I’ve written here recently about the importance of definitions and the worrying inability of people in the Data Management community to understand what a definition actually is. Definitions, when understood (by which I mean “when we understand what it means to define something”), can be incredibly powerful. That is why there are whole disciplines devoted to definitions in fields such as Law and Literature.

By defining a thing in the context of its attributes we essentially say that the term we are defining is the label that we are putting on a bundle of attributes and characteristics (I refer you back to the definition of a car from the Oxford English Dictionary I used as an example). If we cannot get the definition right, and define it in the right way, the implications for data modelling, business process re-engineering, regulation, Data Governance, and Information Quality are significant.

A good example is the development of “new” ‘silver bullet’ technologies in the on-line advertising world that purport to allow marketers to ~~stalk their prey~~ track their users across the internet, bypassing browser controls on the use of cookies. This is interesting news, given that the EU has a somewhat cumbersome ePrivacy Directive that requires consent for the use of certain kinds of tracking cookie, and only bypasses the consent requirement where the cookie is essential to the delivery of the Information Age Service. That Directive does not contain a definition of what it labels a “cookie”, despite it being referred to as “the cookies directive” in some quarters. What it does do is set out a definition of actions and activities that are to be unlawful (see Article 5(3) of the Directive).

What it requires is that

“Member States shall ensure that the storing of information, or the gaining of access to information already stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the processing.”

The Article goes on to set out some specific exceptions which basically boil down to consent not being required where there is a technical necessity. “Terminal equipment” is defined elsewhere in the Directive as meaning any device that is connected to a public telecommunications network.

Looking at the description of how these “cookie rule busting” technologies work, the one that is covered in most detail in the Information Week article uses the HTML 5 Canvas API to draw an invisible picture in a browser window and then converts that image into alphanumeric code which constitutes a “fingerprint” for that particular subscriber or user.

So, it uses HTML5 to create a piece of information that is stored, albeit just briefly, on a person’s computer and which is then accessed. Given that the definition in this legislation of what we commonly refer to as a cookie makes no reference to storing on a hard drive, storing in memory would still be caught by the definition. Which leads to the conclusion that, on the basis of its attributes, this technology falls within the category of things that require prior notice and consent under EU law.

To that end, I would strongly suggest that anyone using this kind of technology in the EU would need to take the same steps around informing, seeking consent, and enabling opt-out as is the case with the more ‘traditional’ cookie-type technologies like text files and Flash Local Objects. Considering cookies in the context of file-based data stores is the technological benchmark, but the DEFINITION encompasses so much more.
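One way a site owner could apply that consent requirement to the canvas read-back described above, as an added example that is not from the original post or the Information Week article: the wrapper below logs every `toDataURL` call and withholds the image data until consent is given. The names `gateCanvasReads`, `FakeCanvas` and `demo` are hypothetical, and the consent flag stands in for whatever consent mechanism the site already uses.

```javascript
// Added example: gate and log canvas read-back until the user has consented.
// gateCanvasReads, FakeCanvas and demo are hypothetical names for illustration.
function gateCanvasReads(canvasProto, hasConsent) {
  const original = canvasProto.toDataURL;
  const log = [];
  canvasProto.toDataURL = function (...args) {
    const allowed = Boolean(hasConsent());
    // Record every read so a site owner can see which scripts access canvas data.
    log.push({ method: 'toDataURL', width: this.width, height: this.height, allowed });
    // Without consent, return the value browsers give for an empty canvas,
    // so the caller receives nothing derived from this device.
    if (!allowed) return 'data:,';
    return original.apply(this, args);
  };
  return { log, restore() { canvasProto.toDataURL = original; } };
}

// Constructed stand-in for HTMLCanvasElement so the example runs outside a browser.
class FakeCanvas {
  constructor() { this.width = 200; this.height = 50; }
  toDataURL() { return 'data:image/png;base64,CONSTRUCTED-PIXEL-DATA'; }
}

function demo() {
  let consent = false;
  const gate = gateCanvasReads(FakeCanvas.prototype, () => consent);
  const canvas = new FakeCanvas();
  const before = canvas.toDataURL(); // blocked: no consent yet
  consent = true;                    // user accepts the notice
  const after = canvas.toDataURL();  // allowed
  gate.restore();
  return { before, after, log: gate.log };
}
```

In a browser the first argument would be `HTMLCanvasElement.prototype`, installed before any third-party script runs. `getImageData` on the 2D context is a second read-back path that this sketch does not cover.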

I spoke at length about this potential at a number of events in 2011 and 2012 and tried to get audiences of lawyers, developers, and Regulators to reframe their understanding of what a “cookie” was to match how it had been defined in the legislation. One of those presentations should be/is embedded below.

Daragh O Brien

Daragh is the founder and Managing Director of Castlebridge. He brings over twenty years of experience in data strategy and regulatory operations to the table for clients. He lectures in the School of Law in UCD and in the Law Society of Ireland on Data Protection and Data Governance. He is a Fellow of the Irish Computer Society and holds CIPP/E and CIPM certifications from the IAPP and other data management qualifications.