Ray Marshall

C is for Cookie


30 September 2014

Confidentiality and Privacy IT

Following our previous post on the “right to be forgotten” on the internet, the issue of internet cookies is worthy of consideration.

An internet cookie, sadly, is not a new method of morning tea delivery. Cookies are small files stored on a computer or other internet-enabled device which enable websites and other services to store information on that device. This is often used for beneficial purposes, e.g. it means that Facebook can detect that you’re already logged in on that computer and you don’t need to sign in every time you re-open your browser.


However, cookies are also often used to track user activities for the purposes of marketing and monitoring user behaviour, and have gained a poor reputation as a result. This is often combined with other methods of user tracking and website analytics to enable targeted marketing across websites. If you have ever gone internet shopping for a product or service and then seen ads for that product on another website, odds are that cookies are involved in tracking your browsing history somewhere along the line.


Australian privacy law is silent on the matter of cookies, but there has been an explosion of activity in Europe in recent years. Savvy internet readers may have noticed statements to the effect of “This website uses cookies” or a popup allowing a user to accept or decline to use cookies on European and international websites. This is due to a directive of the European Union that website operators must notify users that the website uses cookies and the purposes for which cookies are used.


The implementation of the Directive has not been consistent. Not all cookies are required to be disclosed if the cookie is “strictly necessary for the delivery of a service requested by the user” (e.g. shopping cart functionality). Nor is the method of notice strictly defined – many assume it to require an explicit “opt-in” to the use of cookies, while other implementations (including the UK Information Commissioner’s Office website) take an opt-out approach, or simply provide a small notice somewhere on the page that the website uses cookies and leave it to the user to decide whether or not to continue using the website.


Enforcement may be sporadic. The UK Information Commissioner’s Office has indicated that it will not be heavily pursuing breaches of the cookie Directive. On the other hand, earlier this year the Spanish Agencia Española de Protección de Datos became the first agency in the European Union to enforce the Directive, fining two companies for not sufficiently notifying users of the purpose of cookies and obtaining consent. In a separate case, the French Commission nationale de l’informatique et des libertés also fined Google for breaching French privacy laws, in part due to Google’s use of cookies without sufficient disclosure and consent as part of its Google Analytics software (which is connected to the Google advertising program).


Of course, these decisions are not directly relevant to companies based primarily or solely in Australia. However, with the new Australian Privacy Principles introduced this year, a reinvigorated Office of the Australian Information Commissioner with significantly increased powers to enforce penalties for breaches, and a general public push for greater privacy and the right to control personal information, similar actions in Australia under the Privacy Act remain a definite possibility for the future. Discretion, in this case, likely remains the better part of valour.