Of Dice and Definitions
I’ve written here recently about the importance of definitions and the worrying inability of people in the Data Management community to understand what a definition actually is. Definitions, when understood (by which I mean “when we understand what it means to define something”) can be incredibly powerful. That is why there are whole disciplines devoted to definitions in fields such as Law and Literature.
By defining a thing in the context of its attributes we essentially say that the term we are defining is the label that we are putting on a bundle of attributes and characteristics (I refer you back to the definition of a car from the Oxford English Dictionary I used as an example). If we cannot get the definition right, and define it in the right way, the implications for data modelling, business process re-engineering, regulation, Data Governance, and Information Quality are significant.
What it requires is that
“Member States shall ensure that the storing of information, or the gaining of access to information already stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the processing.”
The Article goes on to set out some specific exceptions which basically boil down to consent not being required where there is a technical necessity. “Terminal equipment” is defined elsewhere in the Directive as meaning any device that is connected to a public telecommunications network.
Looking at the description of how these “cookie rule busting” technologies work, the one that is covered in most detail in the Information Week article uses the HTML 5 Canvas API to draw an invisible picture in a browser window and then converts that image into alphanumeric code which constitutes a “fingerprint” for that particular subscriber or user.
So, it uses HTML5 to create a piece of information that is stored, albeit just briefly, on a person’s computer and which is then accessed. Given that the definition in this legislation of what we commonly refer to as a cookie makes no reference to storing on a hard drive storing in memory would still be caught by the definition. Which leads to the conclusion that, on the basis of its attributes, this technology falls within the category of things that require prior notice and consent under EU law.
To that end, I would strongly suggest that anyone using this kind of technology in the EU would need to take the same steps around informing, seeking consent, and enabling opt-out as is the case with the more ‘traditional’ cookie-type technologies like text files and Flash Local Objects. Considering cookies in the context of file-based data stores is the technological benchmark, but the DEFINITION encompasses so much more.
I spoke at length about this potential at a number of events in 2011 and 2012 and tried to get audiences of lawyers, developers, and Regulators to reframe their understanding of what a “cookie” was to match how it had been defined in the legislation. One of those presentations should be/is embedded below.