New EU Cookie Law Guidance and Commentary

May 2011

Many websites use cookies. If a website provides e-commerce facilities or requires a user to login in order to use the site or certain parts of it, chances are, it will use cookies. A cookie, in its most basic form, is a small text file which a website places on a visitor’s computer when it needs to “remember” something. Other websites may use cookies for storing personalisation options such as content, colour scheme, layout and so forth.

Cookies are also used by many websites to track users’ behaviour. These are often implemented by third parties (and are thus known as “third-party cookies”) and track users’ activities including their movement around a particular website, but also certain preferences they demonstrate. Cookies of this type are commonly used in advertising. Anyone who has had the somewhat eerie experience of searching for something, for example “ancient Rome”, one day and being faced with endless flashing advertisements for “City Breaks in Rome!” for days after will be providing a home for such cookies on their computer.

The Law of Cookies

At present, the law within the EU requires users to opt-out of receiving cookies. Users are required to adjust their internet browser settings to block cookies. This, of course, can hamper the functionality of certain websites if not done correctly although the latest versions of the mainstream internet browsers (for example, Chrome, Firefox, Internet Explorer, Safari and Opera) allow users to be more selective about which cookies are permitted and which are blocked, giving the choice to block third party cookies alone or, in some cases, the facility to install specific lists of barred cookies.

New Laws for May 2011

Taking effect on 26th May 2011 the law regarding cookies within the EU will change. Rather than leaving users to opt-out, EU-owned websites must require users to opt-in where third-party cookies are involved. Given the large number of cookies used by some websites this may seem extreme, but under a strict interpretation of the new law, users must be asked for permission before placing such cookies.

Isn’t that a bit extreme?

It could be. Much depends upon how your website uses cookies. Not all cookies are caught by this particular cookie monster. If a cookie forms an integral part of a website’s functionality – for example, a shopping basket or the storage of a user’s personal preferences – no consent need be obtained and life, for both the website owner and the user, goes on as normal. We would also speculate that cookies used by services such as Google AdWords and Google Analytics could be deemed to be part of the service provided by your website, thus also falling outside of the new rules. There is however, as must be expected, nothing in the way of concrete evidence at this early stage.

The reason for this change in the law is to regulate third-party cookies and the use of users’ private data without consent. It should be noted that private data in this sense does not necessarily extend as far as personal data as defined by the Data Protection Act, but rather a user’s browsing habits and certain of their activity around the web.

So what should I do?

The truthful answer to that question is “nobody really knows”. This change in the law has been a long time coming yet guidance is still somewhat sketchy. The Information Commissioners’ Office (“ICO”) recently published its guidance; the substantive elements of which are incorporated in this information. Commentators from within the industry and many lawyers have also offered speculative guidance.

There are, at present, two principal schools of thought. The first suggests that a user opts-in and gives consent to cookies simply by virtue of their internet browser’s privacy settings. In other words, nothing changes from the current opt-out system. The EU Regulation which implements the new law tells us that this may be acceptable, yet the Directive upon which the Regulation is based says nothing of it.

The principle problem with this argument is that many internet users do not even know what a cookie is, let alone how to adjust their privacy settings. Therefore informed consent (or even implied) is hardly being given as required by the law. Clearly many users do not know how to opt-out; hence those same users cannot possibly have wilfully and knowingly opted-in. The ICO’s guidance, and indeed that provided by many other commentators suggests that, at least at this stage, browser settings may not be enough.

The second school of thought suggests that any websites providing cookies which do not fall within the exceptions outlined above must provide some form of pop-up or landing page expressly requesting consent. Unfortunately, immediate issues arise here too. From a website owner’s perspective this has the potential to incur the cost of hiring web developers to update their websites and, from a user’s perspective, the internet is already plagued with intrusive pop-ups which, in turn may have a negative impact on the website’s traffic. “Do we really need even more pop-ups?” “And what is a tracking cookie anyway?” “Who is this third party?” “Is it watching me?” “Is this violating my privacy?” “Maybe I shouldn’t use this website” “Yes, I’ll go somewhere else that’s safe”.

Indeed the potential for annoyance and confusion is high, as is illustrated somewhat sarcastically (yet also believably) by the following website from David Naylor: EU Cookies Directive Interactive Guide.

