Reactive
Cookies & EU Law
Introduction
The European Union’s E-Privacy Directive is concerned with
privacy and the confidentiality of information. One of the
main targets of the legislation has been website cookies. This
document examines what the new law says, its implications
and possible solutions. The purpose of this document is to
provide an introduction to the general issues surrounding this
area of law rather than to form the basis of legal advice for a
specific company or website.
1. What are cookies?
Cookies are small pieces of data that a website asks the browser to store and send back with later requests to that site. There are different types of cookies and they are used for a wide range of purposes: storing login state so the user can move around a site without re-entering their credentials on every page, saving information about a user's activities so they can pick up where they left off, holding the contents of a shopping basket, supporting analytics that can improve website usability, saving user preferences, and much else that users find useful. Cookies can, however, also be used against the user's interests. A cookie that carries a persistent identifier lets whoever set it recognise the same browser on every return visit and, if it is set by a third party embedded in many sites, follow the user from site to site; used in that way, cookies act as a form of tracking or spyware.
2. What is the EU law on cookies?
Before we can explain what the law is we need to understand what an EU Directive is. An EU Directive is a legislative act which requires Member States to achieve a particular result without dictating the means of achieving it. This means that the governments of the 27 Member States are free to interpret and implement the Directive differently, so the rules in one country can be stricter than required or phrased differently from those in another; they must simply achieve the result the Directive seeks. (For example, the Dutch implementation requires websites to be able to prove that users have given consent, whereas the UK implementation has no such condition.)
What does the EU Directive on E-Privacy say?
“Member States shall ensure that the storing of information or the gaining of access to
information already stored, in the terminal equipment of a subscriber or user is only allowed on
condition that the subscriber or user concerned has given his or her consent, having been provided
with clear and comprehensive information... about the purposes of the processing. This shall not
prevent any technical storage or access for the sole purpose of carrying out the transmission of
a communication over an electronic communications network, or as strictly necessary in order
for the provider of an information society service explicitly requested by the subscriber or user to
provide the service”. Directive 2002/58/EC, Article 5(3), as amended by Directive 2009/136/EC.
What does that mean for cookies?
Essentially it means that information can only be stored on, or read back from, a user's device with the user's consent. The wording is not limited to HTTP cookies: anything a site stores in the browser for later retrieval falls under it, which is why it is usual to speak of cookies and similar technologies. There are two exceptions, both narrow: storage used solely to carry a communication over the network, and storage that is “strictly necessary” for a service “explicitly requested” by the user. The second might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks “add to the basket”, your site remembers what they chose once they get to the checkout. You would not need to get consent for this type of activity. The exception covers only what the requested service needs, though: an analytics or advertising cookie set on the same page still requires consent.
3. What does the new EU law mean for websites?
Which websites are affected?
The new law affects any website which has users in the EU. It does not matter where the website
is hosted.
What will websites have to do in order to be compliant?
That is the big question, and the answer is not entirely clear yet. There is a whole section below dedicated to possible solutions. One piece of good news is that once consent has been given it does not have to be obtained again on subsequent visits. In practice that means the site must record the decision somewhere it can read back on the next visit, typically in a first-party cookie of its own.
How will the law be enforced?
There are two ways in which a user's rights may be enforced:
1. Firstly, action can be taken by the information commissioner (or equivalent regulator) in a particular country. In this instance the aggrieved individual makes a complaint to the information commissioner, who is obliged first of all to seek an amicable resolution between the parties. If this is not possible the commissioner can make a decision on the case and impose a fine. The maximum fine varies between countries.
2. Secondly, in most countries an individual who has suffered damage as a result of a breach can bring a claim for damages against the person who committed the breach. There is a defence of reasonable care against such a claim. So, for example, if the use of cookies results in someone's bank details being obtained by a third party, there may be a financial loss and a right of action.
4. Possible solutions
One of the most complicating factors of this law is that it is not clear what is expected of website
owners. As of December 2011 the vast majority of websites have not implemented the changes
that the legislation appears to require. Below are some of the solutions proposed:
a. Screen prompts: Of the few websites that have tried to lead on compliance, screen prompts have been the most popular route. These are pop-ups or banners that explain broadly what the cookies are used for and why.
Example: The Information Commissioner's Office, UK
“On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.”
(followed by a tick box labelled “I accept cookies from this site”)
There is a fear that if websites go down this route they will become more static, less personal and ultimately less user-friendly. If users are presented with permission pop-ups on every site they visit, the experience could become very frustrating!
b. Obtaining consent through explicit acceptance of terms and conditions: Where users open
an account or sign in to use services, additional terms about cookie usage could be included.
The user must be given specific information about what they are agreeing to and be provided
with a way to show their acceptance. This is most commonly obtained by asking the user to tick
a box to indicate that they consent to the new terms.
c. Settings-led consent: Some cookies are deployed when a user makes a choice about how
the site works for them. In these cases, consent could be gained as part of the process by which
the user confirms what they want to do or how they want the site to work.
d. Feature-led consent: Some objects are stored when a user chooses to use a particular feature of the site, such as watching a video clip, or when the site remembers what they have done on previous visits in order to personalise the content served to them. Consent can be sought at the point the user chooses the feature.
e. Browsers: The big hope is that browsers will add controls that give users greater say over cookies and, in effect, do the consenting on behalf of every website they visit. This is certainly the easiest solution for website owners. But don't hold your breath! The mostly US-based browser companies make a huge amount of money, directly or indirectly, from behavioural advertising; Mozilla, for example, gets almost all of its income from search partnerships, nearly 90% from Google alone. At the moment most browsers accept cookies by default, so a browser's settings cannot realistically be treated as evidence of the user's consent today. Browser companies will come under increasing pressure to make this a tenable option.
f. Opportunities for start-ups: Necessity is the mother of invention, and some companies have already spotted the cookie laws as an opportunity to make money. CookieQ is one such company. Its solution involves websites signing up and embedding a button it provides, so that users can manage their cookie permissions in one trusted place. Bear in mind that a hosted button of this kind means loading a third party's script into every page of your site; assess it as you would any other third-party script, since it runs with the same access to the page as your own code.
5. What should websites do?
There is a lot of confusion as to what is expected of websites. Companies are understandably reluctant to invest money in making changes while there is hope that such changes will turn out to be unnecessary. Governments understand this situation too and are taking a phased approach. For example, in the UK the provisions were meant to come into force in May 2011, but at the last minute companies were given another year to get their houses in order. To date there has not been much progress despite the delay.
Even though the cookie laws are in a state of drift and confusion, there are certain things that all website owners can (and probably should) start doing now. Information Commissioners have made it clear that they will treat companies who have considered the issues and have a policy on cookies more leniently than those who make no changes to current practice. It is therefore recommended that websites as a minimum take the following steps:
1. Check what types of cookies and similar technologies they use and how they use them: list every cookie set by the site's own pages and by embedded third-party content, with its name, who sets it, its purpose and its lifetime.
2. Assess how intrusive their use of cookies is, from cookies strictly necessary for the service the user asked for, through preference and analytics cookies, to cookies used to track or profile users across sites.
3. Consider which of the solutions above might be best in their particular circumstances.
4. Inform and educate their users about which cookies they use and why.
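As an added example (not part of the original document, nor any vendor's code) of what these steps and the consent options in section 4 look like in practice: a small cookie inventory with a purpose category per cookie, a consent record persisted in a first-party cookie so a returning user is not asked again, and an audit of a response's Set-Cookie headers that flags uncatalogued cookies and non-essential cookies set before consent has been recorded. The cookie names, categories and sample headers are constructed for illustration.

```javascript
// Added example, not from the original document: a consent-gated cookie
// policy and a Set-Cookie audit. Cookie names, categories and the sample
// headers below are constructed for illustration.

// Step 1: inventory every cookie the site sets, with a purpose category.
// "essential" maps to the Directive's "strictly necessary" exception; every
// other category needs prior consent. httpOnly marks cookies that page
// scripts never need to read.
const COOKIE_INVENTORY = {
  sessionid: { category: 'essential', purpose: 'keeps the user logged in', httpOnly: true },
  basket:    { category: 'essential', purpose: 'remembers items added to the basket', httpOnly: true },
  consent:   { category: 'essential', purpose: 'records the consent decision itself', httpOnly: false },
  prefs:     { category: 'preferences', purpose: 'layout and language choice', httpOnly: false },
  _ga:       { category: 'analytics', purpose: 'usage statistics', httpOnly: false },
  adid:      { category: 'advertising', purpose: 'behavioural advertising identifier', httpOnly: false },
};

// Parse one Set-Cookie header into { name, value, attrs }; attribute names
// are lower-cased and valueless attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Steps 2 and 3: decide whether a cookie may be set. consent is the record
// read from the consent cookie ({ analytics, preferences, advertising }
// booleans) or null when nothing has been recorded yet.
function isPermitted(name, consent) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) return false;                       // uncatalogued: never set silently
  if (entry.category === 'essential') return true;
  return Boolean(consent && consent[entry.category] === true);
}

// Persist the user's choices in a first-party cookie so the decision is
// remembered on later visits and the prompt is not shown again.
function consentSetCookie(choices, maxAgeSeconds = 365 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(choices));
  return `consent=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Read the consent record back from a request's Cookie header; null if it is
// absent or unparseable, which the caller treats as "no consent yet".
function readConsent(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const [key, ...valueParts] = part.trim().split('=');
    if (key !== 'consent') continue;
    try {
      return JSON.parse(decodeURIComponent(valueParts.join('=')));
    } catch (e) {
      return null;
    }
  }
  return null;
}

// Audit the Set-Cookie headers of one response against the inventory and the
// consent record. Returns findings; an empty list means the response conforms.
function auditResponse(setCookieHeaders, consent) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    const entry = COOKIE_INVENTORY[cookie.name];
    if (!entry) {
      findings.push({ name: cookie.name, issue: 'not in inventory: categorise it or remove it' });
      continue;
    }
    if (!isPermitted(cookie.name, consent)) {
      findings.push({ name: cookie.name, issue: `${entry.category} cookie set without consent` });
    }
    // Hygiene checks beyond the Directive that a reviewer would flag anyway.
    if (!cookie.attrs.secure) findings.push({ name: cookie.name, issue: 'missing Secure' });
    if (entry.httpOnly && !cookie.attrs.httponly) findings.push({ name: cookie.name, issue: 'missing HttpOnly' });
  }
  return findings;
}

// Constructed sample: a first visit (no consent cookie yet) whose response
// sets an analytics cookie regardless, plus a cookie nobody catalogued.
const FIRST_VISIT_SET_COOKIES = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  '_ga=GA1.2.555; Max-Age=63072000; Path=/; Secure',
  'tracker=xyz; Path=/',
];
const firstVisitFindings = auditResponse(FIRST_VISIT_SET_COOKIES, readConsent(undefined));
// Two findings: _ga set without consent, tracker not in inventory.

// Second visit: the browser returns the consent cookie recorded earlier, so
// analytics may now be set but advertising still may not.
const returningCookieHeader = `${consentSetCookie({ analytics: true, preferences: true, advertising: false }).split(';')[0]}; sessionid=abc123`;
const returningFindings = auditResponse(['_ga=GA1.2.555; Path=/; Secure', 'adid=77; Path=/; Secure'], readConsent(returningCookieHeader));
// One finding: adid (advertising) set without consent.
console.log(JSON.stringify({ firstVisitFindings, returningFindings }, null, 2));
```

The inventory is the artefact step 1 asks for, the category is the intrusiveness assessment of step 2, and the audit can be run in a test suite against real responses from a staging site so that a newly added third-party script that starts setting cookies shows up as "not in inventory" before it reaches users.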
Further Reading
http://www.malcolmcoles.co.uk/blog/eu-cookie-law-examples-of-sites-already-implementing-it/
http://blogs.computerworlduk.com/management-briefing/2011/09/businesses-risk-crumbling-without-better-eu-cookie-law-guidance/index.htm
http://blog.baycloudsystems.com/journal/2011/9/13/an-opt-in-cookie-policy-is-good-for-consumers-and-brands.html
http://www.francisdavey.co.uk/2011/05/restraining-cookies-new-privacy-rules.html
About Reactive
Reactive is an award-winning digital agency specialising in strategy, creative, technology and
marketing with over 90 staff across our five offices in Melbourne, Sydney, New York, London
and Auckland.
Please contact us to discuss your online communication requirements.
Melbourne
Ph +61 (0)3 9415 2333
Fax +61 (0)3 9415 2399
Email melbourne.enquiries@reactive.com
Sydney
Ph +61 (0)2 9339 1001
Fax +61 (0)2 9380 4787
Email sydney.enquiries@reactive.com
New York
Ph +1 (917) 655 8790
Email us.enquiries@reactive.com
London
Ph +44 (0)20 7550 8200
Fax +44 (0)20 7550 8254
Email uk.enquiries@reactive.com
Auckland
Ph +64 (0)9 309 5696
Email nz.enquiries@reactive.com