As of May 26 2012, any website available to European visitors must comply with the EU E-Privacy Directive. New laws came into effect in 2011 which prevent identifying information being stored a user’s computer without their knowledge and consent.
If you’re using cookies or any other technologies for non-essential tracking, you must:
- Tell users that tracking technologies are used.
- Explain the reasons for using those technologies.
- Obtain the user’s consent prior to using that technology and allow them to withdraw permission at any time.
The specific technology is not important. While cookies are an obvious target, the law applies to client-side storage, Flash cookies, image trackers, browser fingerprinting or any technology used to identify an individual.
A user’s consent must involve communication where the individual knowingly indicates their acceptance, e.g. clicking an icon or checkbox. Wherever possible, setting cookies must be delayed until a user has the opportunity to understand what technologies are being used and make an informed choice.
The only exceptions are sites where tracking is strictly necessary for the provision of a service or communication requested by the user. Shopping baskets, some online applications and client-side caching to improve page speed would not require authorization. Sites using analytics, advertising or customized greetings must comply.
The website setting a cookie is primarily responsible for compliance. However, in the case of third-party cookies, both parties have a responsibility to ensure users are informed about cookies and consent is obtained.
The law applies to European companies even if their website is hosted overseas. Organizations outside Europe with websites designed for the European market should consider that those users will expect information and choices about cookies to be provided (although legal enforcement is unlikely).
In essence, if you’re using Google Analytics without the user’s consent, your website is operating illegally in Europe.
How Can You Comply?
The UK’s Information Commissioner’s Office (ICO) admits the new rules require considerable work and makes the following recommendations:
- Audit your site’s tracking technologies and usage. Take the opportunity to remove unnecessary cookies.
- Assess how intrusive that tracking is, i.e. is it an essential application session cookie or a one that has privacy implications.
- Decide on what solution is best to obtain the user’s consent.
British Telecom has one of the better examples. On accessing BT.com for the first time, the user is presented with a pop-up message:
The cookie option panel can be accessed from links in the pop-up or page footer:
Whether BT’s implementation abides with the law is another matter. The pop-up disappears after 12 seconds which won’t be enough for some users. In addition, full cookie approval is assumed if you don’t click the pop-up or footer link. The law clearly states that a user must knowingly indicate their acceptance; you cannot presume they understand or agree to your terms by their inaction.
The ICO’s Guidance on the rules on use of cookies and similar technologies offers pragmatic help. It’s a long read, but well-written in clear English.
The Penalties
In the UK, a fine of up to £500,000 can be levied against companies deemed to be operating illegally.
However, the ICO will initially issue information and enforcement notices. This is understandable when you consider that few Government websites have implemented cookie-acceptance systems! Formal action will only be considered when an organization refuses to take steps to comply or is actively using privacy-intrusive technologies.
The Practicalities
Laws can only succeed if they’re clear and enforceable.
The current EU directive is intentionally vague because it’s almost impossible to legislate computer code and functionality which can be developed in an infinite number of ways. The onus is on organizations to determine whether they are breaking the law and take steps to rectify the situation. Unfortunately:
- Few website owners understand the issues or know whether they comply.
- Web developers won’t necessarily know when and where cookies are used in a complex system.
- Assessing the legality of individual cookies will be impossible until precedents are set.
- The legislation has arrived very late and it’s impossible to police millions of websites.
There will not be crack Government teams dedicated to hunting illegal websites; the ICO and equivalent bodies throughout Europe will respond to individual complaints.
But who will complain? An independent survey commissioned for the UK Government concluded that only 13% of users stated they fully understood cookies. 41% were unaware of different types of local storage and 37% admitted they had no idea how to manage cookies within a browser. Even when you know a cookie has been used, it’s impossible to determine whether it’s breaking privacy laws without accessing the back-end source code.
The ICO accepts the legislation will be difficult to enforce, but will act against any company flouting the spirit of the law.
Open Season for Scammers
While this law is aimed at protecting users, it’s scammers who gain the biggest benefit. If you’ve not been contacted yet, expect to see emails such as this appear in your inbox:
Your website contravenes The European E-Privacy Directive 2009/136/EC. The legislation was passed in all European countries on May 25 2011 and your website fails to comply.
You must act immediately. To avoid a monetary penalty notice of up to £500,000, please forward payment of £10,000 to Korupt & Vyle, Internet Solicitors, so we can advise further. If we do not receive payment within seven days, your company will be reported to the UK Government Information Commissioner’s Office and all EU regulatory bodies.
Is this blackmail? Or is the scammer exercising their right to sell you compliance services before reporting you to the authorities for illegal activities? Put it this way, if you send enough emails, you’ll eventually find someone with enough naivety and cash.
What Should You Do?
If you’re using cookies or other tracking technologies for dubious purposes, you already know it and probably aren’t concerned about EU or any other laws. For everyone else, I suggest a simple approach:
- Ensure you have a privacy policy link in the footer of every page. You might want to change this to “Privacy Policy & Cookie Usage”.
- Explain your use of cookies and, where necessary, link to the privacy policies of third-party systems such as Google Analytics (google.com/analytics/learn/privacy.html).
- Rather than devise a complex opt-in system, link to cookie resource sites such as aboutcookies.org which explain how to block, control and delete cookies.
- Do not respond to unsolicited emails offering cookie legislation help.
- If you are contacted by a genuine regulatory body, work with them to identify any privacy breaches and devise solutions. They will not charge for that service.
While the EU cookie directive may be dumb and unenforceable, it’s still a law. Unfortunately, common sense is not a legal defense.
Craig BucklerCraig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.
