Cookies and European Union Law

Reactive's whitepaper on Cookies and European Law
Reactive

Cookies & EU Law
Introduction

The European Union’s E-Privacy Directive is concerned with privacy and the confidentiality of information. One of the main targets of the legislation has been website cookies. This document examines what the new law says, its implications and possible solutions. The purpose of this document is to provide an introduction to the general issues surrounding this area of law rather than to form the basis of legal advice for a specific company or website.
1 What are cookies?

Cookies are small files which sit on a user’s computer. There are different types of cookies and they are used for a wide range of purposes: storing login information so the user can enter and leave a site without having to re-enter the same authentication over and over, saving information about a user’s activities so users can pick up where they left off, storing ordering information for shopping carts, analytics that can improve website usability, saving user preferences and lots of other things that users find useful.

Cookies can, however, be used for malicious purposes. Because they store information about a user’s browsing preferences and history, cookies can be used as a form of spyware.

2 What is the EU law on cookies?

Before we can explain what the law is we need to understand what an EU Directive is. An EU Directive is a legislative Act which requires Member States to achieve a particular result without dictating the means of achieving that result. This means that the individual governments of the 27 Member States have the freedom to interpret and implement the Directive differently. So, the rules in different countries can be stricter than required or phrased differently; they must simply achieve the result that the Directive seeks to dictate. (For example, the Dutch Government has made it so that websites must be able to prove that users have given consent, whereas the British Government has no such condition.)

What does the EU Directive on E-Privacy say?

“Member States shall ensure that the storing of information or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information... about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” Directive 2002/58, Article 5(3).

What does that mean for cookies?

Essentially it means that cookies can only be placed on machines where the user has given their consent. The only exception to this rule is if the cookie is “strictly necessary” for a service “explicitly requested” by the user. This exception is narrow but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks “add to the basket”, your site remembers what they chose once they get to the checkout. You would not need to get consent for this type of activity.
3 What does the new EU law mean for websites?

Which websites are affected?

The new law affects any website which has users in the EU. It does not matter where the website is hosted.

What will websites have to do in order to be compliant?

That is the big question, and the answer is not entirely clear yet. There is a whole section dedicated to possible solutions. One bit of good news is that once consent has been given it does not have to be obtained on subsequent visits.

How will the law be enforced?

There are two ways that a user’s rights may be enforced:

1. Firstly, action can be taken by the information commissioner in a particular country. In this instance the aggrieved individual makes a complaint to the information commissioner. The information commissioner is obliged first of all to seek an amicable resolution between the parties. If this is not possible then the commissioner can make a decision on the case and impose a fine. The maximum fine varies between countries.

2. Secondly, in most countries an individual who has suffered damages as a result of a breach can bring a claim for damages against the person who committed the breach. There is a defence of reasonable care against such a claim. So, for example, if the use of cookies results in someone’s bank details being obtained by a third party, there may be a financial loss and a right of action.

4

One of the most complicating factors of this law is that it is not clear what is expected of website owners. As of December 2011 the vast majority of websites have not implemented the changes that the legislation appears to require. Below are some of the solutions proposed:

a. Screen prompts: Of the few websites that have tried to lead on compliance, screen prompts have been the most popular route. These amount to pop-ups or banners that explain broadly what the cookies are used for and why.

Example: The Information Commissioner’s Office, UK

“On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.”

I accept cookies from this site

There is a fear that such measures will mean websites become more static, less personal and ultimately less user-friendly if they go down a similar route. If users are presented with permission pop-ups for every site they visit, the user experience could become very frustrating!
b. Obtaining consent through explicit acceptance of terms and conditions: Where users open an account or sign in to use services, additional terms about cookie usage could be included. The user must be given specific information about what they are agreeing to and be provided with a way to show their acceptance. This is most commonly obtained by asking the user to tick a box to indicate that they consent to the new terms.

c. Settings-led consent: Some cookies are deployed when a user makes a choice about how the site works for them. In these cases, consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work.

d. Feature-led consent: Some objects are stored when a user chooses to use a particular feature of the site, such as watching a video clip, or when the site remembers what they have done on previous visits in order to personalise the content the user is served.

e. Browsers: The big hope is that browsers can make changes to allow greater control over cookies and in effect do the consenting for all the websites users visit through them. This is certainly the easiest solution for website owners. But don’t hold your breath! The mostly US-based browser companies make a huge amount of money from behavioural advertising. Mozilla gets almost all its income from advertisers, with nearly 90% from Google alone. At the moment most browsers will, by default, accept cookies, so it is not, at present, realistic to rely on a user’s browser settings to gain the necessary consent. Browser companies will come under increased pressure to make this a tenable option.

f. Opportunities for start-ups: Necessity is the mother of invention and some companies have already spotted the cookie laws as an opportunity to make money. CookieQ are one such company. Their solution involves websites signing up and using a button provided by them. Users can manage their cookie permissions in one trusted place.

5 What should websites do?

There is a lot of confusion as to what is expected of websites. Companies are understandably reluctant to invest money in making changes when there is the hope that such changes will be unnecessary. Governments understand this situation too and are taking a phased approach. For example, in the UK the provisions were meant to come into force in May 2011, but at the last minute companies were given another year to get their houses in order. To date there has not been much progress despite the delay.

Even though the cookie laws are in a state of drift and confusion, there are certain things that all website owners can (and probably should) start doing now. Information Commissioners have made it clear that they will treat companies who have considered the issues and have a policy on cookies more leniently than those who avoid making any changes to current practice. It is therefore recommended that websites as a minimum take the following steps:

  • Check what type of cookies and similar technologies they use and how they use them.
  • Assess how intrusive their use of cookies is.
  • Consider what solutions might be best in their particular circumstances.
  • Seek to inform and educate their users about what cookies they use and why they use them.
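The consent routes described above (a screen prompt that records acceptance, the “strictly necessary” exemption for basket and session cookies, and consent that is not sought again on later visits) come down to one rule in a site’s own client-side code: do not write a non-essential cookie until the user’s recorded consent says you may. The JavaScript below is an added example written for this document; it is not code from the whitepaper, from Reactive, or from CookieQ. The cookie names session_id, basket, cookie_consent and analytics_id, the MemoryCookieJar test double and the ConsentManager class are all constructed for illustration.

```javascript
// Added example (not from the whitepaper): gate cookie writes on the user's recorded
// consent. Only names on the "strictly necessary" list are written before consent;
// everything else is refused until the user accepts, and revoking consent expires the
// non-essential cookies that were set. Names (session_id, basket, cookie_consent,
// analytics_id) and the MemoryCookieJar test double are constructed for illustration.

const CONSENT_COOKIE = 'cookie_consent';   // records the user's choice
const ONE_YEAR = 365 * 24 * 60 * 60;        // Max-Age in seconds

// Parse a document.cookie style string ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(';')) {
    const p = part.trim();
    const eq = p.indexOf('=');
    if (!p || eq < 0) continue;
    out[decodeURIComponent(p.slice(0, eq))] = decodeURIComponent(p.slice(eq + 1));
  }
  return out;
}

// Build the string assigned to document.cookie. Max-Age=0 deletes the cookie.
function buildSetCookie(name, value, { maxAge, path = '/', secure = false, sameSite = 'Lax' } = {}) {
  let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=${path}; SameSite=${sameSite}`;
  if (maxAge !== undefined) s += `; Max-Age=${maxAge}`;
  if (secure) s += '; Secure';
  return s;
}

// In-memory stand-in for document.cookie so the logic can run outside a browser.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  read() { return [...this.store].map(([k, v]) => `${k}=${v}`).join('; '); }
  write(setCookie) {
    const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const maxAge = attrs.find((a) => a.toLowerCase().startsWith('max-age='));
    if (maxAge !== undefined && Number(maxAge.split('=')[1]) <= 0) {
      this.store.delete(name);               // browser semantics: expire immediately
    } else {
      this.store.set(name, pair.slice(eq + 1));
    }
  }
}

class ConsentManager {
  // jar: { read(), write(str) }; essential: names exempt as "strictly necessary"
  constructor(jar, essential) {
    this.jar = jar;
    this.essential = new Set(essential);
  }
  cookies() { return parseCookieHeader(this.jar.read()); }
  // Consent is persisted, so a returning user is not prompted again.
  hasConsent() { return this.cookies()[CONSENT_COOKIE] === 'yes'; }
  grant() { this.jar.write(buildSetCookie(CONSENT_COOKIE, 'yes', { maxAge: ONE_YEAR })); }
  // Withdraw consent: expire every non-essential cookie, including the consent record.
  revoke() {
    for (const name of Object.keys(this.cookies())) {
      if (!this.essential.has(name)) this.jar.write(buildSetCookie(name, '', { maxAge: 0 }));
    }
  }
  // Returns true if the cookie was written, false if it was withheld pending consent.
  setCookie(name, value, opts = {}) {
    if (!this.essential.has(name) && !this.hasConsent()) return false;
    this.jar.write(buildSetCookie(name, value, opts));
    return true;
  }
}

// Lifecycle walk-through: essential cookie allowed, analytics refused, then accepted
// after the banner is clicked, then removed again when consent is withdrawn.
function demo() {
  const jar = typeof document !== 'undefined'
    ? { read: () => document.cookie, write: (s) => { document.cookie = s; } }
    : new MemoryCookieJar();
  const cm = new ConsentManager(jar, ['session_id', 'basket']);
  const beforeConsent = {
    session: cm.setCookie('session_id', 'abc123'),    // true: strictly necessary
    analytics: cm.setCookie('analytics_id', 'u-42'),  // false: needs consent
  };
  cm.grant();                                         // user clicked "I accept"
  const afterConsent = cm.setCookie('analytics_id', 'u-42');   // true
  cm.revoke();
  const afterRevoke = cm.cookies();                   // session_id survives, analytics_id gone
  return { beforeConsent, afterConsent, afterRevoke };
}
```

Two caveats a practitioner should carry over from this. First, script on the page cannot see HttpOnly cookies and does not control cookies the server sets in its own Set-Cookie headers, so the server must apply the same check (read cookie_consent before emitting anything non-essential). Second, third-party scripts such as analytics or advertising tags set their own cookies the moment they load, so the gate has to sit in front of loading those scripts, not only in front of your own setCookie calls.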
Further Reading

http://www.malcolmcoles.co.uk/blog/eu-cookie-law-examples-of-sites-already-implementing-it/
http://blogs.computerworlduk.com/management-briefing/2011/09/businesses-risk-crumbling-without-better-eu-cookie-law-guidance/index.htm
http://blog.baycloudsystems.com/journal/2011/9/13/an-opt-in-cookie-policy-is-good-for-consumers-and-brands.html
http://www.francisdavey.co.uk/2011/05/restraining-cookies-new-privacy-rules.html

About Reactive

Reactive is an award-winning digital agency specialising in strategy, creative, technology and marketing, with over 90 staff across our five offices in Melbourne, Sydney, New York, London and Auckland. Please contact us to discuss your online communication requirements.

Melbourne: Ph +61 (0)3 9415 2333, Fax +61 (0)3 9415 2399, Email melbourne.enquiries@reactive.com
Sydney: Ph +61 (0)2 9339 1001, Fax +61 (0)2 9380 4787, Email sydney.enquiries@reactive.com
New York: Ph +1 (917) 655 8790, Email us.enquiries@reactive.com
London: Ph +44 (0)20 7550 8200, Fax +44 (0)20 7550 8254, Email uk.enquiries@reactive.com
Auckland: Ph +64 (0)9 309 5696, Email nz.enquiries@reactive.com