A cookie is a small file sent from a website and stored by the website user's browser, such as Internet Explorer or Mozilla Firefox. These files are used to identify the website user on subsequent visits to the website, or in the case of behavioural marketing, can be used by third-party websites to identify previous browsing habits. For example, a website visitor who looks at an online shop for socks might subsequently see online ads for socks when visiting different websites.
In theory, any business that has a website serving visitors within any EU country is required to comply with the legislation with respect to those EU visitors, and that country. This means that even websites operated from the United States that primarily serve Americans must be compliant with this law if any of their visitors reside in an EU country. Since this will apply to nearly all websites in existence, we recommend that your website adhere to the EU Cookie Law, regardless of your location and target audience. That said, Google.com does not seem to issue a notice of consent to EU-based users like Google.co.uk does, which would suggest that they interpret the law to cover only websites that are primarily operated in the EU or aimed at EU-based users.
The directive does recognize the general importance of cookies for the functioning of websites but also warns of the danger they may pose to privacy. The directive therefore does not affect all types of cookies. If a website user requests to use an online service that requires cookies to function, then the website user does not have to give permission for the cookie to be used. An example would be where a website user adds a product to their shopping cart - the website would ordinarily have no way of associating that shopping cart with the website user without the use of one or more cookies.
However, if a cookie is not strictly necessary for the operation of a website, the website user must give their consent to the website before a cookie is stored by their browser. The user must also be given "clear and comprehensive information" relating to why the information in the cookie is being stored or accessed. The directive allows for users to have to give consent only once in order for a website to store cookies in the website user's browser in the future, so long as details of such cookies are included in the information associated with the initial consent.
According to UK regulations, "Implied Consent" is a valid form of gaining your website users' consent to store cookies in their browser, so long as they understand that their actions will result in cookies being set. The BBC News website, for example, employs a notice that informs users that by continuing to use the website their browser will store cookies from the website. Each subsequent visit to any page on the website does not present the same notice, meaning that Implied Consent was granted by the website user when they continued to visit other pages of that website.
An alternative form of Implied Consent would be to continually offer the website user a consent notice until such a time as they dismiss it, thereby signifying their granting of consent. An example of such a method of compliance is Google (UK Site). Since a website would no longer comply with the EU Cookie Law if it is judged that website users do not understand that Implied Consent was given, we recommend that websites employ this method.
In many cases of Implied Consent, such as the BBC News website, cookies are stored by the website user's browser by the same page that offers the notice relating to Implied Consent. This means that the user no longer has a chance to opt out of the storage of cookies. Explicit Consent requires that a website user actively opts in to the storage of cookies before any cookies are set. UK regulations suggest that if the website user is providing sensitive information, such as health records, Implied Consent may not be satisfactory, and that the website may serve its users better by using Explicit Consent. While the regulations do not categorically state that Explicit Consent is required for such a scenario, Explicit Consent would ensure that your website users understood that their actions would lead to cookies being stored by their browser.
Whether a website uses Implied Consent or Explicit Consent to adhere to the EU Cookie Law, website visitors must be able to understand what their acceptance of cookies means. UK regulations state that the website user must be provided with "clear and comprehensive" information about why cookies are being stored or accessed. While the EU directive is not specific about what information should be provided, UK regulations state that the information must be "sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so".
Since both the EU directive and the UK regulations are vague, we recommend that you provide as much information as possible. This may involve listing all specific cookies stored by your website, along with their purpose and longevity. And unless you want your notice of consent to take up your entire homepage, we recommend that you link to a separate page of information from your consent notice.
We have highlighted how vague much of the wording of the EU Directive and UK regulations is. While many organizations interpret the wording loosely, we consider it relatively straightforward for most websites to be compliant with even the most stringent interpretation of the law. Here is a list of our recommendations for compliance:
Disclaimer: This article is provided for information purposes only and has not been written by or approved by a legal professional. We must recommend that you seek legal advice before following any advice provided.