Cookies and the EU privacy directive: what it means for you
1. Introduction to the EU Cookies Law
And what it means for your organisation
Simon Lande, CEO, Magus
simon.lande@magus.co.uk
24th November 2011
2. A brief history of EU Cookies Law
• July 2002: EU passes a law (Directive 2002/58/EC) which states that
anyone who wants to insert cookies into the browsers of users has to
give notice of this and offer an opt-out
• December 2009: EU amends the Directive to state that users must
provide their consent before websites can download non-essential
cookies onto the user’s machine via the browser
• 25 May 2011: The date by which all EU countries are required to
implement this change into their national legislation (most have not yet
done so!)
• The amended Directive is likely to apply to all organisations who
download cookies onto the machines of users based in the EU,
whether those organisations are based in the EU or not
• In the UK, organisations could be subject to enforcement notices and
actions, and potentially a fine of up to £500K for failing to comply
3. What are cookies?
• A piece of text stored on a user’s computer by their web browser
• They have a range of uses, including:
o Authentication
o Storing site preferences
o Storing shopping basket contents
Cookies which are necessary to provide a service that the user has
asked for, for example to fill a shopping trolley, are exempt from this
legislation
However, cookies can also be used to track user activity, build up profiles
and carry out other non-essential activities – this is what the fuss is all
about
4. Types of cookies
Cookies are categorised according to:
• Their duration
o Session cookies
o Persistent / Tracker cookies
• Who sets them
o First party cookies
o Third party cookies
5. How’s the legislation being interpreted?
Sweden:
• Directive transposed into national law on 1 July 2011 requiring user consent for the use of
cookies. The relevant Swedish authority has provided little guidance on the crucial question
of how to obtain consent.
• In addition, the Swedish Internet Advertising Bureau has issued draft recommendations that:
(i) information on the use of cookies, and how consent may be denied and withdrawn, should
be provided to users; and
(ii) user consent must be obtained by means appropriate to the circumstances (e.g. use
through browser settings which allow cookies, following user’s receipt of sufficient
information).
Norway:
• National law to implement the Directive is currently under consideration. It is expected to
come into force in 2012.
Denmark:
• Draft executive order is under consultation and Denmark has asked the European
Commission to clarify certain aspects of the Directive.
• It is intended that the final version of the executive order will be agreed and come into effect
by the end of December this year.
6. How’s the legislation being interpreted?
UK:
• Directive became law on the 25th May 2011, and the ICO has given organisations 1 year to
comply, before enforcement action may be imposed
• But they must currently be able to show "they have a realistic plan to achieve
compliance"
France:
• Draft bill exists and is in the process of public consultation. If implemented, this would require
organisations to obtain user consent. Such consent need not necessarily be expressed, as it
may be implied from users’ browser settings.
Netherlands:
• Proposed national legislation is to be voted on by the Dutch Senate this year. If approved, it
will likely come into effect early next year, setting out the obligation that organisations must
obtain user consent before cookies can be installed or stored on users’ computers.
• They’ll also need to prove they have it! (This requirement goes beyond the provisions of
the Directive.)
7. What’s everyone doing about cookies?
Example 1: The Information Commissioner’s Office
10. What should you be doing about it?
• The perfect solution is not yet out there
• There’s no advantage to being an early adopter
o For example, some companies have already taken down their pop-up windows and
warning layers due to negative impacts on usability
• Cookies law is on the move
o Majority of European countries have yet to implement the Directive
o Some of the European countries which have implemented the Directive have not
provided clear guidance as to how organisations should comply
o There are different views on whether the UK has correctly implemented the Directive
(e.g. the EU committee of national data protection regulators has issued an opinion
that contradicts the UK’s implementation relating to the time at which user consent
must be obtained)
• Technical (e.g. browser-based) solutions may be around the corner
So, best to sit back and “Do nothing?”
11. A realistic plan
You need to be able to demonstrate that you have a “realistic plan to achieve compliance”…
Current best practice is for all companies to take the following three
actions:
1. Check what type of cookies and similar technologies you use and how
you use them
2. Assess how intrusive your use of cookies is
3. Decide what solution to obtain consent will be best in your
circumstances
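Step 1 of the plan is an inventory of the cookies a site actually sets, and step 2 depends on knowing each cookie's duration and who sets it. The script below is an added example (not code from the Magus deck) showing how such an inventory can be built from Set-Cookie headers recorded while crawling a site: each cookie is classified as session or persistent (from Expires / Max-Age) and as first or third party (by comparing the cookie's domain with the site's). The site host, the captured headers and the cookie names are constructed for illustration, and the registrable-domain logic is a simplified assumption (a real audit would use the Public Suffix List).

```javascript
// Added example: cookie inventory from captured Set-Cookie headers.
// Not part of the original deck; all hosts, cookie names and dates are constructed.

// Assumed audit target (not a real site) and the reference date of the audit.
const SITE_HOST = 'www.example.co.uk';
const AUDIT_DATE = new Date('2011-11-24T00:00:00Z');

// Constructed capture: the host that sent each response and its Set-Cookie header.
const CAPTURED = [
  { host: 'www.example.co.uk',       header: 'JSESSIONID=abc123; Path=/; HttpOnly; Secure' },
  { host: 'www.example.co.uk',       header: 'basket=item42; Path=/; Max-Age=3600' },
  { host: 'www.example.co.uk',       header: '_ga=GA1.2.111; Expires=Sun, 24 Nov 2013 10:00:00 GMT; Path=/' },
  { host: 'ads.tracker-example.net', header: 'uid=xyz; Domain=.tracker-example.net; Expires=Sat, 24 Nov 2012 10:00:00 GMT; Path=/' },
  { host: 'www.example.co.uk',       header: 'old_pref=; Max-Age=0; Path=/' },
];

// Registrable domain of a host. Simplifying assumption: the last two labels, or
// three for a few UK second-level suffixes; a production audit would use the
// Public Suffix List instead of this table.
const UK_SUFFIXES = new Set(['co.uk', 'org.uk', 'ac.uk', 'gov.uk']);
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, '').split('.');
  const n = UK_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-n).join('.');
}

// Split a Set-Cookie header into name, value and a lower-cased attribute map
// (flag attributes such as HttpOnly are stored as `true`).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const p of rest) {
    const i = p.indexOf('=');
    attrs[(i === -1 ? p : p.slice(0, i)).toLowerCase()] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Classify one captured cookie by duration and by party.
function classify(entry, siteHost = SITE_HOST, now = AUDIT_DATE) {
  const c = parseSetCookie(entry.header);

  // Duration: no Expires/Max-Age means a session cookie; a Max-Age of 0 or a
  // past Expires is an instruction to delete the cookie, recorded separately.
  let duration = 'session';
  if ('max-age' in c.attrs) {
    duration = Number(c.attrs['max-age']) > 0 ? 'persistent' : 'deletion';
  } else if ('expires' in c.attrs) {
    duration = new Date(c.attrs.expires) > now ? 'persistent' : 'deletion';
  }

  // Party: the cookie belongs to its Domain attribute if present, otherwise to
  // the responding host; compare registrable domains with the audited site's.
  const owner = typeof c.attrs.domain === 'string' ? c.attrs.domain : entry.host;
  const party = registrableDomain(owner) === registrableDomain(siteHost) ? 'first-party' : 'third-party';

  return { name: c.name, setBy: entry.host, duration, party,
           httpOnly: 'httponly' in c.attrs, secure: 'secure' in c.attrs };
}

// Full inventory plus the names to review first: persistent third-party cookies,
// which the deck's own audit checklist (third party domains and scripts) singles out.
function inventory(captured = CAPTURED, siteHost = SITE_HOST, now = AUDIT_DATE) {
  const cookies = captured.map(e => classify(e, siteHost, now));
  const reviewFirst = cookies
    .filter(c => c.party === 'third-party' && c.duration === 'persistent')
    .map(c => c.name);
  return { cookies, reviewFirst };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(inventory().cookies);
  console.log('review first:', inventory().reviewFirst);
}
```

On the constructed capture this yields one session first-party cookie, two persistent first-party cookies, one persistent third-party cookie (the only name in the review-first list) and one deletion. The classification says nothing about whether a cookie is "strictly necessary"; that is the judgement step 2 asks for, and the inventory only gives it a factual basis.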
12. Compliance options
Columns: Option | Regulatory compliance | Usability | Business impact | Comments

Option: Remove all non-essential cookies
Regulatory compliance: Very High | Usability: Low | Business impact: High
Comments: Possible to remove all cookies from a website other than those strictly necessary for the provision of services to the user. However, this is likely to require redesign work and could significantly degrade website functionality. It is also likely to impact the business model for the website, e.g. by removing the ability to collect important information.

Option: Pop-up windows
Regulatory compliance: High | Usability: Low | Business impact: Medium/High
Comments: Non-essential cookies are only used if the user clicks “Accept” on a pop-up window. This is an intrusive and annoying option (not least because those refusing cookies will get the pop-up again and again). Reduced usability/functionality will negatively affect traffic. Partial acceptance of cookies will make tracking information meaningless.

Option: Banner tick box
Regulatory compliance: High | Usability: Medium | Business impact: Medium/High
Comments: A banner is placed at the top of the page allowing users to click to accept cookies. This is the option selected by the UK Information Commissioner. In practice, very few people click to accept cookies. Partial acceptance of cookies will make tracking information meaningless.

Option: Acceptance of T&C’s
Regulatory compliance: Medium | Usability: Medium | Business impact: Low
Comments: Users give consent to cookies when they accept the terms of use of a website. This only works if users are expressly required to agree to those terms of use in order to use the website.

Option: Website notes
Regulatory compliance: Low | Usability: Low | Business impact: Low
Comments: A prominent notice is provided indicating that cookies are used, linking to details of each cookie. This is the option taken by the UK Department of Culture, Media and Sport, who are responsible for implementing the new cookies laws in the UK.
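The pop-up and banner options both come down to the same mechanism: non-essential tags are held back until the user has recorded consent, and that record has to survive between visits. The module below is an added example (not code from the deck, the ICO or any site it mentions) of that mechanism: consent is stored in a single first-party cookie, which is needed to honour the user's choice, and every other tag runs only if its category has been consented to. The cookie name, the category names, the tag ids and the `/tags/<id>.js` script path are assumptions for illustration; the consent record carries a policy version so that a changed cookie policy re-asks the question rather than relying on stale consent.

```javascript
// Added example: consent-gated loading of non-essential tags.
// Not part of the original deck; names and paths below are assumed.

const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const CONSENT_VERSION = '1';               // bump when the cookie policy changes

// Constructed tag registry: each script the site would otherwise load, with
// the category a user consents to. Only "essential" runs without consent.
const TAGS = [
  { id: 'session-login',  category: 'essential' },
  { id: 'analytics',      category: 'analytics' },
  { id: 'ad-retargeting', category: 'advertising' },
];

// Turn a document.cookie style "a=1; b=2" string into a map.
function parseCookieString(cookieStr) {
  const out = {};
  for (const part of cookieStr.split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Returns the Set of consented categories, or null when no valid consent exists
// (cookie absent, unparsable, or recorded under an older policy version).
function readConsent(cookieStr) {
  const raw = parseCookieString(cookieStr)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(raw));
    if (rec.v !== CONSENT_VERSION || !Array.isArray(rec.allow)) return null;
    return new Set(rec.allow.filter(x => typeof x === 'string'));
  } catch (e) {
    return null;
  }
}

// Value to assign to document.cookie when the user submits the consent form.
// Max-Age keeps the choice for a year; SameSite and Secure limit where it travels.
function consentCookieValue(allowedCategories) {
  const payload = encodeURIComponent(JSON.stringify({ v: CONSENT_VERSION, allow: [...allowedCategories] }));
  const oneYear = 60 * 60 * 24 * 365;
  return `${CONSENT_COOKIE}=${payload}; Path=/; Max-Age=${oneYear}; SameSite=Lax; Secure`;
}

// Ids of the tags allowed to run: essential always, others only with consent.
function tagsToRun(tags, consent) {
  return tags
    .filter(t => t.category === 'essential' || (consent !== null && consent.has(t.category)))
    .map(t => t.id);
}

// Browser glue: read the live cookie jar and inject only the permitted scripts.
// Assumes each tag's script is served from /tags/<id>.js on the same origin.
// Returns true when no valid consent exists, i.e. the page should show its banner.
function applyConsent(doc) {
  const consent = readConsent(doc.cookie);
  for (const id of tagsToRun(TAGS, consent)) {
    const s = doc.createElement('script');
    s.src = `/tags/${id}.js`;
    doc.head.appendChild(s);
  }
  return consent === null;
}

// Run automatically in a browser; the pure functions above are usable elsewhere.
if (typeof document !== 'undefined') {
  applyConsent(document);
}
```

Because the analytics tag is never injected before consent, the recorded-visit drop the ICO saw with its own banner is inherent to this design, not a defect of it: a site choosing this option should decide up front whether it can live with analytics covering only the visitors who consented.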
13. How Magus can help
An audit in conjunction with Linklaters will enable you to address the recommendations and provide the basis for your implementation plan. It includes:
Cookies briefing
• Overview of the relevant legislation and its implications for your website
Cookies audit
• Social media widgets known to set cookies
• Flash files which need to be checked for Flash cookies
• Third party domains and scripts known to set cookies
• JavaScript files likely to contain cookies
• Potential web beacons known to set cookies
• Pages not containing a link to a privacy / cookies policy
Report and recommendations
• Key findings
• Advice (e.g. appropriate action could be considered on an enforcement risk-based approach, and potentially an EU wide approach) and recommendations (see table above)
• What you need to do next
Session cookies: These are temporary and last only for the duration of the user’s active visit.
Persistent or tracker cookies: These are stored on the user’s computer and can be accessed again by the domain that set them whenever browser contact is made.
First party cookies: These are set by the website itself (the same domain as in the browser’s address bar).
Third party cookies: These are set by different domains from the one shown on the browser address bar.
In most other European states, however, no national law transposing the Directive has yet been passed, so it’s a “wait and see” situation.
The Information Commissioner’s Office (ICO)
The ICO is the government body responsible for enforcing the new legislation in the UK. They’ve opted for a white box at the top of every page, and it never goes away unless you check the box and click the button to consent to cookies.
Virtues of the solution: It’s accessible (unlike pop-up windows), and prominent.
Problems with this solution: The text assumes you know what cookies are – if you don’t, it’s meaningless. They also don’t tell users what their cookies do – which is to track visitors using Google Analytics. The ICO says on their own website: “Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.” It’s ugly and off-putting. Google Analytics tracking tags are excluded until users tick to give their consent. The result – a 90% drop in recorded visits. Could you live without analytics?
BA
Included a link to their cookies policy on the landing page.
Virtues of the solution: Unobtrusive, and integrated within the existing website navigation. They’ve simply added a link to their cookies policy to a pre-existing site-selection landing page - all users are presented with this page on their first visit to the BA website.
Problems with this solution: If you don’t have JavaScript enabled you won’t be able to view it. It doesn’t specifically request consent. A closer look at the BA cookies policy reveals that it tells visitors rather bluntly that if they don’t accept all their cookies, they can’t use the site – not quite what the legislation is aiming at. Though of course many of their cookies will be “strictly necessary” to the core purpose of the site, and therefore exempt from this legislation. BA clearly don’t want to be doing this and they are making it known!
BBC
Opted to include a “Privacy and cookies” link in its footer navigation. It provides detailed information about the cookies they use, and how to remove them if you want to.
Virtues: Clear, accessible and non-technical.
Problems: It doesn’t address consent.
Info on challenge to UK position on cookie consent: http://www.i-policy.org/2011/07/eu-privacy-watchdogs-contradict-uk-position-on-cookie-consent.html