The EU Cookie Law Briefing
What you need to know
If you, as a website owner, store usage information, you will need to provide clear and comprehensive information about why you are storing it and get the visitor's 'explicit' consent.
Essential cookies that a website provides for the visitor at their request (for example on subscription and e-commerce services) will not need such consent.
What is the so-called "Cookie Law"?
The "Cookie Law" stems from a modification to the EU Privacy and Electronic Communications Directive (PECD), which became law in November 2009. It was designed to safeguard privacy online and protect web users from unwanted marketing. Cookies can be used to build up a profile of where you have been and how you have behaved on a range of websites and other digital media.
The law aims to make sure that any company that collects information about a web user must ask for the user's consent first. Before this law, websites only had to ask visitors to opt out of cookies. Now they have to ask visitors to opt in to all "non-essential" cookies. The law was imported into UK law in May 2011, but UK companies were given one year to comply. The deadline for compliance was 26 May, 2012.
There are other technologies, like Flash and HTML5 Local Storage, that do similar things, and these are also covered by the legislation. As cookies are the most common technology in use, the legislation has become known colloquially as the Cookie Law.
What you need to do
In the UK, the Information Commissioner's Office (ICO) has advised website owners to conduct a full audit of their websites to analyse which cookies are used, and which are 'strictly necessary'. "Strictly necessary" cookies are those mentioned above, for subscription and e-commerce services. Few audit services exist, and even fewer audits are undertaken.
Cookies that are deemed, or are likely to be seen, as 'intrusive' by users should be removed or changed, or a consent process should be included. There is a trend for cookie blocking and broad third party opt-out.
Who needs to comply with it?
The law applies to all member states of the European Union. Websites outside of the EU must comply with the law if they are targeting people within member states. So a website based in the USA that sells to people in the UK will also have to comply.
Consent options available to you
The Cookie Law has preceded browser development, so the onus is currently on the website owner. Current solutions to gather consent include:
- Feature-led consent - This is when a website remembers feature-led preferences, such as content personalisation. A user can be informed of the cookie when the feature is activated.
- Functional uses - Tracking is a common example of this - occurring in the background without the consent of the user. A proposed solution is to place relevant text about the cookie in the header or footer of the page, or link to an information page. This is something that is now hindered by the rise in use of cookie and ad blockers.
- Pop-ups - Whilst these can detract from the user experience, and are often blocked by browsers, they are probably the simplest option to implement to inform the user and to gain their consent. Pop-unders are even more annoying, as the user is often unaware that they have even opened, and they are often secretly initiated (they can not open automatically, by themselves).
- Tracking icons - These are indicators on adverts that show clearly that an advert uses tracking technology. AOL and Google, for example, have committed to this, but there is currently no mention of 'consent'.
What to do
Compliance with the cookie law comes down to three basic steps:
- Work out what cookies your site sets, and what they are used for, with a cookie audit.
- Obtain their consent and give them some control.
Penalties for a failure to comply
Whilst the directive came into force on the 26th May 2011, the complexity of the technology, and development lag, meant that it has taken some time to become fully operational. Heavy fines are still likely - none have been publicised, but I would suggest that if end-users find the constant 'consent' too fiddly and annoying, the directive may have to be rethought, and 'penalties' deferred still further.
Technically, the maximum penalty for not complying is £500,000 for cases where there is a deliberate breach of the law that causes substantial distress. There are also smaller penalties such as being sent an information notice or an enforcement notice. However, this has proven to be an incredibly difficult law to police and enforce as it affects so many sites.
If you have questions about how the cookie law could affect your business and your digital marketing, contact Jack Marketing Solutions today.