One may even go so far as to speculate that it would not be long before more knowledgeable internet users begin to develop “cookie consent pop-up killer” browser extensions in order to speed up and clean up their browsing experience. Notwithstanding these obvious and annoying real-world implications, the majority of legal (as opposed to technical) commentators seem to suggest that this is the preferred option.

How viable is the browser option?

Questionably so. The latest browsers are making it easier to block unwanted cookies whilst continuing to allow those which are important (and unaffected by the Directive), however they still rely upon users having a certain degree of knowledge. That said; certain browsers such as Apple’s Safari (including the mobile versions used on iOS devices) block third party cookies by default. Other mainstream browsers allow the blocking of third-party cookies (whilst continuing to accept first-party cookies so as not to disrupt the functionality of websites), however their default settings, for now at least, allow them. Many speculate that other browsers will soon follow suit (Though one must ask, would Google – a notable user of cookies – actually wish to hamper their own services with their in-house browser, Chrome?).

How viable is the pop-up / landing page option?

That depends upon how tolerant your visitors are. The ICO and other legal commentators have suggested that the browser settings option does not satisfy the requirements of the law whereas the pop-up / landing page option does. The wording of the Regulation notwithstanding, this would certainly appear to be the case as the Regulation’s reference to browser settings must surely be interpreted in light of the fact that, until third-party cookie blocking is the norm, many users will be reluctant to “tinker around under the bonnet”. However with so much emphasis on a positive, uncluttered end-user experience on the internet and a clearly demonstrable end-user dislike for pop-ups and other similar intrusions there is a compelling argument to be made that suggests that users will be more bothered that your website keeps asking them questions than they would be by the fact that advertisements seem to magically know what they are interested in.

And so I should…?

The first step in any case is to ensure that you have an up-to-date, comprehensive privacy policy which describes precisely what cookies your website uses. Moreover, you should ensure that a link to this policy appears on every page of your website. Simply-docs has updated its Website Privacy Policy Template with greater emphasis on third-party cookies and the user’s ability to control which types of cookies are placed on their computers via their browser settings.

If your website only uses cookies placed by you (that is “first party cookies”) which perform or support functions that are integral to your website and the end-user experience, then you need do nothing more.

If your website places third party cookies that track your users’ browsing, this should be made clear in your privacy policy. You should also consider carefully and seriously what you use such cookies for and whether or not they are really necessary for you and/or your users.

As for obtaining consent it is recommended that you simply use good judgement. This law unreasonably, in our opinion, puts businesses between a rock and a hard place and it is certainly proving unpopular with the technical community. Indeed, a Google search for “stupid EU law” reveals many results about this very subject. The ICO’s guidance advises businesses to “decide what solution to obtain consent will be best in your circumstances” which, with respect, is somewhat unhelpful. Moreover, despite including the text of the regulation on page 3 of their guidance, page 5 tells us that “one of the suggestions…is that browser settings are one possible means of getting consent…” seemingly ignoring the text of the Regulation which appears less than two pages prior. The guidance also suggests that most browsers’ settings are not yet sophisticated enough to allow users to block third-party cookies. We would respectfully argue that this is wrong. Browsers do allow the blocking of such cookies; however it is perhaps more their default settings and users’ own knowledge which are a cause for concern.

The ICO guidance represents, at present, the official line on the new EU cookie law. It makes it clear that website owners cannot simply sit back and do nothing; but also suggests that there will be something of a transitional period while everyone (including the government) works out how best to comply with this law.  The ICO guidance is available here.

Strictly speaking, expressly asking for – and obtaining – consent from users prior to letting them into your site is the only way; however given the potential ramifications and end-user reaction to such prompts perhaps the best course of action is to keep such unnecessary cookies to an absolute minimum (or indeed eliminate them altogether), put your privacy policy in plain sight, and advise your visitors to upgrade to the latest version of their browser of choice in order to optimise their experience of your website.

If you must use cookies which could be deemed to be unduly intrusive or unnecessary, then perhaps a one-time pop-up message (itself based upon a cookie which ensures that it will only appear on a user’s first visit) stating that your website uses third party cookies, details of which are included in your privacy policy, and which can be blocked by adjusting their browser’s privacy settings) would be the preferred solution.

It is likely that further commentary will emerge from official, legal and technical sources as the new law settles in after its entry into force on 26th May. Simply-docs will keep you up-to-date with any important developments.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.