Welcome
Bloomberg Law Analysis

ANALYSIS: Cookie Notices Du Jour Served by Am Law 200

June 5, 2019, 11:55 AM

C is for “cookie,” but that’s not good enough for many law firms these days. C is more importantly for “consent,” which is where the action is for nearly half of all Am Law 200 websites.

Although U.S. companies have long disclosed cookie practices in their online privacy policies, the growing presence of “pop-up” cookie consent notices may leave some users scratching their heads. Is the GDPR to blame? The CCPA? Is solicitation of cookie consent currently a best practice, and will it be in the future?

Bloomberg Law’s analysis of the home pages of the 200 highest-revenue U.S. law firms reveals quite a lot about how lawyers view existing standards.

Baked in Brussels

The prevalence of cookie consent notices is commonly attributed to the European Union’s General Data Protection Regulation (GDPR), but an older European Union measure—the ePrivacy Directive 2002/58/EC (as amended by 2009/136/EC)—also plays a significant role.

ePrivacy Cookie Dough.
The ePrivacy Directive addresses the processing of personal data in the electronic communications sector. Recital 25 indicates that the use of cookies is allowed “on condition that users are provided with clear and precise information ... about the purposes of cookies ....” Recital 25 goes on to explain that users “should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment” and further that “the methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible.”

Moreover, Art. 5(3) of ePrivacy Directive, as amended, requires Member States to ensure “that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the 1995 Data Privacy] Directive 95/46/EC ….”

GDPR Topping.
Although the ePrivacy Directive predates the GDPR by a number of years, the provisions of the GDPR have been incorporated into the ePrivacy Directive by virtue of GDPR Art. 94, which clarifies that any references to the now-repealed 1995 Directive are to be construed as references to the GDPR.

Thus, Art. 5(3) of ePrivacy Directive quoted above is to be read as saying “in accordance with [the GDPR] ….” Similarly, Art. 2(f) of the ePrivacy Directive should be read as saying that “’consent’ by a user or subscriber corresponds to the data subject’s consent in the [GDPR] ….” And the GDPR requires consent to be “freely given, specific, informed and unambiguous.” GDPR Art. 4(11).

Just in case there’s any doubt about the relevance of the GDPR, Recital 30 of the GDPR specifically references “cookie identifiers” as information that can identify “natural persons,” thereby confirming that cookies fall within the definition of “personal data” covered by the GDPR.

Indeed, the European Data Protection Board (EDPB) recently clarified that the use of cookies triggers the material scope of both the ePrivacy Directive and the GDPR. See Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, p. 11.

Still in the Kitchen.
Although a new ePrivacy Regulation—meant to update and replace the current ePrivacy Directive—is on the horizon, it is on a very distant horizon indeed. The European Commission adopted a draft proposal of the Regulation in January 2017, and revised text published by the Council of the European Union in October 2018 proposes that the Regulation will enter into effect 24 months after its adoption. Given that negotiations on the final wording of the Regulation are expected to continue for quite some time, it’s unlikely that the ePrivacy Regulation will enter into force before 2022.

Thus, for the time being, cookie consent will be governed by the ePrivacy Directive and the GDPR.

But there’s yet another force in play, which may provide more clarity long before the ePrivacy Regulation is finalized.

In March of this year, EU Advocate General Szpunar issued an opinion (Case C‑673/17) addressing cookie consent. The case concerns the practices of Planet49 GmbH, which organized a promotional lottery that presented internet users with two checkboxes: one requiring them to accept being contacted for promotional offers; another requiring them to consent to cookies. The first box did not contain a pre-selected tick, but the second one did.

Advocate General Szpunar concluded that the collection of information by way of a pre-selected tick box does not constitute valid consent: "[R]equiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent. In such a situation, it is virtually impossible to determine objectively whether or not a user has given his consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box makes such an assertion far more probable.” (Emphasis in original.)

While not binding, the advocate general’s opinion is usually a good indicator of the final judgment to be issued by the Court of Justice of the European Union.

Sacramento Sugar

Still, it’s quite possible that the California Consumer Privacy Act (CCPA) is having its own impact on cookie consent practices. While the CCPA does not enter into force until 2020, its 12-month “look-back” provision may be prompting firms to start documenting consent now.

Among other conduct, the CCPA covers the “sale” of “personal information.” As defined, “personal information” specifically includes “information regarding a consumer’s interaction with an Internet Web site, application, or advertisement,” Cal. Civ. Code § 1798.140(o)(1)(F), as well as a “unique identifier,” which includes “cookies, beacons, pixel tags, mobile ad identifiers, or similar technology.” Cal. Civ. Code § 1798.140(x).

The term “sale” broadly includes the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration,” Cal. Civ. Code § 1798.140(t)(1), but significantly, a sale does not occur when a consumer “directs the business to intentionally disclose personal information” Cal. Civ. Code § 1798.140(t)(2).

Thus, an opt-in cookie consent notice may provide cover for website operators looking to fall outside the definition of a “sale.”

