If you are already in the know with this issue, you may
just want to skip to the bottom paragraph, where I provide my advice – “How to comply with EU Cookie Law and avoid Fines.”
What is the EU
Cookie Directive and its requirements?
All member countries (states) of the European Union are
obligated to adopt EU Directives. One such EU Directive,
known as the “Privacy and Electronic Communications Directive”, and also known
as the “E-Privacy Directive”, was amended in 2009. The controversial addition
involves requirements around the usage of website cookies, which applies to all
websites servicing European Union citizens.
The updated Directive came into force on 26 May 2011, which means all EU countries should have brought the new requirements over cookie usage into law. There is some leeway and discretion on how Directives are interpreted by each individual EU member country. However most EU countries haven’t done anything about meeting the new requirements at all, only Denmark and Estonia have attempted to comply by the deadline.
Meanwhile in the UK, the government has deferred the new directive
requirements for a year while they try to work out a common sense way for UK
businesses to comply with the updated Directive requirements, remember the
government has some leeway on how meet the directive’s requirements. The Department
of Culture, Media and Sports (DCMS), the Information Commissioners Office
(ICO), and other commercial government departments are currently reviewing how
the UK will comply. The ICO, who are responsible for enforcing data protection
laws in the UK, has stated it expects UK businesses to be activity working
towards compliance, even though no clear practical government requirements or advice
has been set out. enforcement_cookies_rules_news_release
What is a Cookie
anyway & is my business affected?
Nearly all websites and web applications use cookies,
which are often stored locally on a website consumer’s PC, and are commonly
required for functions such as tracking user login, remembering user personal preferences,
tracking visitors and advertising. Therefore the implied change of law will affect
all UK businesses which have websites. A full explanation of ‘cookies’ can be
found at http://www.allaboutcookies.org/
In simple terms, the change means all UK websites must
provide information on their cookie usage. This is not a major business issue, just
additional text to the website privacy statement, which explains how cookies
are used on the website, and what information they hold. I have to say this
requirement actually does make good sense.
However there is another new requirement in the Directive, which is
causing all the controversy and confusion, namely that websites must obtain user
consent before they use a cookie.
“Article 5(3) shall be replaced by the following:
‘3. Member States shall ensure that the storing of
information, or the gaining of access to information
already stored, in the terminal equipment of a subscriber or user is only
allowed on condition that the subscriber or user concerned has given his or her
consent, having been provided with clear and comprehensive information,
in accordance with Directive 95/46/EC, inter alia, about the purposes of the
processing. This shall not prevent any technical storage or access for the sole
purpose of carrying out the transmission of a communication over an electronic
communications network, or as strictly necessary in order for the provider of
an information society service explicitly requested by the subscriber or user
to provide the service.’
Cookie Usage
Consent
Cookie usage consent on a website is a pretty crazy idea,
as the Directive implies every time you visit any website, a pop-box or an in
screen warning box appears, which forces you to tick a box before allowing you
to access the website. As I said the vast majority of websites on the internet
need to use cookies, and they just can’t work without them. I have previously blog ranted about this
before -
Why has this
change in law?
The intent of the EU Cookie Directive is to protect all individual
European citizen’s privacy rights, as cookies can be used to track an
individual’s interests, which can be exploited by third party advertisers. I
guess the folks at Brussels think it is in our own best interest, for them to
create laws to protect us from this practice, no matter how high a price the inconvenience
trade off is, a trade off which affects millions of daily European web users, a
trade off which would be totally unacceptable to the vast majority of web
users.
There is little doubt the vast majority of the UK public
just don’t care about this law or cookie usage. Privacy is the currency and
price we knowingly pay for using ‘free’ online services. Web services as
provided by the likes of Google, Facebook, YouTube, news websites, the whole of
e-commerce, free information sharing like this blog, these are the foundation
of the Internet’s success, and so are the essence of how the web revolution has
changed and driven human kind, in a way like no other human invention. The reason why these amazing web services we
take for granted are free to use, is they are paid for by advertisers,
advertisers who feed off our privacy. For instance as I compose a Gmail Email, if
I write about mountain climbing, sure enough unobtrusive advertisements
offering to sell me outdoor equipment will appear on the right side of the
page. Does this bother me? No, all it is
targeted marketing, and is really no different than advertising a beer brand at
a football match, it’s the same type of targeted advertising, made against
people’s predicted “wants” based on their interests, this is just the
capitalistic world we all live in. Marketers would argue this type of advertising
benefits consumers, as it presents consumers with only products they have an
actual interest in.
