An Introduction to Cookie Compliance

Introduction | Cookie Compliance Regulation

A recent amendment to the EU’s Privacy and Electronic Communications Directive, brought into force on 26th May 2011, has significant implications for the way that cookies are used on websites.

In essence, it requires that companies actively obtain the consent of their users before storing cookies (and similar technologies for storing information) on their access devices (for example, laptops and PCs).

Previously the rule on cookies was essentially that you had to:

(i) tell people how you use cookies
(ii) tell them how they could opt out if they objected.

Compliance with that rule was typically achieved by making general information about how cookies are used available in a Privacy Policy and detailing how to ‘opt out’ if desired.

This generally led to a state of ‘passive’ acceptance of cookies by users. In other words, users had to actively object, i.e. by opting out; otherwise their acceptance of the cookies was implied. This is no longer the case.

Who Needs to Act?

It is clear that this new legislation places the burden of compliance on those collecting the data (i.e. the companies obtaining the data via cookies on their websites) and not on the providers of the data (i.e. the users).

The EU law states that:

“Member States shall ensure that the storing of information… in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”

This was also made clear by European Justice Commissioner Viviane Reding in a speech to the European Parliament:

“I want to explicitly clarify that people shall have the right – and not only the possibility – to withdraw their consent to data processing. The burden of proof should be on data controllers – those who process your personal data. They must prove that they need to keep the data, rather than individuals having to prove that collecting their data is not necessary.”

Complexities – Not All Cookies are Created Equal

The task of ensuring compliance is made significantly harder for companies by the simple fact that most have no idea exactly how many cookies they are setting or what each of them is for.

The legislation itself does not view all cookies as equal. Some are recognised as being essential for the service (“strictly necessary”), such as a cookie that ensures items you place in your shopping basket remain there. At the other end of the scale, there are Third Party Cookies. For example, if your website displays content from a third party (e.g. from an advertising network), that third party may read and write its own cookies on “your” users’ devices. For obvious reasons, the process of identifying and categorising these cookies is potentially a huge challenge even before getting to the stage of ensuring that the user is aware of what is being collected and by whom.

Am I Intruding?

The new rule is intended to add to the level of protection afforded to the privacy of internet users. It follows that the more intrusive your use of cookies is, the more priority you will need to give to considering changing how you use them. For example, some cookies are used to build detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that this could be considered intrusive behaviour.