Recipe of Current Practices

Regardless of the motivation, here’s how U.S. law firms are addressing cookie consent on their websites. But first, a few caveats. We conducted our research in the U.S., so our findings do not include results based on accessing these websites from other parts of the world. And we accessed each site via Chrome’s “incognito mode” in order to get a “fresh look” at each site regardless of any cookies that may be lingering on our own devices.

Gauging the Appetite.
Slightly less than half of all Am Law 200 firms are actively soliciting cookie consent from website visitors via a pop-up notice. The percentage increases to nearly 60% for the Am Law 100. Unsurprisingly, nearly 80% of those 100 firms have at least one European office, so the need to comply with EU law may account for the higher percentage.

Instead of opting for a pop-up notice, a fraction of the Am Law 200 (just 5%) embed a cookie-specific link at the bottom of the homepage. That leaves about 47% of the Am Law 200 without any reference to cookie practices on their home pages.

Presentation Matters.
Of the firms that employ pop-ups, a large majority (78%) place them at the bottom of the screen. A smaller, but significant percentage (14%) place the notice at the top.

Surprisingly, however, one firm—Blank Rome—places its notice “below the fold”; users do not see the notice until after scrolling down on the webpage a bit—but not too far. It’s not placed at the bottom of the webpage, but somewhere in the middle. One wonders if any visitors would even notice it (and whether it’s therefore serving its purpose).

By way of contrast, another firm—Dykema Gossett—places its notice at the top of the screen, completely obstructing the view of its header and menu options. Visitors can’t help but see the notice.

Consent Baked In.
When it comes to the content of the notice itself, things really get interesting. Nearly three-quarters of the law firms present website visitors with notices that imply consent. These notices use language such as “By continuing to browse this site, you are consenting to the use of cookies on this website.” It’s hard to fathom how that sort of language would satisfy the requirement that consent be “freely given, specific, informed and unambiguous,” GDPR Art. 4 (11), and whether it would pass muster in light of Advocate General Szpunar’s Planet49 opinion.

Snacking, Fasting or Just Not Sure.
Of the law firms that display cookie notices, the overwhelming majority—more than 75%—provide visitors with either a mandatory “accept” button or a more ambiguous “close” or “X” option. Perhaps unsurprisingly, “X” is the most popular closure option offered, appearing on 27% of all notices. “Accept” ranks second, surfacing 21% of the time. When combined with similar terms—such as “agree,” “OK,” or “allow cookies”—it’s evident that most notices are designed to prompt assent, as those terms appear on 67% of the notices.

Only 14% of the notices offer website visitors the option to reject cookies, which raises an important question: Can consent can be “freely given” when there’s no option to reject?

The answer, of course, depends on the type of cookies at issue. For strictly necessary cookies—i.e., those that enable core functionality—opt-in consent is not necessary, so arguably a reject option would not be needed.

Regardless of the options presented, how do firms handle visitors who choose to ignore the notice, i.e., visitors who fail to click “accept” or “X”? A clear majority (68% of websites) continue to display the notice as users navigate to other pages on the site, which raises another question of whether a notice ignored constitutes a refusal to accept. Perhaps that’s why so many firms have populated their notices with language implying consent: “By continuing to browse this site, you are consenting to the use of cookies ….”

Only three firms—WilmerHale, Squire Patton Boggs, and Loeb & Loeb—require website visitors to take action when presented with a pop-up notice. Those firms prevent further access to their sites unless and until visitors interact with the notice.

Of those three, WilmerHale has adopted an interface that undoubtedly would satisfy the GDPR’s “informed” criterion: The notice takes up the left side of the screen, clearly describing the types of cookies it may collect and providing users with “on/off” buttons for each, with the default setting already turned to “off.” While Squire Patton Boggs and Loeb & Loeb offer a similar interface, users do not see it unless they click on the “Cookie Settings” link.

WilmerHale presents website visitors with a distinctive cookie notice that requires user interaction.

Extracting Best Practices.
WilmerHale and 20 other firms from the Am Law 200 are ranked by Chambers as being among the best firms in the area of privacy and data security or having a recognized practitioner in the field. So one may conclude that if there is indeed a best practice for law firm websites, those firms would exemplify what that best practice is.

Drumroll, please.

71% of the “Chambers elite” (15 firms) display a pop-up cookie notice.

Okay, so a clear majority solicit cookie consent via a pop-up notice, but how is that presented by the Chambers-ranked firms?

- Of those 15 firms, 80% display the pop-up at the bottom of the screen.

- A slight majority (53%) do NOT imply consent.

- Slightly less than half (46%) prompt visitors to accept or allow cookies.

- Only one firm (Hunton Andrews Kurth) offers a rejection option.

- Only one firm (WilmerHale) requires visitors to take action.

Feeling Full?

As cookie notices proliferate, so-called “cookie fatigue” sets in. The proposed ePrivacy Regulation was introduced in part to address that problem, but, as mentioned earlier, the prospects of its imminent passage look rather dim. And while companies like Google are preparing to launch tools that limit cookies, Bloomberg Law will continue to explore law firm cookie practices.

Have you noticed an effective method for presenting cookie notices that has yet to catch on with Am Law 200 firms? Do you have other thoughts about cookies, consents, and prompts? Email me at mark.smith@bloomberglaw.com or connect with me on Twitter at @smith_cyberlaw.