Advice about the EU Cookie Directive
Did you know that new EU legislation was brought into effect on 26th May 2011 which will force online businesses to request “explicit consent” from their website visitors before storing cookies on their PCs?
A cookie is a common technique used by website owners to store information in a small file placed on a visitor’s computer, so that the site can remember something about that visitor on a later visit.
Background to the law
The law has been brought in to give consumers more choice about what companies know about them. It also seeks to ensure that website owners are more responsible with the data they obtain on site visitors.
There is much confusion about the term ‘explicit consent’ (also termed ‘informed consent’) and about how we can make sure that we provide consumers with sufficient information on how their data is being captured.
Important to note
It must be noted that the new law requires websites to ask for user consent when dropping cookies onto their computers, except when the cookie is required directly for the service being used, such as an online shopping basket. So in summary, cookies and any other data stored on "terminal equipment" must have a "legitimate purpose".
Mixed messages on consent
There are still mixed messages, even from Ed Vaizey, Culture Minister, Department for Culture, Media and Sport (DCMS) who just last night issued an open letter on the 'UK’s implementation of the new e-privacy regulations'.
The Ed Vaizey letter implies that the changes are much more business friendly than the ICO point out, and that the EU rules do not necessarily require "prior consent".
However, the letter also said: "Crucially, there is no definition as to when that consent may be given, and so it is possible that consent may be given after or during processing." The DCMS admitted that "in its natural usage 'consent' rarely refers to a permission given after the action," but said that it recognises that it may be "impracticable to obtain consent prior to processing".
View the open letter here: http://www.dcms.gov.uk/images/publications/cookies_open_letter.pdf
Our Technical Director summed up the changes as:
- Tracking cookies need permission before they can be used.
- Session cookies and “remember my login” cookies are ok.
- So basically, consent is required when the cookie is not required for a service.
More information below on the above cookies, courtesy of All About Cookies.
Where to obtain advice
The Information Commissioner's Office (ICO) advise website owners to check what types of cookies are used on their website. They state that website owners need to decide the best way to gain consent for the (non-intrusive) cookies used on their site, giving careful consideration to how that consent is obtained from their users.
A non-intrusive cookie might be a session cookie used to ensure that when a website visitor adds a product to a basket and then continues to browse the site for products or goes to checkout, the product remains in the basket.
The ICO say that the cookie needs to be “strictly necessary”, so we believe that a site greeting its visitors with “Hello Sarah, did you want to look at the car mats again?” is using a cookie that wouldn’t be strictly necessary.
Firstly, don’t panic!
ICO gives website owners one year to comply with cookie law
What notice did the ICO place on their website?
When we heard about the EU Cookie Directive, we discussed internally that probably one of the best places to find out what to include on your site regarding a cookie notice was to review the ICO website (who use Google Analytics). The ICO has placed a (very unattractive and out of keeping with their design) header bar on their website, giving users information about the cookies they use and the choices they have about how to manage them.
The statement says:
[Tick box] I accept cookies from this site [Continue]
View the ICO privacy notice here which outlines the type of cookie, name of cookie, cookie purpose and more information links.
Browser settings and consent
We wondered whether the browser setting could be a way to get consent. Having looked into this, since many people don’t use a standard browser (many access sites via a mobile phone), the ICO advise that it is better to make sure a website has a “consent system” set up rather than rely on visitors knowing how to block cookies in their browser.
In the future, many websites may well be able to rely on the site visitor’s browser settings to demonstrate consent, but not at the moment. The government is currently working with the major browser manufacturers on this very topic. As soon as we know more, we will of course share the outcome.
The ICO recognise that in many cases, implementation of the rule requiring consent for cookies will be a challenge. They have since issued separate advice on how these requirements can be met in practice:
A few examples from the ICO on ways you can gain consent include:
1. Agreement to new Terms and Conditions / Privacy settings
2. Pop Ups
3. Feature Led Consent (click a button and agree functionality to be turned on)
4. Functional uses (consent is needed for web analytics, see how ICO have dealt with this above)
Further advice on ways to gain consent is outlined in this document from the ICO – Practical application advice on the new cookie regulations.
Summary of steps to take
1. Check what types of cookies and similar technologies you use and how you use them
3. Decide what solution to obtain consent will be best in your circumstances
(Consider the header bar that the ICO have implemented as a first step).
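As an added example (not code from the original post, the ICO or All About Cookies), here is how the Technical Director's split between strictly necessary cookies and tracking cookies, and the summary steps above, can be put into practice: a consent gate that sets the session basket and “remember my login” cookies freely but holds back analytics cookies until the visitor has ticked an ICO-style “I accept cookies from this site” box. All cookie names are constructed for the example.

```javascript
// Added example (not from the original post): a consent gate following the
// Technical Director's split. Strictly necessary cookies (session basket,
// "remember my login") are set freely; anything else (tracking, analytics) is
// set only after the visitor ticks the ICO-style box. Cookie names are constructed.

const STRICTLY_NECESSARY = new Set([
  "basket_session", // keeps the shopping basket across pages (session cookie)
  "remember_login", // "remember my login"
  "cookie_consent", // stores the tick-box choice itself (assumed permitted)
]);

// Step 1 of the summary: check what each cookie is for.
function classifyCookie(name) {
  return STRICTLY_NECESSARY.has(name) ? "strictly-necessary" : "needs-consent";
}

// Audit a site's cookie list into the two categories.
function auditCookies(names) {
  const report = { strictlyNecessary: [], needsConsent: [] };
  for (const n of names) {
    (classifyCookie(n) === "strictly-necessary"
      ? report.strictlyNecessary : report.needsConsent).push(n);
  }
  return report;
}

// Stand-in for document.cookie so the gate runs outside a browser.
class ConsentGate {
  constructor() { this.jar = new Map(); }
  get consented() { return this.jar.get("cookie_consent") === "accepted"; }
  // Called when the visitor ticks the box and presses Continue.
  recordConsent(ticked) {
    if (ticked === true) this.jar.set("cookie_consent", "accepted");
  }
  // Step 3 of the summary: refuse non-essential cookies until consent is given.
  setCookie(name, value) {
    if (classifyCookie(name) === "needs-consent" && !this.consented) return false;
    this.jar.set(name, value);
    return true;
  }
  cookieNames() { return [...this.jar.keys()].sort(); }
}

// Walk-through: the visitor shops before consenting, then ticks the box.
function demo() {
  const gate = new ConsentGate();
  const before = [gate.setCookie("basket_session", "b1"), gate.setCookie("analytics_id", "a1")];
  gate.recordConsent(true);
  return { before, after: gate.setCookie("analytics_id", "a1"), cookies: gate.cookieNames() };
}
```

In `demo()` the basket cookie is set immediately, the analytics cookie is refused until the box is ticked, and afterwards the jar holds only the three cookies the visitor's choice allows.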
Should you have any comments or thoughts on this new directive, please let us know in the comments.
Author: Andy Clarke, Technical Manager
Credit for the above image goes to Kat Holgate and her blog here.