The EU Privacy directive affecting website cookies came into force in UK law on 26 May 2011, and applies not just to UK based websites but any website that caters for people in the European market—wherever the company is based. That means every website visited by people in the EU, including those outside the EU, is affected.
I have written two articles about the EU cookie directive. You are reading the in-depth article, which includes detailed discussion with reference to the directive itself. For a more concise post that explains what it means and what you need to do about it, see: How To Get Ready For The EU Cookie Directive
If you’re looking for help or solutions, see EU Cookies Services
Below, this post answers the following questions:
- What is the EU Privacy/Cookie Directive?
- When does it apply to my business?
- How do I find out what cookies my website creates?
- Does this affect my website?
- What do I need to do about the EU Privacy/Cookie Directive?
- When do I need to make the changes?
- I am a masochist: Where is a full reference/link to the EU Cookie Directive?
- Summary: act now, but don’t panic (unless you are a big consumer brand!)
Important: 1) I’m not a lawyer; 2) This article is about cookies but law related to this directive may have other implications for your business (e.g. for information your website stores in other ways).
What is the EU Privacy/Cookie Directive?
When does the cookie directive have legal force?
The directive is in force, but it is not legally enforceable in any jurisdiction until it has been incorporated into the law of that EU country, which tends to happen at widely differing rates. However, once it is in force in one jurisdiction you may be affected directly by that, wherever your business is based, including outside the EU.
If your business is focussed in particular EU countries you may want to consider the attitude and plans for compliance in each jurisdiction so that you can prioritise and plan your response accordingly.
At time of writing (May 2011), it is not yet being enforced in any EU jurisdiction as far as I am aware. It became law in the UK on 26th May 2011, and so is legally enforceable already, but the government has decided to suspend enforcement for a year so we have an effective deadline of 25th May 2012. So I suggest…
Don’t panic, but act now to inform yourself. The relevance to you and your business will vary depending on your circumstances.
Does this affect my website?
I would advise that all businesses at least do an audit of current and planned website functionality to establish what cookies are being placed on the computer of your visitors, and by what features of your website. As well as things your web designer might have included, third party features (such as analytics, embedded advertising, plug-ins and so on) will almost certainly be creating cookies, so you need a way of checking everything. See next.
How do I find out what cookies my website creates?
I recommend the Firefox browser with an add-on called HttpFox, and I have written a short post with step by step setup showing how to do this so anyone can do it. See: How to see/monitor the cookies a website creates.
HttpFox is useful for more than this, of course: it will help you debug and streamline your website too (look out for requests highlighted in red, for example; any “404” responses?).
Other Useful Tools
I expect there will be additional tools created to help with this so check back, or let me know if you find something handy by sharing in a comment.
What do I need to do about the EU Privacy/Cookie Directive?
Once you know what features of your website rely on setting client side cookies you have some idea of the scale of the problem and need to think about each area individually.
You need to ask yourself questions such as the following:
- how and when would enforcement affect me?
- what are the fines (not yet known in most jurisdictions)?
- what would being found in breach do to my reputation?
- what website features are affected and how can they be brought into compliance?
- will the web browser provide a solution, or part of a solution?
Clearly you’ll need to monitor both the solutions (from other businesses and the web browser companies), as well as the approach and timetable of enforcement in your relevant jurisdictions (but remember, it is not where you are but where your customers are that matters).
So to begin you should:
- understand the situation in different jurisdictions within the EU so you can minimise business risk
- monitor on-going developments in enforcement and solutions (from websites, website vendors and web browsers)
How can I solve this on my website?
Essentially you need permission from each user before writing cookies on the user’s machine where the cookie might be used to infringe that user’s privacy (as defined by the directive, or a particular jurisdiction’s interpretation of the directive).
Here are some potential solutions for obtaining permission (see caveat):
- use your website’s terms and conditions in some way
- provide a passive indication on the page of cookie use, and a way for users to opt-in or opt-out
- provide a pop-up seeking permission and providing an opt-out
- obtain permission during a sign-up process
- obtain permission through a user controlled browser setting (a feature being considered by browser manufacturers)
In all these cases we are left with a problem: what to do if the user does not provide permission? This is tricky because so many usability features of websites rely on cookies. Your solution will have two stages:
- At the very least every website needs a way for cookie use to be disabled (one reason it will be better to put this in the browser, but it’s not clear if that will avoid the need for a server side ‘cookie switch’).
- Once the cookie switch is turned off by a user, you need to consider how to handle the loss of functionality that results. Ideally you would consider each feature and degrade this as gracefully as possible. You’ll need to consider the impact on your particular visitors and their potential reactions on your business, as well as look at how competitors and other businesses respond to the same issues.
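An added example (not code from the original post) covering both the audit step above and the two-stage cookie switch: it classifies captured Set-Cookie headers of the kind HttpFox lists, then filters a response so that non-essential cookies are only set once the visitor has opted in. The site host, cookie names, consent cookie and the essential/non-essential policy are constructed assumptions for a hypothetical site.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed policy for a hypothetical site: strictly necessary cookies versus optional ones.
SITE_HOST = "www.example.com"
ESSENTIAL = {"sessionid", "cookie_consent"}
CONSENT_COOKIE = "cookie_consent"   # holds "yes" once the visitor has opted in

# Constructed capture of (responding host, Set-Cookie value) pairs, as HttpFox would list them.
CAPTURED = [
    ("www.example.com", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.com", "_ga=GA1.2.99; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    ("ads.tracker.test", "uid=42; Max-Age=31536000"),
]

@dataclass
class CookieInfo:
    name: str
    host: str           # host whose response carried the Set-Cookie header
    third_party: bool   # set by a host outside the site's own domain
    persistent: bool    # Expires/Max-Age present, so it outlives the session
    essential: bool     # needed for the service, so allowed without consent

def parse_set_cookie(host: str, header: str) -> CookieInfo:
    """Classify one Set-Cookie header value against the policy above."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    own = host == SITE_HOST or host.endswith("." + SITE_HOST.split(".", 1)[1])
    persistent = "expires" in attrs or "max-age" in attrs
    return CookieInfo(name, host, not own, persistent, own and name in ESSENTIAL)

def audit(captured: List[Tuple[str, str]] = CAPTURED) -> List[CookieInfo]:
    """Audit step: one CookieInfo per captured Set-Cookie header."""
    return [parse_set_cookie(host, value) for host, value in captured]

def has_consent(cookie_header: str = "") -> bool:
    """True only if the request's Cookie header carries an explicit opt-in."""
    for pair in (cookie_header or "").split(";"):
        key, _, value = pair.strip().partition("=")
        if key == CONSENT_COOKIE and value == "yes":
            return True
    return False

def cookie_switch(headers: List[Tuple[str, str]], consent: bool):
    """Server-side cookie switch: drop Set-Cookie headers for non-essential
    cookies unless the visitor has consented; essential ones always pass."""
    return [(n, v) for n, v in headers
            if consent or n.lower() != "set-cookie"
            or parse_set_cookie(SITE_HOST, v).essential]
```

Any feature that depended on a dropped cookie must then cope without it, which is the graceful degradation step described above.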
When do I need to make the changes?
For compliance with UK law, you need to be ready by 25th May 2012 (as explained above). In other jurisdictions this will vary widely, possibly by years, but remember it is not where YOU are but where your VISITOR is that matters. If you are outside the EU, your business will still be affected.
The UK is, as usual, one of the early implementers. You must make your own decision about this, but being based in the UK with a very small business, I think I can afford to be relaxed for the time being. I will monitor developments and develop a plan as the deadline of May 2012 approaches. If you are more risk averse, are a larger business, have a well known brand, or are very consumer oriented, I suggest you need to be a lot more concerned and pro-active about this.
Where is a full reference/link to the EU Cookie Directive?
You must be mad or a lawyer to want to read this, but here it is: DIRECTIVE 2009/136/EC.
(Thanks to Paul Carpenter for saving me the trouble of digging this up, and for providing a funny example of EU cookie directive pop-up hell—which illustrates why a user friendly solution is so desirable. My guess is that this will be within the browser rather than your website, but at this point it’s not possible to say.)
Summary: Act now, but don’t panic (unless you are a big consumer brand!)
Even though the directive is already active, for most small businesses there is no need to panic, but you should definitely take appropriate action now. At the very least understand how your business website would be affected by disabling cookies, and the options available to you for seeking permission and turning cookie use off. Once you understand this you can plan your response, monitor developments, and decide when to act.
Larger businesses, brands, consumer oriented, and more reputation sensitive businesses probably need to be the most pro-active, developing solutions that are compliant (to minimise the risk of non-compliance) while minimising the impact on their online customer interface.
Everyone should inform themselves to ensure they don’t get caught out, but I think smaller, less consumer focussed businesses may find that industry (e.g. web browser and website solutions vendors and larger companies) thrash out some good solutions we can all take advantage of in time. Remember that date though: May 2012 is when you should have something in place.
I will follow this and aim to keep you posted, so to help stay informed you can follow me using Facebook, Twitter, Blog email or Newsletter (see the buttons and form at the right on this page).
EU Privacy/Cookies Directive Compliance Service
If you want help getting ready, to help you decide how best to comply with EU privacy law, contact me to discuss this. For example I can perform a review and analysis of your website cookie use, assess the risks to your business, highlight implications and suggest remedial actions, as well as making changes to your website.