The EU Cookies Law
In May 2011 a new privacy law came into effect across the European Union (EU), which states that cookies may only be used by website owners with the end-user’s consent. In other words, if you use cookies, then in most cases you need to ask visitors for their permission to do so.
This has a potentially huge impact on marketers, as cookies are widely used on most websites for many purposes, mostly related to storing various types of information about visitors, hence the privacy issues which this law aims to address.
For example, if you search for “cars” in Google, cookies can be used to remember this search. When you visit another website, Google may then target car ads at you because they remember who you are, and what you searched for. Consider how many searches you do on Google, and other search engines, and you can easily see how much they know about you, and your interests.
Here’s a brief overview of the current situation, and a few suggestions on what you should be doing to address it.
What are Cookies?
A cookie is a piece of text stored on a user’s computer by his or her web browser. Cookies have a range of uses, including authentication, storing site preferences and shopping basket contents.
However, they can also be used to track user activity and build up profiles, and this raises privacy concerns as mentioned above.
Cookies are categorized according to their duration and who sets them:
- Session cookies: These are temporary and last only for the duration of the user’s active visit.
- Persistent or tracker cookies: These are stored on the user’s computer and can be accessed again by the domain that set them whenever browser contact is made.
- First-party cookies: These are set by the website itself (the same domain as in the browser’s address bar).
- Third-party cookies: These are set by different domains from the one shown on the browser address bar.
The EU e-Privacy Directive – What is it?
In July 2002 the European Union passed a law (Directive 2002/58/EC) (the “Directive”) which stated that anyone who wanted to insert cookies into the browsers of users had to give notice of this and offer an opt-out.
In December 2009 the European Union amended the Directive to state that users must provide their consent before websites can download cookies onto the user’s machine via the browser. All EU countries were required to implement this change into their national legislation by 25 May 2011 – but most have not yet (see below).
Cookies that are necessary to provide a service that the user has asked for, for example to fill a shopping trolley, are exempt from this legislation. However, the new legislation does cover situations where cookies are used for things the user has not requested, such as the delivery of ads.
Whom Does it Affect?
The amended Directive applies to all organizations who download cookies onto the machines of users based in the EU, whether those organizations are based in the EU or not.
However, an already complex situation is made worse by the fact that all the EU member states are taking different approaches to implementing the new cookie laws. For example:
- In the UK, the directive was transposed into national law on May 25, 2011. Acknowledging the ambiguities in the law, the UK ICO (Information Commissioner’s Office) has given organizations a year to comply before fines start being issued. Their guidance is that web managers need to start acting now and must be able to show that “they have a realistic plan to achieve compliance” in order not to be fined.
- The Dutch have taken a very tough approach, adopting a new privacy law, which will require websites to get user permission before recording any personal data or providing such data to third parties. But not only will Dutch websites have to get permission, they’ll also need to prove they have it.
- Ireland has also implemented the new law, and their interpretation is that websites will need to seek consent to use any cookies that are not deleted when the user leaves their website. But their guidance on obtaining user consent is less than helpful, stating “The Regulations do not prescribe how the information is to be provided or consent is to be obtained, other than this should be as user friendly as possible.”
- In France a draft bill for the implementation of the Cookies Directive exists and is in the process of public consultation.
In most other European states, however, no national law transposing the Directive has yet been passed, so it’s a “wait and see” situation.
How Does All This Affect Marketing?
This move is causing waves because of its potential for chaos and the impact on website usability. Web developers face being hamstrung. Users will potentially be subjected to a forest of pop-ups, annoying layers, or disclaimer pages. Website usability and accessibility will suffer.
The way in which individual companies interpret the letter of the laws emerging across Europe will have a profound effect on their online marketing activity in the years to come.
As outlined above, it is a situation in flux and debate is raging across all sectors of the industry on how to manage these issues. Below are the top three things marketers need to consider right now.
1. Life Without Analytics?
Web analytics are a core part of any online marketing program. But if you need to ask users for permission to use cookies you can forget about getting meaningful analytics for your site.
Once a user opts out of cookies, he or she also opts out of Google Analytics and any other traffic-measuring devices you may use.
This has been dramatically illustrated by Vicky Brock, who used the UK’s Information Commissioner’s Office (ICO) website as an example. See http://www.flickr.com/photos/vickyb/5859873960/
Working around this is something you should definitely start thinking about now.
2. Watch Your Functionality and Carry Out an Audit
Recent visitors to British Airways’ landing page will have noticed a cookies policy which states that if they don’t accept all their cookies, they can’t use the site. Any cookies that are integral to the working of a website are exempt from the legislation, but it’s definitely worth auditing what you have to make sure functionality won’t be affected.
3. Getting There First Could Mean You Come Last
When it comes to implementing cookies law, becoming an early adopter can be a disadvantage. In the UK, websites like the Radio Times ended up removing their warning layers and pop-ups because they had a negative impact on site usability and user experience.
A Quick Guide to Key Actions
While companies do need to be seen to be taking action, for the time being, it’s best to stick to making sure you know which cookies your site uses and how opting out of them might impact user experience. Here’s a quick guide to what you need to do now:
- Check that your privacy statement covers cookie usage. It should explain clearly what kind of information is being collected, and for what purpose. If you are using third-party cookies, explain who these companies are and why you are sharing data with them. Consider providing information or links to assist in cookie removal.
- Ensure that your privacy statement has a link from every web page on your site.
- Keep track of which cookies are being set by your site. Identify which ones are impacted by this legislation (e.g. how intrusive they are) and remember that cookies “strictly necessary” to fulfill a core purpose of the site (e.g. a shopping basket) are exempt. The most common applications of third-party cookies relate to:
  - Advertising
  - Social media widgets
  - Web beacons
  - Third-party tools, such as mapping
  - Visitor activity trackers
- Document the process for future reference. You may need to demonstrate that you have been actively working towards compliance.
- Wait a while and see what happens to the legislation across the EU.
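To make the "keep track of which cookies are being set" step concrete, the following added example (not part of the original post) labels captured Set-Cookie headers with the four categories described under "What are Cookies?". The function names, host names and cookie values are constructed for illustration, and the first-party check is a simplification noted in the comments.

```python
from collections import Counter

# Constructed sample: (host that sent the response, Set-Cookie header value)
# as it might be exported from a browser's network log for one page load.
CAPTURED = [
    ("www.shop.example", "basket=3f9a; Path=/; HttpOnly"),
    ("www.shop.example", "prefs=lang-en; Domain=shop.example; Max-Age=31536000"),
    ("ads.tracker.example", "uid=77c1; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("maps.widgets.example", "sess=ab12; Path=/"),
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def classify(page_host, sending_host, header):
    """Label a cookie by duration and by who set it, per the four categories."""
    name, attrs = parse_set_cookie(header)
    # No Expires and no Max-Age: the browser drops it at the end of the session.
    duration = "persistent" if ("max-age" in attrs or "expires" in attrs) else "session"
    # Host the cookie is scoped to: Domain attribute if given, else the sender.
    scope = attrs.get("domain", "").lstrip(".").lower() or sending_host.lower()
    # Simplification (assumption): first-party only when the scope covers the
    # address-bar host. Sibling subdomains need a Public Suffix List comparison.
    page = page_host.lower()
    first_party = page == scope or page.endswith("." + scope)
    return {"name": name, "duration": duration,
            "party": "first-party" if first_party else "third-party",
            "scope": scope}


def audit(page_host, captured):
    """Classify every captured cookie and count each (party, duration) pair."""
    rows = [classify(page_host, host, header) for host, header in captured]
    summary = Counter((r["party"], r["duration"]) for r in rows)
    return rows, summary


if __name__ == "__main__":
    rows, summary = audit("www.shop.example", CAPTURED)
    for r in rows:
        print(f'{r["name"]:8} {r["party"]:12} {r["duration"]:10} {r["scope"]}')
```

Third-party persistent cookies are the rows to document first, since they match the tracking uses listed above rather than the "strictly necessary" exemption.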


Richard says:
Readers may also be interested in what the Cookie Collective is doing – lots of useful information about the cookie legislation, interesting cookie stats, and solutions for website owners – http://www.cookielaw.org/
Thirdp1contrib says:
Thanks for the resource, Richard.
Mark Steven says:
Analytics will be the biggest headache for most website owners. Even great cookie law compliance solutions like this http://www.civicuk.com/cookie-law, which make it easier for users to opt in, don’t address the issue of what happens when hordes of users opt out of your analytics programme.
As a result of this we’re preparing server side analytics for our clients using the excellent Piwik. Well worth checking out if your servers will support it: http://piwik.org/
CynthiaS says:
Appreciate the input, Mark.