EU Cookie Directive

5 December 2011

Introduction

This article is a reflection of the various blog posts made regarding EU Directive 2009/136/EC of the European Parliament and the Council, issued on 25th November 2009. If you want to read the full text of the directive you can download it here (1.2mb PDF format).

The directive itself concerns the 'regulatory framework for electronic communications networks' and the part concerning the use of cookies is just a small part of the whole directive. Other articles of the directive include accessibility for disabled users, provision of public telephones, and the universality of affordable internet connections at a reasonable connection speed.

Article 66 of the Directive

Of the 26 pages of text the only part about cookies appears in article 66 of the directive and says:

"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities."

There is one very important sentence in this paragraph:

"It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access"

- this means that if you are going to be using any information on the user's computer, whether that be by cookies, local storage, Flash-based storage, or any method of writing data to the user's internet device, then the user should be made aware of this. This is a potentially contentious issue in itself. You don't want to have to put a splash page on the front of every website that uses session variables with a long diatribe about what cookies are, what session variables are, and how session cookies are used to track user persistence state across a website, which is normally a stateless transaction between the browser and the server.

Legal defences for using cookies

Now, there is a defence for not obtaining this explicit consent. In the directive it says:

"Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user"

If you can argue that using cookies (for example on your e-commerce website) is essential to the operation of the website, and that the cookie data is relevant only to the essential operation of this website, then you do not need to gain explicit consent for this, or have a landing page showing the full ramifications of using cookie data.

Problem solved! ... or is it? There are two tests that need to be passed when considering whether you are eligible for the exception:

1. Is the storage of data essential to the operation of the service?

In some cases, like shopping baskets stored in cookies, or persisting login state for a social network, cookies are an essential tool. But in other cases it may be less clear. Ostensibly, having Google Analytics cookies may not be essential for the operation of the service, but when websites use analytics data to refine the user experience and assist in making decisions about goal funnels, website navigation or the efficacy of marketing, they could be seen by the website owner as an essential tool for the evolution of making the website more user friendly.

Similarly, the use of affiliate cookie tracking may not be seen as essential for the operation of the website, but if the service you are talking about is the service of offering people cheaper goods via discount codes, which many affiliate websites offer, then this cookie would be essential to the service of offering people such online discounts. Most of the major discount code websites use affiliate marketing. Similarly, most of the online competition websites that collect information about competitions on different websites use affiliate cookies. That's how those sites make a return on their investment, and it's also how the merchants benefit from offering people discount codes and competitions. If affiliate marketing were to be curtailed by cookie blocking, then the main losers would be the affiliates, the merchants and the people who check the discount code websites before buying anything.

2. Is the service explicitly requested?

This is a tricky issue too. If a user visits a website with a view to buying something, then you can argue that the service is explicitly requested. Similarly, if you log into Facebook, then the cookie that stores the login state is explicitly requested (even if the user has no technical knowledge about how session state is maintained).

If you are using cookies for Google Analytics, then this service is not explicitly requested, and therefore the user would need to be asked whether they want to allow analytics to place tracking data on their computer. This is much more problematic, and could mean that Google Analytics will no longer be available in the UK. Google could get around this by having a browser-based solution in the Google toolbar, or in the Chrome browser (there is already a consent aspect to the toolbar when using PageRank data), but this will not help anyone using Firefox or IE, which will not have browser-based solutions. The majority of web users rarely update their browsers. If Google Analytics were blocked for the majority of users, then the data gained from analytics would be essentially meaningless, since you would have no idea how many people refuse analytics. At present there is a very small number of people that use ad and cookie blocking and so hide under the radar of analytics, but this percentage is so small as to be essentially negligible. If the majority of EU visitors were excluded from analytics tracking, then there is little point in using the service. You would then have to go back to using web log analysers to get an accurate picture of site usage, which is not always practical in shared hosting environments, and you would not easily be able to track referral-to-conversion routes like you can with Google Analytics.

Another option would be to use 'browser fingerprints': each browser has a different user agent that is sent to the website on every page request. Combine this with the IP address and you have a relatively unique set of credentials. Part of the problem with this approach is when you have many identical computers on a corporate network that all share the same IP address. In this case it might be possible to use IPv6 addresses as a unique identifier, or possibly have an open source global service which issues browsers with a browser ID number.

But if each browser had a unique ID number, then it would be possible to use behavioural advertising even more effectively, which is the thing that Article 66 was created to prevent, so it is unlikely to be used by the good guys (and possibly more likely to be used by the bad guys to get round the legislation).

What happens on 25th May?

Apart from my little girl's birthday, not much, according to the Information Commissioner's Office. Here's the full text of the ICO guidelines on using cookies (PDF 127k).

There is a change from an opt-out to an opt-in premise for consent. The ICO's clarification of the explicit consent exception goes as follows:

The only exception to this rule is if what you are doing is 'strictly necessary' for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the 'add to basket' or 'proceed to checkout' button, your site 'remembers' what they chose on a previous page. You would not need to get consent for this type of activity.

This exception needs to be interpreted quite narrowly because the use of the phrase "strictly necessary" means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services "explicitly requested" by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word "explicitly". The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users' preferences or if you decide to use a cookie to collect statistical information about the use of your website.

The key sentence here is the last one, which indicates that using cookies to save user preferences, or to collect web stats, does not count as 'strictly necessary'. Therefore, using this interpretation of the EU Directive, Google Analytics cookies would require explicit informed consent before being used on a website. Bad news for those using analytics then. In Germany, Google Analytics is already a contentious issue, and there is some indication that websites could be fined for using it. You can download an opt-out add-on for GA, but the law requires explicit opt-in, so this solution is not sufficient for compliance with the regulations.
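As an added example (not code from the original post), this is what the opt-in reading above looks like on the server side: cookies the site classes as strictly necessary are set as before, while anything else, such as an analytics cookie, is dropped until the user has explicitly accepted. The cookie names, including the consent cookie, are assumptions for illustration.

```javascript
// Added example, not from the original post: gate non-essential cookies behind
// explicit opt-in consent, following the ICO reading of "strictly necessary".
// The cookie names below, including the consent cookie, are assumptions.

// Cookies the site treats as strictly necessary for the service the user requested.
const ESSENTIAL_COOKIES = new Set(['session_id', 'basket']);
const CONSENT_COOKIE = 'cookie_consent';

// Parse a request Cookie header into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Consent is opt-in: it exists only if the user's explicit "accept" was recorded.
function hasConsent(cookieHeader) {
  return parseCookieHeader(cookieHeader)[CONSENT_COOKIE] === 'yes';
}

// A cookie may be set if it is strictly necessary or the user has opted in.
function maySetCookie(name, cookieHeader) {
  return ESSENTIAL_COOKIES.has(name) || hasConsent(cookieHeader);
}

// Reduce the cookies a page wants to set to those permitted for this request,
// returning Set-Cookie header values. Non-essential cookies (e.g. analytics)
// are dropped until consent is recorded.
function buildSetCookieHeaders(wanted, cookieHeader) {
  return wanted
    .filter(c => maySetCookie(c.name, cookieHeader))
    .map(c => `${c.name}=${encodeURIComponent(c.value)}; Path=/; SameSite=Lax`);
}

// Record an explicit user action; anything other than "accept" is stored as "no",
// so dismissing or ignoring a banner never becomes consent.
function consentHeaderFor(userChoice) {
  const value = userChoice === 'accept' ? 'yes' : 'no';
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=31536000; SameSite=Lax`;
}

// Constructed sample: a page wants a session cookie and an analytics cookie.
const SAMPLE_WANTED = [
  { name: 'session_id', value: 'abc123' },
  { name: '_ga', value: 'GA1.2.111.222' }, // analytics: not strictly necessary
];
```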

Will I be prosecuted for using Google Analytics and other third party cookies?

The regulations state the following:

"The government's view is that there should be a phased approach to the implementation of these changes. In light of this if the ICO were to receive a complaint about a website, we would expect an organisation's response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice. The key point is that you cannot ignore these rules.

The ICO will be issuing separate guidance on how we intend to enforce these Regulations."

So basically, if you are currently using storage for non-essential services without explicit consent, you will not be sent a court summons straight away. If a complaint is made about your website, you may be contacted by the ICO asking how you are planning to comply with the rules. If you cooperate with the regulations there should be no problem, but if you refuse to do anything or try to ignore the issue, then you may find that you are prosecuted. The penalties for non-conformance have not been issued to date.

Can't I just use browser settings to imply consent?

The short answer is 'no'.

The ICO regulations state this:

"At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user's equipment that they have to gain consent some other way."

Summary

As the cover of the Hitchhiker's Guide to the Galaxy states: DON'T PANIC. For the majority of people who use first-party cookies as part of the essential operation of their website, there will be no problem. For some people who use cookies for things like remembering user preferences, you may have to rethink the way your website works, possibly having an opt-in consent form for remembering these settings. For people using affiliate marketing, you might have to look at how your affiliate marketing company operates or how consent to use affiliate links is handled, and for those using Google Analytics, you might have a difficult time in the short term, but it's very unlikely that a complaint will be made about a website that only uses GA cookies for no other reason than to track overall traffic trends. I would think that there will be a revision of the rules in the next couple of years that gives greater exceptions for 'friendly 3rd party cookies' (i.e. those used for the power of good) and possibly greater penalties for 'unfriendly cookies' (those used for behavioural advertising, malware, black hat SEO or other such nefarious activities).