“The difference between technology and slavery is that slaves are fully aware that they are not free.” - Nassim Nicholas Taleb
INTRODUCTION – WHAT ARE “COOKIES” ON THE INTERNET?
“Tracking my cookies? They will never get my recipe!” - Grandma using the Internet
The word “cookie” means different things to different people. In a bygone era, a cookie was simply a delicious treat. In today’s digital age, however, most netizens understand cookies as small digital files that a website stores on an end-user’s device when the user visits it. They are created to enable a website operator to track visitors’ activities. Historically, web services have claimed to retain cookies for the purpose of ‘improving user experience’ (also known as direct marketing).
As cookies inevitably retain user-specific data (i.e. personal data), many jurisdictions have woken up to the fact that legislation and regulation of the use of cookies are necessary to prevent abuse.
“Cookie Law” therefore commonly refers to legislation that requires website/domain operators to obtain consent from visitors before storing and/or retrieving any information on a computer, smartphone or tablet.
If you care about cookies and the law, stay tuned for our Legal Update Express series, which brings you summaries of the latest legal developments. To stay tuned, don’t forget to hit the subscribe link.
GLOBAL OVERVIEW
Although the dawn of the Internet was many decades ago, regulation of the Internet and of online personal data is still a relatively new norm. The following is a quick overview of cookie laws and regulations (and the strength of protection they provide) across the globe:
1. Hong Kong SAR
Name of regulating bod(ies)/law(s):
Administrative Appeals Board (“AAB”); Personal Data (Privacy) Ordinance (“PDPO”)
Protection level:
Low
Highlights:
At present, there are no specific laws regulating cookies. Hong Kong’s existing data privacy legislation, the PDPO, was based on the 1980 OECD Guidelines. Critics have often said that the PDPO is antiquated (especially when compared to newer data privacy legislation such as the GDPR) and in need of an overhaul.
Based on the decisions in AAB No. 16/2007 (regarding IP addresses) and AAB No. 25/2012 (regarding email addresses), it can be inferred that cookies may simply be regarded as the browsing histories of anonymous computer users, and would therefore not constitute personal data under the PDPO or be subject to its regulation.
Despite the perceived shortcomings of the PDPO (which have led many to criticize the legislation as antiquated), it does provide the Data Protection Principles, under which websites are recommended to:
Inform website users about the kind of information being stored in the cookies, the purpose of collecting the information and how the information is collected;
State whether the websites allow access by users who do not accept the use of cookies and whether there would be any loss of functionality resulting from not accepting cookies; and
Set out the type of information being collected/transferred and the purpose behind this.
Regarding behavioural information, website owners are recommended to:
Set up an appropriate expiry date for the cookies;
Encrypt the contents of the cookies whenever appropriate; and
Not deploy techniques that disregard browser settings on cookies, unless they can provide an alternative allowing website users to disable or decline the use of cookies.
Again, the fact that the PDPO only enables the Privacy Commissioner to ‘recommend’ rather than mandate has led many to criticize the legislation as lacking teeth. The PDPO is due to be revamped through legislative action in the Legislative Council in the coming days.
2. People’s Republic of China (“PRC”)
Name of regulating bod(ies)/law(s):
General PRC laws on data protection and Internet regulation; Personal Information Protection Law (“PIPL”) (Note: the PIPL is not yet in force but is expected to be in the near future)
Protection level:
Low/Medium
Highlights:
At present, there are no specific requirements regarding cookies in existing laws or regulations. The PIPL (based on its draft) does, however, provide that a data subject’s consent is necessary to process any personal data. It remains unclear how the authorities will specifically deal with cookies.
On 6 May 2015, the Intermediate People’s Court of Nanjing City, Jiangsu Province, held in a civil judgment that Baidu’s use of cookies to personalize advertisements directed at consumers on partner third-party websites did not infringe consumers’ right to privacy; the information collected was deemed not to be ‘personal information’ under Chinese law.
Personal data is defined as any recorded information that can be used, independently or in combination with other information, to identify a natural person;
Sensitive personal data is defined as personal data which, if disclosed or abused, will lead to adverse impact to the data subject; and
To the extent that cookies constitute processing of personal information, website operators should notify data subjects as part of a privacy policy, and adequate consent should be obtained from data subjects for such use.
The passage of the PIPL (though not yet in force) is seen as a step forward in modernizing cookie-related laws and regulations in an age of rapid developments in Big Data, Machine Learning and Artificial Intelligence.
3. United States of America (“USA” or “US”)
Name of regulating bod(ies)/law(s):
Federal law: Children’s Online Privacy Protection Act (“COPPA”); State law: e.g., California Consumer Privacy Act (“CCPA”)
Protection level:
Low
Highlights:
COPPA currently regulates the activity of websites and online services aimed at children under 13 years old. Whilst there is no specific federal legislation targeting the operation of cookies in the US, some states have passed local laws that regulate cookie usage where it relates to their residents. For example, the CCPA:
Grants consumers the right to request disclosure of the categories and specific pieces of personal information that a business has collected on them;
Grants consumers the right to request deletion, as well as the right to opt-out of having their data sold to third parties;
Requires that users be informed of what cookies are in operation on a website, what kind of personal information they collect and for what purposes; and
Requires that users be informed of the third parties with whom their personal information is shared.
Similar to the situation in Hong Kong and the PRC, the lack of an updated set of data privacy protection laws means that the level of protection, compared globally, is relatively low.
