Impending enforcement of European Union Cookie Law directive!

Last May an announcement by the ICO (Information Commissioner’s Office) was posted stating that new laws for the use of cookies that store online user information were to be introduced on 26 May 2011.

The announcement made it clear that websites that don’t comply with the European law directive could be prosecuted, with large fines levied, but that enforcement was being delayed for a 12-month period.

The delay was to allow time for site owners, developers and other interested parties to understand and apply necessary controls to achieve the required compliance.

That date (26 May 2012) is not far off, now, and to be honest it appears not a lot has been done to date!

It may be that, as it is only an EU (European Union) directive, the rest of the world is just ignoring the issue and as such will continue ‘business as usual’.

Some light at end of tunnel for Google Analytics

In December 2011 the ICO produced another document, Guidance on the rules on use of cookies and similar technologies (pdf). On the very last page, in almost the very last paragraph, it gives some indication that, although not strictly in compliance with the directive, there is a chink of light, particularly in relation to applications such as Google Analytics.

Different Kinds of Cookies

1st & 3rd party cookies

The purpose of the directive is vague, but it has been introduced largely from a privacy perspective: to control the proliferation of platforms that track user-entered data, including browsing habits, in order to publish or push personalised advertising to website visitors based on their online behaviour and browsing history.

Ad targeting works over multiple websites, following browsers from site to site and storing information in 3rd party cookies (small text files set and stored on your website). These track your search, browsing history and other data so that advertising can be targeted to your assumed interests, based on how and what you view and engage with online.

It is largely these 3rd party cookies and this tracking that I believe the directive was envisaged to control, but it seems to have been applied across the board to include 1st party cookies, which many sites use for shopping cart tracking, storing user preferences and analytics that monitor visitors as they browse a site.

Many 1st party cookies are session based and expire when a visitor leaves the site, or last for specified periods, as is the case with analytics cookies that identify returning visitors. They are anonymous in that they do not store personal user details.

Although 1st party cookies are covered by the directive, the most recent ICO guide gives an indication that, in the case of analytics cookies, there might just be a relaxation of enforcement and that they will not be a priority area of concern.

The following is the section of the guide (at the very end) which is relevant:-

Q. We only use analytical cookies – if nobody consents that will seriously restrict the amount of information we can get to improve and develop our website?

A. The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.

In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful.

Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.

Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

What is important is that, if cookies are used, it should still be made clear to visitors what they are being used for, and visitors should have an opportunity to control their use.

It is not clear, however, whether simply providing browser-based information on how to control the use of all types of cookies will be enough to satisfy the legislation, and a close watch still needs to be kept on developments over the next few months.

There are methods available which help achieve compliance. If anyone is concerned about how they might be affected, WebMedia can provide an audit of the cookies used on your site and the means to bring your site into compliance with the legislation.
