Abstract
The reviewed ePrivacy Directive aims at ensuring internet users’ online privacy by requiring users to give informed consent to the gathering, storing, and processing of their data by internet service providers, e.g., through the cookies’ use. However, it is hardly possible to talk about an “informed” consent if internet users are not aware of cookies or do not understand when and how they work. Currently, European rules require internet service providers to provide internet users with a “clear and comprehensive” information on the cookies’ use without further specifying what kind of disclosure would be seen as compliant therewith. This paper assesses the need for harmonized European guidelines on transparent and readable disclosure on the cookies’ use and suggests the way forward based on comparative legal research and findings from consumer behaviour research.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
The link between consumer behaviour research and internet users’ behaviour that is made in this paper is based on the assumption that internet users are indeed often consumers and as such are likely to suffer from information asymmetry, as well as various behavioural biases.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“ePrivacy Directive”) [2002] OJ L201/37. Article 5(3) was changed by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (“Citizens’ Rights Directive”) [2009] OJ L337/11.
See further on this in Chapter 2.
Telecommunicatiewet, 19.10.1998 with changes, http://wetten.overheid.nl/BWBR0009950/geldigheidsdatum_29-06-2012.
A few guidelines have been issued by the ICO, the most recent one (of May 2012) will be referred to here.
This paper focuses on the analysis of the requirements for an “informed” consent, leaving the methods of obtaining users’ consent outside its scope.
One of the surveyed consumers asked: “How about the ‘Privacy Notice for Dummies’ version?”
Similar data comes from the US research, see, e.g., Earp and Baumer 2003, pp. 81–83.
The following paragraphs discuss how to make the content of privacy notices more understandable to internet users.
This strategy tends to be successful in making consumers pay attention to advertisements (Pechmann and Stewart 1988, pp. 285–330; D’Souza and Rao 1995, pp. 32–42; Yaveroglu and Donthu 2008, pp. 31–43). Research shows also robustness of the repetition priming effect, proving that the repetition of identical signs results in faster and more accurate responses, e.g., with regards to traffic signs (Castro et al. 2007, p. 39–40). On the other hand, some researchers claimed that repeat exposure to the same information could desensitize consumers (Magat et al. 1988, pp. 201–232).
As a comparison, the ICO received 53 complaints in the period October–December 2013 (http://ico.org.uk/enforcement/action/cookies).
The results of this sweep are not yet announced.
As of 1 April 2013, the OPTA constitutes a part of the ACM (Autoriteit Consument en Markt)—the Authority for Consumers and Markets.
OPTA started its enforcement of the new cookies’ rules by sending a letter in September 2012 to over 100 governmental websites to urge them to comply therewith (http://optajaarverslag2012.acm.nl/jaarverslag/consumenten/internetveiligheid/handhaving-cookies/). There is no mention of any fine or non-compliance actions that it had to take against Dutch marketers since the adoption of the new rules.
This is true not only in Europe but also in the USA, see, e.g., Culnan 2000, p. 24.
Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights (“Consumer Rights Directive”) [2011] OJ L304/64.
The research on standardization in advertising sector mostly shows benefits thereof. See footnote 11.
References
BBC. (2012). Thousands of websites in breach of new cookie law. Available at http://www.bbc.com/news/technology-18206810.
Bond, R. (2012). The EU e-Privacy directive and consent to cookies. Business Lawyer, 68, 215.
Castro, C., Tornay, F. J., Horberry, T., Martínez, C., Gale, A., & Martos, F. J. (2007). Worded and symbolic traffic sign stimuli analysis using repetition priming and semantic priming effects. Advances in Psychology Research, 53, 17–46.
Caudill, E. M., & Murphy, P. E. (2000). Consumer online privacy: Legal and ethical issues. Journal of Public Policy & Marketing, 19, 7–19.
Charters, D. (2002). Electronic monitoring and privacy issues in business-marketing: The ethics of the doubleclick experience. Journal of Business Ethics, 35, 243–254.
