted service provider is taking responsibility for holding customer data. That data may infringe other people’s rights. Even if it doesn’t, the provider is still exposing itself to liability for taking proper care of its customer’s data, in a way it never did previously.

The customer’s users may also engage in other misuse, using the system to transmit illegal or unethical material that can cause reputational damage or legal liability for the service provider.

If the contract fails to take account of these issues, the service provider could face significant legal exposure.

3. Liability may not be limited

Limitation of liability is a critical contract provision for most suppliers. In order for the supplier to be protected as intended, any limitation of liability provisions need to be drafted so they actually cover the type of liability that might arise, and in most cases they need to be reasonable in their scope.

The risks to the supplier under a service provision arrangement are very different from those in a software licence. The supplier will be hosting the customer’s data and will be responsible for maintaining continuity of access, in a way that is unlikely to have been the case under a software licence.

If the limitation of liability provisions do not take all that into account, the supplier could end up facing unlimited liability should any problems arise.

4. Deals are delayed

Where a contract is inappropriate, customers are more likely to question the terms and push back for changes. The process of agreeing the contract becomes more protracted – it may even result in the service provider carrying out large amounts of work “on risk”, as the contract continues to be negotiated.

Setting out reasonable terms that reflect the reality of what is being provided is the best way to ensure that contracts can be concluded quickly, without the legal tail wagging the commercial dog.

5. It just looks bad

If you went to rent a house, and the landlord produced a contract saying that they were selling it to you, you’d object. The difference between licensing software and providing a hosted service is no less fundamental, and a contract that fails to recognise this can leave both the service provider and client exposed.

As a result, using the wrong type of contract can cause reputational damage to a service provider. Customers are left with the impression that the service provider doesn’t really understand the business that they’re operating.

Conclusion

Whether software is being licensed or provided as a hosted service, agreeing the contract should be neither box-ticking nor an exercise in legal pedantry.

What counts is making sure that the contract reflects reality and deals appropriately with the key risks for each party – and that the process of agreeing the contract (often at least as important as the contract itself) flushes out issues that might otherwise cause problems down the line, and doesn’t become an obstacle to concluding the deal.

Data protection: tighter rules on the way in 2011?

The European Commission last month announced plans to overhaul data protection legislation. The aim of the new legislation is to strengthen the rights of individuals and to ensure that data protection rules are more consistently enforced. However, the current proposals are likely to place an increased burden on data controllers who could face greater penalties for non-compliance.

In its discussion document, A comprehensive approach on personal data protection in the European Union (PDF), the Commission states that the revision process is intended to address a number of “specific challenges”:

  • the impact of new technologies;
  • the need for increased data protection harmonisation and legal coherence within the EU;
  • simplifying the law on international transfers of data; and
  • stronger enforcement and an enhanced role for national data protection authorities.

The overriding aim is:

to protect the fundamental rights of natural persons and in particular their right to protection of personal data.

The discussion document then sets out a number of ways in which these challenges can be addressed in order to accomplish that aim. Some of the key ones for businesses are:

  • Increasing transparency, especially in privacy policies and as regards children. This could include standard forms of privacy notice.
  • Mandatory notification of personal data breaches.
  • Increased rights for individuals to have their data deleted (the “right to be forgotten”) and to withdraw their data from a service provider’s systems (“data portability”).
  • “Clarifying and strengthening” the rules on consent to data processing, in order to ensure that truly “informed consent” is given for processing.
  • Adding new categories of “sensitive” data, such as genetic data.
  • A requirement for “Privacy by Design” covering the design, deployment, use and disposal of technologies.

Observers have pointed out a number of areas of potential difficulty. The “right to be forgotten”, for example, seems on the face of it to contain a contradiction – because companies would need to keep lists of people they were required to have “forgotten”. More pertinently, data may refer to more than one person: where you and I both feature in a group photograph on Facebook, your “right to be forgotten” may conflict with my wish for the photograph to remain available.

Similarly, it is difficult for data controllers to know they have been given “informed consent” for processing without a certain amount of information already being retained and processed about an individual. It also seems doubtful whether standard forms of privacy notice could cover the limitless variety of different ways in which personal data is used.

Conclusion

Current data protection law is far from ideal, and so an overhaul is to be expected. However, the track record on EU legislation in this area will leave many businesses concerned as to the impact of any changes. The Commission document refers to “the fundamental rights of natural persons”, but (apart from references to “enhancing the internal market dimension of data protection”) says little or nothing about the role of data processing in encouraging business activity and economic growth. Some of the proposals floated in the document, such as requirements for “informed consent” and the “right to be forgotten”, could present considerable administrative challenges to data controllers.

