New Laws for the use of cookies that store online user information

May 26th 2011 marks the date when new rules, the EU’s Privacy and Electronic Communications Directive, governing the use of cookies by websites comes into force in the UK and across Europe. (See BBC video below for an overview.)

Andy Williams and the Cookie Bear

Have you got a Cookie?

For those who can remember the Cookie Bear in the Andy Williams Show in the 60’s and early 70’s the title will ring a bell.

Needless to say the bear never ever got his cookie but our legislators have decided that we might all be getting far too many for our own good!

Existing policy

Most websites, in their Privacy Policy, gave visitors an outline of what information was collected and why and what cookies that were being set and an explanation that it was possible, through browser settings, to “Opt out”.

Information Commission website

How Information Commission Have Addressed It

There was generally an explanation of why they were used and the effect of turning them off completely eg losing the ability to purchase on site (most ecommerce applications store basic visitor data including those products added to the shopping basket).

What are cookies?

In principle they are:-

  • A small text file placed on your computer by the websites you visit
  • A piece of code placed in your browser by a website server
  • A text file placed on a hard drive to store and transmit information to the server of websites you visit and return to from that browser/computer.

Cookies are used for a great many reasons and, there are different types of cookies.

1st party and 3rd party cookies

The term “party” refers to the domain associated with the cookie; the website that initiates the cookie. For example, when you visit www.bbc.co.uk, the domain stored in the cookie placed on your computer would be www.bbc.co.uk, it is classed as a first-party cookie. If, however, you visit www.bbc.co.uk and the cookie placed on your computer says www.tracking-you.com, then this is a third-party cookie.

It’s not entirely clear what the intention of the directive is! Is it to control and limit all cookies or mainly 3rd party cookies which, can be but not always, used for user tracking and behavioural advertising purposes?

Some cookies can be regarded as essential

Many 1st party cookies such as ecommerce cart content storage, Facebook login data and most analytics packages eg Google Analytics, could be argued as a service and benefit providing users with a better experience.

These may be considered as essential as they offer a benefit, albeit in the case of analytics at a different level, but they could all well be considered to offer some value to a visitor.

However, it can be quite surprising and shocking just how much information is collected and stored about our browsing habits.

You only have to set your browser, almost all give you the option, to prompt each time a cookie is requested and you will probably very quickly switch it back as the whole experience is repeatedly interrupted and rendered increasingly less the relatively straightforward process we currently enjoy.

Just try it yourself and see!

Visitors will now have to Opt-in

From 26 May 2011 websites will need to specifically gain the consent of visitors with an “Opt In” to be able to store cookies on their computer or other devices.

This is clearly going to be both difficult to implement and equally difficult to manage and enforcement will more than likely be done tentatively and with encouragement rather than with the threat of fines and penalties although fines of upto £500,000 could be levied.

The Information Commissioner’s Office (ICO) has issued a briefing note setting out guidelines on how not to fall foul of the directive

Even the ICO (Information Commissioners Office) website who are responsible seem to be confused as they have agreed a 12 month period for implementation and on their own site in their Privacy Policy show that they too want to use cookies for session tracking, analytics and set one to record the fact that you are happy to accept their cookies.

The problems associated with it’s implementation has already been recognised and full compliance deferred for 12 months. Below is a BBC video which outlines some of the issues.

What does the new law say?

The new requirement is essentially that cookies can only be placed on machines where the user or subscriber has given their consent.

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment– (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use. “(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information–

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

What are the implications of the Cookie Bill for us all?

We have a year to come to terms with how and what we are going to do and what measures we can take to comply. It maybe we will have to follow the ICO example and request each visitor to opt-in or simply not use them at all.

How practical all that is for both website owners and visitors/consumers will only become obvious as during the next 12 months we start to address the technical issues it now looks it will impose.

What do you think? How will it affect you? Comment below…

Share This