Prompted primarily by a customer enquiry, I recently posted on Twitter asking my followers whether they had any knowledge of industry best standard with respect to the EU Cookie Directive that’s due to come into force on the 26th May. The answer, unfortunately, was a resounding “no”.
This is in most part due to the fact that the Information Commissioner’s Office (ICO) – an independent authority which aims to uphold personal information rights – has not given firm guidance on its interpretation of the directive. The information that it has published falls short of identifying specific methodologies that may or may not fall foul of this directive.
What follows is my understanding of the guidance thus far. Please note that:
- I am not a lawyer
If you are reading this and want a legal interpretation of the law, then I suggest you find someone legally trained and pay for their comments.
- Blog posts almost immediately become out of date
By the time I hit “publish” on this post, someone will come along with another interpretation, or the ICO may published improved guidance. Read around the subject.
What exactly is changing
The basic rule that’s changing is that storing information on a user’s computer requires an explicit opt-in from the user. The user must be given the option of not having that information placed on their computer. Placing information on a user’s computer without a conscious and informed decision by the user would be breaking this directive.
So, cookies are out then?
It’s important to highlight that the EU directive makes no explicit differentiation between any local storage mechanism, whether they be cookies, Flash Local Storage or any other mechanism. Specifically, the ICO guidance says:
The Regulations also apply to similar technologies for storing information. This could include, for example, Locally Stored Objects (commonly referred to as “Flash Cookies”).
If you store any information on a user’s machine then this directive almost certainly applies. Just because the industry has concerned themselves with HTTP cookies as one impact, it is not the only one. Even if you are using a “client-side” technology such as Flash, you may well still be affected. My recommendation is not to focus on eliminating cookies but to focus on any technology that places information that could affect a user’s privacy on the client machine.
How will this opt-in work?
Unfortunately the EU haven’t stated how this opt-in would work. They’ve defined that the user must give their consent to it happening, but shied away from exactly how that works. Various suggestions have been included such as explicit agreement to revised Terms and Conditions (note: you can’t just hide it away – it has to be explicit) or the use of popup windows to inform the user of what will happen.
The user’s browser accepts cookies, so they’ve opted in… Right?
Not in the ICO’s eyes. The theory is that long-term this might be an option, it currently is not.
This will ruin the user’s “flow”, what can I do about it?
At the moment, there is little industry agreement on what ways this can be accomplished without adversely affecting the way in which a user interacts with a site. My guess is that most websites will start to refrain from setting cookies unless the user has to log-in. Or, more likely in the medium term, websites will not change until they are forced to by the law being enforced.
Are there any exclusions to the opt-in rule?
Yes, although they’re vague and open to interpretation. The basic exclusion is that cookies are allowed where they are technically required to complete an action the user has explicitly requested. In other words, if the cookie is required in order for a function to be completed, you don’t necessarily need opt-in. The directive’s worded in such a way that this is not a get-out clause for cookie use. An article that discusses specific exclusions is available from Jeremy Gordon.
Should we panic?
No. The ICO have stated that they expect this to be phased in. If they receive a complaint from a user then their first step will be to ask what analysis they have done. If you have done – or are in the process of doing – that analysis then you’ll be in good stead.
What should we do now?
The current ICO guidance is to identify what cookies (and other equivalent technologies) you use and to try and identify the impact their usage has on an individual’s privacy.
- Speak to your web developers/designers
They will quite easily be able to give you an idea of what cookies – or Flash Local Storage, or equivalent technologies – are in use and be able to give you an idea of which categories they fall into. They should also be able to guide you upon what impact these cookies may have on a user’s privacy. Remember: this directive is approaching it from the perspective of the user’s privacy, not how your current site – or business – works. Long-term they will expect you to change if the two are not compatible.
- Decide whether these cookies are required for the site to function (and, if so, in what capacity)
If not, can a plan be devised to turn them off?
- Analyse whether these cookies impact the user’s privacy (and, if so, to what degree)
Is there a simple answer or fix – can we use another technology instead?
Typically there’s no simple “if we’d used technology X to do A instead of technology Y then we’d be okay now“. This is because the way in which web pages work – HTTP – is “stateless”. That means that if you visit the homepage of a website, then go to the checkout, there’s no explicit relationship between the two page visits. If you need to be able to track that user across the requests, you have to use something like cookies to achieve it.
If your analysis determines that you’re only using cookies to maintain session state then there may be options some options depending upon what your website does:
- Turn session state off
Most web frameworks give you the option to turn off session state entirely. If your website doesn’t offer online purchasing or doesn’t require a login (or does, but only to administer it), then it’s possible that the solution is exceptionally simple – just turn them off.
- Track session state using another technique
Some web frameworks allow session state to be tracked using the URL, although this can have an ugly effect on your URLs.
But wait, you’re wrong!
I may well be – I am not a lawyer, and the industry hasn’t come up with viable guidance for clients. That’s the point of this blog post – to hopefully start a discussion. If you have a comment, guidance, or would like to berate my interpretation of anything, please comment!
Update: Other posts on this issue
- Thanks to Andrew Westgarth who took the time to comment. He also has a blog postthat looks into the irony of the potential practical impacts of getting cookie opt-in. I agree, it’s a complete mess that’s only further going to be muddied by the use of third-party services (who may be US-based and not be willing to modify their methodologies in line with the EU directive).