EU Cookie Directive Report On Compliance In The UK And Ireland


Published on

EU Cookie Directive - research into compliance in the UK and Ireland - original document at

Published in: Technology
1 Comment
  • This research was undertaken in June 2012, to asses compliance to the EU's Cookie Directive (2009/136/EC) across high-traffic websites in both Ireland and the UK.

    The study assessed cookie-related information provided to site users in relation to the legislation requirements, assessing factors such as information provision, location, accessibility, information comprehensiveness, and approaches to user consent.
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

EU Cookie Directive Report On Compliance In The UK And Ireland

  1. 1. White Paper: EU Cookie Directive - A User-Driven Assessment of Online Compliance in the UK and Ireland UK and Ireland EU Cookie Directive: A User-Driven Assessment of Online Compliance in the
  2. 2. AbstractThis paper discusses research by Espion Group into the current state of EU Cookie Directive compliance amongprominent UK and Irish websites. The findings clearly indicate that there is still great variation in treatment of thedirective. While some sites have taken a proactive and responsive approach to the legislation, a larger majority ofthose assessed have yet to comply in a clear and explicit manner. Also, it is clearly evident that UK-based websitesare achieving higher standards of compliance to this directive than corresponding Irish websites at present.EU Cookie Directive - Background and ContextThe 2003 Privacy and Electronic Communications (EC Directive) Regulations (2002/58/EC) cover the use ofcookies and similar technologies for storing and accessing electronic information on computers, mobile devices andsimilar equipment. A follow-up 2009 Directive (2009/136/EC) amended this directive to require website owners toobtain consent when storing cookies on a user’s or subscriber’s device.Governments across Europe were originally given until 25th May 2011 to transpose these changes into their ownlaw. The Irish government introduced corresponding legislation alongside several other EU member states on 1stJuly 2011 - this is reflected in Section 6 of the Data Protection Commissioner’s guidance note here. The UKgovernment introduced similar amendments, but website owners were given an additional 12 month period to 25thMay 2012 to comply to guidelines issued by the UK Information Commissioner’s Office (ICO).Legislation OverviewKey phrasing from both the transposing UK and Irish legislation includes:“A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or userunless the requirements of paragraph (2) are met.....(2) The requirements are that the subscriber or user of that terminal equipment- (a) is provided with clear andcomprehensive information about the purposes of the storage of, or access to, that information; and... (b) has givenhis or her consent”The Irish Data Commissioner’s Guidance Notes adds that this “clear and comprehensive” information should be“prominently displayed”, “clearly accessible”, and “as user friendly as possible”. It also requires that there is “clearcommunication to the user as to what s/he was being asked to consent to and a means of giving or refusingconsent to any information being stored or retrieved”.While most of the discussion has focussed on the standard website context, the legislation also extends to cover“other situations where information is placed on, or retrieved from, terminal equipment” - mobile applications beinganother example.Stakeholder Reaction to LegislationReaction to the legislation among EU-based website owners and technology commentators has indicated muchuncertainty and confusion around handling it in practice. While the directive indicates desired objectives, it is feltamong many that little clarity or guidance is offered with respect to how to comply, particularly at a national level -as well as having a clear set of standards and metrics to determine when a site is compliant. EU Cookie Directive: A User-Driven Assessment of Online Compliance in the UK and Ireland Page | 1
  3. 3. There is also conflict around the perspective of website users - while privacy legislators are intent on increasinguser awareness around use and storage of cookie-related information, site owners claim to have experienced littleor no complaints or issues from patrons, and hence are questioning the necessity of such legislation.There are also questions around jurisdiction - for example, do non-EU corporations need to comply for within-EUsite sub-domains? Or does consent have to be gained from site users based outside the EU? In particular, thetechnical implications around what can be regarded as user consent to cookie use and storage is still a gray area.For example, some argue that requiring upfront prior consent via