4. United Kingdom (“UK”)
Name of regulating bod(ies)/law(s):
Data Protection Act 2018; UK-General Data Protection Regulation (“UK-GDPR”)
Protection level:
High
Highlights:
The Data Protection Act 2018 was amended so that the data protection legislation is compatible with, and can be read in conjunction with, the UK-GDPR (the UK-GDPR being cited as one of the most advanced data protection laws globally, capable of responding to the realities of the present day).
UK-GDPR: almost word-for-word identical to the EU’s GDPR. Its main features include mandatory requirements for websites to obtain explicit consent from users before processing their personal data via cookies and third-party trackers.
As a result of these mandatory requirements, websites must enable users to withdraw their consent as easily as they gave it. The UK-GDPR also gives UK users a set of rights, chief among them the right to have already collected personal data deleted and the right to have it corrected.
5. European Union (“EU”)
Name of regulating bod(ies)/law(s):
General Data Protection Regulation (“GDPR”); Guidelines by the European Data Protection Board (“EDPB”)
Protection level:
High
Highlights:
Under the GDPR (applicable since May 2018), online identifiers such as cookie identifiers may be used to create profiles of individuals and to identify them, and such data are defined as, and qualify as, personal data (see Recital 30). Under this legislation:
Websites need to obtain user consent before activating cookies that process personal data
Users must be able to consent to some cookies rather than others
Website must document all obtained consents
Consent must be renewed annually
Under the EDPB guidelines:
Consent must be a freely given, specific, informed and unambiguous indication of users’ wishes
Pre-ticked checkboxes on cookie banners are not allowed, i.e. cookies must be deselected by default when users land on your website.
Scrolling and continued browsing on your website (implied consent) does not constitute valid consent
Cookie walls (i.e. making access to your domain conditional on user consent) do not constitute valid consent
The GDPR has often been cited by regulators (though not by industry operators) as the shining example of modern data protection law. With a significant number of mandatory requirements and the power to take enforcement action, it is seen as one of the most comprehensive sets of regulations in the data privacy protection space.
6. South Korea
Name of regulating bod(ies)/law(s):
Personal Information Protection Act (“PIPA”)
Protection level:
Medium
Highlights:
Under South Korean law, cookies are regulated by the PIPA as personal information, since when combined with other information they may enable the identification of a specific individual. Websites using cookies (or web beacons) must allow users to opt out, and the privacy policy must publicize the matters concerning the installation, operation and opt-out process for automated means of collecting personal information.
The PIPA is seen as a more moderate approach to regulating data privacy, attempting to strike a balance between operational efficiency and sufficient protection for the general public.
7. Japan
Name of regulating bod(ies)/law(s):
Personal Information Protection Act (Note: Amendment is expected to be enacted in the near future)
Protection level:
High
Highlights:
Japan is unique in that, whilst the existing law does not require consent for the use of cookies in all instances, its regulation focuses on cases where the receiving company identifies individuals. Where personal data is collected, the company is brought within the reach of the regulation.
Companies will be required to obtain users’ consent when "cookies" are used, and when these cookies are given to third parties to create individual profiles. Companies are also required to provide explanations as to how such profiles are created.
The Personal Information Protection Commission plans to introduce legal provisions giving web users the right to ask companies not to use their personal information for unwanted purposes.
Cookies will be handled in the same way as other personal information when it is turned over to a third party for the purpose of identifying an individual. The company will be required to inform the person that their information is being gathered and obtain the person's permission.
In this regard, the 2020 Amendment proposes to introduce the notion of Related Personal Information, i.e. information which relates to a living individual but cannot, by itself, identify that individual. Cookies will therefore be deemed Related Personal Information and cannot be provided to a third party that may be able to use them to identify an individual, except where the provider has the individual’s consent.
8. Australia
Name of regulating bod(ies)/law(s):
Privacy Act of 1988 (“PA 1988”); Australian Privacy Principles (“APPs”)
Protection level:
Medium
Highlights:
Similar to Hong Kong, Australia’s data protection law came into existence before the widespread proliferation of cookies across the Internet. As such, there are no specific laws targeting cookies.
Under the PA 1988 and APPs, the law requires websites to have a privacy policy that informs users of all cookies/trackers that collect, process, or share personal information.
The Australian legislation distinguishes between personal information (basic identity information) and sensitive information (racial origin, political opinions, religion, sexual orientation, etc.). For personal information, the APPs state that a website may only collect and process the information if it is necessary for, or directly related to, the website’s functions and activities (no cookie banner is required). For sensitive information, websites must ask users for express consent before collection (so a cookie banner is required).
Where an Australian website collects personal information from users for one purpose, it cannot use or disclose that information for other purposes unless the users consent to such use or disclosure. Consent is therefore key.
CONCLUSION
Essentially, when it comes to cookie regulations and laws, there is no benefit for website users under existing Hong Kong law, especially when compared to the data protection frameworks of the EU, UK and Japan.
Most notably, website operators are only ‘recommended’ to pursue certain courses of conduct, as opposed to being subject to strict regulation. As a result, website users’ data can be used for advertising purposes without the user’s consent (which is effectively prohibited under newer personal data protection laws such as the GDPR), with various forms of personal information and sensitive information collected and transferred in the process.
It is therefore understandable why the AAB decisions are considered largely outdated and may result in insufficient protection for website users, though it is predicted that the position is likely to change if a case regarding cookies is heard before the Board. Many in academic circles are therefore largely critical of Hong Kong’s cookie law from the standpoint of continued Internet safety and urge reform of the current laws.
We hope you enjoyed the latest of our Legal Update Express series. To stay tuned for more content, hit the subscribe link provided. Until next time.
This article is co-authored by Joshua Chu from ONC Lawyers