From a UK perspective, moves to increase “harmonisation” and “coherence” for data protection are likely to mean a considerable tightening up of the law. To date the UK has tended to take a more relaxed view towards data protection issues than some other EU jurisdictions, for example in allowing “implied consent” for processing where others require explicit consent in writing.

The Commission is inviting responses to its discussion document in a consultation period closing on 15 January 2011, and draft legislation is then expected some time during 2011. It remains to be seen what form this will take, but companies whose business is based heavily on data processing will want to keep a close eye on developments over the next twelve months.

Data protection penalties: the ICO bares his teeth

The Information Commissioner’s Office (ICO) has announced the first monetary penalties (PDF) under new provisions introduced into the Data Protection Act earlier this year.

Hertfordshire County Council has had a penalty of £100,000 imposed on it after faxing highly-sensitive material (in one case relating to child sexual abuse) to the wrong recipients, while employment services company A4e faces a penalty of £60,000 after losing an unencrypted laptop containing the details of 24,000 users of community legal centres. The ICO will no doubt be glad that its first use of its new powers has allowed it to send a clear signal to both the public and private sector.

For a long time the Data Protection Act was perceived to lack teeth: fines for breaching the Act could only be imposed by the Information Commissioner if a data controller breached an enforcement order put in place after a previous breach. This meant that even very serious breaches (such as when HMRC lost details of millions of child benefit recipients) could go unpunished if they were a “first offence”.

The new monetary penalties regime (s.55A DPA) allows the Information Commissioner to impose civil monetary penalties where there has been a serious contravention of the Data Protection Act (occurring on or after 6 April 2010) of a kind likely to cause substantial damage or substantial distress, and where either:

  • the contravention was deliberate; or
  • the data controller knew or ought to have known about the risk (and the likely consequences) but failed to take reasonable steps to prevent it.

The maximum penalty that can be imposed is £500,000.

The civil penalties regime significantly alters the risk profile for data protection breaches. Previously the main consequences for most organisations from a data protection breach have been reputational rather than financial. The ICO has shown how keen they are to use the new powers to make data protection a far higher priority for businesses and other organisations. Hertfordshire County Council and A4e will surely be only the first of many cases over the next few months and years.

easyDispute over trade mark

My colleague Ed Weeks (on his Boardroom Disputes blog) has written a number of times over the past couple of years on the dispute between Sir Stelios Haji-Ioannou and the easyJet board.

This dispute has now developed an intellectual property angle, with Sir Stelios threatening to terminate the airline’s licence to use the “easyJet” trade mark. The trade mark is owned by Sir Stelios’ company easyGroup IP Licensing Limited, and is licensed to easyJet Airline Company Limited under an agreement which Sir Stelios is now threatening to terminate.

easyGroup has issued a “cure notice” to easyJet threatening to terminate the licence agreement unless there is an improvement in easyJet’s punctuality record within the next 90 days. This follows newspaper reports that fewer than 50 per cent of easyJet flights from Gatwick were on time in June.

Should easyGroup proceed to terminate easyJet’s licence, the result would undoubtedly be a huge court battle, given the importance of the easyJet name for the airline. I doubt that the licence agreement contains an express right to terminate for poor punctuality performance: presumably easyGroup are relying on more general obligations, as typically found in trade mark licences, for the licensee to provide services under the licensed mark to a high standard and not to bring the trade mark (or its owners) into disrepute.

Given the risks to both sides of this course of action, I would be very surprised if the licence were terminated. More likely this is being used by Sir Stelios as leverage in his long-running battles with the easyJet board.

Sir Stelios’ ire has no doubt only been increased by the way in which his own personal name and image have been dragged into the controversy over easyJet’s punctuality (and its reluctance to release its performance figures) by easyJet’s main competitor, Ryanair. Ryanair apologised for its ads referring to him as “easy Jet’s Mr Late Again”, but its newspaper ads printing this apology provided another opportunity for it to take a dig at easyJet.

As a final observation, I notice that the Telegraph news item refers to Sir Stelios threatening to remove “the easy brand name”. easyGroup – which owns a large number of trade marks which include “easy” as a prefix – has made a number of attempts over the years to claim the name “easy” itself as a trade mark, without success. I wonder if easyGroup have taken the opportunity themselves to provide a small boost for their claim to “easy” as a brand name.

“I have read, understood and agree to… unfair treatment?”

Go to almost any website selling goods or services online, and at some point in the transaction process you are likely to find a statement along the following lines:

I confirm that I have read, understood and agree to the terms and conditions [link].