pop-up dialogs would impact negatively on siteuptake and use, as well as being technically difficult due to the fact that some cookies (e.g. analytics cookies) havealready loaded prior to users accessing the home landing page and agreeing to, or rejecting the consent message.Despite these uncertainties among others, fines for non-compliance are severe - for example UK regulators canenforce fines of up to GBP£500,000 for failing to comply.Phased Enforcement and ImplementationWhile a stated legal yardstick exists, policy developers at EU and national levels have stressed that cookie-relatedcompliance is a moving process, and hence should also involve a continued, phased campaign of improvements incookie-related policy enforcement over time, driving corresponding refinements and improvements in websites andapplications by technology stakeholders.As mentioned, an important overarching objective of the legislation is to increase consumer understanding aboutcookies and online privacy in general. More specifically, this includes alerting users to cookie use, explaining tothem how they work, and ensuring that even the most non-technical users can access clear information on howthey are applied on an individual case basis for the websites and applications that they use. Issues around cookieuse (and similar technologies) are viewed by policy developers as a core element in allowing users to feel in controland comfortable about their overall privacy online.In response, website and application guardians will need to provide ever-increasing transparency over their datacollection and usage in relation to cookies and similar technology use going forward. While the present compliancebar is levelled at providing consumer access to clear information, future pipelined legislation amendments couldattempt to address more challenging aspects of cookie compliance such as:  Greater emphasis around issues such as how individual cookie types will be audited.  Ensuring that cookies are used appropriately in applications in a way that is minimally invasive and respects user rights and online privacy.  Achieving more explicit and effective approaches to user consent.  Leveraging more enhanced support for cookie compliance at the browser-level. For example, despite industry resistance, Microsoft has shown increased desire to disable user tracking features, the recent Internet Explorer 10 launch being one example.Assessing Existing Website Treatment of Cookie ComplianceFollowing the recent completion of the 12-month grace period for cookie compliance in the UK, Espion carried out ahigh-level analysis of the current state of compliance among influential, high-traffic websites, both in the UK, andalso across a similar sample of key Irish-based websites for comparative purposes. In tandem with the core policythrust of increased consumer privacy awareness and understanding, this analysis focussed on assessing cookie- EU Cookie Directive: A User-Driven Assessment of Online Compliance in the UK and Ireland Page | 2
  4. 4. related content and its availability to site patrons, both technical and non-technical users. Hence, while Espion hascarried out detailed cookie audits on a per-site basis for individual clients, such analysis represents otheradvanced, “back-end” compliance considerations that was not the core focus for this analysis.Key assessment goals included:  To understand the current overall status of cookie compliance among influential websites.  To assess the accessibility of cookie-related info, i.e. is it “readily available”, “prominently displayed”, and “easily accessible” in line with legislation wording.  To understand and rate the quality of the cookie-related information provided - i.e. is it “clear and comprehensive”, and “as user friendly as possible”. Also, understanding if it is clearly categorised for technical and non-technical user audiences.  To understand if and how websites are achieving user consent - either via prior (explicit) consent or implied consent methods.  To get an overall understanding of cookie types and categorisations being reported in cookie statements.Other key study methodology details include:  100 websites assessed as part of study o 50 of these were domestic UK-based sites, 50 were domestic Irish-based. o By “domestic” this means that the study excluded UK or Irish domain subsidiaries of foreign sites (e.g., or Similarly, it excluded Irish subsidiaries of UK parents and vice versa (e.g. whose parent is UK-based RBS). o All the 100 sites were chosen on the basis of having to comply with the directive. While almost all prominent commercial sites use cookies to the extent that they would need to comply, a small number of exception sites claimed to not use cookies, or at least “strictly necessary” cookie types only, hence they were excluded. o Websites were chosen using the UK and Irish “Top Sites” rankings provided by Alexa ( o Assessment was carried out on 28th/29th May 2012 using Google Chrome web browser (Version 19).  