Latest Legal Update Express | Internet of Things Series | Cookies & Law | Comparing Regulations Governing Cookies on the Internet across the Globe

“The difference between technology and slavery is that slaves are fully aware that they are not free.”

- Nassim Nicholas Taleb

INTRODUCTION – WHAT ARE “COOKIES” ON THE INTERNET?

Tracking my cookies? They will never get my recipe!

- Grandma using the Internet

The word cookie carries a different meaning for different people. In a bygone era, a cookie was simply a delicious treat. In today’s digital age, however, most netizens understand cookies as small digital files that are generated whenever an end-user accesses a website. They are created in order to enable a website operator to track visitors’ activities. Historically, web services have claimed to retain cookies for the purpose of ‘improving user experience’ (also known as direct marketing).

As cookies will inevitably retain user-specific data (i.e. personal data), many different jurisdictions have woken up to the fact that legislation and regulation of the use of cookies are necessary in order to prevent abuse.

The term “Cookie Law” therefore commonly refers to legislation that requires website/domain operators to obtain consent from visitors before storing and/or retrieving any information on a computer, smartphone or tablet.

If you care about cookies and laws, then stay tuned for our Legal Update Express series, bringing you a summary of the latest legal developments. To stay tuned, don’t forget to catch us at the subscribe link.

GLOBAL OVERVIEW

Although the Internet has been with us for several decades by this point, regulation of the Internet and of online personal data is still a relatively new norm. The following is a quick overview of Cookie Laws/Regulations (and the strength of protection they provide) across the globe:

  1. Hong Kong SAR

Name of regulating bod(ies)/law(s):

Administrative Appeals Board (“AAB”); Personal Data (Privacy) Ordinance (“PDPO”)

Protection level:

Low

Highlights:

At present, there are no specific laws regulating cookies. Hong Kong’s existing data privacy legislation, the PDPO, was based on the 1980 OECD Guidelines. Critics have often said that the PDPO is antiquated (especially when compared to newer data privacy legislation such as the GDPR) and is in need of an overhaul.

Based on the decisions in AAB No. 16/2007 (regarding IP addresses) and AAB No. 25/2012 (regarding email addresses), it can be inferred that cookies may simply be regarded as the browsing histories of anonymous computer users, and so would not constitute personal data under the PDPO or be subject to its regulation.

Despite the perceived shortcomings of the PDPO (which lead many to criticize the legislation as antiquated), it does provide the Data Protection Principles, under which websites are recommended to:

  1. Inform website users about the kind of information being stored in the cookies, the purpose of collecting the information and how the information is collected;
  2. State whether the websites allow access by users who do not accept the use of cookies and whether there would be any loss of functionality resulting from not accepting cookies; and
  3. Set out the type of information being collected/transferred and the purpose behind this.

Regarding behavioural information, website owners are recommended to:

  1. Set up an appropriate expiry date for the cookies;
  2. Encrypt the contents of the cookies whenever appropriate; and
  3. Not deploy techniques that disregard browser settings on cookies unless they can provide an alternative for website users to disable the cookies or decline the use of cookies.

Again, the fact that the PDPO only enables the Privacy Commissioner to ‘recommend’ rather than mandate has led many to criticize the legislation as lacking teeth. The PDPO is due to be revamped through legislative action in the Legislative Council in the coming days.

  2. People’s Republic of China (“PRC”)

Name of regulating bod(ies)/law(s):

General Chinese laws on data protection and Internet regulation; Personal Information Protection Law (“PIPL”) (Note: the PIPL is not yet in force but is expected to be in the near future)

Protection level:

Low/Medium

Highlights:

At present, there are no specific requirements regarding cookies within existing laws or regulations. The PIPL (based on its draft text) does, however, provide that a data subject’s consent is necessary to process any personal data. It remains unclear how the authorities will specifically deal with cookies.

On 6 May 2015, the Intermediate People’s Court of Nanjing City, Jiangsu Province, held in a civil judgment that Baidu’s use of cookies to personalize advertisements directed at consumers on partner third-party websites did not infringe consumers’ right to privacy. The information collected was accordingly deemed not to be ‘personal information’ under Chinese law.