The FSA has released a guidance note (PDF) stating that, in their view, this declaration is “unfair” under the Unfair Terms in Consumer Contracts Regulations 1999 (“Unfair Terms Regulations”). As the FSA put it:

Firms should draft contracts in plain and intelligible language and must also give consumers a proper opportunity to read all the terms of the contract. Consumers should check the details of the contracts they enter into. But a contract term requiring consumers to declare that they have read and understood the terms of the contract is likely to be unfair because it binds customers to terms which, in practice, they may not have any real awareness of.

While this guidance relates specifically to financial services, it is consistent with the OFT’s guidance on consumer contracts generally. Online sellers, especially those dealing with consumers rather than business customers, should therefore consider wording along the lines of the FSA’s proposed alternative for such declarations. For an online seller this might read:

These are our standard terms and conditions [link] upon which we intend to rely. For your own benefit and protection you should read these terms carefully before signing them. If you do not understand any point please ask for further information.

Sellers should also ensure that they review their online consumer contracts carefully to ensure the terms themselves comply with the Unfair Terms Regulations. To assist in this, the OFT has produced a number of guidance documents. These include their Unfair Contract Terms Guidance (PDF) and its annexes giving specific examples of unfair terms (PDF), as well as specific guidance for a number of sectors.

Competition closed?

Apple has upset the developers (and users) of thousands of adult-themed apps, which it has pulled from its iPhone app store in the past few days.

One developer accused Apple of “experimenting with our livelihoods” and said the iPhone ecosystem was being “run by puritans”. However, Apple argued that it had received thousands of complaints from customers, in particular women and parents, objecting to material such as “Wobble” – an app which displayed pictures of women’s breasts.

This story demonstrates the effects of one of the growing trends in computing over the past couple of years: the adoption of closed platforms for mobile computing. Apple has led the way in this, but other platforms – such as Moblin, Android and Nokia’s Ovi store – are now encouraging (or even requiring) users to obtain their software from official app stores.

The point is not whether those who control these platforms are puritans or libertarians: rather, it is that (unlike “traditional” open computing systems) the applications which users can install and run on their devices are under that control in the first place. This is a significant change in computing practice, and the rows such as that over adult iPhone apps may be what propels this from being a “geek” issue to one of wider concern. (What happens when China, say, requires Apple to block politically-unacceptable apps?)

I wonder also how long it will be before someone brings a challenge against Apple and other gatekeepers under competition law. In the context of UK and EU competition law, there would seem a good case for saying that Apple has a “dominant market position” in the iPhone apps market – after all, setting aside “jailbroken” iPhones, its app store has a 100% market share for iPhone apps.

Developers finding themselves locked out of the iPhone app store may well consider Apple to be abusing that dominant position, in breach of competition law – especially given the rather different treatment of apps for “established” adult entertainment brands, such as Playboy, whose own app apparently remains available.

It would be interesting if the European Commission ended up forcing Apple (and others) to open up their platforms – though perhaps the market will take care of it in the meantime, as platform owners decide the risks of relaxing their grip on their devices are outweighed by the consequences of having to get involved in controversies such as that over Wobble and its fellow apps.

Google’s “superphone”: who’s in control?

The Google Nexus One “superphone” has been attracting a great deal of media coverage since its launch last week – though the coverage has turned sour for Google today, with widespread reports of customer dissatisfaction as early adopters receive their new purchases.

Most complaints relate to technical problems (such as getting the phone connected to a 3G network) or to the availability (or otherwise) of discounted deals. A further layer of “meta-complaints” then quickly sprang up as people expressed their dissatisfaction with how Google had handled their original complaints. However, the complaint that caught my eye was the seemingly more minor one of the 190 MB limit on installed applications.

The Nexus One’s storage capacity can be expanded to 32 GB using a Micro SD card. However, at present applications have to be installed on the phone’s internal memory of 512 MB. In practice the amount of space available is reported at only 190 MB. Google explained at the Nexus One launch event that this is to “protect [software developers] from piracy”, and that they are working on other means to achieve this through encryption.

The point is that it is Google that has imposed this restriction, not the customer who buys the device. If I buy a netbook – a concept seen by some as threatened by the rise of the smartphone – I can install any software I like on it and use the hardware as I choose. (Indeed, the netbook on which I’m typing this has an entirely different operating system from the one with which it was supplied). If I buy a smartphone, I’m subject to whatever restrictions the manufacturer and/or network operator decide to impose on it (a point made eloquently by Jeff Atwood in this post).

This highlights a wider problem as we move into an era of mobile technology and cloud computing: who’s in control? As computers move into our pockets and our software and data move out into the cloud, we gain a great deal in convenience, but we may be losing out on control. At the very least, we need to make sure we understand the trade-offs we’re making, whether as individuals or businesses.
