Conscious Guide to the EU Directive on use of Cookies

A summary of the issues and what it all means for your website

Andrew Gray represents Conscious Solutions

New rules about the use of cookies came into effect in the UK on 26 May 2011. Many people have asked what impact the new rules will have on Users of their websites and what they need to do to ensure compliance with the new law. This document answers those questions.

The legal landscape – how did we get here?

Personal details

For years there has been legitimate concern over the use and exchange of personal information (eg name, address, age) – this was addressed in the Data Protection Act (DPA) of 1998. Most people have heard about the Act and appreciate the need for it. The Act deals with a wide range of issues to do with the collection, storage and exchange of “personal data” and applies regardless of how the information is obtained (ie The Act certainly covers data gathered via the Internet but is not restricted to it).

Behavioural data

More recently, concern has grown over a rather different form of personal information that can best be described as “behavioural data”. This is information that can be derived about you without necessarily knowing exactly who you are. If you visit three different websites that all happen to carry advertising delivered by the same advertising network then it is possible for that network to track the fact that you have used all three sites and derive some knowledge from that which could be commercially valuable. For example, the advertising network might use the information to determine what advertisements to display to you.

In most cases, the companies that collect behavioural data about your Internet usage will not know exactly who you are, but they will know that you are the same person who used website-A last Monday and website-B last Wednesday. Advertising networks do this by assigning you a unique ID that is stored in a cookie by your web browser.

It is this form of use/abuse of personal information that was supposed to be the primary motivation behind the EU Privacy Directive published in 2002 and updated in 2009.

What’s the problem?

The EU Directive ended up being written quite broadly – it is not limited to the use of cookies by advertising networks (so called “third party cookies”) it applies equally to all cookies and even to other non-cookie-based technologies that might be used to identify a User.

What are cookies?

A cookie is used by a website to send ‘state information’ to a User’s browser and for the browser to return the state information to the website. The state information can be used for authentication, identification of a User session, User preferences, shopping cart contents, or anything else that can be accomplished through storing text data on the User’s computer.

Cookies cannot be programmed, cannot carry viruses, and cannot install malware on the host computer. However, they can be used by spyware to track user’s browsing activities – a major privacy concern that prompted European and US law makers to take action.

Cookies are used extensively – almost all sites use them in order to track anonymous Users ( ie Users who have not registered or logged in). Why? Because it’s helpful to know how many people are using your site and how they navigate through the site (you track them as a unique “visitor” even though you make no effort to try to identify them in person). But that the current legislation states that explicit consent must be obtained before any cookie is set. The User must also be given an ability to opt-out from having cookies stored on their computer.

When did the law change and who enforces it?

The original EU legislation that became known as the “E-Privacy Directive“ was published in 2003 and implemented as European Directive – 2002/58/EC. It was concerned quite widely with the protection of privacy in the electronic communications sector. In 2009 the Directive was amended by Directive 2009/136/EC that included a change requiring consent for storage or access to information stored on a subscriber or users terminal equipment – in other words a requirement to obtain consent for cookies and similar technologies.

The EU Directive entered UK law on 26th May 2011 as “The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011”. It is regulated by the Information Commissioner’s Office (ICO).

The ICO quickly issued guidance notes saying that they would give industry one year to comply with the new law – ie until 25th May 2012.

In December 2011 the ICO issued more detailed guidance notes which made it clear what UK industry was expected to do in order to comply with the new legislation.

Are modifications to T&C’s or privacy policies not sufficient?

No. The Data Protection Act (DPA) of 1998 used to govern the management of information by website. As a website owner, it meant that you had to publish clear policies about the collection of information and the use of cookies. The result was a few million “Privacy Policies” got added to websites and not a lot else. The policy at the time was easy to implement, it did not require an “opt-in” or an “opt-out” but simply a “disclaimer” in the form of a privacy policy or modifications to Terms and Conditions.

