This article aims to give an overview of what is required by the new 2011 EU Directive on the use of internet cookies and how webmasters and businesses may look to satisfy the new rules.
The broad requirements of the Directive for businesses and webmasters are to:
- Provide clear and comprehensive information to users of their website(s) detailing what cookies will be used and how they will be used.
Scope of the Directive
The Directive applies to all cookies except:
- Cookies that are absolutely essential to the working of a service which the user has explicitly requested.
  - e.g., a checkout process which requires the site to remember items in a shopping cart from one screen to another.
- 3rd party cookies, or cookies relating to 3rd party content, must be clearly identified and explained, and a solution will need to be agreed between all parties involved to obtain consent from the user.
Who ultimately has responsibility for 3rd party cookies is, as a rule, somewhat ambiguous, and each case will need to be assessed on its merits. That is not to say that this is an opportunity to avoid the requirements of the Directive. In fact, the use of these cookies may require more communication from each party involved to explain them to, and obtain consent from, the end user.
- The information describing what cookies a site will use and how they will be used must be provided before the user is asked to consent to them being deployed.
- The amount and detail of the information that is provided by a website should reflect the degree to which personal information is gathered and the user’s privacy is affected.
- Once the user has consented to cookies being used for a site, the information and consent request don’t need to be presented again unless new cookies are introduced.
There are a number of possible ways in which sites can satisfy the requirements of the new Directive:
- Pop-up windows which users see when landing on the site (on each visit until they respond)
  - this may cause usability and accessibility issues
- A Terms & Conditions checkbox which is included when a user agrees to the T&Cs whilst, for example, signing up for a new account.
- An additional setting which needs to be turned on, for example, within account portals or against particular pieces of functionality.
- A prompt that the user sees before using a particular feature or piece of functionality on a site.
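The rules above (information before consent, no non-essential cookies until consent is given, and no repeat prompt unless new cookies are introduced) can be expressed as a small consent gate. The following is an added example, not code from the article or from any consent product; the cookie manifest, the category names and the shape of the stored consent record are assumptions chosen for illustration.

```javascript
// Constructed sample manifest of the cookies a site deploys. "essential"
// cookies (e.g. the checkout basket) are exempt from the consent requirement.
const COOKIE_MANIFEST = {
  cart_session: { essential: true,  purpose: "Keeps your basket between checkout pages" },
  analytics_id: { essential: false, purpose: "Measures which pages are visited" },
};

// Deterministic fingerprint of the non-essential cookie names. Adding a new
// non-essential cookie changes it, which invalidates any stored consent.
function manifestVersion(manifest) {
  return Object.keys(manifest)
    .filter((name) => !manifest[name].essential)
    .sort()
    .join("|");
}

// The explanatory text that must be shown to the user BEFORE asking for consent.
function consentNotice(manifest) {
  return Object.entries(manifest)
    .filter(([, cookie]) => !cookie.essential)
    .map(([name, cookie]) => `${name}: ${cookie.purpose}`)
    .join("\n");
}

// The prompt is (re)presented only on a first visit or when the set of
// non-essential cookies has changed since the stored consent was recorded.
function needsConsentPrompt(storedConsent, manifest) {
  return !storedConsent || storedConsent.version !== manifestVersion(manifest);
}

// Record the user's answer against the current manifest version (assumed
// record shape; a refusal is remembered for the same version as well).
function recordConsent(manifest, granted) {
  return { version: manifestVersion(manifest), granted, at: new Date().toISOString() };
}

// Cookies the site may set right now: essential ones always, the rest only
// once consent for the current manifest version has been granted.
function allowedCookies(storedConsent, manifest) {
  const consented =
    Boolean(storedConsent) && storedConsent.granted && !needsConsentPrompt(storedConsent, manifest);
  return Object.keys(manifest).filter((name) => manifest[name].essential || consented);
}
```

In a real deployment the record returned by `recordConsent` would be persisted (for example in a first-party cookie) and `allowedCookies` consulted before any script sets a non-essential cookie.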
The regulations are enforceable in the UK by the ICO, which has the following powers (as per the 2003 Directive):
- To perform an audit of the action that a webmaster has taken to comply with the Directive
- A £1,000 fixed fine for not resolving any breaches that are identified
- In the worst case scenario, a fine of up to £500k.
  - These fines will only apply where serious breaches of data protection covered by the Directive result in extensive or serious damage or distress.
  - but relevant if we are dealing with personal data.
- To request information regarding 3rd party breaches
The EU Directive and ICO regulation have been in place since 26 May 2011; however, the ICO has allowed a lead time of 12 months for webmasters to work on and implement their solutions.
The key dates are as follows:
- 26 May 2011 – 26 May 2012: Demonstrable planning and work should be ongoing to provide a solution.
- 26 May 2012: Solutions must be in place