Tuesday, May 31, 2011

EU Cookie Directive Advice

Advice about the EU Cookie Directive

Did you know that new EU legislation came into effect on 26th May 2011 which will force online businesses to request “explicit consent” from their website visitors before storing cookies on their PCs?

A cookie is a common technique used by website owners to store information in a small file placed on a visitor’s computer, so that the site can remember something about that visitor on a later visit.

The majority of our clients use cookies on their website to help analyse site visitor behaviour and to remember a user’s preferences on a site, such as the ability to log them in automatically.

Background to the law

The law has been brought in to give consumers more choice about what companies know about them. It also seeks to ensure that website owners are more responsible with the data they obtain on site visitors.

There is much confusion about the term ‘explicit consent’, also termed ‘informed consent’, and about how we can make sure that we provide sufficient information to consumers about how their data is being captured.

Important to note

It must be noted that the new law requires websites to ask for user consent when dropping cookies onto their computers, except when the cookie is required directly for the service being used, such as online shopping baskets. So in summary, cookies and any other data stored on "terminal equipment" must have a "legitimate purpose".

Mixed messages on consent

There are still mixed messages, even from Ed Vaizey, Culture Minister, Department for Culture, Media and Sport (DCMS) who just last night issued an open letter on the 'UK’s implementation of the new e-privacy regulations'.

The Ed Vaizey letter implies that the changes are much more business friendly than the ICO point out, and that the EU rules do not necessarily require "prior consent".
However, the letter also said: "Crucially, there is no definition as to when that consent may be given, and so it is possible that consent may be given after or during processing." The DCMS admitted that "in its natural usage 'consent' rarely refers to a permission given after the action," but said that it recognises that it may be "impracticable to obtain consent prior to processing".

View the open letter here: http://www.dcms.gov.uk/images/publications/cookies_open_letter.pdf

Our Technical Director summed up the changes as:
  • Tracking cookies need permission before they can be used.
  • Session cookies and “remember my login” cookies are ok.
  • So basically, consent is required when the cookie is not required for a service.

More information below on the above cookies, courtesy of All About Cookies.

Where to obtain advice

The Information Commissioner's Office (ICO) advises website owners to check what types of cookies are used on their website. They state that website owners need to decide the best way to gain consent for the (non-intrusive) cookies used on their site, and to give consideration to the best way to gain that consent from their users.

A non-intrusive cookie could be one used to ensure that when a website visitor adds a product to a basket (a session cookie) and then continues to search the site for products or goes to the checkout, the product remains in the basket.
The ICO say that the cookie needs to be “strictly necessary”, so we believe that a site which greets a returning visitor with “Hello Sarah, did you want to look at the car mats again?” is using a cookie that would not be strictly necessary.

Firstly, don’t panic!

Organisations and businesses that run websites aimed at UK consumers have been given 12 months to get their house in order before enforcement begins. We will be inviting our clients to consider the options available to them, to review their use of cookies, and to find a solution that works best for them and their customers. View the latest release (25th May 2011) from the ICO here regarding the penalties:

ICO gives website owners one year to comply with cookie law

What notice did the ICO place on their website?

When we heard about the EU Cookie Directive, we discussed internally that probably one of the best places to find out what to include on your site regarding a cookie notice was to review the ICO website (which uses Google Analytics). The ICO has placed a (very unattractive and out of keeping with their design) header bar on their website, giving users information about the cookies they use and the choices about how to manage them.

The statement says:
“On the 26th May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from the site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.
[Tick box] I accept cookies from this site [Continue]”

View the ICO privacy notice here which outlines the type of cookie, name of cookie, cookie purpose and more information links.

Browser settings and consent

We wondered whether the browser settings could be a way to get consent. Having looked into this, as many people don’t use a conventional browser (many access sites via a mobile phone), the ICO advice is that it is better to make sure a website has a “consent system” set up rather than rely on visitors knowing how to block cookies in their browser.

In the future, many websites may well be able to rely on the site visitor’s browser settings to demonstrate consent, but not at the moment. The government is currently working with the major browser manufacturers on this very topic. As soon as we know more, we will of course share the outcome.

Gaining consent

The ICO recognises that in many cases implementing the rule requiring consent for cookies will be a challenge. They have since issued separate advice on how these requirements can be met in practice:

A few examples from the ICO on ways you can gain consent include:

1. Agreement to new Terms and Conditions / Privacy settings
2. Pop Ups
3. Feature Led Consent (click a button and agree functionality to be turned on)
4. Functional uses (consent is needed for web analytics, see how ICO have dealt with this above)

Further advice on ways to gain consent is outlined in this document from the ICO – Practical application advice on the new cookie regulations.

Summary of steps to take

1. Check what types of cookies and similar technologies you use and how you use them
2. Assess how intrusive your use of cookies is
3. Decide what solution to obtain consent will be best in your circumstances
(Consider the header bar that the ICO have implemented as a first step).
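As an added example (not code from the original post, nor from the ICO), here is a minimal consent gate in JavaScript that follows the approach of the ICO header bar quoted above: strictly necessary cookies are set straight away, and everything else is withheld until the visitor ticks the box. The cookie names, their categories and the in-memory jar are assumptions for illustration; in a real page the jar would read and write document.cookie.

```javascript
// Added example, not the original post's code. Cookie names and categories are
// assumptions; a real site fills them in from step 1 (an audit of every cookie it sets).
const COOKIE_REGISTRY = {
  session_id:     { strictlyNecessary: true,  purpose: "keeps the shopping basket between pages" },
  remember_login: { strictlyNecessary: true,  purpose: "logs a returning user in automatically" },
  cookie_consent: { strictlyNecessary: true,  purpose: "records the visitor's consent choice" },
  _ga:            { strictlyNecessary: false, purpose: "web analytics (tracking)" },
  recent_views:   { strictlyNecessary: false, purpose: "'did you want to look at X again' prompts" },
};

// In-memory stand-in for document.cookie so the logic runs outside a browser.
function createJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    get: (name) => store.get(name),
    names: () => [...store.keys()].sort(),
  };
}

function hasConsent(jar) {
  return jar.get("cookie_consent") === "accepted";
}

// The gate: a cookie is written only if it is strictly necessary or consent has
// been recorded. Cookies missing from the registry are refused outright, which
// surfaces unaudited cookies as long as every write is routed through here.
function setCookie(jar, name, value) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) throw new Error(`unregistered cookie: ${name}`);
  if (entry.strictlyNecessary || hasConsent(jar)) {
    jar.set(name, value);
    return true;
  }
  return false; // withheld until the visitor accepts
}

// Called when the visitor ticks the box (or declines). The record itself is
// strictly necessary, so it is stored either way.
function recordConsent(jar, accepted) {
  return setCookie(jar, "cookie_consent", accepted ? "accepted" : "declined");
}

// Text for a header bar in the style of the ICO notice quoted above.
function consentNotice() {
  const essential = Object.keys(COOKIE_REGISTRY).filter((n) => COOKIE_REGISTRY[n].strictlyNecessary);
  return `This site uses cookies. Cookies essential for the site to operate (${essential.join(", ")}) have already been set.`;
}
```

Routing every cookie write through setCookie is the point: the registry doubles as the audit list from step 1, and anything not on it fails loudly instead of being dropped silently.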

Should you have any comments or thoughts on this new directive, please let us know in the comments.

Author: Andy Clarke, Technical Manager

Credit for the above image goes to Kat Holgate and her blog here.
