How the EU's view of cookies changed, from opt-out to opt-in

“Cookies in the EU from May? Only with the visitor's explicit consent” caused a stir not only in Europe but also in the US media. It is hard to believe that the EU would really want the explicit (prior) consent of a website user even before the visitor reaches the site. So how is it really?

If you go through the following revisions of the regulation in question, you will fairly quickly understand how the “Cookie Directive” arrived at its current form. The opt-out form in force since 2002 “somehow” turned into an opt-in form: the final version really does make the use of cookies conditional on the user giving consent, and only after everything has been explained to them.

Interestingly, the provision that originally allowed the matter to be handled through the technical capabilities of the browser also seems to have disappeared somewhere from the originally proposed form. For the full text you can head here (PDF).

Where the “Cookies Directive” will end up and how everything will turn out is unclear. In the United Kingdom (where the renewed interest in the cookie issue started) we will be able to learn more as early as May, when the government there will adopt the “Cookies Directive” into local law.

2009 – final version – the user must consent in advance (opt-in)

Article 5(3) of the Privacy and Electronic Communications Directive is replaced by the following: Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

2009 – original proposal, the user can refuse (opt-out)

(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

2002 – the law then in force, the user can refuse (opt-out)

Article 5(3) : Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

2002 – original proposal, the user can refuse (opt-out)

However, such devices, for instance so-called ‘cookies’, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user’s terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.