E: firstname.lastname@example.org T: 01392 690072
The Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, known more generally in this context as the new “EU Cookie Law” came into force in the UK on 26th May 2011. The Information Commissioner’s Office (“ICO”) allowed a one year grace period prior to enforcing the law. As of 26th May 2012, the law is to be enforced by the ICO.
This guide explains the consequences of the new law, its requirements and makes some practical suggestions to aid in compliance.
The Law’s Purpose
Simply put, the EU Cookie Law aims to protect the privacy of internet users. It seeks to ensure that website owners who operate websites within the EU (even if the owners themselves are based outside of the EU) do the following:
1) Inform users about the purpose of the cookies that their website places and stores on users’ computers or devices; and
2) Obtain users’ consent before placing and storing those cookies.
Why Have This Law?
A popular reaction to the new restrictions is to argue that users are free to block cookies using their internet browser settings. This is, of course, true; however research cited by the ICO seems to indicate that relatively few internet users have knowledge of cookies sufficient to support the assumption that users can effectively manage them alone. Of particular interest is the statistic that 37% of those surveyed did not know how to manage cookies on their computer. Similarly, 37%, whilst aware of the existence of cookies, did not know how they work.
If, therefore, your website does not place any cookies and you have no plans to change this then you need read no further.
Strictly Necessary or Merely Important?
If your website does place cookies on users’ devices, the next step is to determine the purpose of those cookies. The key determination to be made at this stage is whether or not those cookies are, within the meaning of the law, “strictly necessary”. If a cookie is strictly necessary, no prior consent is needed from users. The definition of “strictly necessary”, however, is a narrow one. A cookie will only be deemed to be “strictly necessary” if it is required to provide a requested service to a user. An example of a strictly necessary cookie, therefore, might be one which enables an online shopping basket to store items.
On the other hand, cookies which simply enhance the user experience of a website but do not form an essential part of the service it provides do not fall within the “strictly necessary” exception. Perhaps surprisingly, this is likely to include cookies which store user preferences and even those which “remember” a user, keeping them logged in to the site the next time they visit.
Yes, believe it or not, you now need to ask for permission before your website can say “welcome back”.
Beyond cookies which form part of the presentation of the website or service to users there are, of course, those which perform services for you – the website owner. Of particular relevance here are those used for analytical purposes. In other cases, advertising on your website may be used to provide a revenue stream. Many forms of internet advertising utilise cookies. Particularly with regard to analytical cookies, you may deem these to be important or even bordering on essential in your provision of services to users. Nevertheless, whilst these cookies may indeed enable you to enhance your business and provide improved offerings to users, they do not fall within the “strictly necessary” category. As is explained in more detail below, non-consensual analytical cookies may not be treated as severely as non-consensual advertising cookies. The fact remains, however, that under the strict letter of the law consent must be obtained.
Based upon guidance provided by the ICO, the following table provides examples of those cookies which are likely to fall within the “strictly necessary” exception and those which are not.
No Consent Required (likely to be “strictly necessary”):
A cookie which remembers the contents of an online shopping basket.
A cookie which facilitates essential security functions relating to data protection (e.g. those used by online banking services).
A cookie which improves website loading times by spreading the workload across multiple computers.
Consent Required (not “strictly necessary”):
A cookie which performs analytical functions ranging from fully-fledged analytics services to simple visit counting.
Cookies which form part of advertising services (whether first or third party).
A cookie which remembers a user, keeping them logged in to a website.
A cookie which stores user preferences for a website.
First Party or Third Party?
Whether a cookie is classified as first party or third party depends upon the website or domain which places the cookie. If your website (and, thus, your domain) places the cookie it will be classed as a first party cookie. If another website (another domain) places the cookie it will be classed as a third party cookie. It is important to be aware that if your service operates across multiple domains and one domain needs to interact with another, the cookie(s) used – although they will still be placed by “you” – would strictly be classed as third party cookies.
The relevance of first vs. third party cookies boils down to responsibility for complying with the law. The party setting a cookie bears the primary responsibility for compliance. This is not to say that third parties must obtain consent for their cookies rather than the website owner; however that third party must still bear some responsibility for, at the very least, providing appropriate information about its cookies.
If, for example, your website places a first-party analytical cookie, a third-party advertising cookie and, sometime later, a first-party shopping basket cookie, it would make practical sense for you to obtain consent for the first two cookies at the same time. The third party advertiser should, arguably, provide some user-friendly information explaining the function of their cookie. This information should be communicated to your users along with information about your first-party cookies.
User consent must be acquired prior to placing all but “strictly necessary” cookies. That consent must be valid and well informed.
Interestingly, the law states that the way in which a user’s browser settings are set may be sufficient to indicate consent to the placing of cookies:
“consent may be signified by a [user] who amends or sets controls on the internet browser which the [user] uses or by using another application or programme to signify consent.”
At present, however, the ICO argues that most browser settings are not sufficiently sophisticated to justify a website owner implying consent from them. Guidance from the ICO assures us that:
“[the] Government is working with the major browser manufacturers to establish which browser level solutions will be available and when.”
The degree to which the government is, in fact, “working with browser manufacturers” has not been made clear and since all mainstream browsers already offer a reasonable degree of control over cookies we are moved to wonder whether this assurance is, in fact, little more than an attempt to pacify unhappy website owners.
Whether the government is working with browser manufacturers or not, browser settings will not, for the time being at least, be sufficient to infer consent.
Before looking at consent itself, it is important first to deal with informing users about cookies. Many websites already provide basic information about cookies in their privacy policies, but now that information must (in many cases) be improved both in terms of its content and its visibility.
The information provided to users should enable them to fully understand and appreciate the functions of the various cookies placed by a website and the consequences to the user of allowing the placing of those cookies. Particularly in the case of cookies such as those which provide useful information to website owners, such as web analytics cookies, it is also worth considering explaining the consequences of the user not allowing the placing of the cookies. Such an explanation should, of course, be reasonably neutral in nature and retain a positive stance rather than a negative one. It would therefore be preferable to say something like:
“By tracking your movement and activity around our website using analytics cookies we are able to better understand our customers and continually improve our services.”
as opposed to:
“If you do not accept our analytical cookies we will not be able to improve our services as we will not be able to track your movement and activity around our website and therefore will not be able to understand you.”
Put simply, explain that “by accepting our cookies you enable us to serve you better”, rather than explaining that “if you don’t accept our cookies our service will be poor and we won’t like you”.
In addition to explaining the functions and benefits of the specific cookies placed by your website it is advisable to include in your information a broader explanation of what cookies are and what they actually do. The sudden presence of a pop-up explaining to users that they must give consent for a website to place cookies for privacy reasons may unnerve those who do not understand what a cookie is. A clear, user-friendly explanation of cookies and their raison d’être will go some way toward reassuring users that your cookies are perfectly safe and that their presence will, in fact, benefit the user.
There are various methods which could be used for obtaining consent to place cookies and, possibly, also for providing information about them. Depending upon the function, purpose and design of a website, some methods will be more suitable than others. The key factor in any case is to strike a balance between minimising intrusion on the user experience on the one hand and providing sufficient information in order to obtain informed consent on the other.
Various suggestions for methods of providing information and obtaining consent are shown below.
Option 1: Splash Screen
Some websites use splash screens or “welcome pages” to provide for options such as language choices. Others, particularly with age sensitive content, use them for age verification. A splash screen could therefore be used to provide information about cookies and to obtain consent to place them.
The problem with splash screens, however, is that they are not in widespread use on modern websites and may make a site appear out of date. Moreover, splash screens can be bad both for the user experience and for SEO. At best, acceptance of the screen’s information and the granting of consent to place cookies should ensure that the screen (by way of a cookie!) does not appear to a particular user again unless they erase the relevant cookie.
Option 2: Pop Up
A simple pop-up message or window can be used in order to convey information to users and to request permission to place cookies.
Like the splash screen, a pop-up will effectively force users to pay attention to its content and requires some user interaction to dismiss it (whether by agreeing or disagreeing to the placement of cookies, for example). In extreme cases, the website behind a pop-up message may be effectively disabled until the user acknowledges the pop-up.
Some pop-ups, however, particularly those that utilise new browser windows, can be easily blocked by internet browsers and are also particularly intrusive and detrimental to the user experience. Pop-up messages should be used with caution and may not be suitable for many types of website. As with the splash screen, the granting of permission should also place a cookie ensuring that the pop-up does not bother users again unless they clear their cookies.
Option 3: Header or Footer Bar
Particularly if placed at the head of a website, this method will be almost as noticeable as a pop-up but much less intrusive. The header bar seems to be the method preferred by the ICO and is, in fact, used on its own website.
Option 4: Settings or Feature-led Consent
A further option may be more attractive where a website does not require cookies from the outset but only where users wish to use certain features. Those features may include personalised greetings when logging in, the display of tailored information or visual customisation.
Consent could be obtained at the time that a user wishes to make such choices. Before checking a box or clicking a button to remember their settings or preferences, users could be presented with a message explaining that such features require the placing of cookies and a checkbox to indicate that they accept those cookies.
In many cases, sites with such features require users to create an account and to log in in order to obtain a tailored user experience. As such, this option could be used as an alternative to option 5 below (or indeed vice-versa) or in combination with it.
Option 5: Terms and Conditions
This approach, of course, can be easily applied to new users of a website but existing users will have already accepted the terms and conditions. Prior acceptance of newly altered terms and conditions will not be sufficient. Existing users must therefore be informed of the change and required to once again accept the terms and conditions. Perhaps the simplest way to achieve this is to require acceptance of the new terms and conditions at the time of logging in – thus requiring acceptance prior to using the website.
As it will generally not be possible to use a website without accepting terms and conditions (or at least not one which requires users to have an account and to log in), this option could, if not used with care, effectively force users to accept cookies. The information contained within the terms and conditions should, therefore, provide details of how to opt out. Opting out could be achieved through multiple “accept” checkboxes (e.g. “I accept these terms and conditions and allow www.yourwebsite.co.uk to place cookies” or “I accept these terms and conditions but do not allow www.yourwebsite.co.uk to place cookies”). Alternatively, users could be given information on how to block cookies at the internet browser level; however as different browsers’ settings work in different ways, this may not be the most efficient method in this case as considerable detail would be required which could overwhelm users and the remainder of the terms and conditions.
Certain methods which may be chosen for the obtaining of consent may not require user interaction in order to allow users to continue using the website. Option 3, for example, could go untouched and users could simply proceed to use and explore the site. Whilst methods of this kind are among the least intrusive and will not unduly hinder the user experience, they may result in many users simply ignoring the request for consent. In such cases, it may be permissible to infer consent and to begin placing cookies as soon as a user navigates onward to another page. In such circumstances, however, it is advisable to remind users that, although you are now setting cookies, they were asked for permission and may still opt out. ICO guidance suggests using a similar header or footer bar to this effect.
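For the header bar of Option 3 and the feature-led consent of Option 4, the gating logic below is an added example and not code from this guide: it holds back every cookie that is not “strictly necessary” until a decision is recorded in a first-party consent cookie (name cookie_consent assumed), treats consent inferred from onward navigation as a distinct state that triggers the reminder bar, and removes the held-back cookies again if the user opts out. The cookie catalogue is a constructed three-entry sample, and document.cookie is modelled as an in-memory store so the code runs outside a browser.

```javascript
// Added example (not from the original guide): a consent gate for the header-bar
// approach. The cookie store is modelled as a document.cookie-style string so this
// runs in Node; in a browser pass { read: () => document.cookie, write: s => { document.cookie = s; } }.
const CONSENT_COOKIE = "cookie_consent"; // assumed first-party consent cookie name

// Constructed site cookie catalogue, classified as the guide describes.
const COOKIE_POLICY = {
  basket: { strictlyNecessary: true },       // shopping basket: no consent needed
  analytics: { strictlyNecessary: false },   // analytics: consent needed
  remember_me: { strictlyNecessary: false }, // "welcome back" login: consent needed
};

// In-memory stand-in for document.cookie: read() returns "a=1; b=2";
// write("name=value; ...attrs") sets one cookie, max-age=0 deletes it.
function memoryJar() {
  const store = new Map();
  return {
    read: () => [...store].map(([k, v]) => `${k}=${v}`).join("; "),
    write: (s) => {
      const [pair, ...attrs] = s.split(";").map((p) => p.trim());
      const [name, value] = pair.split("="); // values here contain no "="
      if (attrs.some((a) => a.toLowerCase() === "max-age=0")) store.delete(name);
      else store.set(name, value);
    },
  };
}

function parseCookies(str) {
  const out = {};
  for (const part of str.split(";")) {
    const [k, v] = part.trim().split("=");
    if (k) out[k] = v;
  }
  return out;
}

class ConsentGate {
  constructor(jar) { this.jar = jar; }
  // "granted" | "refused" | "inferred" (user navigated on without answering) | "unknown"
  state() { return parseCookies(this.jar.read())[CONSENT_COOKIE] || "unknown"; }
  record(decision) {
    this.jar.write(`${CONSENT_COOKIE}=${decision}; path=/; max-age=31536000; SameSite=Lax`);
    if (decision === "refused") { // opting out: remove what consent had allowed
      for (const [name, p] of Object.entries(COOKIE_POLICY))
        if (!p.strictlyNecessary) this.jar.write(`${name}=; path=/; max-age=0`);
    }
  }
  // Returns true if the cookie was set, false if held back pending consent.
  trySet(name, value) {
    const policy = COOKIE_POLICY[name];
    if (!policy) throw new Error(`cookie "${name}" is not in the catalogue`);
    const allowed = policy.strictlyNecessary || ["granted", "inferred"].includes(this.state());
    if (allowed) this.jar.write(`${name}=${value}; path=/; SameSite=Lax`);
    return allowed;
  }
  // The reminder bar the guide suggests is due only while consent is merely inferred.
  reminderDue() { return this.state() === "inferred"; }
}
```

Every call that would set a cookie goes through trySet, so an unclassified cookie fails loudly rather than slipping past the gate.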
Cookies of this kind may be first party or third party. Regardless of the domain from which the cookie is issued, however, it may not always be practical to obtain users’ consent to the placing of such cookies before they are set. Every effort should be made to obtain prior consent; however if this does not prove to be possible, users should be fully informed of the cookies and their functions at the earliest possible opportunity.
You may, for example, wish to use a header bar similar to the one illustrated above which is triggered by the arrival of a user from a sponsored search result. Rather than requesting permission to set the necessary cookies (as it may already be too late), the bar should inform the user of the setting of those cookies and provide information (or a link thereto) on how to remove them and block them in the future should they so wish. As noted above, cookies of this type will most likely be of considerable value to your business. Whilst you must inform users of their right to remove and block them, your explanation of their purpose and function should also make it clear to users that they will do no harm and will, in fact, assist you in improving your business which will ultimately benefit your customers.
Not all advertising and analytics cookies will function in this way and in many cases you may still be able to obtain prior consent to place them. Wherever this is possible, this is the method that should be used.
It is interesting to observe that the ICO’s guidance, whilst emphasising that analytics cookies do not qualify as “strictly necessary”, does note that “it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals”. This is clearly a reference to analytics cookies. Notwithstanding this reassurance, however, it is strongly advisable to provide your users with detailed information about all cookies placed by your website – analytics included – and, where practical and possible, to seek consent or at least provide the option to opt out.
Third Parties and Data Protection
Whether data is shared with third parties or not, however, the principles and provisions of the Data Protection Act 1998 should be kept in mind. Where any personal data is gathered by cookies it must be processed and held in accordance with the Data Protection Act.
Enforcement and Penalties
Enforcement of the EU Cookie Law is the responsibility of the ICO. There are a number of formal actions which may be pursued against website owners that fail or refuse to comply with the new rules:
1) Information Notice: A notice requiring organisations to provide certain specified information to the Information Commissioner within a specified period.
2) Undertaking: A requirement that an organisation take certain specified actions to improve its compliance.
3) Enforcement Notice: A notice compelling an organisation to take specified actions to improve its compliance.
4) Monetary Penalty Notice: A fine for non-compliance determined by the ICO which may reach a maximum level of £500,000. This measure is used in more serious cases.
It is important to note that the ICO will have a degree of discretion as to how these enforcement measures and penalties are applied and, in the words of the ICO, the approach taken will be “practical and proportionate”. A first-party analytics cookie placed without users’ knowledge or consent would, therefore, not be treated with the same severity as a third-party advertising cookie that harvested personal data.
Many website owners are unhappy about the new EU Cookie Law and argue that nobody particularly complains about cookies. In part, the lack of complaint may result from the low levels of awareness of cookies and their functions amongst users.
There can be no denying that a certain level of work is now required of website owners in order to comply with the new rules and that in some cases this work will represent an unwelcome burden.
Nevertheless, the new rules have honourable roots in seeking to increase and protect individuals’ rights to privacy and in seeking to improve the education and understanding of internet users as a whole.
Moreover, perhaps by increasing levels of awareness, understanding and acceptance among users today, we will be able to place sufficient faith in the knowledge held by tomorrow’s users to ensure that pop-ups, headers, footers and splash screens need only be a temporary intrusion into the carefully constructed user experiences of our websites.