Tuesday 23 August 2011

How to comply with the EU Cookie Law in the UK

There is still much confusion and to be completely frank, some plain old nonsense being sprouted about the so called EU Cookie Law. So I thought it is high time to explain what it is all about, and specifically what UK businesses should be doing about complying with it. I am not a lawyer or an EU Law expert, therefore you should regard this blog entry as guidance and personal opinion. Having said that, it has not escaped my attention, there are some in the legal profession that are jumping on the EU Cookie Directive bandwagon in order to make a quick buck, and even providing very questionable technical advice to UK businesses.

If you are already in the know with this issue, you may just want to skip to the bottom paragraph, where I provide my advice – “How to comply with EU Cookie Law and avoid Fines.”

What is the EU Cookie Directive and its requirements?
All member countries (states) of the European Union are obligated to adopt EU Directives. One such EU Directive, known as the “Privacy and Electronic Communications Directive”, and also known as the “E-Privacy Directive”, was amended in 2009. The controversial addition involves requirements around the usage of website cookies, which applies to all websites servicing European Union citizens.


The updated Directive came into force on 26 May 2011, which means all EU countries should have brought the new requirements over cookie usage into law. There is some leeway and discretion on how Directives are interpreted by each individual EU member country.  However most EU countries haven’t done anything about meeting the new requirements at all, only Denmark and Estonia have attempted to comply by the deadline.

Meanwhile in the UK, the government has deferred the new directive requirements for a year while they try to work out a common sense way for UK businesses to comply with the updated Directive requirements, remember the government has some leeway on how meet the directive’s requirements. The Department of Culture, Media and Sports (DCMS), the Information Commissioners Office (ICO), and other commercial government departments are currently reviewing how the UK will comply. The ICO, who are responsible for enforcing data protection laws in the UK, has stated it expects UK businesses to be activity working towards compliance, even though no clear practical government requirements or advice has been set out. enforcement_cookies_rules_news_release

What is a Cookie anyway & is my business affected?
Nearly all websites and web applications use cookies, which are often stored locally on a website consumer’s PC, and are commonly required for functions such as tracking user login, remembering user personal preferences, tracking visitors and advertising. Therefore the implied change of law will affect all UK businesses which have websites. A full explanation of ‘cookies’ can be found at http://www.allaboutcookies.org/


What are the new EU Directive Cookie Requirements?
In simple terms, the change means all UK websites must provide information on their cookie usage. This is not a major business issue, just additional text to the website privacy statement, which explains how cookies are used on the website, and what information they hold. I have to say this requirement actually does make good sense.  However there is another new requirement in the Directive, which is causing all the controversy and confusion, namely that websites must obtain user consent before they use a cookie.

“Article 5(3) shall be replaced by the following:
‘3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’

Cookie Usage Consent
Cookie usage consent on a website is a pretty crazy idea, as the Directive implies every time you visit any website, a pop-box or an in screen warning box appears, which forces you to tick a box before allowing you to access the website. As I said the vast majority of websites on the internet need to use cookies, and they just can’t work without them.  I have previously blog ranted about this before -

Why has this change in law?
The intent of the EU Cookie Directive is to protect all individual European citizen’s privacy rights, as cookies can be used to track an individual’s interests, which can be exploited by third party advertisers. I guess the folks at Brussels think it is in our own best interest, for them to create laws to protect us from this practice, no matter how high a price the inconvenience trade off is, a trade off which affects millions of daily European web users, a trade off which would be totally unacceptable to the vast majority of web users.

There is little doubt the vast majority of the UK public just don’t care about this law or cookie usage. Privacy is the currency and price we knowingly pay for using ‘free’ online services. Web services as provided by the likes of Google, Facebook, YouTube, news websites, the whole of e-commerce, free information sharing like this blog, these are the foundation of the Internet’s success, and so are the essence of how the web revolution has changed and driven human kind, in a way like no other human invention.  The reason why these amazing web services we take for granted are free to use, is they are paid for by advertisers, advertisers who feed off our privacy. For instance as I compose a Gmail Email, if I write about mountain climbing, sure enough unobtrusive advertisements offering to sell me outdoor equipment will appear on the right side of the page.  Does this bother me? No, all it is targeted marketing, and is really no different than advertising a beer brand at a football match, it’s the same type of targeted advertising, made against people’s predicted “wants” based on their interests, this is just the capitalistic world we all live in. Marketers would argue this type of advertising benefits consumers, as it presents consumers with only products they have an actual interest in.

