Since 24 November last year, the governments of European Union member states have been required to legislate for better electronic privacy, which includes bringing in much more transparency over the use of the cookie.
The way European Union law develops is designed to work as a compromise between having one consistent law for the whole of Europe and allowing for the specific requirements of individual nations. In practice this means that national governments can debate laws before implementing them in a broadly similar manner. Technically, national governments are required to implement European Directives within 18 months of their being signed into European law.
What this leads to is a situation whereby laws such as the Electronic Communications Directive, which was passed by the European Parliament on 24 November last year, will be implemented into national law by individual nations at different times and with different interpretations.
For international website marketers, this situation poses two problems. Firstly, website functioning, and particularly analytics, depends heavily on the use of cookies. Secondly, different requirements for “transparency” may ultimately be needed in different countries.
What The European Law Says
The European Directive explains the situation thus:
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.
The European Directive requires national governments to implement a law as described here:
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
What That Really Means?
So it’s clear that there are certain key issues:
- Europe is concerned that giving easy access to cookies could open the door to malicious access, such as spyware or viruses.
- Users need to be provided with clear and concise information
- How the information is provided should be “User-Friendly”
- An exception exists where the user has requested a service, such as a subscription or a paid-for service
- The user’s consent may be conveyed through browser settings
- Clear information has to be given and the “user concerned has given his or her consent”
Summarising What We’ve Got
What we’ve arrived at is a set of words which are so wide open to interpretation that in the case of this directive, the issue is not the directive itself — but how that directive is implemented locally. It is entirely possible for governments to say that consent must be given via an “opt-in” or via an “opt-out”. The same conundrum existed over email legislation when that was updated some years ago and in fact the European Parliament considered enforcing the “Opt In” approach in this case too.
How The Implementations Can Vary?
This means that the key question for marketers when examining the treatment in different markets is whether a country requires opt-in rather than opt-out. Opt-in means that you cannot load cookies on a user’s computer unless they have previously agreed that you may do so, or they choose to allow it at that point.
Opt-out means that you may continue to use cookies but users must have clear information and have the obvious ability to opt-out.
The UK Implementation Approach
The UK Information Commissioner has provided some guidance to help with the interpretation and application of the coming legislation.
Firstly, the Information Commissioner gives us a real scare story:
Although devices which process personal data give rise to greater privacy and security implications than those which process data from which the individual cannot be identified, the Regulations apply to all uses of such devices, not just those involving the processing of personal data.
The Information Commissioner goes on to say “cookies … must not be used unless the subscriber or user … is provided with clear and comprehensive information about the purposes of the storage … and is given the opportunity to refuse the storage of, or access to, that information.”
The guidance document continues by explaining that, whilst there are no clear instructions on what has to be said, the user has to be given the opportunity to refuse the cookie. The following strong words seem to lead us in a clear direction:
The mechanism by which a subscriber or user may exercise their right to refuse continued storage should be prominent, intelligible and readily available to all, not just the most computer literate or technically aware. Where the relevant information is included in a privacy policy, for example, the policy should be clearly signposted at least on those pages where a user may enter a website.
The guidance also says that the site owner is responsible for the cookies of third parties on its site — including for instance advertisers — and those third parties would ALSO be responsible for providing the information.
In the UK, the attitude towards opt-in or opt-out is that there is actually no requirement in the legislation either way (this means the UK is an opt-out example in practice). The guidance does point to a new area of conflict between an employer’s wish to use cookies for a particular facility and an employee’s right to privacy. (I don’t get that one — how can an employee’s right to privacy on their work computer take precedence over the employer’s wish to perform a certain task?)
So, we can conclude that:
- Arguing that the data is anonymous will not be a sufficient defence for collecting the data or not seeking consent
- The user has to be provided with clear and concise information.
- The opportunity to deny consent has to exist
- There needs to be clear signposting on the page about the use of cookies anywhere where the user may “enter a website”.
- Third party cookies are of equal concern
- Cookies need to be deleted when no longer needed
Best Practice Cookie Code for Pan-European Web Marketers
Here’s what I think marketers targeting the whole of Europe should do:
1. Assume the worst: that the legislation is going to land in its toughest form somewhere. At the moment this means very strong transparency and declaration but opt-out, including in Germany (we will keep a close eye on this one).
2. Provide very clear and concise guidance on which cookies are used and what they are used for, including those from third parties.
3. Provide the cookie guidance on every single landing page.
4. Delete cookies that are not required after a session is complete, and declare any that remain on the user’s computer and for what purpose they remain.
5. Rather than providing only a “Privacy” policy, include a “badge”, perhaps entitled “Cookies Used on This Site”, which lists all cookies in use and what their purpose is.
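The five points above, as an added JavaScript example that is not code from the original post: a consent-gated cookie registry in which every cookie (first- or third-party) must be declared with its purpose and lifetime, only strictly necessary cookies are set without consent, non-essential cookies are cleared at the end of a session, and the same registry produces the text for a “Cookies Used on This Site” badge. The cookie names, purposes, lifetimes and the `example-ads.invalid` partner are constructed for illustration, and `CookieJar` stands in for `document.cookie` so the logic runs outside a browser.

```javascript
// Added example, not code from the original post: a consent-gated cookie
// registry following the five best-practice points above. Every cookie name,
// purpose and lifetime below is constructed for illustration.

// Every cookie the site sets, first- or third-party, is declared here so the
// consent check and the "Cookies Used on This Site" badge read one source.
const COOKIE_REGISTRY = [
  { name: "session_id", purpose: "Keeps you signed in during your visit",
    party: "first", category: "strictly-necessary", maxAgeSeconds: null },
  { name: "basket", purpose: "Remembers items in your basket",
    party: "first", category: "strictly-necessary", maxAgeSeconds: null },
  { name: "_analytics", purpose: "Counts page views for site statistics",
    party: "first", category: "analytics", maxAgeSeconds: 365 * 24 * 60 * 60 },
  { name: "ad_tracker", purpose: "Served by example-ads.invalid to measure ad clicks",
    party: "third", category: "advertising", maxAgeSeconds: 30 * 24 * 60 * 60 },
];

// The directive's exception: only cookies strictly necessary for a service the
// user explicitly requested may be set without consent.
function isStrictlyNecessary(entry) {
  return entry.category === "strictly-necessary";
}

// Stand-in for document.cookie so the logic can run (and be tested) outside a
// browser; in a page you would write document.cookie with a Max-Age instead.
class CookieJar {
  constructor() { this.store = new Map(); }
  has(name) { return this.store.has(name); }
  set(name, value, maxAgeSeconds) { this.store.set(name, { value, maxAgeSeconds }); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

// consent is a Set of category names the user agreed to, e.g. new Set(["analytics"]).
// Returns true if the cookie was set, false if withheld for lack of consent.
// Throws for a cookie that is not declared in the registry (point 2).
function setCookie(jar, name, value, consent) {
  const entry = COOKIE_REGISTRY.find((e) => e.name === name);
  if (!entry) {
    throw new Error(`Undeclared cookie "${name}": add it to COOKIE_REGISTRY first`);
  }
  if (!isStrictlyNecessary(entry) && !consent.has(entry.category)) {
    return false;
  }
  jar.set(name, value, entry.maxAgeSeconds);
  return true;
}

// Point 4: at the end of a session (or when consent is withdrawn) drop every
// cookie that is not strictly necessary. Returns how many were removed.
function clearNonEssential(jar) {
  let removed = 0;
  for (const entry of COOKIE_REGISTRY) {
    if (!isStrictlyNecessary(entry) && jar.has(entry.name)) {
      jar.remove(entry.name);
      removed += 1;
    }
  }
  return removed;
}

// Point 5: one badge line per declared cookie, stating which party sets it,
// its purpose, and how long it remains on the user's computer.
function cookieBadgeLines() {
  return COOKIE_REGISTRY.map((e) => {
    const lifetime = e.maxAgeSeconds === null
      ? "session only"
      : `${Math.round(e.maxAgeSeconds / 86400)} days`;
    return `${e.name} (${e.party}-party, ${e.category}): ${e.purpose}; kept for ${lifetime}`;
  });
}

// Usage: the user consents to analytics only, then the session ends.
const jar = new CookieJar();
setCookie(jar, "session_id", "abc123", new Set());           // true: strictly necessary
setCookie(jar, "ad_tracker", "t1", new Set(["analytics"]));  // false: no advertising consent
setCookie(jar, "_analytics", "v1", new Set(["analytics"]));  // true
clearNonEssential(jar);                                      // removes _analytics
console.log(cookieBadgeLines().join("\n"));
```

Making an undeclared cookie an error rather than a silent default is the point of the registry: a cookie that cannot be listed on the badge cannot be set, so the declaration and the behaviour cannot drift apart.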
Will the Cookie Survive?
Most certainly the cookie has a future, but its use will need to be much more open and transparent from now on. Cookies in general have been abused by some organisations, including tracking systems which leave a cookie behind and continue feeding data after a user’s visit to the original cookie source site has ended.
It is my view that the “Opt-in” will remain the way that cookies are handled, and that if changes on transparency are made and control is taken over third-party cookies, then the cookie will thrive and continue to deliver value in the future.
Andy Atkins-Kruger