Culnan, M. J. (2000). Protecting privacy online: Is self-regulation working? Journal of Public Policy & Marketing, 19, 20–26.
D’souza, G., & Rao, R. C. (1995). Can repeating an advertisement more frequently than the competition affect brand preference in a mature market. Journal of Marketing, 59, 32–42.
Department for Culture, Media and Sport (the “DCMS”) (2011). Research into consumer understanding and management of internet cookies and the potential impact of the EU Electronic Communications Framework. Available at http://www.culture.gov.uk/images/consultations/PwC_Internet_Cookies_final.pdf (p. 1–91).
Dinev, T., & Hart, P. (2006). An extended privacy calculus model for E-commerce transactions. Information Systems Research, 17, 61–80.
Earp, J. B., & Baumer, D. (2003). Innovative web use to learn about consumer behavior and online privacy. Communications of the ACM, 46, 81–83.
Evans, D. (2012). ICO blog: Education key to cookie law progress. Available at http://ico.org.uk/news/blog/2012/education-key-to-cookie-law-progress.
Friedmann, K. (1988). The effect of adding symbols to written warning labels on user behavior and recall. Human Factors, 30, 507–515.
Furnell, S., & Phippen, A. (2012). Online privacy: a matter of policy? Computer Fraud & Society 12–18.
Gozzo, P. (2005). The strategy and the harmonization process within the European legal system: Party autonomy and information requirements. In G. Howells, A. Janssen, & R. Schulze (Eds.), Information rights and obligations (pp. 22–30). Aldershot: Ashgate.
Harridge-March, S. (2006). Can the building of trust overcome consumer perceived risk online? Marketing Intelligence & Planning, 24, 746–761.
Helberger, N., Guibault, L., Loos, M., Mak, C., Pessers, L., & Van Der Slot, B. (2013). Digital consumers and the law. Alphen aan den Rijn: Kluwer Law International.
Hoffman, D. L., Novak, T. P., & Peralta, M. (1999). Building consumer trust online. Communications of the ACM, 42, 80–85.
IMCO (Committee on the Internal Market and Consumer Protection of the European Parliament) (2011). Consumer behaviour in a digital environment. Study. Available at http://www.europarl.europa.eu/committees/en/studiesdownload.html?languageDocument=EN&file=42591.
Information Commissioner’s Office (2012). Guidance on the rules on use of cookies and similar technologies. v. 3. Available at http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx (p. 1–30).
International Chamber of Commerce (2012). ICC UK cookie guide. Available at http://www.international-chamber.co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cookie_guide.pdf (p. 1–15).
Jennings, M. (2012). To track or not to track: recent legislative proposals to protect consumer privacy. Harvard Journal on Legislation, 49, 193–206.
Jones, R., & Tahri, D. (2010). EU law requirements to provide information to website visitors. Computer Law and Security Report, 26, 613–620.
Kierkegaard, S. M. (2005). How the cookies (almost) crumbled: Privacy & lobbyism. Computer Law and Security Report, 21, 310–322.
Lee, D. (2012). Cookies: Majority of government sites to miss deadline. BBC. Available at http://www.bbc.com/news/technology-18090118.
Liao, C., Liu, C., & Chen, K. (2011). Examining the impact of privacy, trust and risk perceptions beyond monetary transactions: An integrated model. Electronic Commerce Research and Applications, 10, 702–715.
Luzak, J. (2013). Much ado about cookies: The European debate on the new provisions of the ePrivacy directive regarding cookies. European Review of Private Law, 1, 221–246.
Magat, W., Viscusi, W. K., & Huber, J. (1988). Consumer processing of hazard warning information. Joural of Risk and Uncertainty, 1, 201–232.
McDougall, S. (2011). Cookie crumbles: confusion over data regulation. Guardian 11. Available at http://www.guardian.co.uk/local-government-network/2011/aug/11/privacy-law-online-data-regulation.
Michelfelder, D. P. (2001). The moral value of informational privacy in cyberspace. Ethics and Information Technology, 3, 129–135.
Milne, G. R., & Culnan, M. J. (2004). Strategies for reducing online privacy risks: Why consumers read (or don’t read) online privacy notices’. Journal of Interactive Marketing, 18, 15–29.
Miyazaki, A. D. (2008). Online privacy and the disclosure of cookie use: Effects on consumer trust and anticipated patronage. Journal of Public Policy & Marketing, 27, 19–33.
Morris, L. A., Mazis, M. B., & Brinberg, D. (1989). Risk disclosures in televised prescription drug advertising to consumers. Journal of Public Policy & Marketing, 8, 64–80.
Nowak, G. J., & Phelps, J. (1995). Direct marketing and the use of individual-level consumer information: Determining how and when “Privacy” matters. Journal of Direct Marketing, 9, 46–60.
Opinion 15/2011 on the definition of consent issued by Article 29 Data Protection Working Party, 13.07.2011, 01197/11/EN WP187. Available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf. (p. 9)
Opinion 2/2010 on online behavioural advertising issued by Article 29 Data Protection Working Party, 22.10.2010, 00909/10/EN WP171. Available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf At 12.
OPTA (2012). Veelgestelde vragen over de nieuwe cookieregels. (pp. 1–5). Available at http://www.opta.nl/nl/actueel/alle-publicaties/publicatie/?id=3595.
Papakonstantinou, V., & De Hert, P. (2011). The amended EU Law on ePrivacy and Electronic Communications after its 2011 implementation; new rules on data protection, spam, data breaches and protection of intellectual property rights. John Marshall Journal of Computer & Information Law, 29, 29.
Park, Y. J., Campbell, S. W., & Kwak, N. (2012). Affect, cognition, and reward: Predictors of privacy protection online. Computer in Human Behavior, 28, 1019–1027.
Pechmann, C., & Stewart, D. W. (1988). Advertising repetition: A critical review of wearing and wearout. Current Issues and Research in Advertising, 11, 285. at 285–330.
Pollach, I. (2005). A typology of communicative strategies in online privacy policies: Ethics, power and informed consent. Journal of Business Ethics, 62, 221–235.
Schoenbachler, D. D., & Gordon, G. L. (2002). Trust and customer willingness to provide information in database-driven relationship marketing. Journal of Interactive Marketing, 16, 2–16.
Schwaig, K. S., Segars, A. H., Grover, V., & Fiedler, K. D. (2013). A model of consumers’ perceptions of the invasion of information privacy. Information & Management, 50, 1–12.
Sefton-Green, R. (2005). Duties to inform versus party autonomy: Reversing the paradigm (from free consent to informed consent)?—A comparative account of French and English Law. In G. Howells, A. Janssen, & R. Schulze (Eds.), Information rights and obligations (pp. 171–173). Aldershot: Ashgate.
Turow, J., Hennessy, M., & Bleakley, A. (2008). Consumers’ understanding of privacy rules in the marketplace. The Journal of Consumer Affairs, 42, 411–424.
Van Wel, L., & Royakkers, L. (2004). Ethical issues in web data mining. Ethics and Information Technology, 6, 129–140.
Williams, I. (2013). Blog: ICO joins global sweep to improve website privacy policies. http://ico.org.uk/news/blog/2013/ico-joins-global-sweep-to-improve-website-privacy-policies.
Wirtz, J., Lwin, M. O., & Williams, J. D. (2007). Causes and consequences of consumer online privacy concern. International Journal of Service Industry Management, 18, 326–341.
Yaveroglu, I., & Donthu, N. (2008). Advertising repetition and placement issues in on-line environments. Journal of Advertising, 37, 31–43.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Luzak, J.A. Privacy Notice for Dummies? Towards European Guidelines on How to Give “Clear and Comprehensive Information” on the Cookies’ Use in Order to Protect the Internet Users’ Right to Online Privacy. J Consum Policy 37, 547–559 (2014). https://doi.org/10.1007/s10603-014-9263-3
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10603-014-9263-3