Tuesday, 23 August 2011

How to comply with the EU Cookie Law in the UK

There is still much confusion and, to be completely frank, some plain old nonsense being spouted about the so-called EU Cookie Law. So I thought it is high time to explain what it is all about, and specifically what UK businesses should be doing about complying with it. I am not a lawyer or an EU law expert, therefore you should regard this blog entry as guidance and personal opinion. Having said that, it has not escaped my attention that there are some in the legal profession who are jumping on the EU Cookie Directive bandwagon in order to make a quick buck, and are even providing very questionable technical advice to UK businesses.

If you are already in the know with this issue, you may just want to skip to the bottom paragraph, where I provide my advice – “How to comply with EU Cookie Law and avoid Fines.”

What is the EU Cookie Directive and its requirements?
All member countries (states) of the European Union are obligated to adopt EU Directives. One such EU Directive, known as the “Privacy and Electronic Communications Directive”, and also known as the “E-Privacy Directive”, was amended in 2009. The controversial addition involves requirements around the usage of website cookies, which applies to all websites servicing European Union citizens.


The updated Directive came into force on 26 May 2011, which means all EU countries should by now have brought the new requirements on cookie usage into law. There is some leeway and discretion on how Directives are interpreted by each individual EU member country. However, most EU countries haven’t done anything about meeting the new requirements at all; only Denmark and Estonia have attempted to comply by the deadline.

Meanwhile in the UK, the government has deferred the new Directive requirements for a year while they try to work out a common-sense way for UK businesses to comply with the updated Directive; remember the government has some leeway on how to meet the Directive’s requirements. The Department for Culture, Media and Sport (DCMS), the Information Commissioner’s Office (ICO), and other commercial government departments are currently reviewing how the UK will comply. The ICO, who are responsible for enforcing data protection laws in the UK, has stated it expects UK businesses to be actively working towards compliance, even though no clear practical government requirements or advice have been set out.

What is a Cookie anyway & is my business affected?
Nearly all websites and web applications use cookies, which are often stored locally on a website consumer’s PC, and are commonly required for functions such as tracking user login, remembering user personal preferences, tracking visitors and advertising. Therefore the implied change of law will affect all UK businesses which have websites. A full explanation of ‘cookies’ can be found at http://www.allaboutcookies.org/


What are the new EU Directive Cookie Requirements?
In simple terms, the change means all UK websites must provide information on their cookie usage. This is not a major business issue, just additional text to the website privacy statement, which explains how cookies are used on the website, and what information they hold. I have to say this requirement actually does make good sense.  However there is another new requirement in the Directive, which is causing all the controversy and confusion, namely that websites must obtain user consent before they use a cookie.

“Article 5(3) shall be replaced by the following:
‘3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’”

Cookie Usage Consent
Cookie usage consent on a website is a pretty crazy idea, as the Directive implies that every time you visit any website, a pop-up or in-screen warning box appears which forces you to tick a box before allowing you to access the website. As I said, the vast majority of websites on the internet need to use cookies, and they just can’t work without them. I have ranted about this on this blog before -

Why has the law changed?
The intent of the EU Cookie Directive is to protect every individual European citizen’s privacy rights, as cookies can be used to track an individual’s interests, which can be exploited by third-party advertisers. I guess the folks in Brussels think it is in our own best interest for them to create laws to protect us from this practice, no matter how high the price of the inconvenience trade-off is: a trade-off which affects millions of daily European web users, and which would be totally unacceptable to the vast majority of them.

There is little doubt the vast majority of the UK public just don’t care about this law or cookie usage. Privacy is the currency and price we knowingly pay for using ‘free’ online services. Web services as provided by the likes of Google, Facebook, YouTube, news websites, the whole of e-commerce, free information sharing like this blog: these are the foundation of the Internet’s success, and so are the essence of how the web revolution has changed and driven humankind, in a way like no other human invention. The reason why these amazing web services we take for granted are free to use is that they are paid for by advertisers, advertisers who feed off our privacy. For instance, as I compose a Gmail email, if I write about mountain climbing, sure enough unobtrusive advertisements offering to sell me outdoor equipment will appear on the right side of the page. Does this bother me? No; all it is, is targeted marketing, and it is really no different from advertising a beer brand at a football match. It’s the same type of targeted advertising, made against people’s predicted “wants” based on their interests; this is just the capitalistic world we all live in. Marketers would argue this type of advertising benefits consumers, as it presents consumers with only products they have an actual interest in.

There are more pressing privacy laws on which the EU should be focusing. The public care about companies breaching and losing their personal information a lot more than about cookie exploitation. Yet private business still has no legal obligation to publicly disclose EU citizens’ personal data breaches in the UK. I have previously blogged about this as well - http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html

Common Sense Solution for those who do Care about Cookies
For the very few individuals who do care about cookie usage, there is a simple solution they are probably using already. Anyone can set consent (prompt) for all cookie usage within their web browser configuration, so a pop-up appears every time a cookie is about to be created or changed. My sources tell me this will very likely be the UK government’s response to the EU Directive, namely introducing a law which mandates the placing of instructions on the website, explaining to users how to set their web browser to screen cookie usage.
Although I still very much doubt anyone would put up with nagging cookie pop-ups for too long. At a talk on this, someone raised the point that in their business they still operated an old browser, where cookie consent couldn’t be set. He said their business used a web browser that was several years out of date, as they feared new browsers would break their internal web applications. My response: “running really old web browser versions, due to out-of-date business web applications, points to a security hole. Specifically it shows there is a patch management problem to be addressed. It’s security 101 to ensure applications, especially web applications, are patched and kept up to date, while out-of-date web browsers (which are also applications) are at a much higher risk of being taken advantage of by malware. Nearly all newer versions of web browsers, whether Internet Explorer, Chrome or Firefox, come with many security and anti-malware features.” This response brought applause in the room, which suggests a general consensus.

How to comply with EU Cookie Law and avoid Fines
The ICO will, for the time being, be satisfied if your business is preparing for a change in law on website cookie usage, and if your business makes an effort to inform consumers about your website’s cookie usage. Therefore, at this time I advise the following approach in order to avoid fines and to prepare for compliance.

1. Conduct an audit of ALL cookie usage
This business-wide audit must cover all Internet-facing websites and web applications. Record all cookie usage, including similar technologies like Flash cookies; ensure you detail how each cookie is technically used by the website/web application, and log the type of information stored within the cookie file (on the consumer’s local PC). Ensure you note any cookie usage connected with third-party advertisements, as these will be the highest concern to the lawmakers.

2. If it exists, take a copy of the current website privacy and/or cookie statement.

3. Create (or update) the website privacy/cookie statement to include details of cookie usage. For example, review The Guardian newspaper’s website cookie statement, which makes a good example covering most types of cookie usage - http://www.guardian.co.uk/help/privacy-policy#cookies

4. Make sure your privacy/cookie statement explains in plain English what a cookie actually is - http://www.allaboutcookies.org/

5. Provide instructions on how to switch on web browser cookie screening, covering all the major web browsers.
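A worked example of the audit record described in step 1, added here and not part of the original post: it parses Set-Cookie headers captured from a site’s responses into an inventory carrying the fields the audit calls for, and separates first-party cookies from the third-party ones the post says lawmakers care about most. The hostnames, cookie names and helper functions are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample: (host that sent the response, Set-Cookie header value); names are made up.
SITE_HOST = "www.example.co.uk"
SAMPLE_RESPONSES = [
    ("www.example.co.uk", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.co.uk", "prefs=lang%3Den; Domain=.example.co.uk; Path=/; "
                          "Expires=Thu, 23 Aug 2012 10:00:00 GMT"),
    ("ads.adnetwork-example.com", "uid=7f3a; Domain=.adnetwork-example.com; "
                                  "Path=/; Max-Age=31536000"),
]

@dataclass
class CookieRecord:
    name: str
    set_by_host: str
    domain: str
    path: str
    persistent: bool   # survives the browser session (Expires or Max-Age present)
    third_party: bool  # set for a different registrable domain than the site itself
    secure: bool
    http_only: bool
    value_bytes: int   # record the size, not the value, so the audit log holds no user data

def registrable_domain(host: str) -> str:
    # Naive reduction covering the common UK two-part suffixes; a real audit should use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "gov", "ac"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def parse_set_cookie(header: str, set_by_host: str, site_host: str) -> CookieRecord:
    """Split one Set-Cookie header into name=value plus lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", set_by_host).lstrip(".").lower()
    return CookieRecord(
        name=name.strip(), set_by_host=set_by_host, domain=domain,
        path=attrs.get("path", "/"),
        persistent="expires" in attrs or "max-age" in attrs,
        third_party=registrable_domain(domain) != registrable_domain(site_host),
        secure="secure" in attrs, http_only="httponly" in attrs,
        value_bytes=len(value.strip()),
    )

def audit_cookies(site_host, responses):
    return [parse_set_cookie(hdr, host, site_host) for host, hdr in responses]

def highest_concern(records):  # third-party cookies: the ones to flag first in the audit
    return [r for r in records if r.third_party]
```

This header-based pass does not see cookies written by page scripts via document.cookie (analytics cookies are typically set that way) or Flash local shared objects, so those must be inventoried separately.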

So get the audit done and update your website privacy statement accordingly. After all, it shouldn’t take too long, and it has a very low cost to deliver. It is the right thing to provide this type of information to your customers, plus it will protect your business from criticism and fines.

Finally, the last step is to wait until there is a further announcement by the UK government. I suggest not wasting any of your time and money trying to develop a cookie acceptance box for your website. The ICO website has such an acceptance tick box (http://www.ico.gov.uk/), however it is an epic fail, as you don’t need to tick the ICO acceptance box in order to use the website!

How will the UK deal with "Consent"?
This is speculation, but to my knowledge none of the UK government agencies and departments involved with addressing the EU Directive are even considering a solution which involves the website/web application code blocking a cookie prior to a user accepting it. They are viewing consent as providing clear information to users on cookie usage within websites, together with making web browser suppliers change default cookie settings. The International Chamber of Commerce is currently working on these solutions with ICO.

http://www.international-chamber.co.uk/press/19-icc-uks-response-to-the-new-eu-e-privacy-directive

http://www.international-chamber.co.uk/blog/2011/07/22/compliance-with-eprivacy-directive/

http://www.culture.gov.uk/news/news_stories/8052.aspx

"the Government has said it will work with browser manufacturers to see if browser setting can be enhanced to meet the requirements of the directive"

15 comments:

richard said...

Unfortunately the advice here is flawed.

The ICO's own guidance states that current browser controls are not good enough to rely on for compliance with the law.

They may be in the future - but that will take years to roll out.

In the meantime, website owners are responsible for ensuring they are compliant.

This does mean employing a solution such as the one found here: www.cookielaw.org - which blocks most cookies, especially tracking cookies, until consent has been obtained.

The law is clear that consent must be obtained first.

@minabird said...

A far better solution is to put a http://cookieq.com configurable button on your web pages. There is no need for annoying popups, the default opted-out indication banner is optional, visitors can manage all their cookie agreements on one page and 3rd party cookies can be subject to consent on supported browsers. Consent for cookies, including analytics ones, will be remembered and can be independently proven.

Dave Whitelegg said...

Obviously I will disagree with that, as the advice in the post is right in line with what the ICO are advising UK businesses at the moment.

Remember there is leeway on how a member state can interpret a Directive. The Directive does not clarify how user consent must be obtained.

Given that, none of the UK government agencies/departments involved are even considering a solution which involves the website code blocking cookies prior to a user accepting it. They are viewing consent as providing clear information to users on cookie usage within websites, together with making web browser suppliers change default cookie settings. The International Chamber of Commerce is currently working on these solutions.

Even if you choose to doubt all this, until the UK officially releases clear law/technical guidance, following the advice in this post will protect the business from ICO fines for the time being.

http://www.international-chamber.co.uk/press/19-icc-uks-response-to-the-new-eu-e-privacy-directive

http://www.international-chamber.co.uk/blog/2011/07/22/compliance-with-eprivacy-directive/

http://www.culture.gov.uk/news/news_stories/8052.aspx

"the Government has said it will work with browser manufacturers to see if browser setting can be enhanced to meet the requirements of the"

John said...

Thanks for your post. Unfortunately, it looks like even the EU cannot agree on how this directive should be implemented. Recently the EU's data protection supervisor laid into the EU commissioner behind the directive, accusing her of, basically, being too soft. If his line is indicative of where this directive is taking us, then cookie use could get tricky - it won't just be enough to inform. Check out my blog post on this at: http://universityusability.wordpress.com/2011/08/19/cookie-killer-law-eu-commissioner-smack-down-things-just-got-more-confusing/

richard said...

The fact that the ICO website operates a cookie blocking mechanism clearly indicates that they think this is a requirement for compliance.

Their guidance also states:

At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie.

Which seems pretty clear to me. They also suggest pop-ups as a solution, and on the issue of changing terms and conditions state:

You then need to gain a positive indication that users understand and agree to the changes.

I realise that pop-ups are not the only solution - but in many cases they are the most viable one.

I also note that the ICC article you link to states that the requirement is to seek positive consent from visitors to websites before allowing cookies to tag a visitor.

As the vast majority of sites will set cookies like Google Analytics before the home page has finished loading, then blocking by default until consent is gained is the only option.

The real challenge is then to find ways to engage and incentivise website visitors to accept your use of cookies - and this could well become the competitive advantage of those sites that take the lead on this issue.

Anonymous said...

I am a lawyer specialising in data protection, and the advice in this blog post amounts to good actions to take. The cookie consent aspect of the law is just unenforceable at present, as echoed by the ICO. There is a lack of clear technical instruction on how to comply with the requirement, however any attempt to prepare to comply, by conducting a cookie audit and informing website consumers of cookie usage, is clearly a move in the correct direction, a best practice to take. Other than that my recommendation is to just wait until the DCMS releases further information on the specific requirements against UK businesses.

Wolf Software said...

We have already released a jQuery plugin to resolve this issue for Google Analytics

http://cookies.dev.wolf-software.com

We have put together a small site for people to be able to see how long they have left before the new law will start to be enforced.

http://countdown.wolf-software.com

We are also working on a new plugin which will handle cookies of any kind.

masterpapers said...

Blogs are so interactive, where we get lots of information on any topic... nice job, keep it up!!

essay writing service said...

Amazing post! Thanks.

web design dan said...

This is a superb post Dave. It's great to read a balanced view from someone with common sense who has taken the time to digest all the waffle from our Guardian angels in Brussels!

academia research said...

Awesome post! Thanks a lot for sharing.

Anonymous said...

I found an excellent product that helped me instantly comply with the EU Cookie Law.

They're called OKcookie and their Cookie Compliance Solutions was up and running in minutes.

Business VoIP Systems said...

Nice indeed and developing my interest though.
business voip systems

julia maxwell said...

I like your post, now I must complete my research for my paper.

Finance Dissertation Service