There are more pressing privacy laws to which the EU should be focusing.  The public do care about companies breaching and losing their personal information a lot more than cookie exploitation. Yet private business still has no legal obligation to publicly disclosure EU citizen personal data breaches in the UK. I have previously blogged about this as well - http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html

Common Sense Solution for those who do Care about Cookies
For the very few individuals who do care about cookie usage, there is a simple solution they are probably doing already. Anyone can set consent (prompt) for all cookie usage within their web browser configuration, so a pop-up appears every time a cookie wants to be created or is changed. My sources tell me this will be very likely be the UK government response to the EU Directive, namely introduce a law which mandates the placing of instructions on the website, explaining to users how to set their web browser to screen cookie usage.
Although I still very much doubt if anyone would put up with nagging Cookie pop-ups for too long.  At a talk on this, someone raise a point that in their business they still operated an old browser, where cookie consent couldn’t be set. He said their business used a web browser that was several years out of date as they feared new browsers would break their internal web applications.  My response, “running really old web browser versions, and (due) to out of date business web applications, points to a security hole. Specifically it shows there is a patch management problem to be addressed. Its security 101 to ensure applications, especially web applications, are patched and kept up-to-date, while out of date web browsers (which are also applications) are at a much higher risk of being taken advantage of by malware. Nearly all newer versions of web browsers, whether Internet Explorer, Chrome or Firefox, come with many security and anti-malware features”, this response brought an applause in the room, which suggests a general consensus.

How to comply with EU Cookie Law and avoid Fines
The ICO will be currently satisfied if your business is preparing for a change in law on website cookie usage, and if your business makes an effort to inform consumers about your website’s cookie usage. Therefore, at this time I advise the following approach in order to avoid fines and to prepare for compliance.

1. Conduct an audit of ALL Cookie usage
This business wide audit must cover all Internet facing websites and web applications. Record all cookie usage, including similar technologies like flash cookies, ensure you detail how each cookie is technically being used by the website/web application, and log the type of information stored within the cookie file (on local consumer’s PC). Ensure you note any cookie usage connected with third party advertisements, as these will be the highest concern to the law makers.

2.  If it exists, take a copy of the current website privacy and/or cookie statement

3. Create (or) update the website privacy/cookie statement, to include details of cookie usage. For example, review The Guardian’s Newspapers website cookie statement, which makes an good example covering most types of Cookie usage - http://www.guardian.co.uk/help/privacy-policy#cookies

4. Make sure your privacy/cookie statement explains in plain English what a cookie actually is. http://www.allaboutcookies.org/

5; Provide instructions on how to switch on web browser cookie screening, including all the major web browsers.

So get the audit done and update your website privacy statement accordingly. After all it shouldn’t take too long, and this has a very low cost to deliver. It is the right thing to provide this type of information to your customers, plus it will  protect your business from criticism and fines.

Finally the last step is to wait until there is a further announcement by the UK government.  I suggest not wasting any of your time and money in trying to develop a cookie acceptance box for your website. The ICO website has such an acceptance tick box http://www.ico.gov.uk/, however it is an epic fail, as you don’t need to tick the ICO acceptance in order to use the website!

How will the UK deal with "Consent"
This is speculation, but to my knowledge none of the UK government agencies and departments involved with addressing the EU Directive are even considering a solution which involves the website/web application code blocking a cookie prior to a user accepting it. They are viewing consent as providing clear information to users on cookie usage within websites, together with making web browser suppliers change default cookie settings. The International Chamber of Commerce is currently working on these solutions with ICO.

http://www.international-chamber.co.uk/press/19-icc-uks-response-to-the-new-eu-e-privacy-directive 

http://www.international-chamber.co.uk/blog/2011/07/22/compliance-with-eprivacy-directive/

http://www.culture.gov.uk/news/news_stories/8052.aspx

"the Government has said it will work with browser manufacturers to see if browser setting can be enhanced to meet the requirements of the directive"