The “EU Cookie Directive” (2009/136/EC) and you.
Prompted primarily by a customer enquiry, I recently posted on Twitter asking my followers whether they had any knowledge of an industry best practice with respect to the EU Cookie Directive that’s due to come into force on the 26th May. The answer, unfortunately, was a resounding “no”.
This is in most part due to the fact that the Information Commissioner’s Office (ICO) – an independent authority which aims to uphold personal information rights – has not given firm guidance on its interpretation of the directive. The information that it has published falls short of identifying specific methodologies that may or may not fall foul of this directive.
What follows is my understanding of the guidance thus far. Please note that:
- I am not a lawyer. If you are reading this and want a legal interpretation of the law, then I suggest you find someone legally trained and pay for their comments.
- Blog posts almost immediately become out of date. By the time I hit “publish” on this post, someone will come along with another interpretation, or the ICO may publish improved guidance. Read around the subject.
What exactly is changing
The basic rule that’s changing is that storing information on a user’s computer requires an explicit opt-in from the user. The user must be given the option of not having that information placed on their computer. Placing information on a user’s computer without a conscious and informed decision by the user would be breaking this directive.
So, cookies are out then?
It’s important to highlight that the EU directive makes no explicit differentiation between any local storage mechanism, whether they be cookies, Flash Local Storage or any other mechanism. Specifically, the ICO guidance says:
The Regulations also apply to similar technologies for storing information. This could include, for example, Locally Stored Objects (commonly referred to as “Flash Cookies”).
If you store any information on a user’s machine then this directive almost certainly applies. Just because the industry has concerned themselves with HTTP cookies as one impact, it is not the only one. Even if you are using a “client-side” technology such as Flash, you may well still be affected. My recommendation is not to focus on eliminating cookies but to focus on any technology that places information that could affect a user’s privacy on the client machine.
How will this opt-in work?
Unfortunately the EU haven’t stated how this opt-in would work. They’ve defined that the user must give their consent to it happening, but shied away from exactly how that works. Various suggestions have been included such as explicit agreement to revised Terms and Conditions (note: you can’t just hide it away – it has to be explicit) or the use of popup windows to inform the user of what will happen.
The user’s browser accepts cookies, so they’ve opted in… Right?
Not in the ICO’s eyes. Long-term this might become an acceptable option, but it currently is not.
This will ruin the user’s “flow”, what can I do about it?
<shrug />
At the moment, there is little industry agreement on what ways this can be accomplished without adversely affecting the way in which a user interacts with a site. My guess is that most websites will start to refrain from setting cookies unless the user has to log in. Or, more likely in the medium term, websites will not change until they are forced to by the law being enforced.
Are there any exclusions to the opt-in rule?
Yes, although they’re vague and open to interpretation. The basic exclusion is that cookies are allowed where they are technically required to complete an action the user has explicitly requested. In other words, if the cookie is required in order for a function to be completed, you don’t necessarily need opt-in. The directive’s worded in such a way that this is not a get-out clause for cookie use. An article that discusses specific exclusions is available from Jeremy Gordon.
Should we panic?
No. The ICO have stated that they expect this to be phased in. If they receive a complaint from a user then their first step will be to ask what analysis they have done. If you have done – or are in the process of doing – that analysis then you’ll be in good stead.
What should we do now?
The current ICO guidance is to identify what cookies (and other equivalent technologies) you use and to try and identify the impact their usage has on an individual’s privacy.
- Speak to your web developers/designers. They will quite easily be able to give you an idea of what cookies – or Flash Local Storage, or equivalent technologies – are in use and be able to give you an idea of which categories they fall into. They should also be able to guide you on what impact these cookies may have on a user’s privacy. Remember: this directive is approaching it from the perspective of the user’s privacy, not how your current site – or business – works. Long-term they will expect you to change if the two are not compatible.
- Decide whether these cookies are required for the site to function (and, if so, in what capacity). If not, can a plan be devised to turn them off?
- Analyse whether these cookies impact the user’s privacy (and, if so, to what degree). The ICO guidance says that the directive is intended to improve the level of privacy for individuals who use the web and it’s important to bear this in mind when analysing your current cookie usage; the more intrusive your use of cookies is, the more important it is that you have a plan to allow users to opt-in or, conversely, opt-out.
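One way to carry out the inventory step the ICO guidance asks for, as an added example that is not part of the original post: a small Python script that parses the Set-Cookie headers captured while browsing a site (the sample capture, hostnames and cookie values are constructed) and classifies each cookie as first or third party and as session or persistent, so the most intrusive ones are reviewed first. Whether a cookie is strictly necessary for a user-requested action still has to be decided by hand.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample capture: (request URL, Set-Cookie headers in the response).
# Names mimic common defaults (PHPSESSID, Google Analytics __utma); values and hosts are made up.
SAMPLE_CAPTURE = [
    ("https://www.example.test/", [
        "PHPSESSID=c0nstructed; Path=/; HttpOnly",
        "__utma=1.2.3.4.5.1; Expires=Thu, 01 Jan 2015 00:00:00 GMT; Path=/; Domain=.example.test",
    ]),
    ("https://ads.tracker.test/pixel.gif", [
        "uid=42; Max-Age=31536000; Path=/; Domain=.tracker.test",
    ]),
]

@dataclass
class CookieRecord:
    name: str
    host: str        # domain the cookie is scoped to
    party: str       # "first" or "third" relative to the audited site
    lifetime: str    # "session" (dies with the browser) or "persistent"
    http_only: bool
    priority: int    # 0..2: number of intrusiveness signals (third party, persistent)

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # bare flags map to True
    return name.strip(), value, attrs

def classify(site, url, header):
    """Classify a cookie set by a response to `url` while auditing `site`."""
    name, _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    host = (domain if isinstance(domain, str) else urlsplit(url).hostname).lstrip(".")
    party = "first" if host == site or host.endswith("." + site) else "third"
    persistent = "expires" in attrs or "max-age" in attrs
    priority = int(party == "third") + int(persistent)
    return CookieRecord(name, host, party, "persistent" if persistent else "session",
                        "httponly" in attrs, priority)

def audit(site, capture):
    """Inventory every cookie in the capture, most intrusive first (stable order)."""
    records = [classify(site, url, h) for url, headers in capture for h in headers]
    return sorted(records, key=lambda r: -r.priority)
```

Flash Local Storage Objects never appear in HTTP headers, so they still have to be inventoried separately.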
Is there a simple answer or fix – can we use another technology instead?
Typically there’s no simple “if we’d used technology X to do A instead of technology Y then we’d be okay now”. This is because the way in which web pages work – HTTP – is “stateless”. That means that if you visit the homepage of a website, then go to the checkout, there’s no explicit relationship between the two page visits. If you need to be able to track that user across the requests, you have to use something like cookies to achieve it.
If your analysis determines that you’re only using cookies to maintain session state then there may be some options, depending upon what your website does:
- Turn session state off. Most web frameworks give you the option to turn off session state entirely. If your website doesn’t offer online purchasing or doesn’t require a login (or does, but only to administer it), then it’s possible that the solution is exceptionally simple – just turn them off.
- Track session state using another technique. Some web frameworks allow session state to be tracked using the URL, although this can have an ugly effect on your URLs.
But wait, you’re wrong!
I may well be – I am not a lawyer, and the industry hasn’t come up with viable guidance for clients. That’s the point of this blog post – to hopefully start a discussion. If you have a comment, guidance, or would like to berate my interpretation of anything, please comment!
Update: Other posts on this issue
- Thanks to Andrew Westgarth who took the time to comment. He also has a blog post that looks into the irony of the potential practical impacts of getting cookie opt-in. I agree, it’s a complete mess that’s only further going to be muddied by the use of third-party services (who may be US-based and not be willing to modify their methodologies in line with the EU directive).
Andrew Westgarth:
May 23rd, 2011 at 9:16 pm
Great post and also reassuring to know that I have a similar understanding to you. I wait with bated breath to see how some of the big sites handle this.
Google Analytics, a service which most sites make use of, implements on average four cookies per site, and analytics certainly aren’t required for the function of a website, so this will catch lots of people out and Google have not provided any guidance to the masses or suggested how the service can be used without cookies.
I think at present the biggest issue is not many people are aware of the issue!
Craig Hawker:
May 24th, 2011 at 6:10 am
I agree completely re: third party services. We have a couple of clients that use statistical packages such as GA, banner advertising, affiliate networks, etc. All of these use a combination of first and third party cookies for a variety of reasons. Some of these reasons could definitely be thought of as being potential privacy risks.
The only thing I have seen from Google re: Analytics was a post on a Google Groups from an engineer insinuating that, as the cookies are first-party cookies (yep, I had to go check it myself too), that they didn’t think they needed to make any changes to their service…
What I may do is take a couple of the sites – some written by us, some hosted by us, and do an anonymised “analysis” into their cookie usage. I think this could be quite useful for smaller agencies that may not know what sort of thing to put together at this stage – what do you think?
Terry Brown:
May 24th, 2011 at 7:02 am
Great post – this (after reading yours and Andrew’s posts) is solidifying a little for me.
We definitely use cookies on our site that aren’t important from a ‘required to use the site’ aspect, though the limitations we’d have to place on the site if we were to attempt to implement the same functionality without terrifies me.
I suspect the modified T&C is the path of least resistance, and that’s the initial path people will take – whether that turns out to be ‘acceptable’ in the ICO’s eyes is another matter.
Craig Hawker:
May 24th, 2011 at 7:19 am
I think that most people will go down the T&C route, but even that may be fraught with issues: remember that you’ll have to get the T&Cs agreed to before the user gets given any cookie. So your T&Cs page will need to have no cookies set, and neither will any page that the user visits prior.
Also the ICO guidance has a section just on that option and they state that users must be aware of the changes and re-agree to them. You can’t just modify existing T&Cs that have a clause that people have already agreed to.
My concern is the same as yours – achieving similar functionality to current systems without cookies is going to be hard. Even as simple as a section on-page showing whether the user has logged in will be interesting to maintain (without a session ID cookie).
My gut feeling is that most sites will end up drawing up plans as per the ICO guidance but won’t enact them until they’re either forced to by law (i.e. when companies start getting prosecuted), or the law’ll be severely neutered before it’s enforced, or it’ll just get largely ignored. I think all we can do at the moment is plan…?
DaylightGambler:
May 24th, 2011 at 7:45 am
My understanding of the EU Cookie Directive was that its initial intention was to ensure permission is granted before cross-site tracking cookies are used (ad-networks etc.) to protect privacy. The problem came down to how to word the directive to cut off any loopholes, and it is the now rather vague wording that is causing the problem.
As Craig says, “Remember: this directive is approaching it from the perspective of the user’s privacy, not how your current site – or business – works. Long-term they will expect you to change if the two are not compatible.”
Anything that can vaguely be argued as required for site specific functionality (and not shared with other sites) is presumably unlikely to come under the directive.
The big elephant in the room, as Andrew says, is Google Analytics (and other third party services) – whilst unanimous stats for a specific website can be argued as critical to a website functionality, how much collating of this data does Google do for a specific user that would cause privacy concerns?
Ultimately I can only hope that Google will either get around to informing users on whether their provided code is legal under the directive (or how to make it so), or that anyone prosecuted under the related law will have Google’s lawyers behind them.
Craig Hawker:
May 24th, 2011 at 7:59 am
I agree as well – it’s likely that this law was kicked off to target very specific aggregation of personal information by the exceptionally large advertising networks that seem to dominate the arena. The directive, though, was termed in such a way as to not target them specifically.
The problem with these directives is that the way in which they’re enforced is probably often in stark contrast to what people want to achieve when they’re writing them.
The problem comes that the current wording is ambiguous and – in the worst-case reading – does target pretty much anything that cookies are used for aside from cookies used specifically to support an explicit user action. The post by Jeremy is quite interesting as he is looking at the wording of the directive from a legal perspective, then analysing common actions.
I really hope you’re right, though.
Andrew Westgarth:
May 24th, 2011 at 8:46 am
I think this is going to cause a huge amount of debate, hence why I can’t believe relevant industry individuals or groups were properly consulted on this issue.
According to the information from the ICO there is no distinction between first and third party cookies so therein Google’s most recent response is no longer valid. I believe the EU’s intention originally was to protect users against third party data uses (primarily browsing driven advertisement selection and placement) but as Craig says through the vagueness of the detail it now covers everything.
As regards issues with Session Cookies I’d argue that because HTTP is stateless and without any other mechanism it is extremely difficult to provide the same functionality, then Session Cookies are necessary for sites to function.
Tim Barlow:
May 24th, 2011 at 12:59 pm
Arh good, more people who agree that Google Analytics is being eyed up by the directive.
It will be interesting to see how the ICO deal with it as they have GA installed on their own site. You can see the T&Cs now but will they do something more on Thursday to get “consent”?
My interpretation of the guidelines is that they will and my best guess is that we will see something along the lines of CCTV notices in supermarkets.
Ned Wilsher:
May 15th, 2012 at 2:34 pm
I can only think of the term “a hammer to crack a nut”. I have a neat piece of code that tests for both JavaScript and Cookies. If both are found a session variable is set so that the code does not have to run on every page. If either are turned off a polite message is sent to the user – all designed to make the user experience much easier. But that code cannot run without dropping a session cookie in the first (that is partly how it tests if cookies are enabled). So how am I now supposed to check this? Maybe
$frustrated = new didTheEUEverUnderstandHowToBuildAWebsite();
I, too, am no lawyer but I see no reason to change my approach. In the UK we have a speed limit of 30 mph. People frequently go faster than that. Laws are to be broken – especially bad laws.