
Cookies and the EU privacy directive: what it means for you


Simon Lande, CEO Magus Research

Published in: Business, Technology

  1. Introduction to the EU Cookies Law
     And what it means for your organisation
     Simon Lande, CEO, November 2011
  2. A brief history of EU Cookies Law
     • July 2002: EU passes a law (Directive 2002/58/EC) which states that anyone who wants to insert cookies into the browsers of users has to give notice of this and offer an opt-out
     • December 2009: EU amends the Directive to state that users must provide their consent before websites can download non-essential cookies onto the user’s machine via the browser
     • 25 May 2011: The date by which all EU countries are required to implement this change into their national legislation (most have not yet done so!)
     • The amended Directive is likely to apply to all organisations who download cookies onto the machines of users based in the EU, whether those organisations are based in the EU or not
     • In the UK, organisations could be subject to enforcement notices and actions, and potentially a fine of up to £500K for failing to comply
  3. What are cookies?
     • A piece of text stored on a user’s computer by their web browser
     • They have a range of uses, including:
       o Authentication
       o Storing site preferences
       o Storing shopping basket contents
     Cookies which are necessary to provide a service that the user has asked for, for example to fill a shopping trolley, are exempt from this legislation.
     However, cookies can also be used to track user activity, build up profiles and carry out other non-essential activities – this is what the fuss is all about.
  4. Types of cookies
     Cookies are categorised according to:
     • Their duration
       o Session cookies
       o Persistent / Tracker cookies
     • Who sets them
       o First party cookies
       o Third party cookies
  5. How’s the legislation being interpreted?
     Sweden:
     • Directive transposed into national law on 1 July 2011 requiring user consent for the use of cookies. The relevant Swedish authority has provided little guidance on the crucial question of how to obtain consent.
     • In addition, the Swedish Internet Advertising Bureau has issued draft recommendations that: (i) information on the use of cookies, and how consent may be denied and withdrawn, should be provided to users; and (ii) user consent must be obtained by means appropriate to the circumstances (e.g. use through browser settings which allow cookies, following user’s receipt of sufficient information).
     Norway:
     • National law to implement the Directive is currently under consideration. It is expected to come into force in 2012.
     Denmark:
     • Draft executive order is under consultation and Denmark have asked the European Commission to clarify certain aspects of the Directive.
     • It is intended that the final version of the executive order will be agreed and come into effect by the end of December this year.
  6. How’s the legislation being interpreted?
     UK:
     • Directive became law on the 25th May 2011, and the ICO has given organisations 1 year to comply, before enforcement action may be imposed
     • But they must currently be able to show "they have a realistic plan to achieve compliance"
     France:
     • Draft bill exists and is in the process of public consultation. If implemented, this would require organisations to obtain user consent. Such consent need not necessarily be expressed, as it may be implied from users’ browser settings.
     Netherlands:
     • Proposed national legislation is to be voted on by the Dutch Senate this year. If approved, it will likely come into effect early next year, setting out the obligation that organisations must obtain user consent before cookies can be installed or stored on users’ computers.
     • They’ll also need to prove they have it! (This requirement goes beyond the provisions of the Directive.)
  7. What’s everyone doing about cookies? Example 1: The Information Commissioner’s Office
  8. What’s everyone doing about cookies? Example 2: British Airways
  9. What’s everyone doing about cookies? Example 3: BBC
  10. What should you be doing about it?
      • The perfect solution is not yet out there
      • There’s no advantage to being an early adopter
        o For example, some companies have already taken down their pop-up windows and warning layers due to negative impacts on usability
      • Cookies law is on the move
        o Majority of European countries have yet to implement the Directive
        o Some of the European countries which have implemented the Directive have not provided clear guidance as to how organisations should comply
        o There are different views on whether the UK has correctly implemented the Directive (e.g. the EU committee of national data protection regulators has issued an opinion that contradicts the UK’s implementation relating to the time at which user consent must be obtained)
      • Technical (e.g. browser-based) solutions may be around the corner
      So, best to sit back and “Do nothing?”
  11. A realistic plan
      You need to be able to demonstrate that you have a “realistic plan to achieve compliance”…
      Current best practice is for all companies to take the following three actions:
      1. Check what type of cookies and similar technologies you use and how you use them
      2. Assess how intrusive your use of cookies is
      3. Decide what solution to obtain consent will be best in your circumstances
  12. Compliance options

      | Option | Regulatory Compliance | Usability | Business impact | Comments |
      |---|---|---|---|---|
      | Remove all non-essential cookies | Very High | Low | High | Possible to remove all cookies from a website other than those strictly necessary for the provision of services to the user. However, this is likely to require redesign work and could significantly degrade website functionality. It is also likely to impact the business model for the website e.g. by removing the ability to collect important information. |
      | Pop Up Windows | High | Low | Medium/High | Non-essential cookies are only used if the user clicks “Accept” on a pop-up window. This is an intrusive and annoying option (not least because those refusing cookies will get the pop-up again and again). Reduced usability/functionality will negatively affect traffic. Partial acceptance of cookies will make tracking information meaningless. |
      | Banner Tick Box | High | Medium | Medium/High | A banner is placed at the top of the page allowing users to click to accept cookies. This is the option selected by the UK Information Commissioner. In practice, very few people click to accept cookies. Partial acceptance of cookies will make tracking information meaningless. |
      | Acceptance of T&C’s | Medium | Medium | Low | Users give consent to cookies when they accept the terms of use of a website. This only works if users are expressly required to agree to those terms of use in order to use the website. |
      | Website Notes | Low | Low | Low | A prominent notice is provided indicating that cookies are used, linking to details of each cookie. This is the option taken by the UK Department of Culture, Media and Sport who are responsible for implementing the new cookies laws in the UK. |
  13. How Magus can help
      Audit in conjunction with Linklaters will enable you to address the recommendations and provides the basis for your implementation plan. It includes:
      Cookies briefing
      • Overview of the relevant legislation and its implications for your website
      Cookies audit
      • Social media widgets known to set cookies
      • Flash files which need to be checked for Flash cookies
      • Third party domains and scripts known to set cookies
      • JavaScript files likely to contain cookies
      • Potential web beacons known to set cookies
      • Pages not containing a link to a privacy / cookies policy
      Report and recommendations
      • Key findings
      • Advice (e.g. appropriate action could be considered on an enforcement risk-based approach, and potentially an EU wide approach) and recommendations (see table above)
      • What you need to do next
  14. Thank you
      Questions?
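
Added example, not part of the original slides: the two categorisation axes from slide 4 (duration, and who sets the cookie) applied to `Set-Cookie` headers collected during the first action of the plan on slide 11. The hosts, cookie names and values are constructed, and the `site` parameter (the registrable domain of the audited website) is an assumption supplied by the auditor.

```python
from http.cookies import SimpleCookie

# Constructed observations: (host that sent the response, Set-Cookie header value).
OBSERVED = [
    ("www.example.com", "basket=3f9a; Path=/; HttpOnly"),
    ("www.example.com", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("ads.tracker.example.net",
     "uid=77c1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
    ("www.example.com", "old=x; Max-Age=0; Path=/"),
]


def lifetime(morsel):
    """Duration axis: no Expires and no Max-Age means a session cookie.

    Max-Age takes precedence over Expires; a value <= 0 deletes the cookie.
    The Expires date is not compared with the clock here.
    """
    max_age = morsel["max-age"]
    if max_age.lstrip("-").isdigit():
        return "persistent" if int(max_age) > 0 else "deleted"
    return "persistent" if morsel["expires"] else "session"


def party(site, host):
    """Who-sets-it axis: first-party if the host is the site or a subdomain."""
    host = host.lower().rstrip(".")
    if host == site or host.endswith("." + site):
        return "first-party"
    return "third-party"


def audit(site, observed):
    """Return (cookie name, lifetime, party) for every observed cookie."""
    rows = []
    for host, header in observed:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie header value
        for name, morsel in jar.items():
            rows.append((name, lifetime(morsel), party(site, host)))
    return rows


if __name__ == "__main__":
    for row in audit("example.com", OBSERVED):
        print("%-8s %-11s %s" % row)
```

Persistent third-party rows are the ones to review first against the exemption described on slide 3, since cookies needed to provide a service the user asked for are exempt.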