Introduction | Cookie Compliance Regulation
A recent amendment to the EU’s Privacy and Electronic Communications Directive, brought into force on 26th May 2011, has significant implications for the way that cookies are used on websites.
In its essence, it requires that companies actively obtain the consent of their users for storing cookies (and similar technologies for storing information) on their access devices (for example, laptops and PCs).
Previously the rule on cookies was essentially that you had to:
(ii) tell them how they could opt out if they objected.
This has generally led to a state of ‘passive’ acceptance of cookies by users. In other words, users had to actively object, i.e. by opting out; otherwise their acceptance of the cookies was implied. However, this is no longer the case.
Who Needs to Act?
It is clear that this new legislation places the burden of compliance on those collecting the data (i.e. the companies who are obtaining the data via cookies on their websites) and not on the provider (i.e. the users).
The EU law states that:
“Member States shall ensure that the storing of information… in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”
This was also made clear by European Justice Commissioner Viviane Reding in a speech to the European Parliament:
“I want to explicitly clarify that people shall have the right – and not only the possibility – to withdraw their consent to data processing. The burden of proof should be on data controllers – those who process your personal data. They must prove that they need to keep the data, rather than individuals having to prove that collecting their data is not necessary.”
Complexities – Not All Cookies are Created Equal
The task of ensuring compliance is made significantly harder for companies by the simple fact that most have no idea exactly how many cookies they are running or what they are all for.
The legislation itself does not view all cookies as equal. Some are recognised as being essential for service (“strictly necessary”), such as a cookie that ensures items you place in your shopping basket remain in there. At the other end of the scale, there are Third Party Cookies. For example, if your website displays content from a third party (e.g. from an advertising network), this third party may read and write their own cookies onto “your” users’ devices. For obvious reasons, the process of identifying and categorising these cookies is potentially a huge challenge even before getting to the stage of ensuring that the user is aware of what is being collected and by whom.
Am I Intruding?