About the EU Cookies Law

Since 2003, privacy policies have had to give people the choice to opt out of cookies. A European Directive passed in 2009 (2009/136/EC) changed these requirements so that people have to give consent for cookies to be stored. The UK introduced this amendment on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and companies were given a one year grace period to achieve compliance. That period ends tomorrow.

Watch the ICO’s video on Cookies FAQs:

NB: playing YouTube videos sets a cookie

To read more about the EU Cookie Law, download and read page 2 of the ICO’s cookie guidance.

“By analogy, if a patient visits a doctor this act alone would not be taken as indication that the patient consents to examination, treatment or the recording of health information. The patient and doctor would hold a conversation during which the doctor might offer an invitation to the patient to lie down on an examination couch. In the context of this exchange the doctor might now be able to infer consent from the patient’s actions based on the fact that there is a shared understanding of what is happening.” (from page 8 of the ICO Cookies Guidance Document)

Cookies essentially download onto your device to pass on information like what you want to add to a shopping cart & provide performance stats (like how long you spent on a page, what pages are the most visited).  To me, it’s like in-store video surveillance.  I roughly know most stores have it, if I look around I can probably figure out where the cameras are, but I don’t know a lot about it & I can opt not to be tracked by simply not going to that store.  Yes, I’m aware that video surveillance is usually a crime prevention measure, but it does also record me without my consent.  It also gives the store the ability to track my movements, see what I’m looking at & how long I spend on that visit – even though I haven’t consented to this.  I have no idea when I enter a store if they have video surveillance, how long stores retain video surveillance for, how long they store the video for or what they explicitly do with the videos.  That’s fine though.  What’s not fine is that when I visit a website I’m not told & explicitly comply to having some details remembered or having my visit tracked.  Right….

So moving on to how to comply with the EU Cookie Law.

Steps Towards Compliance

Paraphrased from the ICO Cookies Guidance document

If you use cookies on your website, such as those set by Google Analytics, you must obtain informed consent from the user or subscriber.  This means you have to:

  • tell people that the cookies are there
  • explain what the cookies are doing, and
  • obtain their consent to store a cookie on their device.
  • ensure you provide information about how consent can be withdrawn, and cookies that have already been set removed, in your privacy policy.
  1. Check what type of cookies and similar technologies you use and how you use them.
    1. Identify which cookies are operating on or through your website
    2. Confirm the purpose(s) of each of these cookies
    3. Confirm whether you link cookies to other information held about users – such as usernames
    4. Identify what data each cookie holds
    5. Confirm the type of cookie – session or persistent
    6. If it is a persistent cookie how long is its lifespan?
    7. Is it a first or third party cookie? If it is a third party cookie who is setting it?
    8. Double check that your privacy policy provides accurate and clear information about each cookie
  2. Assess how intrusive your use of cookies is.
  3. Where you need consent – decide what solution to obtain consent will be best in your circumstances.
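Step 1 of that checklist, the cookie inventory (which cookies exist, session or persistent, lifespan, first or third party), is the part you can script. The following is an added example, not code from this post or from the ICO: it parses the Set-Cookie headers a site returns and records each cookie against those questions. The host name, the audit date and the headers are constructed sample values, and the first/third-party test is a plain parent-domain check without a public-suffix list.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Constructed sample (not a real site): the audited host, the audit date, and the
# Set-Cookie headers its pages returned.
SITE_HOST = "shop.example.co.uk"
AUDIT_TIME = datetime(2012, 5, 25, 10, 0, tzinfo=timezone.utc)
SAMPLE_SET_COOKIE_HEADERS = [
    "basket=abc123; Path=/; HttpOnly",
    "_ga=GA1.2.111.222; Domain=.example.co.uk; Expires=Wed, 21 May 2014 10:00:00 GMT; Path=/",
    "ad_id=xyz; Domain=ads.tracker-example.net; Max-Age=31536000; Path=/",
    "sessionid=s3cr3t; Domain=shop.example.co.uk; Secure; HttpOnly",
]

@dataclass
class CookieAuditEntry:
    name: str
    domain: str
    persistent: bool          # False = session cookie, discarded when the browser closes
    lifespan_days: "float | None"
    third_party: bool         # set for a domain other than the audited site
    secure: bool
    http_only: bool

def is_first_party(cookie_domain: str, site_host: str) -> bool:
    # First party if the cookie Domain is the site host or one of its parent domains.
    # No public-suffix list here, so a Domain of ".co.uk" would wrongly pass.
    d, h = cookie_domain.lstrip(".").lower(), site_host.lower()
    return h == d or h.endswith("." + d)

def audit_set_cookie(header: str, site_host: str, now: datetime) -> CookieAuditEntry:
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:                  # "Key=value" or a bare flag such as "Secure"
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() or True
    domain = attrs.get("domain")
    if not isinstance(domain, str):         # absent or empty Domain: host-only cookie
        domain = site_host
    lifespan = None
    if "max-age" in attrs:                  # Max-Age takes precedence over Expires (RFC 6265)
        lifespan = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        lifespan = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return CookieAuditEntry(name, domain, lifespan is not None, lifespan,
                            not is_first_party(domain, site_host), "secure" in attrs, "httponly" in attrs)

def audit_cookies(headers, site_host=SITE_HOST, now=AUDIT_TIME):
    """Inventory every cookie as the ICO checklist asks: type, lifespan, party."""
    return [audit_set_cookie(h, site_host, now) for h in headers]
```

Run it over the headers captured from each page of your site (a browser's developer tools or a proxy will show them) and the output is the table steps 1.1 to 1.7 ask for; step 1.8, checking the privacy policy against it, remains a manual read.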

Examples of Cookie Law Compliance

Econsultancy has a blog post, including screen shots, of what some major websites are doing to comply with the EU cookie law: The BBC unveils its EU cookies law solution

Exceptions

Where cookies are strictly necessary to provide the service requested by the user, consent isn’t required. The examples the ICO gives of this, on page 13 of their guidance document, include:

  • A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
  • Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested – for example in connection with online banking services
  • Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers.

What are your thoughts about the EU cookie law, and how do you think it’ll affect your enjoyment of visiting websites?
