What’s the Browser got to do with EU e-Privacy Directive?

Alex Fowler

I’ve been in London this week to participate in a forum hosted by the ISBA on “Cookies, Privacy and Consumers: What Every Business Needs to Know,” as well as to meet with several people from consumer advocacy groups, leading technology companies and representatives of the UK government. The EU Privacy and Electronic Communications Directive goes into effect today in the UK and much discussion is underway about the role of browsers in the coming year here.

In the context of Mozilla’s ongoing support for people to better understand and control their Web experience and based on the meetings I’ve had here in London, my thoughts center on three major points:

  1. It’s important to focus on the intent of the e-Privacy Directive to empower Internet users with greater choice and control over online tracking. Inherently, this is not about cookies, nor is the Directive solely a technology challenge.
  2. I believe browser-based controls for cookies and tracking need to be simplified and harmonized to improve user experience and meet user expectations. We’re exploring ways the browser can help users convey intent regarding tracking in ways that enhance user experience and don’t break the web.
  3. However, the Directive is not about Firefox nor any other browser on the market today, nor does it require browsers to be configured or perform in any particular way. Compliance is solely the responsibility of any and all entities on the web that set cookies covered by the Directive on users’ computers and web-enabled devices.

A number of international law firms have published analyses of the e-Privacy Directive and the current implementations in the UK, France, Germany and other countries (e.g., Hunton & Williams, MoFo), so I won’t spend much time here on the specifics of the Directive. The UK Department of Media, Culture and Sport has published an open letter to the Internet on the the Directive, too, that provides additional guidance on how to interpret the Directive in the UK.

It’s fair to say browsers today have not harmonized the range of cookie controls in such a way as to send one clear, standardized signal to businesses that can be used as a proxy to meet compliance and respect consumer demands. Browser companies are just kicking off standards processes with the W3C and IETF that might be helpful in the future, but realistically it’s going to be months, if not longer, to achieve clarity at a technical level. Then there’s the question of getting users to adopt new versions of browsers with enhanced controls to further support user requirements and ease compliance efforts in this area.

It’s my view that site owners and third parties need to focus on improving privacy notices and statements that inform consumers of their cookie and tracking practices. In addition, any parties engaged in tracking consumers in the EU need to address compliance as if no new browser controls emerge. These are their consumers to loose and its their brand reputations on the line. Is it really our job as browser manufacturers to ensure consumer confidence and trust for their data practices?

Over the past few months, Mozilla has been supporting a new mechanism aimed at empowering users to control tracking online. Firefox 4, Firefox 4 Mobile and Firefox 5 Beta support a Do Not Track (DNT) feature, which when enabled, sends a HTTP header, DNT:1, telling publishers, advertisers and all third parties with which a user interacts online, that the user wishes to not be tracked. Based on browser upgrading trends for Firefox 4 and IE9, we anticipate that upwards of 25% of Internet users worldwide will have access to DNT by the middle of this summer. Apple’s announcement to include the same feature in the next version of Safari will only further accelerate DNT in the market.

Much has been written about DNT over the past few months, but it isn’t clear what the relationship is between DNT and the e-Privacy Directive.

Both DNT and the Directive are intended to provide more transparency, choice and control to users. The e-Privacy Directive requires “prior consent,” for cookie-based tracking, while the DNT feature is an opt-out for all types of online tracking, including cookies. While DNT and the Directive are different in purpose, there is an intersection.

The power of DNT comes from the user turning it on, thereby giving sites and third parties full confidence that the presence of the DNT:1 header is the individual user’s preference to not be tracked online. This is similar to what business and government representatives in the UK are saying right now. By the same token, sites and third parties in Europe engaging in cookie-based tracking will need to solicit permission from users regarding persistent cookies and other tracking techniques at some point in their interaction with these users.

Publishers, advertisers and third parties interacting with users online should consider how to respect users who’ve enabled DNT via the browser. Some data protection authorities may interpret the presence of the DNT setting as an indication that “here’s an informed user” who has opted out of the setting of persistent cookies covered by the Directive. This is one approach and others will need to be considered. Ignoring users with DNT enabled, however, which might be discovered by auditing server logs, could also impact user trust, brand reputation, and perhaps raise questions about compliance with the Directive. So both are going to be important factors worthy of consideration.

Users should be in control of their browsing experience. Cookies influence users’ browsing experience in many important and positive ways. They can also be used in ways that are surprising for users.

I’m supportive of efforts that increase transparency and enable users to manage their personal information online, whether created solely through technology or regulatory/self-regulatory measures or some combination of technology, industry standards and government regulations.

Along these lines, I believe the e-Privacy Directive can further enhance consumer protections for privacy and empower users with greater choice and control, depending on how sites and browsers support the Directive. At the same time, there are other forms of online tracking outside of cookies (e.g., device tracking, browser fingerprints) that need to be addressed, and any browser-based controls focused on compliance with the Directive will only address a portion of the many new ways users access the Internet (e.g., mobile devices and apps).

I’ll continue to work with my colleagues and the Mozilla community to innovate in this area and work with key stakeholders such as industry and standards groups, publishers, advertisers and policy makers. We’re at the beginning stages of evaluating how we can improve tracking protections online that bridge DNT and cookie-based controls with other privacy-enhancing technologies. I think one of our first efforts will need to be to further inform Firefox users about how cookies work and take steps to enhance cookie controls in the browser. One of the advantages Mozilla has as an open source software project is its very active community of users, developers and partners in Europe. I’ll make every effort to engage with that community as we explore browser-based options and tracking protections.

Alex Fowler
[Reposted]