What the New EU Directive on Cookies Means for Webmasters

This article aims to give an overview of what is required by the new 2011 EU Directive on the use of internet cookies and how webmasters and businesses may look to satisfy the new rules.

Overview
The general remit of the original EU Directive, the Directive on Privacy and Electronic Communications, which dates from 2003, is to tackle data protection in digital/electronic media. The 2011 update particularly concerns the appropriate use of cookies. In the UK the Directive is enforced by the Information Commissioner's Office (ICO).

The broad requirements of the Directive for businesses and webmasters are to:

  • Provide clear and comprehensive information to users of their website(s) detailing what cookies will be used and how they will be used.
  • Obtain consent to the use of cookies from each user before deploying them, having provided the above information.

Scope of the Directive

The Directive applies to all cookies except:

  • Cookies that are absolutely essential to the working of a service which the user has explicitly requested.
    • e.g., a checkout process which requires the site to remember items in a shopping cart from one screen to another.
  • 3rd party cookies or cookies relating to 3rd party content which must be clearly identified and explained and will require a solution to be found between all parties involved to obtain consent from the user.

Who will have the ultimate responsibility for 3rd party cookies as a rule is a little bit ambiguous and each case will need to be assessed on its merits. That is not to say that it is an opportunity to avoid the requirements of the Directive. In fact the use of these cookies may require more communication from each party involved to explain and obtain consent from the end user.

The Rules

  • The information describing what cookies a site will use and how they will be used must be provided before the user is asked to consent to them being deployed.
  • The amount and detail of the information that is provided by a website should reflect the degree to which personal information is gathered and the user’s privacy is affected.
  • Once the user has consented to cookies being used for a site, the information and consent request don’t need to be presented again unless new cookies are introduced.
  • An opt-out or similar ‘failure to object’ does not equate to consent. The only exception here is if consent is sought/included as part of a broader process which itself explicitly requests consent. For example, a user signs up to a service and it is explained to the user that by doing so they are consenting to the use of cookies.

Potential Solutions

There are a number of possible ways in which the sites can satisfy the requirements of the new Directive:

  • Pop up windows which users see when landing on site (on each visit until they respond)
    • this may cause usability and accessibility issues
  • A Terms & Conditions checkbox which is included when a user agrees to the T&Cs whilst, for example, signing up for a new account.
  • An additional setting which needs to be turned on, for example, within account portals or against particular pieces of functionality.
  • A scrolling information banner which appears on landing pages to inform the user that cookies are not turned on and that they should visit another page (e.g., Privacy Policy) for more information and to turn them on.
  • A prompt that the user sees before using a particular feature or piece of functionality on a site.

In any case, webmasters should look to streamline and monitor the use of cookies on their site to reduce the risk of a breach and/or the layers of consent and information that are required across the site.
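The consent mechanisms listed above all reduce to the same server-side decision: a cookie that is strictly necessary may be set immediately, any other cookie is withheld until the user has been shown what it is for and has actively agreed, and the notice need only reappear when a cookie with a new purpose is introduced. The following is an added example, not code from the article or from the ICO; the cookie names, purposes and descriptions in the registry are constructed for illustration, and the consent record format is an assumption.

```javascript
// Consent-gated cookie deployment, modelling the rules in the text:
//  - "strictly necessary" cookies never need consent;
//  - every other cookie is withheld until its purpose has been consented to;
//  - consent is recorded per purpose, so the notice is re-shown only when a
//    cookie with a purpose the user has not yet been asked about appears;
//  - a missing record (silence, failure to object) is never treated as consent.
// Registry contents are constructed for this example.
const COOKIE_REGISTRY = {
  session_id:  { purpose: 'strictly-necessary', description: 'Keeps you logged in for this visit' },
  basket:      { purpose: 'strictly-necessary', description: 'Remembers items in your shopping basket' },
  ui_lang:     { purpose: 'preferences',        description: 'Remembers your language choice' },
  _ga_example: { purpose: 'analytics',          description: 'Measures page visits in aggregate' },
  ad_profile:  { purpose: 'advertising',        description: 'Builds a profile for targeted ads' },
};

// Purposes covered by the "strictly necessary" exemption.
const EXEMPT = new Set(['strictly-necessary']);

// Assumed consent record shape (e.g. stored server-side against the account, or
// in a first-party consent cookie): { decidedPurposes: { analytics: true, advertising: false }, decidedAt }
// A purpose absent from decidedPurposes means the user has not yet been asked.

function mayDeploy(cookieName, consentRecord) {
  const entry = COOKIE_REGISTRY[cookieName];
  if (!entry) return false;                 // unknown cookie: inventory it first, never set it blindly
  if (EXEMPT.has(entry.purpose)) return true;
  const decided = consentRecord && consentRecord.decidedPurposes;
  if (!decided || !(entry.purpose in decided)) return false; // not asked = no consent
  return decided[entry.purpose] === true;   // only an explicit "true" counts
}

// Purposes the user has never been presented with. A non-empty result means the
// information notice must be shown before those cookies can be deployed.
function purposesNeedingNotice(consentRecord) {
  const decided = (consentRecord && consentRecord.decidedPurposes) || {};
  const pending = new Set();
  for (const { purpose } of Object.values(COOKIE_REGISTRY)) {
    if (!EXEMPT.has(purpose) && !(purpose in decided)) pending.add(purpose);
  }
  return [...pending].sort();
}

// The "clear and comprehensive information" lines for a set of purposes.
function noticeFor(purposes) {
  return Object.entries(COOKIE_REGISTRY)
    .filter(([, e]) => purposes.includes(e.purpose))
    .map(([name, e]) => `${name} (${e.purpose}): ${e.description}`);
}

// Record the user's decision. Anything other than boolean true is stored as a refusal,
// so a pre-ticked box or a string value can never be mistaken for consent.
function recordDecision(consentRecord, purpose, accepted) {
  const prev = (consentRecord && consentRecord.decidedPurposes) || {};
  return {
    decidedPurposes: { ...prev, [purpose]: accepted === true },
    decidedAt: new Date().toISOString(),
  };
}

// Split the cookies a page wants to set into those that may be set now and those withheld.
function filterCookies(wanted, consentRecord) {
  const allowed = wanted.filter((n) => mayDeploy(n, consentRecord));
  const withheld = wanted.filter((n) => !mayDeploy(n, consentRecord));
  return { allowed, withheld };
}

// Walk-through: a first visit, then decisions recorded one purpose at a time.
let record = null;
console.log('notice needed for:', purposesNeedingNotice(record));
console.log(noticeFor(purposesNeedingNotice(record)).join('\n'));
console.log(filterCookies(['session_id', 'ui_lang', 'ad_profile'], record));
record = recordDecision(record, 'preferences', true);
record = recordDecision(record, 'analytics', true);
record = recordDecision(record, 'advertising', false);
console.log('notice needed for:', purposesNeedingNotice(record));
console.log(filterCookies(['session_id', 'ui_lang', 'ad_profile'], record));
```

Because the gate is keyed on purpose rather than on cookie name, adding a second analytics cookie later does not trigger a new notice, whereas introducing a cookie with a purpose nobody has been asked about does, which matches the rule that the notice is repeated only when new cookies are introduced.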

Enforcement

The regulations are enforceable in the UK by the ICO, which has the following powers (as per the 2003 Directive):

  • To perform an audit of action that a webmaster has taken to comply with the Directive
  • £1,000 fixed fine for not resolving any breaches that are identified
  • (In the worst case scenario) A fine of up to £500k.
    • These fines will only apply where serious breaches of data protection covered by the Directive result in extensive or serious damage or distress.
    • They are, however, relevant wherever personal data is being handled.
  • Request information regarding 3rd party breaches

Timeline

The EU Directive and ICO regulation have been in place since 26 May 2011; however, the ICO has allowed a lead time of 12 months for webmasters to work on and implement their solutions.

The key dates are as follows:

  • 26 May 2011 – 26 May 2012: Demonstrable planning and work should be ongoing to provide a solution.
  • 26 May 2012: Solutions must be in place

Internet Privacy 2010 – “Super Cookies” and the Global Debate

The concern and debate about the ethical issues of a third party tracking and selling PC users' online habits is not new in the Internet age. Yet the debate on personal Internet privacy is dramatically heating up in 2010 and gaining worldwide attention from civic and governmental organizations around the globe. The impetus for renewed focus on standardized levels of consumer online privacy is largely fueled by new technologies in cookie tracking tools that are garnering a name for themselves in some industry circles as “super cookies.”

To understand the latest round in the online privacy debate we must first get a brief, non-technical overview of what a super cookie is and how it differs from a standard browser cookie. The standard browser cookie is familiar to most PC users. It is a non-viral small piece of text that is stored on a user’s computer by a web browser, primarily for authentication, session tracking, user preferences, shopping carts, etc., but it also allows for the capture of personal information and preference data. Web bugs are particularly sneaky cookies that can be deposited on your PC through your browser or via a small 1×1 pixel graphic that can be embedded in a document or email that someone sends to you. Standard browser cookies are, for the most part, easy to identify and delete, if desired, through your browser’s cookie management tools.

The new breed of super cookie transcends traditional environments and can be used for the same good or questionable purposes. What really differentiates a super cookie from a standard cookie is how they go about tracking a user’s online activity, what they are storing, and the difficulty in identifying and managing a super cookie. Today’s super cookies are synonymous with Adobe Flash and Microsoft Silverlight cookies, which are browser independent.

According to a WIRED.com article I read recently about a UC Berkeley report on Internet privacy, the phenomenal explosion of non-browser cookies created via tools such as Adobe Flash and Microsoft Silverlight should give us pause for thought. The article cites from the report that “More than half of the Internet’s top web sites use Flash cookies to track users and store information about them.”

Adobe Flash software is estimated to be installed on roughly 98% of personal computers. So, when you visit a site like YouTube you’re likely using a multi-media tool like Adobe Flash that can deposit a cookie on your system each time you visit. The cookie is not actually in your browser where you could normally find and delete it. They are browser-independent so even if you switched your browser, that cookie would still be on your system, following your next online visit and accumulating an ongoing profile of your habits. What is most alarming is that few sites acknowledge use of Flash in their privacy statements.

The fundamental concern is how much of anyone’s online habits can be stored for behavioral targeting and contextual online advertising when the user is unaware of how and what is being tracked, especially when the user believes he is taking adequate steps to protect his privacy. Globally, the question on the table is “Who regulates the tracking and selling of personal and online purchase data?”

With the proliferation of super cookies, industry and government regulation is evolving as an agenda topic in the debate on Internet privacy as it relates to stored online activities. The “Do not call” telemarketing database protection of several years ago (and unsolicited FAX many more moons previously) is actually working to a great extent. It’s not flawless but it does offer consumers some level of protection against invasion of privacy. The same applies to the CAN-SPAM laws for opting out of a company’s unsolicited email. It’s not OK to call me during dinner time if I explicitly ask not to be. Similarly, if I opt out of a company’s email solicitations, I should expect no more emails from that company within a reasonable timeframe that allows the company to flag me as “no email” in their database. Yet now, our online habits are being tracked, bought and sold without our knowledge and subtly re-sold back to us in the way of our next “suggested” site visit or “contextual ad.”

The consumer privacy ramifications of super cookies are already on the radar for the Federal Trade Commission (FTC), many U.S government State offices, and global Internet privacy organizations. It will be interesting to follow the outcome of the recent FTC roundtable debates on this topic held in California in January 2010. Also, let’s see how Barbara Anthony, the Undersecretary of Consumer Affairs in Massachusetts may break ground with her declaration that she wants similar consumer online data protection in her home state by March 1st. All we ask for when it comes to our online privacy is somewhat of a gentlemen’s agreement relative to disclosure and recourse. We just want a level playing field, regulated by the industry or the government that protects us in an age of unscrupulous big business practices, identity theft and invisible personal data collection.

On the technology side, we know that there will be vast increases in the code and practices that spawn viruses and malware and spam. We also know that creative good-guy vendors will stay pretty close to the heels of the bad guys who create these vile things. But super cookies aren’t coming from bad guys in an unidentified location. They’re coming from large companies with heavy ties to the industry and deep-pocket access to government lobbyists.

The online user is at a disadvantage because super cookie management technology seems to be largely in its infancy. Even if there is government or industry self-regulation in the coming months and years, the user needs a comprehensive tool to auto manage and manually adjust all types of permissible and non-permissible cookies according to their personal data protection requirements. With all the renewed global discussion about online privacy, especially since the recent proliferation of super cookies, 2010 will likely be a watershed year for positive changes in online consumer protection.

An Introduction to Cookie Compliance

Introduction | Cookie Compliance Regulation

A recent amendment to the EU’s Privacy and Electronic Communications Directive, brought into force on 26th May 2011, has significant implications for the way that cookies are used on websites.

In its essence, it requires that companies actively obtain the consent of their users for storing cookies (and similar technologies for storing information) on their access devices (for example, laptops and PCs).

Previously the rule on cookies was essentially that you had to:

(i) tell people how you use cookies
(ii) tell them how they could opt out if they objected.

Compliance with this regulation has typically been achieved through making available general information about how the cookies are used in a Privacy Policy and detailing how to ‘opt out ‘ if desired.

This has generally led to a state of ‘passive’ acceptance of cookies by users. In other words, users had to actively object, i.e. by opting out; otherwise their acceptance of the cookies was implied. However, this is no longer the case.

Who Needs to Act?

It is clear that this new legislation places the burden of compliance on those collecting the data (i.e. the companies who are obtaining the data via cookies on their websites) and not on the provider (i.e. the users).

The EU law states that:

“Member States shall ensure that the storing of information… in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”

This was also made clear by European Justice Commissioner Viviane Reding in a speech to the European Parliament:

“I want to explicitly clarify that people shall have the right – and not only the possibility – to withdraw their consent to data processing. The burden of proof should be on data controllers – those who process your personal data. They must prove that they need to keep the data, rather than individuals having to prove that collecting their data is not necessary.”

Complexities – Not All Cookies are Created Equal

The task of ensuring compliance is made significantly harder for companies by the simple fact that most have no idea exactly how many cookies they are running or what they are all for.

The legislation itself does not view all cookies as equal. Some are recognised as being essential for service (“strictly necessary”), such as a cookie that ensures items you place in your shopping basket remain in there. At the other end of the scale, there are Third Party Cookies. For example, if your website displays content from a third party (e.g. from an advertising network) this third party may read and write their own cookies onto “your” users’ devices. For obvious reasons, the process of identifying and categorising these cookies is potentially a huge challenge even before getting to the stage of ensuring that the user is aware of what is being collected and by whom.
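A practical first step towards the categorisation described above is an inventory built from the Set-Cookie headers a site actually emits, including those sent by embedded third-party content. The following is an added example and not code from the article: it parses each Set-Cookie header, decides whether the cookie is first- or third-party by checking the responding host and any Domain attribute against the site's own registrable domain, and records whether it is a session cookie or persistent (and for how long). The captured responses, hostnames and the reference instant are all constructed for the example.

```javascript
// Cookie inventory from captured HTTP responses. Input shape (constructed):
//   { url: 'https://host/path', setCookie: ['name=value; Attr; Attr=val', ...] }
// such as a proxy, browser devtools export or a crawler would produce.

// Parse one Set-Cookie header into { name, value, attrs } with lower-cased attribute keys.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// True when host is the site's registrable domain or a subdomain of it.
function withinDomain(host, siteDomain) {
  const h = host.toLowerCase().replace(/^\./, '');
  return h === siteDomain || h.endsWith('.' + siteDomain);
}

// Lifetime from Max-Age (takes precedence) or Expires; neither means a session cookie.
function lifetimeOf(attrs, now) {
  if ('max-age' in attrs) {
    const secs = Number(attrs['max-age']);
    if (!Number.isFinite(secs)) return { lifetime: 'session', daysRemaining: null };
    if (secs <= 0) return { lifetime: 'expired', daysRemaining: 0 }; // Max-Age=0 deletes the cookie
    return { lifetime: 'persistent', daysRemaining: secs / 86400 };
  }
  if ('expires' in attrs) {
    const t = Date.parse(String(attrs.expires));
    if (Number.isNaN(t)) return { lifetime: 'session', daysRemaining: null };
    if (t <= now) return { lifetime: 'expired', daysRemaining: 0 };
    return { lifetime: 'persistent', daysRemaining: (t - now) / 86400000 };
  }
  return { lifetime: 'session', daysRemaining: null };
}

// Build one inventory row per Set-Cookie header across all captured responses.
function inventory(captures, siteDomain, now = Date.now()) {
  const rows = [];
  for (const { url, setCookie } of captures) {
    const host = new URL(url).hostname;
    for (const header of setCookie) {
      const { name, attrs } = parseSetCookie(header);
      const domain = attrs.domain ? String(attrs.domain).replace(/^\./, '').toLowerCase() : host;
      // Third party if either the responding host or the declared Domain is outside the site.
      const firstParty = withinDomain(host, siteDomain) && withinDomain(domain, siteDomain);
      rows.push({
        name, setBy: host, domain,
        party: firstParty ? 'first' : 'third',
        ...lifetimeOf(attrs, now),
        secure: attrs.secure === true,
        httpOnly: attrs.httponly === true,
        sameSite: attrs.samesite ? String(attrs.samesite) : null,
      });
    }
  }
  return rows;
}

// Counts by party and lifetime, plus the cookies that need the most attention:
// persistent ones set by third parties.
function summarise(rows) {
  const counts = { first: 0, third: 0, session: 0, persistent: 0, expired: 0 };
  for (const r of rows) { counts[r.party] += 1; counts[r.lifetime] += 1; }
  const thirdPartyPersistent = rows
    .filter((r) => r.party === 'third' && r.lifetime === 'persistent')
    .map((r) => r.name);
  return { counts, thirdPartyPersistent };
}

// Constructed sample: a site on example.com embedding a pixel from example.net.
const SAMPLE_CAPTURES = [
  { url: 'https://www.example.com/checkout', setCookie: ['basket=a1b2; Path=/; Secure; HttpOnly'] },
  { url: 'https://www.example.com/', setCookie: ['ui_lang=en; Max-Age=2592000; Path=/', 'old_pref=; Max-Age=0; Path=/'] },
  { url: 'https://static.example.com/app.js', setCookie: ['cdn_session=xyz; Path=/'] },
  { url: 'https://ads.example.net/pixel.gif', setCookie: ['uid=7f3c; Domain=.example.net; Expires=Wed, 25 May 2016 00:00:00 GMT; Path=/'] },
];
// Fixed reference instant so persistent lifetimes are reproducible (26 May 2011 UTC).
const SAMPLE_NOW = Date.UTC(2011, 4, 26);

const rows = inventory(SAMPLE_CAPTURES, 'example.com', SAMPLE_NOW);
console.table(rows);
console.log(summarise(rows));
```

Rows marked third-party are the ones the text says need agreement between all parties on how consent is obtained; rows marked first-party still need to be mapped to a purpose (strictly necessary or not) before the site's notice can be written.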

Am I Intruding?

The new rule is intended to add to the level of protection afforded to the privacy of internet users. It follows therefore that the more intrusive your use of cookies is, the more priority you will need to give to considering changing how you use them. For example, some cookies involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that this could be considered intrusive behaviour.