Cookie Information Quality Grading: To assess the quality of the cookie-related information provided, each website was given an arbitrary A, B or C-Grade rating based on inclusion of the following details in their cookie-related information o Explicit mention that the site uses cookies. o Clear, non-technical explanation of what cookies are. o Clear and categorised explanation of cookies types used on site, including:  High-level, non-technical categorisations such as those suggested in ICO guidance documentation (e.g. “strictly necessary”, “functionality”, “performance”, “browser experience”- related, “analytics”, “advertising/targeting”, “session vs. persistent” and so on).  Detailed categorisations focussing on individual cookie identifiers and related explanatory info. o Clear instructions on how to opt-in or opt-out of cookie tracking EU Cookie Directive: A User-Driven Assessment of Online Compliance in the UK and Ireland Page | 3
  5. 5. FindingsOverall, the results clearly indicate that prominent UK-based websites are achieving higher standards ofcompliance to the Cookie Directive than corresponding Irish websites at present, with much diversity inimplementation of the directive.Provision of Cookie informationAs mentioned, all the chosen sites to be tested were required to comply with the directive. While all UK-based sitestested provided at least some form of cookie information, there were four Irish sites that failed to provide anycookie-related information at any level (Figure 1). Irish Sites UK Sites Ireland (%) UK (%) Overall (%) Required to comply? 50 50 100% 100% 100% Cookie information provided? 46 50 92% 100% 96% Figure 1 - Provision of Cookie Info (Irish and UK Sites), SummaryCookie information “clearly accessible, prominently displayed”?In line with key legislation wording and guidance, Figures 2 and 3 summarise the degree to which provided cookieinformation was “clearly accessible” and “prominently displayed” throughout the sites tested. Figure 2 summarisesthe site location of such information, with only one-third of websites providing an explicit Cookie Policy Statement.Another 58% provided cookie information nested as part of the site’s Privacy Statement. A small minority (4%)included cookie info as part of the Terms and Conditions section. However there was a significant difference on aregional basis - only two of the Irish sites (4%) provided explicit cookie statements, compared to 31 of the UK sites(62%). Irish Sites UK Sites Ireland (%) UK (%) Overall (%) Explicit Cookie Statement 2 31 4% 62% 33% Nested in Privacy Policy 40 18 80% 36% 58% Nested in Terms & Conditions 3 1 6% 2% 4% None Provided/Not Applicable 5 0 10% 0% 5% Totals 50 50 100% 100% 100% Figure 2 - Location of Cookie Info, SummaryThe findings in Figure 3 involved examining the number of user actions necessary to find cookie information fromeach site’s landing page (with necessary clicks or scrolling actions counting as individual user actions). Only aquarter of sites overall provided access within one action (Figure 3), with the majority requiring either two or threeuser actions. Most Irish sites (78%) provided access via privacy statements located at the bottom of landing pages,requiring three separate scroll-click-scroll actions to locate cookie information. UK sites fared better, with 46% (23sites tested) providing the most direct accessibility to the information. EU Cookie Directive: A User-Driven Assessment of Online Compliance in the UK and Ireland Page | 4
  6. 6. Irish Sites UK Sites Ireland (%) UK (%) Overall (%) Accessible within one user action 2 23 4% 46% 25% Accessible within two user actions 5 16 10% 32% 21% Accessible within three user actions 34 8 68% 16% 42% Four or more user actions 4 3 8% 6% 7% Not Applicable 5 0 10% 0% 5% Totals 50 50 100% 100% 100% Figure 3 - Accessibility of Cookie Information from Landing Page, SummaryQuality of information provided - “user friendly, clear and comprehensive”?This assessment involved grading the clarity and comprehensiveness of cookie-related information provided basedon the information categories mentioned earlier (Figure 4). Sites achieving a Grade A rating provided all of thefollowing information below (based on subjective Espion criteria aligned to the legislation wording):  Explicit mention that site uses cookies.  A non-technical explanation of what they are.  Clear non-technical categorisations of cookie types used.  Detailed itemised technical explanation of individual cookie IDs provided.  