The EU ePrivacy Directive

The EU ePrivacy Directive came into effect on 25 May 2011. The relevant part of the new directive states:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

Although directives are not themselves pieces of law, they constitute a requirement for EU member states to put laws in place that meet the requirements of the directive. The new directive has become commonly known as ‘The Cookie Law’.

Explained: What does this mean for you and your website?

Before any website is able to store or retrieve any information from a computer, mobile phone or other device, the end user must give informed consent.

Although specific member states have interpreted the directive in widely different ways from each other, there are two consistent themes that run through all of the implementations.

  1. In order for consent to be given, a site visitor must have been provided with clear and comprehensive information about the cookies that are being set on their device, including the purpose and description of each cookie. It is recommended that a separate cookie statement (policy) be drafted detailing all of the cookies in use, their purpose and the data they store.
  2. Cookies defined as ‘strictly necessary’ are considered exempt from this law. Strictly necessary is defined in the directive to mean “cookies for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.

The method by which this consent is given is dependent on the local (country specific) implementation of the directive and includes explicit consent, implied consent, or consent derived from browser settings. The intention of the directive is to increase the privacy of the end user and prevent organisations from obtaining information about people without them knowing about it.

Who is affected?

Whether you’re based in the EU or not, if you sell to or provide information to EU citizens, you must comply with the EU legislation. The location of your hosting platform is not relevant when considering whether you are exempt from this law; it is the location of your site visitor that determines whether a site falls within the legal jurisdiction of the EU.

Each of the EU member states has its own enactment of this law. All of these are based on the same EU directive, but they may differ slightly from each other with regard to the methods of gaining consent and the enforcement action taken against sites which are non-compliant.

Are there any exceptions?

The law allows an exception for cookies that are considered “strictly necessary”. Strictly necessary is defined in the directive to mean “cookies for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”. For example, cookies that are used to remember when something has been added to a shopping basket: these cookies would be implicitly expected by the user for the purpose for which they have visited the site. Another example would be a web based login where cookies are required to provide the requested functionality.

A list of other possible exceptions has been provided by the UK Information Commissioner’s Office (ICO), but it could be applied to most member states.

Activities likely to fall within the exception:

  • A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket.
  • Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested – for example in connection with online banking services.
  • Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers.

Activities unlikely to fall within the exception:

  • Cookies used for analytics purposes, for example to count the number of unique visits to a website.
  • First and third party advertising cookies.
  • Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored.

Are any specific website functions prohibited?

Although no specific website functions or actions have been prohibited by this directive, the Article 29 Working Party made special mention with regards to advertising cookies.

“Behavioural advertising entails the tracking of users when they surf the Internet and the building of profiles over time, which are later used to provide them with advertising matching their interests. While the Article 29 Working Party does not question the economic benefits that behavioural advertising may bring for stakeholders, it firmly believes that such practice must not be carried out at the expense of individuals’ rights to privacy and data protection. Advertising network providers are bound by Article 5(3) of the ePrivacy Directive pursuant to which placing cookies or similar devices on users’ terminal equipment or obtaining information through such devices is only allowed with the informed consent of the users.”

Some of the member states have added specific clauses to their local laws to deal specifically with advertising cookies or cookies storing personal information.

If your website makes use of behavioural advertising or targeted advertising, it is highly recommended that this use is detailed in your cookie statement so that you are being as transparent and compliant as possible.

Becoming Compliant

Becoming compliant should not be seen as a penalty or an arduous task. It should be embraced as an opportunity to review your web estate to ensure that you understand fully what you are publishing to the internet and exactly how it works.

There are a number of compelling reasons to ensure that your website estate is compliant with the new laws.

  1. Legal Compliance – It is important to be able to demonstrate that your business takes legal compliance seriously and that as a business you take every step necessary to act in accordance with all prevailing legislation. Failing to comply with one law may well raise questions over your compliance with all and any other laws.
  2. Protect against fines – Being compliant will help your business protect itself against possible fines for non-compliance. For example, the current maximum fine for non-compliance in the UK is £500,000 and in Portugal it is 5 million euros.
  3. Brand Trust – Your brand is one of the most valuable assets that your business has, and the trust your customers place in that brand is very important. Being open, honest and transparent with your customers about how your site functions and the type of information that you record and store about them will assist in maintaining this trust.
  4. Mitigate user confusion – By applying a unified solution across your web estate you will help mitigate any confusion on the part of your users. They will have a clear and informed understanding of how their information is handled.

The Compliance Journey

There are 5 key steps to take in order to achieve a compliant website or web estate. Each step needs to be carried out in sequence. Doing so will greatly assist in gaining compliance, give your business a much clearer understanding of its web presence, and give your customers a clear understanding of how their data is treated, which in turn will bolster your brand and the trust your customers place in it.

  1. Assess your web estate – understand what’s out there. Look at the functionality that is provided via your website, look at the technologies that are in use and ensure that you fully understand what is on your web estate, why it is there and what impact it has on the users.
  2. Thoroughly audit websites. This should be in the form of a comprehensive audit of your website, checking what cookies are being used and also why. You should analyse which cookies are strictly necessary and which ones are not.
  3. Report the cookies in use – offering appropriate information. Create a specific cookie statement (or policy), which details all of the cookies that are in use on the site. This should be “clear and comprehensive information” about the cookies, their purpose and the type of information that they store. It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other.
  4. Remove unwanted, unknown and unnecessary cookies. This is an opportunity to ‘clean up’ your web estate and stop using any cookies that are unnecessary or which have been superseded as your estate has evolved. Any cookies that are not “needed” by your site should be removed. Update your cookie statement as required when removing cookies to ensure that it stays up to date.
  5. Achieve agreement on the setting of cookies. Decide on the method by which you will gain consent from your visitors, and ensure that the solution you use is compliant with the regional laws of the countries in which you do business.
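
The audit in step 2 and the clean-up in step 4 amount to the same mechanical check: list every cookie the site and its embedded third parties set, and compare that list with what the cookie statement declares. The script below is an added example (it is not code from this page or from any vendor named on it) of that check run over captured Set-Cookie headers. The site host shop.example, the third-party host ads.tracker.example, the cookie statement and the captured responses are all constructed sample data; in practice you would feed it the headers recorded by a crawl of your own estate.

```javascript
// Added example (not code from the original page or from any vendor it names):
// a minimal first-pass cookie audit of the kind steps 2 and 4 call for.
// The site host, the cookie statement and the captured responses below are
// constructed, hypothetical sample data.

const SITE_HOST = 'shop.example'; // hypothetical first-party host of the audited site

// Hypothetical cookie statement: the cookies the site *declares*, with their category.
const COOKIE_STATEMENT = {
  session_id: { category: 'strictly necessary', purpose: 'Keeps the user logged in' },
  basket:     { category: 'strictly necessary', purpose: 'Remembers items in the shopping basket' },
  _ga:        { category: 'analytics',          purpose: 'Counts unique visits' },
};

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become `true`.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq).trim(),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// A cookie is first-party if its host is the site host or a subdomain of it.
function isFirstParty(host, siteHost) {
  const h = host.replace(/^\./, '').toLowerCase();
  return h === siteHost || h.endsWith('.' + siteHost);
}

// Walk captured responses (origin host + Set-Cookie headers) and build one
// audit record per cookie: who sets it, how long it lives, whether it is
// protected, and whether the cookie statement declares it at all.
function auditResponses(responses, siteHost = SITE_HOST, statement = COOKIE_STATEMENT) {
  const records = [];
  for (const { origin, setCookie } of responses) {
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      const host = c.attributes.domain || origin;
      const declared = statement[c.name];
      records.push({
        name: c.name,
        host,
        party: isFirstParty(host, siteHost) ? 'first' : 'third',
        lifetime: ('max-age' in c.attributes || 'expires' in c.attributes) ? 'persistent' : 'session',
        secure: c.attributes.secure === true,
        httpOnly: c.attributes.httponly === true,
        category: declared ? declared.category : 'undeclared',
      });
    }
  }
  return records;
}

// Step 4: cookies the statement does not cover must be explained or removed.
function undeclaredCookies(records) {
  return records.filter(r => r.category === 'undeclared').map(r => r.name);
}

// Everything that is not strictly necessary needs consent before it is set.
function cookiesNeedingConsent(records) {
  return records.filter(r => r.category !== 'strictly necessary').map(r => r.name);
}

// Constructed sample capture: the site's own response plus an embedded third-party request.
const SAMPLE_RESPONSES = [
  { origin: 'shop.example', setCookie: [
    'session_id=9f1c2d; Path=/; Secure; HttpOnly',
    'basket=item42; Path=/; Max-Age=604800; Secure',
    '_ga=GA1.2.123.456; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT',
    'legacy_pref=1; Path=/; Max-Age=2592000', // undeclared: nobody remembers why it is set
  ] },
  { origin: 'ads.tracker.example', setCookie: [
    'uid=abc123; Domain=.tracker.example; Path=/; Max-Age=31536000',
  ] },
];

const AUDIT = auditResponses(SAMPLE_RESPONSES);
if (typeof require !== 'undefined' && require.main === module) {
  console.table(AUDIT);
  console.log('Undeclared cookies:', undeclaredCookies(AUDIT));
  console.log('Cookies needing consent:', cookiesNeedingConsent(AUDIT));
}
```

Two things the audit surfaces that a banner alone never will: the first-party cookie legacy_pref that the cookie statement does not mention (step 4 says remove it or document it), and the third-party uid cookie with a one-year lifetime set from a domain the site does not control, which the statement must describe and which cannot be set before consent in an explicit-consent member state.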

What will happen if I do nothing?

Doing nothing is always an option; however, it is an option that should be avoided. It shows a lack of willingness to be legally compliant and demonstrates a desire to avoid being transparent with your visitors. This will ultimately have an impact on your brand and the trust your customers place in that brand.

In addition, different member states have different levels of penalty for non-compliant websites. In the UK the ICO has the power to fine websites up to £500,000 for non-compliance, and in Portugal the maximum fine is 5 million euros. These are considerable sums of money, but it’s not just the financial penalty that should be taken into consideration.

Consent Options

There are 3 generally accepted options when considering how to gain the consent of the end user of your website.

  • Explicit consent – This is where consent is actively given by the end user BEFORE a cookie is placed onto the end user’s terminal or web enabled device. This is the highest level of compliance that can be achieved. In some member states this is the required level of consent to be legally compliant.
  • Implied consent – A level of implied consent is acceptable in certain member states (including the UK). This is where the user’s acceptance of cookies is implied and cookies can be set before active consent is given. This is normally done via some form of notification window informing the user that cookies are used but without any active consent.
  • Browser settings – The majority of member states do not accept this as a method of gaining consent. This is minimal consent at best and it is recommended that this not be used.

Irrespective of which solution you decide to implement there is a prescribed set of information that must be supplied.

The key part of the legislation is that the consent must be “informed”; that requires you to supply sufficient information to the user to allow them to make a decision. You must also provide appropriate information on how to remove and block these cookies for future visits to your site.

The consent option you select must meet (or exceed) the legal requirements relevant to your location and the specific member state legislation.
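
The practical difference between explicit and implied consent is when a non-essential cookie may be written: never before an active decision in the first case, until the user objects in the second. Strictly necessary cookies are exempt either way, and the user must be able to withdraw consent and have the cookies removed. The following is an added example (not code from this page or from any vendor named on it) of a consent gate that enforces those rules. The cookie registry, the category names and the in-memory Map standing in for the browser cookie store are hypothetical; in a browser the jar would wrap document.cookie.

```javascript
// Added example (not code from the original page or from any vendor it names):
// a consent gate that enforces explicit vs implied consent for non-essential
// cookies. The registry, category names and the Map used as a cookie jar are
// hypothetical; in a browser the jar would wrap document.cookie.

// Hypothetical registry: every cookie the site sets, mapped to its category.
// Anything not listed is unknown and is never set (that is what the audit is for).
const COOKIE_CATEGORIES = {
  session_id: 'strictly necessary',
  basket:     'strictly necessary',
  _ga:        'analytics',
  ad_id:      'advertising',
};

class ConsentManager {
  // mode: 'explicit' (nothing non-essential before an active decision) or
  //       'implied'  (non-essential cookies may be set until the user objects)
  constructor({ mode, categories = COOKIE_CATEGORIES, jar = new Map() }) {
    if (mode !== 'explicit' && mode !== 'implied') throw new Error(`unknown mode ${mode}`);
    this.mode = mode;
    this.categories = categories;
    this.jar = jar;          // name -> value; stands in for the browser cookie store
    this.decisions = {};     // category -> true/false once the user has decided
    this.blocked = [];       // names refused, kept for logging and debugging
  }

  // Record the user's decision for one category. Withdrawing consent also
  // deletes cookies of that category that were already set (relevant in
  // implied mode, where they may have been written before the decision).
  record(category, allowed) {
    this.decisions[category] = allowed;
    if (!allowed) {
      for (const [name, cat] of Object.entries(this.categories)) {
        if (cat === category) this.jar.delete(name);
      }
    }
    return this;
  }

  isAllowed(name) {
    const category = this.categories[name];
    if (category === undefined) return false;            // unknown cookie: never set
    if (category === 'strictly necessary') return true;   // exempt under the directive
    if (category in this.decisions) return this.decisions[category];
    return this.mode === 'implied';                        // undecided: only implied mode proceeds
  }

  // The single choke point that every cookie write must go through.
  set(name, value) {
    if (!this.isAllowed(name)) { this.blocked.push(name); return false; }
    this.jar.set(name, value);
    return true;
  }

  has(name) { return this.jar.has(name); }
}

// Run the same visit under a given mode and report what ended up in the jar:
// cookies written before any decision, then a decision (analytics yes,
// advertising no), then further writes.
function simulateVisit(mode) {
  const cm = new ConsentManager({ mode });
  cm.set('session_id', '9f1c2d');   // strictly necessary: always allowed
  cm.set('_ga', 'GA1.2.1');         // before any decision
  cm.set('ad_id', 'xyz');           // before any decision
  cm.set('tracker_x', '1');         // not in the registry
  cm.record('analytics', true).record('advertising', false);
  cm.set('_ga', 'GA1.2.2');
  cm.set('ad_id', 'xyz2');
  return { cookies: [...cm.jar.keys()].sort(), blocked: cm.blocked };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('explicit:', simulateVisit('explicit'));
  console.log('implied: ', simulateVisit('implied'));
}
```

Both modes end the visit with the same jar (session_id and _ga), but the blocked list shows the difference: in explicit mode _ga and ad_id are refused until the user decides, while in implied mode ad_id is written immediately and only removed when advertising consent is refused. The gate only works if every cookie write, including those made by third-party tags, goes through set(); a tag that is loaded before the decision and writes cookies on its own bypasses it, so in explicit-consent member states the loading of such tags has to be deferred as well.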

How have member states enacted the law?

The following is a summary of how each of the EU member states has enacted the directive into their local law.

EU Member State       Implemented into local law?   Consent Method?
Austria               Yes                           Unclear
Belgium               Yes                           Implied
Bulgaria              Yes                           Implied
Croatia (Non member)  Yes                           Explicit
Cyprus                Yes                           Explicit
Czech Republic        Yes                           Implied
Denmark               Yes                           Implied
Estonia               Yes                           Implied
Finland               Yes                           Browser settings
France                Yes                           Explicit
Germany               No                            Explicit (for personal data)
Greece                Yes                           Explicit
Hungary               Yes                           Browser settings
Iceland               No
Ireland               Yes                           Browser settings
Italy                 Yes                           Implied
Latvia                Yes                           Explicit (for personal data)
Liechtenstein         No
Lithuania             Yes                           Explicit
Luxembourg            Yes                           Browser settings
Malta                 No
Netherlands           Yes                           Explicit (with burden-of-proof)
Norway                No
Poland                Yes                           Browser settings (explicit for targeted ads)
Portugal              Yes                           Explicit
Romania               Yes                           Implied
Slovakia              Yes                           Browser settings
Slovenia              No
Spain                 Yes                           Browser settings
Sweden                Yes                           Browser settings
United Kingdom        Yes                           Implied

Consent Plugins

A number of consent solutions have been created by a number of companies across the EU, with varying levels of success and compliance with the member state laws. Some provide a very specific solution e.g. Google Analytics, others are more generic and try to cover all cookies.

They range from a simple small pop up which tells the end user that you use cookies and little more information, right through to full EU compliant solutions that offer full detailed cookie audits, automated cookie policy creation, centralised management and publishing of your data and optional opt-in/opt-out functionality.

There are in general 3 types of notification that are employed by these plugins.

  1. Banners – This is a section of screen real estate used at the top or bottom of the webpage alerting the end user to the use of cookies on your site.
  2. Pop ups – This is normally a window that is shown in the centre of the web page which alerts the user to the use of cookies on your site. This is sometimes referred to as a lightbox.
  3. Tabs – This is normally a small button or tab placed at the bottom of your website which when clicked will detail the cookie usage on your site.

In general all of these plugins offer the same basic functionality, which is to alert the users to the fact that you use cookies on your site which is a key requirement of the directive.

Depending on the solution they may also be given a link to your cookie policy or even the chance to opt out of cookies.

Note: A plugin, such as a banner, alone does not ensure compliance. Many plugin providers do not provide any site audit capability, and the site owner still needs to run a complete audit of their site. Selecting the right plugin provider, with the ability to audit a site, is key to making sure that you are meeting your legal compliance needs.

Why are banners good?

Banners have become the most commonly used solution to informing site visitors that a site sets cookies. There are a number of reasons for this:

  1. Screen real estate – Banners can be set to inject at the top of a page, so as not to impact the site content, or set to appear over the footer at the bottom of the window.
  2. Informative – A banner gives the opportunity to inform visitors that a site sets cookies and is not considered intrusive to the visitor journey.
  3. Future integration – The Cookie Report banner integrates with our auditing and consent management capability. Once the banner is on a site, any changes to the policy, in response to site changes or compliance requirements, can be handled at the backend without impacting the site.

The most important aspect regarding the use of banners / pop ups is that users do not consider them to be intrusive to the visitor journey.