As part of ensuring confidentiality of communications, the original wording of Article 5(3) of Directive 2002/58 on privacy and electronic communications required that (i) the user was given clear and comprehensive information prior to the placing of or access to any spyware, certain cookies and other devices on her or his terminal, (ii) the user was given the option to ‘refuse’ the storage or access. The law made storage or access dependent on the user’s choice. The recently amended version of Article 5(3) refers to a need for the user to give ‘consent, having been provided with clear and comprehensive information’. The prevailing practice of silent placing or access does not comply with either the original or the amended text of Article 5(3). The placing of devices that allow tracking of user behaviour across websites may also raise issues relating to confidentiality of communications under Article 5(1) of the Directive. Both the original and amended version of Article 5(3) facilitate the use of first-party cookies strictly necessary in order for the provider of an information society service explicitly requested by the user to provide the service by excluding them from the requirement of informed user choice.
Business Law Review