[Image: Mozilla Firefox]

A cookie is a small file sent by a website and stored by the user's browser, such as Internet Explorer or Mozilla Firefox. Cookies are used to identify the website user on subsequent visits to the website or, in the case of behavioural marketing, can be used by third-party websites to identify previous browsing habits. For example, a visitor who browses an online shop for socks may subsequently see online ads for socks when visiting unrelated websites.

EU Directive 2002/58 on Privacy and Electronic Communications

The EU directive on data protection and privacy in the digital age is officially titled "Directive 2002/58 on Privacy and Electronic Communications" and is also referred to as the "E-Privacy Directive". Article 5(3) of this directive is the part that applies to the use of cookies and is widely referred to as the "EU Cookie Law". Because an EU directive only requires member states to achieve a particular result, leaving each state to choose its own methods, the directive itself is vague and therefore open to interpretation. This article attempts to highlight how to ensure that your website is compliant with the law, however it is interpreted.

Which Websites Should Comply?

In theory, any business that has a website serving visitors within any EU country is required to comply with the legislation, as implemented in that country, with respect to those EU visitors. This means that even websites operated from the United States that primarily serve Americans must be compliant with this law if any of their visitors reside in an EU country. Since this applies to nearly all websites in existence, we recommend that your website adhere to the EU Cookie Law regardless of your location and target audience. That said, Google.com does not seem to issue a notice of consent to EU-based users as Google.co.uk does, which suggests that Google interprets the law to cover only websites that are primarily operated in the EU or aimed at EU-based users.

Necessary & Unnecessary Cookies

The directive does recognize the general importance of cookies for the functioning of websites, but also warns of the danger they may pose to privacy. The directive therefore does not affect all types of cookies. If a website user requests an online service that requires cookies to function, the website user does not have to give permission for the cookie to be used. An example would be a website user adding a product to their shopping cart: the website would ordinarily have no way of associating that shopping cart with the user without the use of one or more cookies.

However, if a cookie is not strictly necessary for the operation of a website, the website user must give their consent to the website before the cookie is stored by their browser. The user must also be given "clear and comprehensive information" about why the information in the cookie is being stored or accessed. The directive allows users to give consent only once for a website to store cookies in their browser in the future, so long as details of such cookies are included in the information associated with the initial consent.

The UK regulations implementing the e-Privacy Directive state that cookies used for first-party analytics may not require consent from the user. That is, if your website collects non-personal behavioural information about its visitors by the use of cookies, UK regulations state that an adequate privacy policy will suffice. However, most websites use a third-party analytics program, such as Google Analytics, which is not explicitly exempted under UK regulations. This means that in order to ensure your website complies with the EU Cookie Law, we recommend that all websites that take part in a third-party analytics program seek the permission of their website users before storing cookies in their browser.

Implied Consent

According to UK regulations, "Implied Consent" is a valid form of gaining your website users' consent to store cookies in their browser, so long as they understand that their actions will result in cookies being set. The BBC News website, for example, employs a notice informing users that by continuing to use the website their browser will store cookies from the website. Subsequent visits to other pages on the website do not present the notice again, meaning that Implied Consent is taken to have been granted when the website user continued to visit other pages of that website.

[Figure: BBC News cookie compliance notice]

An alternative form of Implied Consent is to continue offering the website user a consent notice until they dismiss it, thereby signifying that consent has been granted. An example of this method of compliance is the UK Google site (Google.co.uk). Since a website would no longer comply with the EU Cookie Law if it is judged that website users did not understand that Implied Consent was given, we recommend that websites employ this method.

Explicit Consent

In many cases of Implied Consent, such as the BBC News website, cookies are stored by the website user's browser by the same page that offers the Implied Consent notice. This means that the user no longer has a chance to opt out of the storage of cookies. Explicit Consent requires that a website user actively opts in to the storage of cookies before any cookies are set. UK regulations suggest that if the website user is providing sensitive information, such as health records, Implied Consent may not be satisfactory, and that the website may serve its users better by using Explicit Consent. While the regulations do not categorically state that Explicit Consent is required for such a scenario, Explicit Consent would ensure that your website users understood that their actions would lead to cookies being stored by their browser.
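The distinction drawn in the Implied Consent and Explicit Consent sections above comes down to two decisions a site has to make on every request: which cookies and scripts may run before consent is recorded, and which visitor action counts as consent. The following is an added example, not code from the original article or from any site it names, showing one way to implement both decisions as a consent gate. The cookie inventory (`cart_id`, `cookie_consent`, `_ga`, `ad_profile`, their purposes and lifetimes) is constructed for the example; a real site would list its own cookies. The gate never sets a non-necessary cookie on the same page that shows the notice, which is the problem the BBC example illustrates.

```javascript
// Added example, not code from the original article: a consent gate that
// records nothing non-essential until consent exists, under either model.
// Cookie names, purposes and lifetimes are constructed for the example.
const COOKIE_INVENTORY = [
  { name: "cart_id",        party: "first", necessary: true,  purpose: "Links the shopping cart to this browser", maxAgeSeconds: 86400 },
  { name: "cookie_consent", party: "first", necessary: true,  purpose: "Records the visitor's consent choice",     maxAgeSeconds: 365 * 86400 },
  { name: "_ga",            party: "third", necessary: false, purpose: "Google Analytics visitor identifier",     maxAgeSeconds: 730 * 86400 },
  { name: "ad_profile",     party: "third", necessary: false, purpose: "Behavioural advertising profile",         maxAgeSeconds: 90 * 86400 },
];

// Which visitor actions record consent under each model: Explicit Consent
// needs an active opt-in; Implied Consent also accepts dismissing the notice.
const CONSENT_ACTIONS = {
  explicit: new Set(["accept"]),
  implied:  new Set(["accept", "dismiss"]),
};

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Consent is "granted" only when our own first-party consent cookie says so;
// anything else (no cookie, unexpected value) is treated as "pending".
function consentState(cookieHeader) {
  return parseCookieHeader(cookieHeader).cookie_consent === "granted" ? "granted" : "pending";
}

// What a page may do on this request. Non-necessary cookies, analytics and
// third-party share widgets wait for consent; the notice is shown on every
// page until consent is recorded, so it never lands on the same page that
// sets the cookies.
function pageDecision(cookieHeader) {
  const state = consentState(cookieHeader);
  return {
    state,
    showNotice: state !== "granted",
    loadAnalytics: state === "granted",
    loadShareButtons: state === "granted",
    allowedCookies: COOKIE_INVENTORY
      .filter(c => c.necessary || state === "granted")
      .map(c => c.name),
  };
}

// Does this visitor action count as consent under the chosen model?
function actionGrantsConsent(mode, action) {
  const actions = CONSENT_ACTIONS[mode];
  if (!actions) throw new Error(`unknown consent mode: ${mode}`);
  return actions.has(action);
}

// Set-Cookie header recording consent. The consent cookie is itself necessary
// (it is how the site remembers the choice), so it may be set without prior
// consent; returns null if the action does not grant consent under the model.
function consentSetCookie(mode, action) {
  if (!actionGrantsConsent(mode, action)) return null;
  const entry = COOKIE_INVENTORY.find(c => c.name === "cookie_consent");
  return `cookie_consent=granted; Max-Age=${entry.maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}
```

On a first visit `pageDecision("cart_id=abc")` reports `showNotice: true` and allows only the two necessary cookies; once the browser presents `cookie_consent=granted`, analytics and share buttons load and the full inventory is allowed. Switching between the two models only changes which action `consentSetCookie` accepts: under `"explicit"` a dismissed notice returns `null` and nothing further is set, under `"implied"` dismissal records consent.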

Information Provision

Whether a website uses Implied Consent or Explicit Consent to adhere to the EU Cookie Law, website visitors must be able to understand what their acceptance of cookies means. UK regulations state that the website user must be provided with "clear and comprehensive" information about why cookies are being stored or accessed. While the EU directive is not specific about what information should be provided, UK regulations state that the information must be "sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so".

Since both the EU directive and the UK regulations are vague, we recommend that you provide as much information as possible. This may involve listing every cookie stored by your website, along with its purpose and longevity. And unless you want your notice of consent to take up your entire homepage, we recommend that you link to a separate page of information from your consent notice.
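A list of cookies with purpose and longevity is only "comprehensive" if it matches what the site actually sets, and that drifts as analytics tags and widgets are added. The following added example (not code from the original article) generates the information page from a cookie inventory and then checks a response's Set-Cookie headers against that same inventory, flagging any cookie the page would fail to describe or whose real lifetime exceeds the stated one. The inventory entries (`session_id`, `cookie_consent`, `_ga`) and the sample Set-Cookie headers in the usage note are constructed for the example.

```javascript
// Added example, not code from the original article. The inventory below is
// constructed for illustration; a site would maintain its own.
const INVENTORY = [
  { name: "session_id",     party: "first", purpose: "Keeps you logged in during your visit", maxAgeSeconds: null },
  { name: "cookie_consent", party: "first", purpose: "Remembers your cookie choice",           maxAgeSeconds: 365 * 86400 },
  { name: "_ga",            party: "third", setBy: "Google Analytics", purpose: "Distinguishes visitors for usage statistics", maxAgeSeconds: 730 * 86400 },
];

// Human-readable longevity; null means a session cookie (removed when the
// browser is closed).
function describeLifetime(maxAgeSeconds) {
  if (maxAgeSeconds === null) return "until you close your browser";
  const days = Math.round(maxAgeSeconds / 86400);
  if (days >= 365) return `${Math.round(days / 365)} year(s)`;
  if (days >= 1) return `${days} day(s)`;
  return `${Math.round(maxAgeSeconds / 60)} minute(s)`;
}

// Render the information page's cookie table (Markdown here; a site would
// feed the same rows into its own template).
function renderCookieTable(inventory) {
  const rows = ["| Cookie | Set by | Purpose | Lifetime |", "|---|---|---|---|"];
  for (const c of inventory) {
    const setBy = c.party === "first" ? "this website" : c.setBy;
    rows.push(`| ${c.name} | ${setBy} | ${c.purpose} | ${describeLifetime(c.maxAgeSeconds)} |`);
  }
  return rows.join("\n");
}

// Parse one Set-Cookie header into { name, maxAgeSeconds }. Max-Age is taken
// directly; an Expires date is converted relative to the current time.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  let maxAgeSeconds = null;
  for (const attr of attrs) {
    const [k, ...rest] = attr.split("=");
    const v = rest.join("=");
    if (k.toLowerCase() === "max-age") maxAgeSeconds = Number(v);
    else if (k.toLowerCase() === "expires" && maxAgeSeconds === null) {
      maxAgeSeconds = Math.round((Date.parse(v) - Date.now()) / 1000);
    }
  }
  return { name, maxAgeSeconds };
}

// Compare the cookies a response would set with the inventory. Each finding
// is something the information page would get wrong if left unfixed.
function auditSetCookies(setCookieHeaders, inventory) {
  const known = new Map(inventory.map(c => [c.name, c]));
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name, maxAgeSeconds } = parseSetCookie(header);
    const entry = known.get(name);
    if (!entry) {
      findings.push({ name, issue: "not listed in cookie information" });
    } else if (entry.maxAgeSeconds === null && maxAgeSeconds !== null) {
      findings.push({ name, issue: "listed as a session cookie but set as persistent" });
    } else if (entry.maxAgeSeconds !== null && maxAgeSeconds !== null && maxAgeSeconds > entry.maxAgeSeconds) {
      findings.push({ name, issue: `lifetime ${maxAgeSeconds}s exceeds stated ${entry.maxAgeSeconds}s` });
    }
  }
  return findings;
}
```

Running `auditSetCookies` over a constructed response that sets `session_id=abc; Path=/; HttpOnly`, `cookie_consent=granted; Max-Age=31536000; Path=/` and `tracker=xyz; Max-Age=86400` returns a single finding for `tracker`, the cookie missing from the inventory; a `_ga` header with a Max-Age above the stated two years produces a lifetime finding instead. Wiring this check into a test run for each page is a cheap way to keep the published list honest.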

Responsibility For Providing Information

The EU directive is not clear about who is responsible for providing information and obtaining consent. While UK regulations clarify that any person operating an online service that uses cookies for their own purposes is responsible, this does not clarify who is responsible for providing information and obtaining consent for certain third-party cookies. For example, the SiteCenter website uses "Like" and "Tweet" buttons to allow website users to share content with friends, and these services may store cookies on the browser of visitors to our website without obtaining consent. Since the directive is vague once again, we recommend that you provide information about any cookie that may be stored as a result of using your website.

[Figure: Facebook]

Conclusion

We have highlighted how vague much of the wording of the EU Directive and UK regulations is. While many organizations interpret the wording loosely, we consider it relatively straightforward for most websites to be compliant with even the most stringent interpretation of the law. Here is a list of our recommendations for compliance:

  • All websites should adhere to the EU Cookie Law.
  • Consent to store cookies on the website visitor's browser is required unless all cookies being stored are necessary to provide a service that the website user has requested, or the only cookies being stored relate to first-party analytics.
  • Use Implied Consent if you are not collecting any sensitive personal information, or Explicit Consent if you are.
  • When seeking Implied Consent, continue to display a notice of consent until it is dismissed by the website user.
  • When seeking consent, either Implied or Explicit, provide information regarding what cookies are, and a list of cookies stored by your website (either first party or third party) along with their purpose and longevity. This can be on a separate page of your website, so long as it is linked to from your notice of consent.
  • When seeking Explicit Consent, do not store any cookies on the website user's browser until consent has been given.

Disclaimer: This article is provided for information purposes only and has not been written by or approved by a legal professional. We must recommend that you seek legal advice before following any advice provided.