General regulation of cookies based on definitions extracted from the data protection framework includes:

  1. Personal data is defined as any recorded information that can be used, independently or in combination with other information, to identify a natural person;
  2. Sensitive personal data is defined as personal data which, if disclosed or abused, will lead to an adverse impact on the data subject; and
  3. To the extent that cookies constitute processing of personal information, website operators should notify data subjects as part of a privacy policy, and adequate consent should be obtained from data subjects for such use.

The passage of the PIPL (though not yet in force) is seen as a step forward in modernizing cookie-related laws and regulations in an age of rapid developments in Big Data, Machine Learning and Artificial Intelligence.

  3. United States of America (“USA” or “US”)

Name of regulating bod(ies)/law(s):

Federal law: Children’s Online Privacy Protection Act (“COPPA”); State law: e.g., California Consumer Privacy Act (“CCPA”)

Protection level:

Low

Highlights:

COPPA currently regulates the activity of websites and online services aimed at children under 13 years old. Whilst there is no federal legislation specifically targeting the operation of cookies in the US, some states have passed local laws that regulate cookie usage where it relates to their residents. To illustrate, the CCPA:

  1. Grants consumers the right to request disclosure of the categories and specific pieces of personal information that a business has collected on them;
  2. Grants consumers the right to request deletion, as well as the right to opt out of having their data sold to third parties;
  3. Requires that users be informed of what cookies are in operation on a website, what kind of personal information they collect and for what purposes; and
  4. Requires that users be informed of which third parties their personal information is shared with.

Similar to the situation in Hong Kong and the PRC, the lack of an updated set of data privacy protection laws means that the level of protection, compared globally, is at the lower end.

  4. United Kingdom (“UK”)

Name of regulating bod(ies)/law(s):

Data Protection Act 2018; UK-General Data Protection Regulation (“UK-GDPR”)

Protection level:

High

Highlights:

The Data Protection Act 2018 was amended so that the UK’s data protection legislation is compatible with, and can be read in conjunction with, the UK-GDPR (the UK-GDPR being cited as one of the most advanced pieces of data protection legislation globally, capable of responding to the realities of the present day).

UK-GDPR: Almost word for word identical to the EU’s GDPR; its main features include mandatory requirements for websites to obtain explicit consent from users before processing their personal data via cookies and third-party trackers.

As a result of such mandatory requirements, websites have to enable users to withdraw their consent just as easily as they gave it, and the legislation gives a set of rights to UK users, chief among them the right to have already-collected personal data deleted or corrected.

  5. European Union (“EU”)

Name of regulating bod(ies)/law(s):

General Data Protection Regulation (“GDPR”); Guidelines by the European Data Protection Board (“EDPB”)

Protection level:

High

Highlights:

According to the GDPR (in force since May 2018), online identifiers such as cookie identifiers may be used to create profiles of the individuals concerned and to identify them. Such data are defined as, and qualify as, personal data (see Recital 30). Under this legislation:

    1. Websites need to obtain user consent before activating cookies that process personal data
    2. Users must be able to consent to some cookies rather than others
    3. Websites must document all obtained consents
    4. Consent must be renewed annually

Under the EDPB:

    1. Consent must be a freely given, specific, informed and unambiguous indication of users’ wishes
    2. Pre-ticked checkboxes on cookie banners are not allowed, i.e. cookies must be deselected by default when users land on your website.
    3. Scrolling and continued browsing on your website (implied consent) does not constitute valid consent
    4. Cookie walls (i.e. making user consent conditional for access to your domain) does not constitute valid consent

The GDPR has often been cited by regulators (though not by industry operators) as the shining example of modern data protection law. With a significant number of mandatory requirements as well as the power to take enforcement action, it is seen as one of the most comprehensive sets of regulation in the data privacy protection space.