There are more pressing privacy laws to which the EU
should be focusing. The public do care
about companies breaching and losing their personal information a lot more than
cookie exploitation. Yet private business still has no legal obligation to
publicly disclosure EU citizen personal data breaches in the UK. I have
previously blogged about this as well - http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html
Common Sense
Solution for those who do Care about Cookies
For the very few individuals who do care about cookie
usage, there is a simple solution they are probably doing already. Anyone can set
consent (prompt) for all cookie usage within their web browser configuration,
so a pop-up appears every time a cookie wants to be created or is changed. My
sources tell me this will be very likely be the UK government response to the EU
Directive, namely introduce a law which mandates the placing of instructions on
the website, explaining to users how to set their web browser to screen cookie
usage.
Although I still very much doubt if anyone would put up with nagging Cookie pop-ups for too long. At a talk on this, someone raise a point that in their business they still operated an old browser, where cookie consent couldn’t be set. He said their business used a web browser that was several years out of date as they feared new browsers would break their internal web applications. My response, “running really old web browser versions, and (due) to out of date business web applications, points to a security hole. Specifically it shows there is a patch management problem to be addressed. Its security 101 to ensure applications, especially web applications, are patched and kept up-to-date, while out of date web browsers (which are also applications) are at a much higher risk of being taken advantage of by malware. Nearly all newer versions of web browsers, whether Internet Explorer, Chrome or Firefox, come with many security and anti-malware features”, this response brought an applause in the room, which suggests a general consensus.
Although I still very much doubt if anyone would put up with nagging Cookie pop-ups for too long. At a talk on this, someone raise a point that in their business they still operated an old browser, where cookie consent couldn’t be set. He said their business used a web browser that was several years out of date as they feared new browsers would break their internal web applications. My response, “running really old web browser versions, and (due) to out of date business web applications, points to a security hole. Specifically it shows there is a patch management problem to be addressed. Its security 101 to ensure applications, especially web applications, are patched and kept up-to-date, while out of date web browsers (which are also applications) are at a much higher risk of being taken advantage of by malware. Nearly all newer versions of web browsers, whether Internet Explorer, Chrome or Firefox, come with many security and anti-malware features”, this response brought an applause in the room, which suggests a general consensus.
How to comply with
EU Cookie Law and avoid Fines
The ICO will be currently satisfied if your business is preparing for a change in law on website cookie usage, and if your business makes an effort to inform consumers about your website’s cookie usage. Therefore, at this time I advise the following approach in order to avoid fines and to prepare for compliance.
The ICO will be currently satisfied if your business is preparing for a change in law on website cookie usage, and if your business makes an effort to inform consumers about your website’s cookie usage. Therefore, at this time I advise the following approach in order to avoid fines and to prepare for compliance.
1. Conduct an audit of ALL Cookie usage
This business wide audit must cover all Internet facing websites and web applications. Record all cookie usage, including similar technologies like flash cookies, ensure you detail how each cookie is technically being used by the website/web application, and log the type of information stored within the cookie file (on local consumer’s PC). Ensure you note any cookie usage connected with third party advertisements, as these will be the highest concern to the law makers.
2. If it exists, take a copy of the current website privacy and/or cookie statement
3. Create (or) update the website privacy/cookie statement, to include details of cookie usage. For example, review The Guardian’s Newspapers website cookie statement, which makes an good example covering most types of Cookie usage - http://www.guardian.co.uk/help/privacy-policy#cookies
4. Make sure your privacy/cookie statement explains in plain English what a cookie actually is. http://www.allaboutcookies.org/
5; Provide instructions on how to switch on web browser cookie screening, including all the major web browsers.
So get the audit done and update your website privacy statement accordingly. After all it shouldn’t take too long, and this has a very low cost to deliver. It is the right thing to provide this type of information to your customers, plus it will protect your business from criticism and fines.
Finally the last step is to wait until there is a further announcement by the UK government. I suggest not wasting any of your time and money in trying to develop a cookie acceptance box for your website. The ICO website has such an acceptance tick box http://www.ico.gov.uk/, however it is an epic fail, as you don’t need to tick the ICO acceptance in order to use the website!
How will the UK deal with "Consent"
This is speculation, but to my knowledge none of the UK government agencies and departments involved with addressing the EU Directive are even considering a solution which involves the website/web application code blocking a cookie prior to a user accepting it. They are viewing consent as providing clear information to users on cookie usage within websites, together with making web browser suppliers change default cookie settings. The International Chamber of Commerce is currently working on these solutions with ICO.
http://www.international-chamber.co.uk/press/19-icc-uks-response-to-the-new-eu-e-privacy-directive
http://www.international-chamber.co.uk/blog/2011/07/22/compliance-with-eprivacy-directive/
http://www.culture.gov.uk/news/news_stories/8052.aspx
"the Government has said it will work with browser manufacturers to see if browser setting can be enhanced to meet the requirements of the directive"
15 comments:
Unfortunately the advice here is flawed.
