There is still much confusion and, to be completely frank,
some plain old nonsense being spouted about the so-called EU Cookie Law. So I
thought it is high time to explain what it is all about, and specifically what UK
businesses should be doing about complying with it. I am not a lawyer or an EU
law expert, therefore you should regard this blog entry as guidance and
personal opinion. Having said that, it has not escaped my attention that there are some
in the legal profession who are jumping on the EU Cookie Directive bandwagon
in order to make a quick buck, even providing very questionable technical advice
to UK businesses.
If you are already in the know on this issue, you may
just want to skip to the bottom paragraph, where I provide my advice – “How to comply with EU Cookie Law and avoid Fines.”
What is the EU Cookie Directive and what are its requirements?
All member countries (states) of the European Union are
obligated to adopt EU Directives. One such EU Directive,
known as the “Privacy and Electronic Communications Directive”, and also known
as the “E-Privacy Directive”, was amended in 2009. The controversial addition
involves requirements around the usage of website cookies, which apply to all
websites serving European Union citizens.
The updated Directive came into force on 26 May 2011, which
means all EU countries should have brought the new requirements on cookie
usage into law. There is some leeway and discretion in how Directives are
interpreted by each individual EU member country. However, most EU countries haven’t done
anything about meeting the new requirements at all; only Denmark and Estonia
have attempted to comply by the deadline.
Meanwhile in the UK, the government has deferred the new directive
requirements for a year while it tries to work out a common sense way for UK
businesses to comply with the updated Directive requirements; remember the
government has some leeway on how to meet the directive’s requirements. The Department
of Culture, Media and Sports (DCMS), the Information Commissioner’s Office
(ICO), and other commercial government departments are currently reviewing how
the UK will comply. The ICO, who are responsible for enforcing data protection
laws in the UK, has stated it expects UK businesses to be actively working
towards compliance, even though no clear practical government requirements or advice
have been set out.
What is a Cookie anyway & is my business affected?
which are often stored locally on a website consumer’s PC, and are commonly
required for functions such as tracking user login, remembering user personal preferences,
tracking visitors and advertising. Therefore the implied change of law will affect
all UK businesses which have websites. A full explanation of ‘cookies’ can be
found at http://www.allaboutcookies.org/
What are the new EU Directive Cookie Requirements?
In simple terms, the change means all UK websites must
provide information on their cookie usage. This is not a major business issue, just
additional text in the website privacy statement, which explains how cookies
are used on the website and what information they hold. I have to say this
requirement actually does make good sense.
However there is another new requirement in the Directive, which is
causing all the controversy and confusion, namely that websites must obtain user
consent before they use a cookie.
“Article 5(3) shall be replaced by the following:
‘3. Member States shall ensure that the storing of
information, or the gaining of access to information
already stored, in the terminal equipment of a subscriber or user is only
allowed on condition that the subscriber or user concerned has given his or her
consent, having been provided with clear and comprehensive information,
in accordance with Directive 95/46/EC, inter alia, about the purposes of the
processing. This shall not prevent any technical storage or access for the sole
purpose of carrying out the transmission of a communication over an electronic
communications network, or as strictly necessary in order for the provider of
an information society service explicitly requested by the subscriber or user
to provide the service.’”
Cookie usage consent on a website is a pretty crazy idea,
as the Directive implies that every time you visit any website, a pop-up box or an in-screen
warning box appears, which forces you to tick a box before allowing you
to access the website. As I said, the vast majority of websites on the internet
Why this change in law?
The intent of the EU Cookie Directive is to protect all individual
European citizens’ privacy rights, as cookies can be used to track an
individual’s interests, which can be exploited by third-party advertisers. I
guess the folks in Brussels think it is in our own best interest for them to
create laws to protect us from this practice, no matter how high a price the inconvenience
trade-off is, a trade-off which affects millions of daily European web users, a
trade-off which would be totally unacceptable to the vast majority of web
There is little doubt the vast majority of the UK public
just don’t care about this law or cookie usage. Privacy is the currency and
price we knowingly pay for using ‘free’ online services. Web services as
provided by the likes of Google, Facebook, YouTube, news websites, the whole of
e-commerce, and free information sharing like this blog are the foundation
of the Internet’s success, and so are the essence of how the web revolution has
changed and driven humankind, in a way like no other human invention. The reason these amazing web services we
take for granted are free to use is that they are paid for by advertisers,
advertisers who feed off our privacy. For instance, as I compose a Gmail email, if
I write about mountain climbing, sure enough unobtrusive advertisements
offering to sell me outdoor equipment will appear on the right side of the
page. Does this bother me? No; all it is is
targeted marketing, and it is really no different from advertising a beer brand at
a football match. It’s the same type of targeted advertising, made against
people’s predicted “wants” based on their interests; this is just the
capitalistic world we all live in. Marketers would argue this type of advertising
benefits consumers, as it presents consumers with only products they have an
actual interest in.
There are more pressing privacy laws on which the EU
should be focusing. The public care
about companies breaching and losing their personal information a lot more than
cookie exploitation. Yet private business still has no legal obligation to
publicly disclose EU citizens’ personal data breaches in the UK. I have
previously blogged about this as well - http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html
Solution for those who do Care about Cookies
For the very few individuals who do care about cookie
usage, there is a simple solution they are probably using already. Anyone can set
consent (prompt) for all cookie usage within their web browser configuration,
so a pop-up appears every time a cookie is about to be created or changed. My
sources tell me this will very likely be the UK government’s response to the EU
Directive, namely to introduce a law which mandates placing instructions on
the website explaining to users how to set their web browser to screen cookies.
Although I still very much doubt anyone would put up
with nagging cookie pop-ups for too long.
At a talk on this, someone raised the point that their business
still operated an old browser, where cookie consent couldn’t be set. He said
their business used a web browser that was several years out of date as they
feared newer browsers would break their internal web applications. My response: “Running really old web browser versions,
due to out-of-date business web applications, points to a security hole.
Specifically it shows there is a patch management problem to be addressed. It’s
security 101 to ensure applications, especially web applications, are patched
and kept up to date, while out-of-date web browsers (which are also applications)
are at a much higher risk of being taken advantage of by malware. Nearly all
newer versions of web browsers, whether Internet Explorer, Chrome or Firefox, come
with many security and anti-malware features.” This response brought applause
in the room, which suggests a general consensus.
How to comply with EU Cookie Law and avoid Fines
The ICO will currently be satisfied if your business is
preparing for a change in law on website cookie usage, and if your business
makes an effort to inform consumers about your website’s cookie usage. Therefore,
at this time I advise the following approach in order to avoid fines and to prepare:
1. An audit of ALL cookie usage. This business-wide audit must cover all
Internet-facing websites and web applications. Record all cookie usage,
including similar technologies like Flash cookies; detail how each
cookie is technically being used by the website/web application, and log the
type of information stored within the cookie file (on the consumer’s local PC).
Make sure you note any cookie usage connected with third-party advertisements, as
these will be of the highest concern to the law makers.
2. If it exists, take a copy of the current website privacy and/or cookie statement,
or update the website privacy/cookie statement to include details of cookie
usage. For example, review The Guardian newspaper’s website cookie statement,
which makes a good example covering most types of cookie usage - http://www.guardian.co.uk/help/privacy-policy#cookies
3. Make sure your privacy/cookie statement explains in plain English what a cookie
actually is. http://www.allaboutcookies.org/
4. Provide instructions on how to switch on web browser cookie screening, covering all
the major web browsers.
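To make step 1 concrete, here is an added example of how the audit record can be produced rather than typed up by hand. This is my illustration for this post, not a tool from the ICO, the Guardian or any vendor. It takes Set-Cookie headers as a crawler, proxy or browser developer tools would record them for each page of the audited site, and emits one inventory row per cookie: which response set it, its effective domain and path, its lifetime, the Secure and HttpOnly flags, and whether it is first- or third-party (the point the law makers care most about). The site names, cookie values, dates and the capture time are all constructed for the example.

```python
"""Cookie inventory builder for a website cookie audit (added example, not
from the original post). Parses recorded Set-Cookie headers into audit rows."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample capture: (response URL, Set-Cookie header values) as a
# crawler or proxy might record them. Domains and values are made up.
SAMPLE_CAPTURE: List[Tuple[str, List[str]]] = [
    ("https://www.example.co.uk/", [
        "sessionid=abc123; Path=/; Secure; HttpOnly",
        "lang=en-GB; Path=/; Max-Age=31536000",
    ]),
    ("https://www.example.co.uk/news", [
        "_ga=GA1.2.111; Domain=.example.co.uk; Path=/; "
        "Expires=Sun, 30 Dec 2012 12:00:00 GMT",
    ]),
    ("https://ads.adnetwork-example.net/pixel", [
        "uid=42; Domain=.adnetwork-example.net; Path=/; "
        "Expires=Sun, 30 Dec 2012 12:00:00 GMT",
    ]),
]
# Fixed (constructed) capture time so that computed lifetimes are reproducible.
CAPTURED_AT = datetime(2011, 6, 1, tzinfo=timezone.utc)


@dataclass
class CookieRecord:
    name: str
    set_by: str                   # URL of the response that set the cookie
    domain: str                   # effective domain (Domain attribute or host)
    path: str
    lifetime_days: Optional[int]  # None means a session cookie
    secure: bool
    http_only: bool
    third_party: bool


def parse_set_cookie(header: str, response_url: str, site_domain: str,
                     captured_at: datetime = CAPTURED_AT) -> CookieRecord:
    """Turn one Set-Cookie header value into an audit record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:                    # remaining parts are attributes
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    host = (urlparse(response_url).hostname or "").lower()
    domain = attrs.get("domain", host).lstrip(".").lower()
    lifetime: Optional[int] = None
    if "max-age" in attrs:                    # Max-Age wins over Expires (RFC 6265)
        lifetime = int(attrs["max-age"]) // 86400
    elif "expires" in attrs:
        lifetime = (parsedate_to_datetime(attrs["expires"]) - captured_at).days
    # Simplified party test: first-party if the cookie domain is the audited
    # site or one of its subdomains. A real audit should consult the public
    # suffix list so a shared parent such as "co.uk" is never treated as the site.
    third_party = not (domain == site_domain or domain.endswith("." + site_domain))
    return CookieRecord(
        name=name, set_by=response_url, domain=domain,
        path=attrs.get("path", "/"), lifetime_days=lifetime,
        secure="secure" in attrs, http_only="httponly" in attrs,
        third_party=third_party,
    )


def build_inventory(capture, site_domain: str,
                    captured_at: datetime = CAPTURED_AT) -> List[CookieRecord]:
    """Parse every Set-Cookie header in a capture into audit records."""
    return [parse_set_cookie(h, url, site_domain, captured_at)
            for url, headers in capture for h in headers]


def audit_concerns(rec: CookieRecord) -> List[str]:
    """Points an auditor would want highlighted against a record."""
    notes = []
    if rec.third_party:
        notes.append("third-party cookie: document the provider and its purpose")
    if rec.lifetime_days is not None and rec.lifetime_days > 365:
        notes.append("persistent for more than a year: justify the retention period")
    if rec.set_by.startswith("https://") and not rec.secure:
        notes.append("set over HTTPS without the Secure flag")
    if rec.lifetime_days is None and not rec.http_only:
        notes.append("session cookie readable by page scripts (no HttpOnly)")
    return notes


if __name__ == "__main__":
    for rec in build_inventory(SAMPLE_CAPTURE, "example.co.uk"):
        print(asdict(rec), audit_concerns(rec) or "no concerns")
```

For a real audit, replace SAMPLE_CAPTURE with headers exported from the browser’s developer tools or an intercepting proxy while walking every page of every Internet-facing site, and add a column for the purpose of each cookie as established with the development team; the script only records what the cookie technically is, which is the part that is easy to get wrong by hand.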
So get the audit done and update your website privacy statement
accordingly. After all, it shouldn’t take too long, and it has a very low cost
to deliver. It is the right thing to provide this type of information to your customers,
plus it will protect your business from criticism.
Finally, the last step is to wait until there is a further
announcement by the UK government. I
suggest not wasting any of your time and money trying to develop a cookie
acceptance box for your website. The ICO website has such an acceptance tick, however it is
an epic fail, as you don’t need to tick the ICO acceptance in order to use the
How will the UK deal with "Consent"?
This is speculation, but to my knowledge none of the UK government agencies and departments involved with addressing the EU Directive are even considering a solution which involves the website/web application code blocking a cookie prior to a user accepting it. They view consent as providing clear information to users on cookie usage within websites, together with making web browser suppliers change default cookie settings. The International Chamber of Commerce is currently working on these solutions with the ICO.
"the Government has said it will work with browser manufacturers to see if browser setting can be enhanced to meet the requirements of the directive"