  6. South Korea

Name of regulating bod(ies)/law(s):

Personal Information Protection Act (“PIPA”)

Protection level:

Medium

Highlights:

Under South Korean law, cookies are regulated by the PIPA as personal information, since, if combined with other information, they may enable the identification of a specific individual. Websites using cookies (or web beacons) must allow the user to opt out, and the privacy policy must publicize the matters concerning the installation, operation and opt-out process for automated means of collecting personal information.

The PIPA is seen as a more moderate approach to regulating data privacy, attempting to strike a balance between operational efficacy and sufficient protection for the general public.

  7. Japan

Name of regulating bod(ies)/law(s):

Personal Information Protection Act (Note: Amendment is expected to be enacted in the near future)

Protection level:

High

Highlights:

Japan is unique in that the existing law does not require consent for the use of cookies in all instances; regulation is instead focused primarily on cases where the receiving company identifies individuals. Where personal data is collected, the company is brought within the reach of the regulation.

Companies will be required to obtain users’ consent when cookies are used and when these cookies are given to third parties to create individual profiles. Companies are also required to explain how such profiles are created.

The Personal Information Protection Commission plans to introduce legal provisions giving web users the right to ask companies not to use their personal information for unwanted purposes.

Cookies will be handled in the same way as other personal information when it is turned over to a third party for the purpose of identifying an individual. The company will be required to inform the person that their information is being gathered and obtain the person's permission.

In this regard, the 2020 Amendment proposes to introduce the notion of Related Personal Information: information which relates to a living individual but cannot, by that information alone, identify the individual. Cookies will therefore be deemed Related Personal Information and cannot be provided to a third party if that third party may be able to use the cookies to identify an individual, except where the provider has the individual’s consent.

  8. Australia

Name of regulating bod(ies)/law(s):

Privacy Act of 1988 (“PA 1988”); Australian Privacy Principles (“APPs”)

Protection level:

Medium

Highlights:

Similar to Hong Kong, the Australian data protection law came into existence before the widespread proliferation of cookies across the Internet. As such, there are no specific laws targeting cookies.

Under the PA 1988 and APPs, the law requires websites to have a privacy policy that informs users of all cookies/trackers that collect, process, or share personal information.

The Australian legislation distinguishes between personal information (basic identity information) and sensitive information (racial origin, political opinions, religion, sexual orientation, etc.). For personal information, the APPs state that a website may only collect and process it where this is necessary for, or directly related to, the website’s functions and activities (no cookie banner is required). For sensitive information, websites must ask users for express consent before collection (so a cookie banner is required).

Where an Australian website collects personal info on users for one purpose, it cannot use/disclose such information for other purposes unless users consent to such disclosure. Consent is therefore the key.

CONCLUSION

Essentially, when it comes to cookies regulations/laws, there is no benefit for website users under existing Hong Kong law, especially when compared to the data protection frameworks of EU, UK, and Japan.

Most notably, website operators are only ‘recommended’ to pursue certain courses of conduct, as opposed to being bound by strict regulation. As a result, website users’ data can be used for advertising purposes without the user’s consent (which is effectively prohibited in newer personal data protection laws, e.g. the GDPR), with various forms of personal information and sensitive information collected and transferred in the process.

It is therefore understandable that the AAB decisions are considered largely outdated and may result in insufficient protection for website users, though it is predicted that the position is likely to change if a case regarding cookies is heard before the Board. Many in academic circles therefore take a largely critical view of Hong Kong’s cookie law as regards continued internet safety, and urge reform of the current laws.

We hope you enjoyed the latest of our Legal Update Express series. To stay tuned for more content hit the subscribe link provided. Until next time.


Hong Kong solicitor

朱喬華 is a Hong Kong solicitor who focuses on litigation and alternative dispute resolution proceedings.

His experience includes acting for the successful party in Hong Kong’s first litigation involving cryptocurrency, and representing the healthcare industry before the review body in a challenge to the government’s tender result under the WTO Agreement on Government Procurement.

Before becoming a solicitor, Mr 朱 worked in the healthcare industry as head of the IT department of a private hospital, where he also oversaw procurement.

Partner, Ravenscroft & Schmierer