The ICO's own guidance states that current browser controls are not good enough to rely on for compliance with the law.
They may be in the future - but that will take years to roll out.
In the meantime, website owners are responsible for ensuring they are compliant.
This does mean employing a solution such as the one found here: www.cookielaw.org - which blocks most cookies, especially tracking cookies, until consent has been obtained.
The law is clear that consent must be obtained first.
A far better solution is to put a http://cookieq.com configurable button on your web pages. There is no need for annoying popups, the default opted-out indication banner is optional, visitors can manage all their cookie agreements on one page and 3rd party cookies can be subject to consent on supported browsers. Consent for cookies, including analytics ones, will be remembered and can be idependently proven.
Obviously I will disagree with that, as the advice in the post is right in line with what the ICO are advising UK businesses at the moment.
Remember there is leeway on how a member state can interpret a Directive. The Directive does not what clarify how user consent must be obtained.
Given that, I none of the UK government agencies/departments involved are even considering a solution which involves the website code blocking cookies prior to a user accepting it. They are viewing consent as providing clear information to users on cookie usage within websites, together with making web browser suppliers change default cookie settings. The International Chamber of Commerce is currently working on these solutions.
Even if you choose to doubt all this, until the UK officially release clear law/technically guidance, following the advise in this post will protect the business from ICO fines for the time being.
http://www.international-chamber.co.uk/press/19-icc-uks-response-to-the-new-eu-e-privacy-directive
http://www.international-chamber.co.uk/blog/2011/07/22/compliance-with-eprivacy-directive/
http://www.culture.gov.uk/news/news_stories/8052.aspx
"the Government has said it will work with browser manufacturers to see if browser setting can be enhanced to meet the requirements of the"
Thanks for your post. Unfortunately, it looks like even the EU cannot agree on how this directive should be implemented. Recently the EU's data protection supervisor laid into the EU commissioner behind the directive, accusing her of, basically, being too soft. If his line is indicative of where this directive is taking us, then cookie use could get tricky - it won't just be enough to inform. Check out my blog post on this at: http://universityusability.wordpress.com/2011/08/19/cookie-killer-law-eu-commissioner-smack-down-things-just-got-more-confusing/
The fact that the ICO website operates a cookie blocking mechanism, clearly indicates that they think this is a requirement for compliance.
Their guidance also states:
At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie.
Which seem pretty clear to me. They also suggest pop-ups as a solution, and on the issue of changing terms and conditions state:
You then need to gain a positive indication that users understand and agree to the changes.
I realise that pop-ups are not the only solution - but in many cases they are the most viable one.
I also note that the ICC article you link to states that the requirement is to seek positive consent from visitors to websites before allowing cookies to tag a visitor.
As the vast majority of sites will set cookies like Google Analytics before the home page has finished loading, then blocking by default until consent is gained is the only option.
The real challenge is then to find ways to engage and incentivise website visitors to accept your use of cookies - and this could well become the competitive advantage of those sites that take the lead on this issue.
I am lawyer specialising in data protection, the advice in this blog post is all good actions to take. The cookie consent aspect of the law is just unenforceable at present, as echoed by the ICO. There is a lack of clear technical instruction on how to comply with the requirement, however any attempt to prepare to comply, by conducting a cookie audit and informing website consumers of cookie usage, is clearly a move in correct direction, a best practice to take. Other than that my recommendation is to just wait until the DMCS releases further information on the specific requirements against UK businesses.
We have already released a jQuery plugin to resolve this issue for Google Analytics
http://cookies.dev.wolf-software.com
We have put together a small site for people to be able to see how long they have left before the new law will start to be enforced.
http://countdown.wolf-software.com
We are also working a new plugin which will handle cookies of any kind
Blogs are so interactive where we get lots of informative on any topics...... nice job keep it up !!
Amazing post! Thanks.
This is a superb post Dave. It's great to read a balanced view from someone with common sense who has taken the time to digest all the waffle from our Guardian angels in Brussels!
Awesome post! Thanks a lot for sharing.
I found an excellent product that helped me instantly comply with the EU Cookie Law.
There called OKcookie and thier Cookie Compliance Solutions was up and running in minutes.
I found an excellent product that helped me instantly comply with the EU Cookie Law.
There called OKcookie and thier Cookie Compliance Solutions was up and running in minutes.
Nice indeed and developing my interest though.
business voip systems
It is really difficult to get this kind of useful information. Thank you so much for constantly posting interesting and informative article. Thanks a lot for all the info.
Post a Comment