EU Privacy Directive (Cookie Law)
Does It Apply To You?
First of all — what is a Cookie?
A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to the originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user's device.
So What Must I Do?
Unfortunately, because many site visitors don't understand cookies or how to set up their browsers to "turn cookies off", website owners must take responsibility for "informing" visitors when their website stores cookies on a user's device.
Research into consumers' understanding of the internet and cookies demonstrates that current levels of awareness of the way cookies are used and the options available to manage them are limited. An online survey of over 1000 individuals in February 2011 illustrates that significant percentages of 'internet savvy' consumers have limited understanding of cookies and how to manage them:
- 41% of those surveyed were unaware of any of the different types of cookies (first party, third-party, Flash / Local Storage). Only 50% were aware of first party cookies.
- Only 13% of respondents indicated that they fully understood how cookies work, 37% had heard of internet cookies but did not understand how they work and 2% of people had not heard of internet cookies before participating in the survey.
- 37% said they did not know how to manage cookies on their computer.
- The survey tested respondents' knowledge of cookies, asking them to confirm if a number of statements about cookies were correct or not. Out of the sixteen statements only one was answered correctly by the majority of respondents.
What Are The Penalties If A Site Doesn't Comply With The Cookie Law?
Penalties of up to £500,000 can be served to organisations that seriously breach the law. Details are still being defined and are likely to be tested in court.
What Should I Do Next?
There are only two real options for website owners:
- Stop using cookies OR
- Start asking for permission for those cookies not deemed essential. This can be through "implied consent".
- Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies. If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
- In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.
Steps To Take
Check what type of cookies and similar technologies you use and how you use them.
- Cookie Name - The name used in implementation (e.g. UID).
- Cookie Friendly Name (e.g. Username).
- Description - The description should provide as much detail about the purpose of the cookie as possible.
- Potential Intrusiveness to User - Each cookie should be rated for its intrusiveness.
- Expiry - The number of days it takes for the cookie to expire.
Where you need consent.
- Decide the best solution to obtain consent, otherwise remove non-essential cookies.
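The audit described above can be started from the Set-Cookie headers a site actually sends. The following is an added example, not part of the original page: the captured headers, the hosts shop.example and stats.tracker.example, the REGISTER contents and the function names are all constructed for illustration. It reads the cookie name and expiry from each header, marks cookies set by another host, and flags any cookie missing from the register.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (responding host, Set-Cookie value) pairs from a crawl.
CAPTURED = [
    ("shop.example", "UID=8f3a; Path=/; Max-Age=2592000; Secure; HttpOnly"),
    ("shop.example", "basket=42; Path=/"),
    ("stats.tracker.example", "_stats=abc; Expires=Wed, 01 Jan 2025 00:00:00 GMT"),
]
# Hypothetical audit register kept by the site owner (the fields listed above).
REGISTER = {
    "UID": {"friendly": "Username", "essential": True},
    "basket": {"friendly": "Shopping basket", "essential": True},
}

def parse_set_cookie(value, now):
    """Return (name, expiry in days); expiry None means a session cookie."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0]
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.lower() == "max-age":
            max_age = int(val) / 86400
        elif key.lower() == "expires":
            expires = (parsedate_to_datetime(val) - now).total_seconds() / 86400
    # Max-Age wins over Expires when both are present (RFC 6265).
    return name, max_age if max_age is not None else expires

def audit(captured, register, site, now):
    """Build one audit row per cookie and say what the owner must do next."""
    rows = []
    for host, value in captured:
        name, days = parse_set_cookie(value, now)
        entry = register.get(name)
        if entry is None:
            action = "undocumented: add to register or remove"
        elif not entry["essential"]:
            action = "non-essential: obtain consent"
        else:
            action = "essential: documented"
        rows.append({
            "name": name,
            "friendly": entry["friendly"] if entry else None,
            "expiry_days": None if days is None else round(days, 1),
            "third_party": not (host == site or host.endswith("." + site)),
            "action": action,
        })
    return rows
```

Description and intrusiveness rating still have to be written by a person; the script only surfaces which cookies exist, how long they last and which ones nobody has documented.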
"Necessary" Or "Non-Essential" Cookies (Seek Advice)
Some cookies are required for a site to work. For example, if a user adds an item to their shopping basket, that would be considered necessary: a cookie is technically required to remember that user and retain their shopping cart contents. Similarly, a cookie may be necessary to log into a website.
However, a cookie which was set to welcome a user back to a website, or to record what pages they view, would not be strictly necessary. In particular, this means you can't use traditional analytics without making sure your site visitor knows you are collecting statistical data.
- ICO Information about Cookies: https://ico.org.uk/for-the-public/online/cookies/
- How to manage Cookies: AboutCookies.org
- Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
- Guide to privacy and Electronic Communications Regulations: gds-cookies-implementer-guide.pdf.
If you are concerned about whether you have cookies on your site and whether they comply with the new law, contact us for advice.
 The Department for Culture, Media and Sport | PricewaterhouseCoopers LLP (PWC)