EU Cookie Law: Are You In Compliance?

Technical | April 2nd, 2012

Note: Some have asserted that compliance with the EU Cookie Law cannot be enforced against organizations outside the EU.  However, the law states that any organization whose site stores cookies on an EU user's browser must comply with the law, regardless of location.  We are going to err on the side of caution.  Should you choose to be cautious as well, here are some steps to take for EU Cookie Law compliance.

What is the EU Cookie Law?

Recently, the web has been buzzing about the controversial “EU Cookie Law.”  This new law has many site owners concerned with compliance and worrying that they may be in trouble when the law comes into effect.  One way to dispel some of these concerns and worries is to learn what the EU Cookie Law is and how it may affect you.

History and Origin of the Name “Cookie Law”

For starters, the European Union didn't technically make a law regarding cookies.  What they did do was issue a directive.  A directive is not a law per se; it is a set of guidelines issued to member states, which then create their own laws based upon it.  The directive, issued in 2003, was called The Privacy and Electronic Communication Regulations.  The initial directive was focused on improving and protecting privacy for citizens.

In 2009 the directive was amended to require informed consent for the storage of, or access to, information.  Since browser cookies store and access information, the directive meant that users needed to consent to a site's use of cookies before they could be issued.

On May 26 2011, the EU's directive came into force, with a grand total of three nations having complying laws in place.  One of those countries was the UK, which immediately deferred enforcement of the law for one year to give businesses time to comply with the new regulations.

With the UK enforcement date of May 25 quickly approaching, it's important to start paying attention to what the EU Cookie Law means for businesses both inside and outside of Europe.

Who Does the Law Concern?

Any organization whose site downloads cookies to users in the EU is responsible for complying with the regulations on their European sites, regardless of whether the organization is physically or otherwise present in the EU.  An organization is not exempt simply for being located outside of the EU.  Operating in an age of worldwide interconnectedness means that we sometimes have to abide by international laws.

However, since this is a directive from the EU, each member state is responsible for its own implementation of the law, and that doesn't necessarily mean that each nation has the same laws (though they are bound by the same guidelines).  For example, Ireland has implemented the law in a manner that requires sites to obtain permission only for cookies that are not deleted when the user leaves the site.

The UK’s Law: A Guideline for Compliance

While the EU Cookie Law covers every country in the Union, the UK has been the focus of much attention since they’re the largest of the complying nations and are likely to be the blueprint many other countries will follow.  The Information Commissioner’s Office (ICO), the body responsible for governing the law in the UK, has laid out its requirements for compliance with the law.

  • Organizations must conduct a cookie audit of cookies currently in use on their site.
  • Organizations must create a way to inform users about nonessential cookies which will be used during the course of the site visit, and provide a way to consent to these cookies.
  • Organizations must create a way to stop cookies from being set on the site before the user has provided their consent.

Cookies that are "strictly necessary" for the provision of services requested by the user are exempt from the law.  For example, the cookies that are used for an e-commerce shopping cart are exempt because they are "strictly necessary" for the site's operation.

For the technical crowd: session cookies would in general tend to fall under this exemption, since they are usually mandatory for a web site to function.  However, even if the law were read to force the removal of session cookies, we could fall back on dirty URLs (the session identifier carried in the query string) or hidden form fields; of the two, hidden form fields are the safer choice, since identifiers in URLs leak through referrer headers and browser history.  In theory, with smartly designed session handling the site would still function even if cookies were eliminated entirely before consent.  With this we can see that smartly architected sites do have an advantage if the law is applied with huge overreach here.  Our read is that such functionality will not fall under the law, though.

The Audit

The first step to compliance is auditing the cookies on your site so you know how and why your site uses them.  A cookie audit must be performed to find:

  • How many cookies your site sets on users' browsers
  • What the cookie does and what parts of your site use them
  • The type of cookie (first party/third party, session/persistent)
  • The domain the cookie is associated with

Equimedia has some tips for performing a cookie audit, CookieLaw.org offers tips and audit services, and Attacat has a free cookie audit tool you can download to get you started.
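As an added example (my own code, not from the original post or from any of the tools named above), here is a small audit helper in JavaScript that takes Set-Cookie headers captured from the site's responses, as a proxy or HAR export would give them, and produces the per-cookie facts listed above: the count, the page that set it, first or third party, session or persistent, and the domain. The site host and the captured sample are constructed assumptions; note that cookies set from JavaScript via document.cookie never appear in response headers, so a real audit also needs a document.cookie snapshot taken in the browser.

```javascript
// Cookie audit helper (added example, not from the post). Input: Set-Cookie
// headers captured per response; output: one audit row per distinct cookie.
const SITE_HOST = 'www.example.com'; // assumed host of the site being audited

// Naive registrable-domain check (last two labels). Assumption: it does not
// handle public suffixes such as co.uk; use a public-suffix library for those.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header; the response URL supplies the default domain.
function parseSetCookie(header, responseUrl) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i < 0 ? '' : p.slice(i + 1).trim();
  }
  const host = new URL(responseUrl).hostname;
  const domain = (attrs.domain || host).replace(/^\./, '').toLowerCase();
  return {
    name,
    domain,
    setBy: responseUrl,
    party: registrableDomain(domain) === registrableDomain(SITE_HOST) ? 'first' : 'third',
    // No Expires and no Max-Age means the cookie dies with the browser session.
    lifetime: 'expires' in attrs || 'max-age' in attrs ? 'persistent' : 'session',
    httpOnly: 'httponly' in attrs,
    secure: 'secure' in attrs,
  };
}

// Deduplicate by name+domain so the count reflects distinct cookies.
function auditCookies(captures) {
  const rows = new Map();
  for (const { url, setCookie } of captures) {
    const row = parseSetCookie(setCookie, url);
    const key = `${row.name}@${row.domain}`;
    if (!rows.has(key)) rows.set(key, row);
  }
  return [...rows.values()];
}

// Constructed sample capture (not real traffic); PHPSESSID is seen twice.
const CAPTURED = [
  { url: 'https://www.example.com/', setCookie: 'PHPSESSID=abc123; Path=/; HttpOnly' },
  { url: 'https://www.example.com/cart', setCookie: 'cart_id=42; Path=/; Max-Age=3600' },
  { url: 'https://www.example.com/', setCookie: 'PHPSESSID=abc123; Path=/; HttpOnly' },
  { url: 'https://ads.adnetwork.example/pixel', setCookie: 'uid=x1; Domain=.adnetwork.example; Max-Age=31536000' },
];
console.table(auditCookies(CAPTURED));
```

The `purpose` column the ICO expects ("what the cookie does") still has to be filled in by hand from the setting page and the code that reads the cookie.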

After your audit, you will know what kind of cookies your site uses and how they are used.  If any of your site's cookies aren't strictly necessary (strictly necessary meaning things like adding items to a shopping cart, or logging you into online banking or another private account), then you will need to get consent from site visitors.

Getting Consent

This requirement is meant to protect users from having their privacy compromised by cookies tracking them online without their knowledge.  One would think that this makes complete sense; after all, we would probably object to someone tracking our day-to-day movements in the real world.  When we give consent in the real world it's typically done with a legal form, which can tend to be lengthy.  So how can this be done online, where moving quickly from page to page is essential?

How Do You Give Consent Online?

This has been a big question and hurdle for sites so far.  A few options for consent forms include:

  • A popup window
  • An accordion pop-down at the top
  • A micro site consent page
  • A static bar at the top
  • An onsite banner or box

An onsite banner or box (similar to what Google has been using to promote its new privacy policy) is probably the best option, as pop-ups, microsites, and accordions are intrusive.  Cookielaw.org employs a static bar at the top of the browser, which is another viable option.

Informing the User of Non-essential Cookies

Your privacy policy should contain information explaining how cookies are used on your site and how you manage personal data.  This is essentially a cookie-by-cookie breakdown that lays out the details of your cookie audit.  Letting users know what cookies your site uses and how they are used is required for compliance.  An example of a well executed breakdown of cookies can be seen on the ICO’s  Privacy Notice section.

What if They Don’t Give Consent?

One site that has complied with the ICO’s law implementation is the ICO site (at least someone complied).  The ICO’s site has a box at the top of their page to consent to non-essential cookies being used.  The box briefly explains what the user is opting in for and what accepting the cookie will do.  A link in the consent box leads to a page detailing the cookies the ICO site uses.  While this is technically in compliance with the law their short consent form doesn’t actually tell users what cookies are, what they do (track you), or seem to look out for their privacy (isn’t that what the directive was issued for?).

In June 2011, it was reported that consent was not given on the ICO's page 90% of the time.  When a Freedom of Information request was made for the ICO site's analytics, it appeared as if there had been a 90% drop in site traffic.  Why is this, you ask?  Because the cookies being declined were for Google Analytics.  The drop in traffic wasn't real; it was simply a side effect of a cookie not being accepted.

What is the Penalty for Not Complying?

There are four penalty options for non-compliance in the UK, which can be issued at the Commissioner’s discretion:

From the ICO’s “Guidance on the New Cookies Regulations” (note: opens PDF)

Information notice: this requires organizations to provide the Information Commissioner with specified information within a certain time period.

Undertaking: this commits an organization to a particular course of action in order to improve its compliance.

Enforcement notice: this compels an organization to take the action specified in the notice to bring about compliance with the Regulations. For example, a notice may be served to compel an organization to start gaining consent for cookies. Failure to comply with an enforcement notice can be a criminal offence.

Monetary penalty notice: a monetary penalty notice requires an organization to pay a monetary penalty of an amount determined by the ICO, up to a maximum of £500,000. This power can be used in the most serious of cases and if specific criteria are met, if any person has seriously contravened the Regulations and if the contravention was of a kind likely to cause substantial damage or substantial distress. In addition the contravention must either have been deliberate or the person must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

Recommendations

There are some additional steps you can take to ensure you don’t end up facing a hefty penalty.

Analytics

If you haven't already, consider evaluating a cookie-less analytics solution.  This removes the need to obtain cookie permission before gaining analytical insight into your site, as you would have to with Google Analytics.  Do not misinterpret this as a suggestion to use Flash Local Storage or other schemes to preserve state across visits; that will certainly run afoul of this law again.  Sadly, what this suggests is that the trusty log file approach will likely be back in vogue, at least until analytics vendors learn about JavaScript fingerprinting or other "store less" mechanisms for revisit identification.

Privacy Policy

Create a privacy policy that explains what cookies are, what kinds of cookies your site uses, and how your site uses them.  Link your privacy policy on every single page of your site; this way your site shows initiative to comply with the law.  This will benefit your company in the event that your site should accidentally slip out of compliance.  Making an effort such as this will most likely prevent your company from being fined for an accidental offense, whereas sites that do not look as if they have made the effort to comply may be hit harder.

Third-Party Cookies

Since the basis for the Cookie Law is to ensure user privacy and third-party cookies typically track users for advertising or analytical purposes, it is important to make sure your site is specific about use of these cookies – if it stores them – and blocks them before consent is given.  Using these cookies without user permission or explanation will likely look worse to regulators than storing non-essential first-party cookies without consent (we don’t recommend doing either).

Stay Tuned

Follow @EUCookieBoy, and @ICOnews and @tagmanprivacy on Twitter and subscribe to Google Reader feeds for “EU Cookie Law.”  This will keep you up-to-date on all the latest developments and ways to comply with the law.

Tools

Iubenda provides a privacy policy generator that automatically composes a detailed and user friendly report on the way your site collects data.

Freenetlaw.com, a site that provides free web-related legal templates, has a cookie policy template that anyone is free to copy, edit, or add to for their own site.

Consider a tool like Cookie Control, which provides a mechanism for obtaining a user’s consent for the use of cookies.  Their site can help with configuration and deployment of the consent-asking tool.

We tested the tool ourselves and would like to note that the tool does not block cookies out of the box (or on deployment).  Adjustments need to be made to the scripts within the code the tool provides in order for it to work properly.  Instructions for this can be found in the "Deployment" section of the site.  Below are screenshots of cookies from before and after the implementation of the cookie tool.  (Note: the lone cookie remaining afterwards is a load-balancer cookie, which is strictly necessary for the site to load properly in some instances and therefore compliant with the UK law.)
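What those deployment adjustments have to achieve is shown below as an added example in JavaScript (my own code, not Cookie Control's and not from the original post): every non-essential script is held back until the visitor has explicitly opted in, and the choice itself is remembered in one first-party cookie, which is strictly necessary because its only purpose is to honour that choice. The cookie name, its one-year retention, and the script inventory are assumptions; the inventory would come from your cookie audit.

```javascript
// Consent gate (added example, not Cookie Control's code). Non-essential
// scripts are injected only after an explicit opt-in; the opt-in is stored in
// one first-party cookie whose sole purpose is to remember the choice.
const CONSENT_COOKIE = 'cookie_consent'; // assumed cookie name
const CONSENT_TTL_DAYS = 365;            // assumed retention of the choice
// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieStr) {
  const out = {};
  for (const part of (cookieStr || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}
// 'granted', 'denied', or 'unknown' when no choice has been recorded yet.
function consentState(cookieStr) {
  const v = parseCookies(cookieStr)[CONSENT_COOKIE];
  return v === 'yes' ? 'granted' : v === 'no' ? 'denied' : 'unknown';
}
// Cookie string recording the choice; Max-Age makes it persistent so the
// consent box is not shown again on every visit.
function consentCookieValue(granted) {
  const maxAge = CONSENT_TTL_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${granted ? 'yes' : 'no'}; Max-Age=${maxAge}; Path=/; SameSite=Lax`;
}
// Filter the script inventory: essential scripts always load, non-essential
// ones only on an explicit 'granted'. 'unknown' is treated exactly like
// 'denied', which is what "block before consent" means in practice.
function scriptsToLoad(scripts, state) {
  return scripts.filter((s) => s.essential || state === 'granted');
}
// Browser glue: call once at page load. Returns the state so the caller can
// show the consent box when it is 'unknown'.
function applyConsent(doc, scripts) {
  const state = consentState(doc.cookie);
  for (const s of scriptsToLoad(scripts, state)) {
    const el = doc.createElement('script');
    el.src = s.src;
    doc.head.appendChild(el);
  }
  return state;
}
// Called from the consent box's accept/decline buttons. On accept, the
// non-essential scripts are loaded now rather than on the next page view.
function recordChoice(doc, granted, scripts) {
  doc.cookie = consentCookieValue(granted);
  if (granted) applyConsent(doc, scripts.filter((s) => !s.essential));
}
```

In a real page, `scripts` is the list of script URLs from your audit, each tagged `essential: true` only where the cookie it sets is strictly necessary; a script that is loaded statically in the HTML bypasses the gate entirely, which is the mistake the out-of-the-box deployment makes.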

[Screenshot: cookies before cookie tool deployment.]
[Screenshot: cookies after cookie tool deployment.]

May 25 is fast approaching, so make sure you understand the implications of the EU’s new law and get into compliance.

Next Steps:  Talk to your legal and web teams (or us if you are a customer or potential customer) to assess what your organization needs to do to address this issue properly.