A direct quote from the ICO guidelines follows:

”¦it is important to note that changing the terms of use alone to include consent for cookies would not be good enough even if the user had previously consented to the overarching terms. Consent has to be specific and informed. To satisfy the rules on cookies, you have to make users aware of the changes and specifically that the changes refer to your use of cookies. You then need to gain a positive indication that users understand and agree to the changes. This is most commonly obtained by asking the user to tick a box to indicate that they consent to the new terms.

Can I ignore this legislation?

Unfortunately no. The Directive is part of UK law and you now need to comply.

The web development community is no fan of this new legislation. Cookies are fundamental to the operation of almost all websites and in many cases giving people an “opt-out” is hardly practical. There is legitimate concern over the use of “third party” cookies but unfortunately the legislation has been written in such a way that it covers the use of all cookies.

What visual changes need to be made to comply?

The changes we are making to our Content Management System (CMS) are designed to implement the approach recommend by the ICO on page 16 of their guidance notes. Real examples are included as an appendix to this document. Here’s a summary of what we plan to do to ensure that you stay on the right side of the law:

1. New “Privacy Options” tab: We will add a sliding, horizontal tab to the visible portion of your homepage that alerts users to the new legislation and invites them to click for more information. Your homepage will display in the normal fashion, but after two seconds the “Privacy Options” button tab will slide into view from the right-hand edge of the screen. It will stay for a few seconds and then disappear.

Clicking on the tab will open a new window containing privacy control options as well as links for more information (see the Implementation Examples in the PDF version of this Guide).

The Privacy Options tab only appears on the homepage of the site and will appear every time the page is visited unless a Privacy Options Cookie has already been set (ie the tab will continue to appear until the User has answered the question – either Yes or No).

2. Footer panel with “Opt-in” and “Opt-out”: We will also add a discrete panel of information to the very bottom of the page. The panel will provide users with buttons for “opt-in” and “opt-out” as well as a links to more information that will be held on the Privacy Page.

The ICO recommend the following format:

3. Updates to Privacy Policy and Terms & Conditions: These will need to be modified to explain the use of cookies and to make reference to the new legislation. We will supply “compliant” text for this so you will only need to review it.

The Privacy Options tab does not need to appear on every page of the site and we believe that it would be irritating and unnecessarily intrusive if it did. The purpose of the tab is to promote the existence of the new controls. Compliance is achieved satisfactorily by a combination of “promotion” (having the Privacy Options tab appear in the visible portion of the homepage) and “control” by having the Privacy Options panel appear in the footer of every page of the site.

What technical changes need to be made to comply?

Here’s a summary of the complex technical work that is being undertaken within the core of our CMS in order to ensure compliance with the new law:

1. Change the “Apache Cookie” to be session-specific: At present the CMS issues all new users with an identification cookie that lives for 2 years. We will modify this so that it lives only for the duration of the browser session. The cookie contains no personal information and is not used for tracking so is classified as “low risk” by the ICO.

2. Add a “Cookie Preference Cookie: Strange as it may sound, we have to give the user a cookie in order to record the fact that the user has “opted-out” of cookies – there is no other way to record preferences. We call this the Cookie Preference Cookie.

3. Modify Google Analytics logic: We use Google Analytics to track usage on your site. The CMS currently adds the Google tracking code to the footer of every page automatically. We will modify this logic so that Google Analytics code is not added to the page if the user has opted out.

4. Modify the cookie setting process: There are several functions within the CMS (eg login, and forms submission) that must set cookies in order to work correctly. In these situations, the CMS must now be modified so that it first checks the Cookie Preference Cookie before proceeding with its normal operation. If the User requests a function (eg login) but has previously opted-out of cookies then the CMS will redirect the User to an error page that explains the problem and invites them to “opt-in” to cookies.

What happens if Users click “I agree” in order to opt-in?

If Users opt-in, then the site will record this by setting a Cookie Preference Cookie. The site will work in very much the same way as it does today. The consent question that appears in the footer of every page of the site will change to indicate that consent has been granted (and to give Users the ability to change this (ie to opt-out) if necessary.

What happens if Users click “No thanks” in order to opt-out?

