EU Privacy Directive (Cookie Law)
- EU Law
- Cookies
Does It Apply To You?
First of all — what is a Cookie?
A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to the originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user's device.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations), which govern how you use cookies and similar technologies for storing information on a user's equipment such as their computer or mobile device, changed on 26 May 2011. The Information Commissioner's Office (ICO), the body responsible for upholding the EU Privacy Directive, updated its guidance on the changes to the cookie law in May 2012 to explain the steps you need to take to ensure you comply.
So What Must I Do?
Unfortunately, because many site visitors don't understand cookies or how to set up their browsers to "turn cookies off", website owners must take responsibility for "informing" visitors when their website stores cookies on a user's device.
Research into consumers' understanding of the internet and cookies demonstrates that current levels of awareness of the way cookies are used and the options available to manage them are limited. An online survey[1] of over 1000 individuals in February 2011 illustrates that significant percentages of 'internet savvy' consumers have limited understanding of cookies and how to manage them:
- 41% of those surveyed were unaware of any of the different types of cookies (first party, third-party, Flash / Local Storage). Only 50% were aware of first party cookies.
- Only 13% of respondents indicated that they fully understood how cookies work, 37% had heard of internet cookies but did not understand how they work and 2% of people had not heard of internet cookies before participating in the survey.
- 37% said they did not know how to manage cookies on their computer.
- The survey tested respondents' knowledge of cookies, asking them to confirm if a number of statements about cookies were correct or not. Out of the sixteen statements only one was answered correctly by the majority of respondents.
What Are The Penalties If A Site Doesn't Comply With The Cookie Law?
Penalties of up to £500,000 can be imposed on organisations that seriously breach the law. Details are still being defined and are likely to be tested in court.
What Should I Do Next?
There are only two real options for website owners:
- Stop using cookies OR
- Start asking for permission for those cookies not deemed essential. This can be through "implied consent".
Implied Consent
- Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies. If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
- You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
- In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.
Steps To Take
Check what type of cookies and similar technologies you use and how you use them.
- Cookie Name - The name used in implementation (e.g. UID).
- Cookie Friendly Name (e.g. Username).
- Description - The description should provide as much detail about the purpose of the cookie as possible.
Assess how intrusive your use of cookies is.
- Potential Intrusiveness to User - Each cookie should be rated for its intrusiveness.
- Expiry - The number of days it takes for the cookie to expire.
Decide where you need consent.
- Decide the best solution to obtain consent for each non-essential cookie; otherwise remove that cookie.
Update your Privacy Policy.
- Make sure that your privacy policy has a clear section on cookies and how your site uses them. Be 100% transparent. See https://www.gov.uk/help/cookies as an example.
"Necessary" Or "Non-Essential" Cookies (Seek Advice)
Some cookies are required for a site to work, e.g. if a user adds an item to their shopping basket, that would be considered necessary: a cookie is technically required to remember that user and retain their shopping cart contents. Similarly, a cookie may be necessary to log into a website.
However, a cookie set to welcome a user back to a website, or to record which pages they view, would not be strictly necessary. In particular, this means you can't use traditional analytics without making sure your site visitors know you are collecting statistical data.
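As an added example (not part of the original page), the following Python script builds the inventory the steps above call for and applies the necessary/non-essential distinction from this section: it parses Set-Cookie headers, works out expiry in days, and flags cookies that are either undeclared or non-essential and so need consent. The cookie names, headers, the declared inventory and its essential/non-essential labels are constructed sample data, not taken from any real site.

```python
"""Cookie audit helper: inventory rows (name, friendly name, intrusiveness, expiry,
consent needed) built from Set-Cookie headers. Constructed example data throughout."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Declared inventory (constructed): name -> (friendly name, essential?, intrusiveness).
INVENTORY = {
    "SESSIONID": ("Login session", True, "low"),
    "basket": ("Shopping basket", True, "low"),
    "_ga": ("Analytics visitor id", False, "medium"),
}

# Constructed Set-Cookie headers as a site might emit them; 'welcome_back' is not declared.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly; Secure",
    "basket=3-items; Max-Age=604800; Path=/",
    "_ga=GA1.2.123; Expires=Sat, 01 Jun 2013 00:00:00 GMT; Path=/",
    "welcome_back=1; Max-Age=31536000",
]

NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)  # fixed clock so expiry days are reproducible


def parse_set_cookie(header, now=NOW):
    """Return (name, expiry_days); expiry_days is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    expiry_days = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.lower()
        if key == "max-age":  # Max-Age takes precedence over Expires (RFC 6265)
            return name, round(int(value) / 86400)
        if key == "expires":
            expiry_days = round((parsedate_to_datetime(value) - now).total_seconds() / 86400)
    return name, expiry_days


def audit(headers, inventory=INVENTORY, now=NOW):
    """One inventory row per cookie; undeclared cookies are treated as needing consent."""
    rows = []
    for header in headers:
        name, days = parse_set_cookie(header, now)
        friendly, essential, rating = inventory.get(name, ("UNDECLARED", False, "unknown"))
        rows.append({"name": name, "friendly": friendly, "expiry_days": days,
                     "intrusiveness": rating, "declared": name in inventory,
                     "needs_consent": not essential})
    return rows


def needing_consent(headers):
    """Names of cookies that must be removed or covered by (implied or explicit) consent."""
    return [r["name"] for r in audit(headers) if r["needs_consent"]]
```

Running `needing_consent(SAMPLE_HEADERS)` lists the analytics and undeclared cookies, which is the set the privacy policy and consent mechanism must cover.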
More Information
- ICO Information about Cookies: https://ico.org.uk/for-the-public/online/cookies/
- How to manage Cookies: AboutCookies.org
- Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
- Guide to the Privacy and Electronic Communications Regulations: gds-cookies-implementer-guide.pdf.
Contact Us
If you are concerned about whether you have cookies on your site and whether they comply with the new law contact us for advice.
[1] The Department for Culture, Media and Sport | PricewaterhouseCoopers LLP (PWC)