We Are Tincan

EU Cookie Directive Update

By Brian 20 May 2012

We're only a few days away from when the EU 'cookie law' is due to be implemented and (as with the last update we posted: 'Cookie Crumb of Relief') it still looks like no one is really any clearer what the actual implications of these regulations are going to be. There's a huge amount of background detail, yet despite that (or maybe because of that) there's also been a significant amount of vague and shifting information (not least from the bodies tasked with leading on how to comply with the directive). Also, ahead of the deadline, solutions from some big brands have begun to appear. Whilst some of the solutions are quite awful, there is also a fair bit of hope and a general expectation that the noise being generated will settle down and a reasonable approach to the directive and general cookie compliance will win out.

As mentioned above, several approaches to compliance have begun to appear. The least attractive (read nuclear) is some form of obtrusive UX intervention - a modal dialogue, status bar and/or warning bar. The ICO themselves have led the way on implementing one such option (see the warning bar at the top of the ICO website). The problem is that there's ample evidence that this obtrusive approach has resulted in a significant (read 90%) drop in website visitors willing to accept a cookie from the ICO website.

What that means (for digital marketers at least) is a potential return to the dark ages: shooting in the dark, not being able to understand who your audience is, let alone being able to measure how improvements and online initiatives are performing, as you lose your (Google Analytics) tracking data.

Fortunately, other less obtrusive and far more human friendly options have also emerged and from soundings coming out of the ICO (and elsewhere), it looks like they'll be compliant too.

So as the deadline approaches the feeling is that (a) simpler solutions will be compliant, plus (and this is equally important) (b) not having a solution implemented for the 26th will be 'ok' (as long as you have it in hand to comply sooner rather than later).

However, before we get there (unfortunately this isn't a 5 minute issue) it's necessary to jump into some of the detailed background info.

'Ok, give me some background to this catchily titled EU directive (Directive 2009/136/EC)'

The cookie law comes from an EU directive (Directive 2009/136/EC) as handed down by the EU to member states to be incorporated into each local legal jurisdiction as law. At the EU level the directive states that a subscriber or website user must be asked to give their informed consent before they receive any cookies from a website.

The EU legislation aims to safeguard privacy online and protect web users from unwanted marketing. Organisations that collect information need to obtain people's agreement, and you have to tell them what you want to do with it.

So the aim is to protect user privacy, and ensure that they are giving informed consent for using their information.

'Who's overseeing this in the UK?'

The ICO (Information Commissioner's Office). In the UK the debate around how to do this has been running for the last twelve months, since the Information Commissioner's Office (ICO) gave UK website owners a year's grace from the original EU implementation date. The ICO are the body responsible for implementation and enforcement of the EU directive in the UK; they already carry out this role in relation to all aspects of data protection in this country.

'Does it matter if my site is hosted outside the UK/EU?'

No. Website owners who fall under the jurisdiction of the ICO in the UK need to comply. If you don't fall under the jurisdiction of the ICO, you don't. It's irrelevant where your servers are; it's about where the website owner is located. Another way of looking at it is that the new EU Cookie Directive applies to any website targeting any country within the EU, and so that obviously includes the UK. So even if a website is hosted outside the UK, it has to comply if its content is aimed at UK users.

'And what have you been doing Tincan?'

Given the ICO's position, they're the most important voice in relation to the new requirements, and as such we've been using their statements as the primary source of information on what's required to comply with the legislation.

We've been working on our response to the introduction of the legislation over the last year. Until recently this has primarily been a watching brief, the reason being that there has been considerable confusion and uncertainty about what compliance might look like. To paraphrase the ICO from a recent article on the subject, this is because 'EU Legislators left the definition of compliance broad (expecting industry to define solutions), and there was no steering on cookie issues. In addition exemptions for strictly necessary cookies were not drawn widely enough.'

As a result, a solution providing consent for cookies is not straightforward.

'Will the ICO use carrots or sticks?'

The ICO have stated that 'they're here to educate and to promote good practice, not slap fines on people'. They will take a risk-based approach to assessing whether to take action in relation to a particular site. They've also said that, as far as they're concerned, they're interested in organisations following the spirit of the law (user privacy protection), not the letter. What's important is that organisations can demonstrate they're showing willing and have a plan for implementation. The ICO don't have an enforcement team that will be actively searching out sites that don't comply; they'll be relying on feedback from users to identify sites that may be a cause for concern.

'What about the deadline - what will happen if my site isn't compliant on May 26th?'

In terms of the timeline, 26th May isn't a hard deadline - large numbers of site owners have been waiting to see what solutions may become available before deciding which route to go. For example, many UK Government websites will not be compliant on 26th May.

'Ok, can you get to the bones of it - what does the actual legislation say?'

Turning to what the legislation states, the requirements are:

  • You need to give clear and comprehensive information, covering each cookie your site sets
  • The user has to give consent; they only need to do this once
  • Browser settings aren't up to the job; new functionality and apps may be developed to provide it (but that won't solve the problem of people using old browsers)
  • Where a cookie is strictly necessary for the operation of the services provided by the site, you DON'T need consent (e.g. the shopping basket on an eCommerce site).

'How do I (as a website owner) get user consent?'

Recently, and in the context of discussion around what constitutes user consent, the ICO has softened its position on the second bullet above (the user has to give consent; they only need to do this once). There are, broadly speaking, two readings of what consent might look like - 'Opt In' and 'Implied Consent'.

Opt In refers to getting site visitors to check a box (or equivalent) to ok the use of cookies on the site - this could extend to having them opt in to each cookie on an individual basis. This needs to happen before a user starts using a site (i.e. before any cookies are written to the user's computer). Industry isn't keen on this, although a number of sites and software providers have developed solutions that provide for it. The risk is that large numbers of users won't understand what cookies are for, and will therefore opt out - essentially disabling large swathes of website functionality. Or they'll simply go elsewhere.

Implied Consent refers to providing clearly signposted information on the cookies in use on the site, with clear explanations of what they do and any personal information they use (this is also required for Opt In). Continued use of the site, given that this information is available, implies the user has given consent for the site's cookie use. To succeed it depends on educating the user community as a whole, which will take time, but it has the significant advantage of not complicating the user's experience by putting pop-ups and checkboxes in their way before they can use the site.

The ICO have said that implied consent may be sufficient to meet the legislation. They've also said that best practice will become evident over time; we'll see where we get as an industry in the next twelve months. They certainly won't penalise anyone who has gone down the implied consent route as long as they're willing to take advice and move to Opt In if that's the direction the industry takes as a whole over time.

'Ok, I think I'm getting it. So what are you recommending in terms of solution and can you help me implement it?'

On the basis of the above (i.e. the ICO having said that implied consent may be sufficient to meet the legislation, etc.), we are recommending an Implied Consent solution to our clients - providing details of individual cookies and their use of personal data on site, clearly signposted to users. We're also putting a plan in place for an Opt In style solution in the event that we need to move to this in future.

'Ok, what does that mean ... practically?'

In practical terms, what this means is that we'll provide details of the cookies in use to each of our clients (for use on a cookie page similar to the privacy policy page you already have), as well as an example of site-wide signposting to the cookie information, which we can help you to set up. We'll have these available to you in the next couple of weeks.

A big brand which has already implemented this approach is John Lewis. They have expanded their existing 'Privacy' statement (to include general information on cookies, what cookies are being used on the John Lewis site, how users can disable them and what it means if users do disable their cookies), changed their link title from 'Privacy' to 'Privacy + Cookies' and placed that link in both the header and footer sitewide on the John Lewis site. It's a relatively simple, straightforward solution and one which, as we say, looks as if it'll be compliant.

'Hang on a minute, I feel a bit cheated - all that noise for what essentially will be an informational page?'

In some ways - yes. There has been an awful lot of noise, vagueness and no small amount of confusion - not helped by a lack of clarity between the EU and UK government, an evolving (read shifting) approach from the ICO, the mashup of legal and technical speak, several different solutions appearing in advance of the deadline and no small amount of scaremongering in some quarters.

'I'm still reading and I want to read more!'

If you do feel so inclined - it might help with the cheated feeling - there's a hefty body of online articles, resources and general reading on the nattily named EU directive (Directive 2009/136/EC) you can avail yourself of - see below.

'Are there any other not-too-obtrusive approaches out there?'

Yep. An alternative approach, which is a bit more involved but still likely to be compliant and still not as obtrusive as the ICO nuclear option, can be seen on a couple of other big brand sites which have just implemented their EU cookie solution, namely:

  • FT.com: http://www.ft.com
  • The Mirror: http://www.mirror.co.uk/

The FT has a pop-up which displays for new visitors, which links to the site's cookie policy, as well as information on how to disable them. Rather than asking customers to opt-in, it assumes consent for setting cookies if users close the window, unless they have already disabled them.

Mirror Online has a smaller pop-up which appears towards the bottom right of the page. The pop-up informs visitors about cookies, and tells users that, by continuing to use the website having seen the message, they're OK with cookies. Unlike the FT approach, where the pop-up remains until users close it, the Mirror's message will vanish after 12 seconds.

Both (the FT and The Mirror sites) require the user to opt in, but the simple act of closing the pop-up suffices - i.e. closing the pop-up assumes consent. One possible drawback of this approach is that it's not clear how adaptive/mobile friendly it is, plus the solution might require JavaScript to be enabled. Additionally it would most likely require more support from your web developer to implement.
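To make the FT/Mirror-style mechanism concrete, and to show how the 'strictly necessary' exemption from the requirements list above fits into it, here is an added example of a small implied-consent gate for the browser. It is not code from Tincan, the FT, the Mirror or John Lewis; the cookie names (`cookie_consent`, `cookie_notice_seen`), the cookie register, the `/privacy-and-cookies` link and the 12-second hide timeout are assumptions. The point a practitioner wants from it is the gate: nothing non-essential (analytics, A/B testing) is written on the first page view, strictly necessary cookies always may be, and consent is recorded either when the visitor closes the notice (FT) or when they continue to a further page having seen it (Mirror).

```javascript
// Added example (not Tincan's, the FT's or the Mirror's code): an implied-consent
// gate. Cookie names, the register, the link URL and the timeout are assumptions.

const CONSENT_COOKIE = 'cookie_consent';    // assumed: set once the visitor has consented
const NOTICE_COOKIE = 'cookie_notice_seen';  // assumed: set when the notice has been shown
const ONE_YEAR = 60 * 60 * 24 * 365;

// Constructed cookie register: the same list that belongs on the site's
// 'Privacy + Cookies' page. Only strictly necessary cookies may be set before consent.
const COOKIE_REGISTER = {
  session_id: { strictlyNecessary: true,  purpose: 'keeps you signed in' },
  basket:     { strictlyNecessary: true,  purpose: 'remembers your shopping basket' },
  _ga:        { strictlyNecessary: false, purpose: 'Google Analytics usage statistics' },
  ab_variant: { strictlyNecessary: false, purpose: 'A/B test variant' },
};

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'yes';
}

// What to do on this page view:
//   'show'    first visit: display the notice and set nothing non-essential
//   'implied' notice already seen and the visitor kept browsing: record consent
//   'hidden'  consent already recorded
function bannerState(cookieString) {
  const c = parseCookies(cookieString);
  if (c[CONSENT_COOKIE] === 'yes') return 'hidden';
  if (c[NOTICE_COOKIE] === '1') return 'implied';
  return 'show';
}

// The one place the rest of the site asks before writing a cookie. Unknown names
// fail closed: add the cookie to the register (and the cookie page) first.
function maySetCookie(name, cookieString) {
  const entry = COOKIE_REGISTER[name];
  if (!entry) return false;
  return entry.strictlyNecessary || hasConsent(cookieString);
}

function consentCookieString() {
  return `${CONSENT_COOKIE}=yes; Max-Age=${ONE_YEAR}; Path=/; SameSite=Lax`;
}

function noticeCookieString() {
  // Session cookie (no Max-Age): if the visitor never continues browsing, the notice
  // re-appears next visit, so consent is never inferred from a single page view.
  return `${NOTICE_COOKIE}=1; Path=/; SameSite=Lax`;
}

// Browser wiring; skipped when the file is loaded outside a browser.
function installBanner(doc, hideAfterMs) {
  const state = bannerState(doc.cookie);
  if (state === 'hidden') return state;
  if (state === 'implied') { doc.cookie = consentCookieString(); return state; }
  doc.cookie = noticeCookieString();
  const bar = doc.createElement('div');
  bar.textContent = 'This site uses cookies. By continuing to browse you agree to their use. ';
  const more = doc.createElement('a');
  more.href = '/privacy-and-cookies';  // assumed location of the cookie information page
  more.textContent = 'Find out more';
  const close = doc.createElement('button');
  close.textContent = 'Close';
  // FT-style: closing the notice records consent immediately.
  close.addEventListener('click', () => { doc.cookie = consentCookieString(); bar.remove(); });
  bar.append(more, ' ', close);
  doc.body.appendChild(bar);
  // Mirror-style: the notice disappears after a while; consent is still only
  // recorded on the next page view (continued use), not by the timeout itself.
  if (hideAfterMs > 0) setTimeout(() => bar.remove(), hideAfterMs);
  return state;
}

if (typeof document !== 'undefined') installBanner(document, 12000);
```

The analytics and A/B-testing scripts are then loaded only when `maySetCookie('_ga', document.cookie)` returns true, which is what keeps the first page view clean; the register doubles as the source for the cookie information page, so the two cannot drift apart.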

References and more reading:
