By Clint Fillipou, Managing Solicitor Melbourne
October 2013
Everyone is starting to get used to the idea of the forthcoming Australian Privacy Principles (APPs) and how they will impact business. But as the March 2014 implementation draws closer, there is sure to be panic and confusion about exactly how the privacy landscape will look moving forward. One potential area for confusion relates to how internet cookies are to be handled under the APPs – what will change?
A quick refresher – what is changing in March 2014, and what is an internet “cookie”?
As Leanne Montibeler explained in her Privacy Update in May 2013 (available at http://anisimoff.com.au/publication/lmm1/), the National Privacy Principles (NPPs) that we have all known and operated under for over 10 years are being replaced with the APPs, and we will see a variety of changes regarding how personally identifiable information must be collected and handled.
An internet or website “cookie” is a small piece of data sent between a user’s computer and a website that communicates details of the user’s previous and current activity, enabling the website to tailor the experience and assist in maintaining records of the site’s use. Depending on how the cookies are used and what information is gathered, a cookie may technically collect personally identifiable information from users.
The Australian position on cookies now, and under the APPs
At this stage the implementation of the APPs will have no impact on how cookies are handled and dealt with in Australia, unless the cookies obtained from users contain personally identifiable information. Whether this is the case or not changes from website to website and all website owners should check their own setup, but it is generally not the case that cookies contain such information. Cookies generally contain non-identifiable usage data. However, if the cookie data is combined together with other information that could collectively identify an individual, such as IP addresses and / or other contact details provided by the user, then this data could be ‘personal information’ and caught by privacy laws. For the sake of argument, if a website’s cookie processes did take personally identifiable information from users then various privacy-related communications would need to take place at the time of collection. However, it is important to note that this is no different to the state of play under the current NPPs. Of course, as outlined above, cookie management changes from website to website so it will pay website operators to examine their own situation carefully, and the forthcoming implementation of the APPs is as good a time as any to straighten these matters out.
If that is the case, why do so many sites now have a cookie pop-up message when I visit them?
This is a very good question, and a timely one given where the Australian privacy landscape is at right now. The simple answer is that in May 2011 the “EU Cookie Law” came into force, which brought with it certain obligations on website operators in the European Union (“EU”) and those who service or target users in the EU. These websites must now obtain consent from users for the collection of certain cookie data and other digital data before collection. Because collection of this data can be automatic upon visiting a website, many impacted website operators now utilise an immediate and prominent pop-up that must be clicked on or dismissed as a means of gaining consent. Importantly once again, these laws apply to websites operating in the EU or servicing users in the EU. The same laws do not apply to Australia, and will only be relevant to Australian businesses that service or target individuals in the EU. If you are concerned that this may be you and you are not complying, you should obtain legal advice. Finally, it is important to note that both the NPPs and the APPs contain sections relating to treatment of personal information that may be relevant to cookies, but as outlined above it will depend entirely on the nature of the cookies in each case, and nothing is changing when the APPs are introduced. While some commentators have indicated that the definition of ‘personal information’ is broader on this issue, in our view in real practical terms the overall position on this is unchanged.
The coincidental timing of the implementation of the EU Cookie Law and the transition to the APPs regime in Australia has confused many, but the fact remains that they are distinct and separate matters and unrelated for the majority of businesses. However, like most things in the digital space these developments with the APPs, the EU Cookie Law and other digital and online privacy issues have all combined to make the current world of privacy even more complex than usual. Recognising this, the Office of the Australian Information Commissioner has distributed draft guidelines to the APPs for consultation and these will be finalised and released to industry in due course. We can only hope the guidelines will assist rather than make things worse, but in any event Anisimoff Legal will publish an update on the guidelines when they are finalised.
If you would like further information on any of the above issues, or to be kept abreast of the forthcoming draft guidelines from the Office of the Australian Information Commissioner, visit our website, or follow us on Twitter, Facebook or LinkedIn with the below links. Alternatively, if you would like to speak to us directly please contact one of our experts below.