How-to: Compliance with EU Cookie Regulation

As stated in an earlier blog post, the contents of this column should in no way be taken as sound legal advice. Or legal advice of any kind.

In an attempt to demonstrate that it was serious about data privacy (and having nothing to do with court proceedings against Google in the EU), over the summer Google sent out a letter to users of its AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange products:

Dear Publisher,
We want to let you know about a new policy about obtaining EU end-users’ consent.

It clarifies your duty to obtain end-user consent when you use products like Google AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange.

Please ensure that you comply with this policy as soon as possible, and not later than September 30th, 2015.

To recap, in 2009, the EU amended the 2003 directive on electronic privacy to include provisions for the use of cookies on web sites. The cookie law went into effect in the United Kingdom in May 2012 with the threat of stiff penalties (£100,000) for non-compliance. This is the legislation under which various test cases were filed.

The Information Commissioner’s Office (ICO) is the UK government agency responsible for data protection, consumer privacy, and information security. However, the ICO hasn't appeared too keen on enforcing the legislation; there are no 'patrols', no 'ticketing' or issuing of fines, no quotas and no targets.

Instead, the ICO only responds to specific complaints filed by the public through its formal reporting procedure. And according to the ICO's own figures, the overwhelming majority of cookie complaints are, in fact, vexatious, personal, and time-wasting complaints by business rivals and disgruntled customers, with little or nothing to do with the use of cookies on websites. So far no-one in the UK has received more than a formal letter from the ICO.

ICO - Action Taken (from the ICO website)
"Between January to March 2015, we received 39 concerns reported about cookies via our website. In the same period, individuals used our website to report 37,561 concerns about unwanted marketing communications. The total concerns reported about cookies via our website during the financial year 2014 – 2015 were 164. It is important to note that many of the concerns we received about cookies did not relate to individual sites or provide any information about specific instances of non-compliance.

Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. However, we have maintained a consumer threat level of ‘low’ in this area due to the very low levels of concerns reported by members of the public."

The current cookie rules, enacted in 2011, have been so poorly implemented and enforced (only two companies across the EU received formal penalties) that it is easy to argue they have brought no benefit for consumers' online privacy.

The UK guidelines
The ICO’s implementation guidance requires web sites to:
  • Inform site visitors when a site uses cookies
  • Explain what the non-essential cookies are and what they do
  • Obtain consent to store non-essential cookies on the visitor’s device.
Essential cookies include those that
  • keep you logged in to a web site
  • keep your items in your shopping cart
  • keep your language preference stored.
You do not need to explain or gain consent for essential cookies.

Non-essential cookies include
  • third party advertising beacons
  • social media connections
  • analytics cookies. 
To comply with current cookie legislation, there is no requirement to:
  • use plugins, scripts, pop-ups, drop-downs, overlays or third party services to request or demand consent to accept cookies
  • reject site visitors who decline to accept cookies
  • redirect site visitors rejecting cookies to an external site.
What you DO need is a link to your Cookies and Privacy Policy, which links to your cookie disclaimer. This should be placed somewhere on the persistent page header or footer so it is accessible everywhere on your site, irrespective of where a visitor lands.

The disclaimer itself can be a simple list of the cookies used and what function they serve.

In your cookie disclaimer, you need only advise your site visitors to grant their consent through their individual browser settings. Point to the browser help pages for dealing with cookies; if people have an issue with cookies, they should be empowered to exercise the controls that have been in place since 1998. If that sounds too difficult, suggest browser add-ons like Disconnect.

What's next?
A timetable for reform of the e-Privacy Directive, outlined in a new document from the EU Commission, shows work as "ongoing, expected to end in 2016", riding on the back of the Data Protection Regulation due to complete by the end of 2015.

As ever, the definition of 'consent' under the law is unclear, and 'implied' consent may no longer be sufficient. That suggests that explicit consent may become mandatory, in which case implied consent, or opt-out, will need to be revised as opt-in, and a range of measures defined for site visitors who reject cookies.

What types of cookies would be covered under the revised legislation? There's a scale of privacy invasion for different types of cookies, potentially demanding different responses.

What should happen if a visitor rejects the placement of cookies? Force them to leave the site? Re-direct to a non-cookied version? Continue with reduced functionality (if that's possible)?

And can users respond in the right way? As the ICO points out in its guidance, current browser settings are not in line with the needs of the legislation. While the Do Not Track (DNT) option is now universal, there is no consensus about how sites should respond to DNT requests.

What hasn't yet been made clear is that cookies are not themselves the source of a problem; they are merely carriers of information. The problem with cookies is what organisations choose to do with the information that is returned and stored elsewhere. RC