If Users opt-out then the site will record this by setting a Cookie Preference Cookie. The consent question that appears in the footer of every page of the site will change to indicate that consent has been denied (and to give Users the ability to change this ie to opt-out). If the User attempts to use a service that requires cookies (eg login to an Extranet or use Billpay or SecureForms) the User will be redirected to a page that explains that the service requires cookies and invites them to change their settings.

What happens if Users do not answer?

If Users ignore the question it’s OK to give them cookies. They will not be given a Cookie Preference Cookie because they have not answered the question but the site will behave as if they had answered “I agree” – the site will set cookies as necessary.

A direct quote from the ICO guidelines follows:

Some users might not click on either of the options available and go straight through to another part of the site. If they do, you might decide that you could set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site. This is an option that relies on the user being aware that the consequence of using the site is the setting of cookies. If you choose this option you might want the reassurance of a notice appearing elsewhere on the site which reminds users that you are setting cookies.

I have multiple websites – does the User need to indicate consent multiple times?

In theory “No” – if the User indicates their consent on one of our sites you can assume that they have given consent to your other sites. However, in practice the answer is “Yes” because it is not technically possible because cookies can only be read from the current domain. For example, a cookie set by a process running on www.site1.com cannot be read by a process running on www.site2.com or vice versa (this security is built into all browsers). So if you have several websites your Users will have to answer the question several times and be given a Privacy Options Cookie by each site.

Technical note: It is possible to read cookies across sub-domains so www1.site.com could share cookies with www2.site.com but if you have several websites the chances are that each will be running on it’s own domain (rather than a sub-domain).

I have a mobile site – are they affected?

In theory “Yes” but in practice “No”. The mobile websites that we provide are fundamentally less complex than desktop websites. The only cookies used by our mobile sites are those needed by Google Analytics and the ICO has made it clear that it treats those cookies as a very low risk.

A direct quote from the ICO guidelines follows:

The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ”˜strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.

In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

Can’t Users simply be told to opt-out using their browser settings?

No – the guidance notes issues by the ICO are very clear about this point. They do not consider it sufficient to rely on Users knowing how to change their cookie preferences. They are right about this – not many users know that the controls exist let alone how to change them.

Can I wait for browser settings options to be changed?

No – the direct quote from the ICO guidelines follows:

No, ”¦ this will take some time and it is not clear that even when the necessary changes are achieved you could rely on all users instantly using the most up to date version of any browser. Browser settings are part of the solution and you will increasingly be able to rely on these as part of the mechanism for satisfying yourself that you have a users consent to set cookies. For now, you will need to work on implementing another solution.

People say this law just isn’t practical – what happens if I do nothing and wait for it all to go away?

The direct quote from the ICO guidelines follows:

This isn’t going away. It’s the law. The UK Regulations come from a European Directive that was passed in 2009. The requirements cannot easily be changed and cannot just be ignored. Many organisations are making a lot of effort to comply. The Information Commissioner has been clear that he will take a practical and proportionate approach to enforcing these rules where organisations are making the effort to comply.

In the event that you choose to ignore this change in the law and do nothing with your website, we need to send you a simple “Waiver Document” to sign – just confirming that we have explained things to you.

What will the impact be on my Google Analytics reports?

Google Analytics uses cookies to identify Users and distinguish between different sessions. If a User decides to opt-out (ie to reject cookies) the normal Google Analytics code not be inserted into any page that they visit. The net result is that your Google Analytics reports will be less complete. However, much of the value derived from Google Analytics comes from the study of trends and relative figures (eg this link is twice as popular as that link). We believe that the validity of this data will be relatively unaffected by these changes, but that the absolute values will drop significantly.

We are investigating alternative methods of tracking usage and will update you as our industry develops technical solutions.

Implementation examples

Implementation examples are included in the PDF version of this Guide

Andrew Gray is the Client Services Director for Conscious Solutions and is one of the founders of the company. With a background in web development since 1996 he is responsible for overseeing the technical development of the Conscious Solutions platform.

Email agray@conscious.co.uk.