The EU Cookie Law

The Privacy and Electronic Communications Directive is a European Union directive on data protection and privacy in the digital age.

What Is the Cookie Law?

It deals with the confidentiality of information, the treatment of traffic data, spam and cookies. The Directive also applies to anything that behaves like a cookie, such as Flash Cookies and HTML5 Local Storage.

The directive introduced several changes in the UK concerning cookies. UK websites now need to gain consent from users before placing cookies on their web browsing devices (PCs, smartphones, etc.). The Information Commissioner’s Office (ICO), which enforces the Data Protection Act, has been tasked with enforcing it.

What Is A Cookie?

A cookie is a small text file sent from a website and stored in a user’s web browser while the user is visiting a site. When the user browses the same website again, the browser sends the cookie back, so the website can recognise the user’s previous activity. A cookie is returned only to the website that set it; other sites on the internet cannot read it.

Cookies can have many functions which include:

  • Staying logged into websites
  • Form filling (e.g. data entered does not disappear when you navigate away from the form and come back)
  • Storing shopping basket items
  • Recording user preferences (e.g. keeping your preferred cinema as default)
  • Security.

Although cookies cannot carry viruses or install malicious software on a host computer, they have become a major privacy issue, prompting EU and US lawmakers to take action.

Who Needs To Comply With It?

Currently, the law applies to all EU member states, and also to websites outside the EU that market to users in the UK. So an Australian-based website selling in the UK would also have to comply. However, a site does not need permission from users to create cookies if they are necessary for the site to function (e.g. a submission form) or are used for first-party analytics. Users must still be informed of what cookies are being used for, which should be detailed in the website’s privacy policy.

Google Analytics

Google Analytics (GA), a service offered by Google that generates detailed statistics about the visits to a website, uses tracking cookies. Services like these will require user consent as the cookies are not considered to be essential.

This means that, if a web user declines the use of cookies while visiting a website, the site’s webmaster will no longer be able to track what that user does on the site. If many users decline the use of cookies, the value of these services will decrease. For services like GA it is not clear whether user permission is actually needed, but the ICO will not come down hard on sites as long as they display some sort of cookie policy.
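The rule in the two sections above (cookies necessary for the site to function may always be set; non-essential cookies such as analytics tracking cookies only after the user consents) can be implemented as a small consent gate in the page’s own JavaScript. The following is an added example, not code from this page or from Binamic; the cookie names, the categories assigned to them, the `cookie_consent` cookie that records the user’s choice, and the `Secure`/`SameSite` defaults are all assumptions made for the example, and a plain object stands in for the browser’s cookie jar so it runs outside a browser (a real page would read and write `document.cookie`).

```javascript
// Added example: consent-gated cookie setting, modelling the page's rule that
// essential cookies may always be set while non-essential ones need consent.
// Constructed assumptions: the cookie names, their categories, and the
// "cookie_consent" cookie used to remember the user's choice.
const COOKIE_CATEGORIES = {
  session_id: "essential",     // keeps the user logged in
  basket: "essential",         // shopping basket contents
  cookie_consent: "essential", // remembering the choice is needed to honour it
  _ga: "analytics",            // Google Analytics tracking cookies
  _gid: "analytics",
};

// Build a Set-Cookie style string. Secure and SameSite=Lax are constructed
// defaults for the example, not something the page prescribes.
function serializeCookie(name, value, attrs = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  parts.push(`Path=${attrs.path || "/"}`);
  parts.push(`SameSite=${attrs.sameSite || "Lax"}`);
  if (attrs.secure !== false) parts.push("Secure");
  return parts.join("; ");
}

// Parse the "a=1; b=2" form the browser sends back in the Cookie header
// (the same form document.cookie exposes to scripts).
function parseCookieHeader(header) {
  const jar = {};
  for (const pair of header.split(";")) {
    const idx = pair.indexOf("=");
    if (idx === -1) continue;
    const name = decodeURIComponent(pair.slice(0, idx).trim());
    const value = decodeURIComponent(pair.slice(idx + 1).trim());
    if (name) jar[name] = value;
  }
  return jar;
}

// `jar` is the stand-in for document.cookie: a name -> value object.
function createConsentGate(jar) {
  const gate = {
    // Categories the user has consented to, read from the consent cookie.
    consentedCategories() {
      const raw = jar.cookie_consent;
      return raw ? raw.split(",").filter(Boolean) : [];
    },
    // Record the user's choice; this cookie is itself essential.
    recordConsent(categories) {
      jar.cookie_consent = categories.join(",");
    },
    // Set a cookie only if its category is essential or consented to.
    setCookie(name, value) {
      const category = COOKIE_CATEGORIES[name] || "unknown";
      const allowed =
        category === "essential" || gate.consentedCategories().includes(category);
      if (!allowed) {
        return { set: false, reason: `no consent for ${category} cookie ${name}` };
      }
      jar[name] = value;
      return { set: true, header: serializeCookie(name, value) };
    },
    // Analytics scripts should only be loaded once their category is allowed.
    analyticsAllowed() {
      return gate.consentedCategories().includes("analytics");
    },
  };
  return gate;
}

// Walk through a visit: essential cookies set immediately, analytics refused
// until consent is recorded. Returns the decisions so they can be inspected.
function demo() {
  const jar = {};
  const gate = createConsentGate(jar);
  const beforeConsent = {
    session: gate.setCookie("session_id", "s3ss10n").set,
    ga: gate.setCookie("_ga", "GA1.2.1").set,
    analytics: gate.analyticsAllowed(),
  };
  gate.recordConsent(["analytics"]);
  const afterConsent = {
    ga: gate.setCookie("_ga", "GA1.2.1").set,
    analytics: gate.analyticsAllowed(),
  };
  return { beforeConsent, afterConsent, jar };
}
```

The point of keeping the category table in one place is that every call site goes through `setCookie`, so a new non-essential cookie cannot be added without being classified, and the same `analyticsAllowed()` check gates the loading of the GA script itself, not just its cookies.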

ICO Guidelines

The UK’s Information Commissioner changed the cookie guidelines just before they came into force, to provide additional guidance on the issue of “implied consent.”

Implied Consent is a valid form of consent as long as:

  • It is used with revised cookie rules.
  • Websites relying on implied consent make it clear to their users that their actions will result in cookies being set; otherwise no informed consent has been given.
  • Websites do not rely on users having read a privacy policy that is hard to find or difficult to understand.
  • Explicit consent has to be given in situations where sensitive personal data, such as health data, is collected from users.

Where Can I Find Out More About Cookies?

If you would like more information regarding cookies you can visit the ICO’s Cookie guide, or, to make your site compliant, email Binamic or call 01753 878 435.
