The Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, known more generally in this context as the new “EU Cookie Law” came into force in the UK on 26th May 2011. The Information Commissioner’s Office (“ICO”) allowed a one-year grace period prior to enforcing the law. As of 26th May 2012, the law is to be enforced by the ICO.
This guide explains the consequences of the new law, its requirements and makes some practical suggestions to aid in compliance.
The Law’s Purpose
Simply put, the EU Cookie Law aims to protect the privacy of internet users. It seeks to ensure that website owners who operate websites within the EU (even if the owners themselves are based outside of the EU) do the following:
1) Inform users about the purpose of the cookies that their website places and stores on users’ computers or devices; and
2) Obtain users’ consent before placing and storing those cookies.
Why Have This Law?
A popular reaction to the new restrictions is to argue that users are free to block cookies using their internet browser settings. This is, of course, true; however, research cited by the ICO seems to indicate that relatively few internet users have knowledge of cookies sufficient to support the assumption that users can effectively manage them alone. Of particular interest is the statistic that 37% of those surveyed did not know how to manage cookies on their computer. Similarly, 37%, whilst aware of the existence of cookies, did not know how they work.
If, therefore, your website does not place any cookies and you have no plans to change this, then you need read no further.
Strictly Necessary or Merely Important?
If your website does place cookies on users’ devices, the next step is to determine the purpose of those cookies. The key determination to be made at this stage is whether or not those cookies are, within the meaning of the law, “strictly necessary”. If a cookie is strictly necessary, no prior consent is needed from users. The definition of “strictly necessary”, however, is a narrow one. A cookie will only be deemed to be “strictly necessary” if it is required to provide a requested service to a user. An example of a strictly necessary cookie, therefore, might be one which enables an online shopping basket to store items.
On the other hand, cookies which simply enhance the user experience of a website but do not form an essential part of the service it provides do not fall within the “strictly necessary” exception. Perhaps surprisingly, this is likely to include cookies which store user preferences and even those which “remember” a user, keeping them logged in to the site the next time they visit.
Yes, believe it or not, you now need to ask for permission before your website can say “welcome back”.
Beyond cookies which form part of the presentation of the website or service to users there are, of course, those which perform services for you – the website owner. Of particular relevance here are those used for analytical purposes. In other cases, advertising on your website may be used to provide a revenue stream. Many forms of internet advertising utilise cookies. Particularly with regard to analytical cookies, you may deem these to be important or even bordering on essential in your provision of services to users. Nevertheless, whilst these cookies may indeed enable you to enhance your business and provide improved offerings to users, they do not fall within the “strictly necessary” category. As is explained in more detail below, non-consensual analytical cookies may not be treated as severely as non-consensual advertising cookies. The fact remains, however, that under the strict letter of the law consent must be obtained.
Based upon guidance provided by the ICO, the following table provides examples of those cookies which are likely to fall within the “strictly necessary” exception and those which are not.
No Consent Required (strictly necessary)
1) A cookie which remembers the contents of an online shopping basket.
2) A cookie which facilitates essential security functions relating to data protection (e.g. those used by online banking services).
3) A cookie which improves website loading times by spreading the workload across multiple computers.
Consent Required (not strictly necessary)
1) A cookie which performs analytical functions ranging from fully-fledged analytics services to simple visit counting.
2) Cookies which form part of advertising services (whether first or third party).
3) A cookie which remembers a user, keeping them logged in to a website.
4) A cookie which stores user preferences for a website.
First Party or Third Party?
Whether a cookie is classified as first party or third party depends upon the website or domain which places the cookie. If your website (and, thus, your domain) places the cookie it will be classed as a first party cookie. If another website (another domain) places the cookie it will be classed as a third party cookie. It is important to be aware that if your service operates across multiple domains and one domain needs to interact with another, the cookie(s) used – although they will still be placed by “you” – would strictly be classed as third party cookies.
The relevance of first vs. third party cookies boils down to responsibility for complying with the law. The party setting a cookie bears the primary responsibility for compliance. This is not to say that third parties must obtain consent for their cookies rather than the website owner; however, that third party must still bear some responsibility for, at the very least, providing appropriate information about its cookies.
If, for example, your website places a first-party analytical cookie, a third-party advertising cookie and, some time later, a first-party shopping basket cookie, it would make practical sense for you to obtain consent for the first two cookies at the same time. The third party advertiser should, arguably, provide some user-friendly information explaining the function of their cookie. This information should be communicated to your users along with information about your first-party cookies.
User consent must be acquired prior to placing all but “strictly necessary” cookies. That consent must be valid and well-informed.
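As an added illustration of the two points above (first- versus third-party classification, and consent before any non-essential cookie is placed), the following JavaScript is not part of the original guide. It keeps a registry of the cookies a site intends to set, classifies each by comparing the setting host with the page host, and refuses to write anything outside the "necessary" category until the user has consented to that category. The cookie names, hosts and categories (shop.example, ads.example-network, _ga, ad_id and so on) are assumptions chosen for the example, and an in-memory Map stands in for document.cookie so the code runs offline.

```javascript
// Added example, not from the original guide. All cookie names, hosts and
// categories are assumptions; "necessary" is the only category the article
// says may be set without prior consent.
const COOKIE_REGISTRY = {
  basket:   { category: "necessary",   host: "shop.example" },
  _ga:      { category: "analytics",   host: "shop.example" },
  ad_id:    { category: "advertising", host: "ads.example-network" },
  remember: { category: "preferences", host: "shop.example" },
};

// A cookie is first-party only when the host setting it is the page's own
// host. Any other host is third-party, even one run by the same operator.
function classifyParty(pageHost, cookieHost) {
  return pageHost.toLowerCase() === cookieHost.toLowerCase()
    ? "first-party"
    : "third-party";
}

class ConsentGate {
  constructor(pageHost) {
    this.pageHost = pageHost;
    this.jar = new Map();       // stands in for document.cookie (assumption)
    this.consented = new Set(); // categories the user has agreed to
    this.blocked = [];          // audit trail of refused writes
  }

  grant(...categories) {
    for (const c of categories) this.consented.add(c);
  }

  // Withdrawing consent also deletes cookies already set in that category.
  revoke(category) {
    this.consented.delete(category);
    for (const name of [...this.jar.keys()]) {
      const meta = COOKIE_REGISTRY[name];
      if (meta && meta.category === category) this.jar.delete(name);
    }
  }

  // Returns true if the cookie was written, false if consent was missing.
  setCookie(name, value) {
    const meta = COOKIE_REGISTRY[name];
    if (!meta) {
      // An undocumented cookie cannot be explained to users, so refuse it.
      throw new Error(`cookie not in registry: ${name}`);
    }
    const allowed =
      meta.category === "necessary" || this.consented.has(meta.category);
    if (!allowed) {
      this.blocked.push({
        name,
        category: meta.category,
        party: classifyParty(this.pageHost, meta.host),
      });
      return false;
    }
    this.jar.set(name, value);
    return true;
  }

  // The information users must be given: what each cookie is for, who sets
  // it, and whether it needs consent.
  disclosure() {
    return Object.entries(COOKIE_REGISTRY).map(([name, meta]) => ({
      name,
      category: meta.category,
      party: classifyParty(this.pageHost, meta.host),
      consentRequired: meta.category !== "necessary",
    }));
  }
}

// Walk through a visit: before consent only the basket cookie lands; once the
// user accepts analytics that cookie is written; revoking removes it again.
function demo() {
  const gate = new ConsentGate("shop.example");
  const names = Object.keys(COOKIE_REGISTRY);
  const beforeConsent = names.filter((n) => gate.setCookie(n, "1"));
  gate.grant("analytics");
  const analyticsWritten = gate.setCookie("_ga", "GA1.2.0");
  const afterConsent = [...gate.jar.keys()];
  gate.revoke("analytics");
  const afterRevoke = [...gate.jar.keys()];
  return {
    beforeConsent,
    blockedCount: gate.blocked.length,
    analyticsWritten,
    afterConsent,
    afterRevoke,
    disclosure: gate.disclosure(),
  };
}
```

One caveat the gate cannot solve on its own: a genuinely third-party cookie such as the advertising one is normally set by the third party's own HTTP response, not by your script, so the only effective control is to withhold that party's tag or script until the matching consent has been granted. The gate's registry and disclosure() output are still useful there, since they are the basis for the information you must show users about each cookie regardless of who sets it.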
Interestingly, the law states that the way in which a user’s browser settings are set may be sufficient to indicate consent to the placing of cookies:
“consent may be signified by a [user] who amends or sets controls on the internet browser which the [user] uses or by using another application or program to signify consent.”
At present, however, the ICO argues that most browser settings are not sufficiently sophisticated to justify a website owner implying consent from them. Guidance from the ICO assures us that:
“[the] Government is working with the major browser manufacturers to establish which browser level solutions will be available and when.”
The degree to which the government is, in fact, “working with browser manufacturers” has not been made clear and since all mainstream browsers already offer a reasonable degree of control over cookies we are moved to wonder whether this assurance is, in fact, little more than an attempt to pacify unhappy website owners.
Whether the government is working with browser manufacturers or not, browser settings will not, for the time being at least, be sufficient to infer consent.
Before looking at consent itself, it is important first to deal with informing users about cookies. Many websites already provide basic information about cookies in their privacy policies, but now that information must (in many cases) be improved both in terms of its content and its visibility.
The information provided to users should enable them to fully understand and appreciate the functions of the various cookies placed by a website and the consequences to the user of allowing the placing of those cookies. Particularly in the case of cookies such as those which provide useful information to website owners, such as web analytics cookies, it is also worth considering explaining the consequences of the user not allowing the placing of the cookies. Such an explanation should, of course, be reasonably neutral in nature and retain a positive stance rather than a negative one. It would, therefore, be preferable to say something like:
“By tracking your movement and activity around our website using analytics cookies we are able to better understand our customers and continually improve our services.” as opposed to:
“If you do not accept our analytical cookies we will not be able to improve our services as we will not be able to track your movement and activity.”