Clear opt-in/out information provided. Irish Sites UK Sites Ireland (%) UK (%) Overall (%) Grade A 1 14 2% 28% 15% Grade B 6 28 12% 56% 34% Grade C 38 8 76% 16% 46% Not 5 0 10% 0% 5% Applicable Totals 50 50 100% 100% Figure 4 - Cookie Information Quality Ratings, SummaryMost of the sites with Grade B ratings were rated lower on the basis of providing less clear categorisations - eitherproviding high-level categories without detailed information of individual IDs, or vice versa where detailed ID-leveltechnical information was provided without more intuitive, non-technical, categorisations. Most Grade C sites failedto provide any attempt at comprehensively detailing the cookies used and providing any form of clearcategorisation.Overall, 25% of the sample provided at least some information of individual cookie IDs (Figure 5). 15% achievedGrade A ratings (Figure 4) – this included 14 UK sites and just one Irish site from the sample. A further one-third ofthe sample were Grade B, with over half achieving Grade C or lower. EU Cookie Directive: A User-Driven Assessment of Online Compliance in the UK and Ireland Page | 5
  7. 7. Irish Sites UK Sites Ireland (%) UK (%) Overall (%) Yes 4 21 8% 42% 25% No 46 29 92% 58% 75% Totals 50 50 100% 100% 100% Figure 5 - Provision of Info at Cookie ID Level, SummaryApproaches to Acquiring ConsentThe majority of sites assessed resorted to achieving implied consent via URL links (with the words “consent” usedliberally in such cases) (Figure 6). 12 UK-based sites were more explicit, providing clearly visible banner or pop-upnotifications of cookie usage to users - typically on the first site visit and removing the notification on later visits.None of the assessed sites adopted a prior consent notification. Irish Sites UK Sites Ireland (%) UK (%) Overall (%) Implied consent via banner or pop-up 0 12 0% 24% 12% Implied consent via URL link 42 38 84% 76% 80% Prior consent (pop-up) 0 0 0% 0% 0% None/Not Applicable 8 0 16% 0% 8% Totals 50 50 100% 100% 100% Figure 6 - Approaches to Achieving Consent, SummaryCompliant or Not?While definitively determining some aspects of compliance to the directive is still a grey area to an extent, Espioncombined some of the discussed metrics to define a simple arbitrary metric to determine levels of complianceamong the sample, at least from the user perspective. In order to be rated as compliant, sites had to meet both ofthe criteria below:  Provided cookie information (either via Privacy Policy or explicit Cookie Policy statement) is accessible within two user actions or better from site landing page  Quality and comprehensiveness of cookie-related information is rated to be of Grade A or Grade B standard Irish Sites UK Sites Ireland (%) UK (%) Overall (%) Compliant* 1 33 2% 66% 34% Not Compliant 49 17 98% 34% 66% Figure 7 - Rate of Compliance to Directive** Based on subjective Espion metric calculation. Also assumes that Cookie statement information provided on each site has been audited andcorresponds accurately with underlying web applicationIt is clearly evident that compliance rates among UK sites is much higher based on this calculation (figure 7) two-thirds of this set achieve compliance based on this criteria, whereas only a single Irish site (2% of sample) iscompliant - equating to 34% compliance across the entire sample. EU Cookie Directive: A User-Driven Assessment of Online Compliance in the UK and Ireland Page | 6
  8. 8. ConclusionClear distinctions exist at present between prominent UK and Irish websites in relation to compliance to the CookieDirective. Despite Irish legislation wording, and its intent that it is not sufficient to solely provide the requiredinformation in a statement of terms and conditions or a privacy policy, the overwhelming majority of Irish-basedsites assessed have yet to go beyond this. On the other hand, corresponding UK-based sites have paid greaterattention to legislation wording and requirements and many have reflected these more clearly in theirimplementation of the directive. Greater attention to the directive across UK media sources, the allowance of amore explicit grace period, and the availability of assistive compliance guidelines appear to have contributed tocompliance efforts there.More InfoFor more information on this research, contact Seamus Galvin, Espion Research at +353 (1) 210 1711, orseamus.galvin@espiongroup.comFor more information on Espion’s cookie compliance and Information Security services, contact us at +353 (1) 2101711, or EU Cookie Directive: A User-Driven Assessment of Online Compliance in the UK and Ireland Page | 7
  9. 9. About EspionEspion are Corporate Informationspecialists. We work withorganisations across all industriesand business functions to provideadvice and assistance relating tothe holistic compliance, protectionand management requirements oftheir most valuable asset –information. This allows our clientsto focus on their core business andultimately achieve greater success. Espion Headquaters The Penthouse, Block 2 Deansgrange Business Park Deansgrange, Co. Dublin Ireland +353 (01) 2101711