E-Privacy Directive and How it Affects UK Websites
Taking effect on May 26, 2012, the new E-Privacy Directive (originally amended in May 2011) is EU-wide legislation, sometimes known as the ‘cookie law’, that will affect every UK online business. Until now the use of cookies and other tracking technology to collect user behaviour information has been only loosely regulated. The new law, however, requires that companies obtain ‘informed consent’ from the consumer before using, or installing for such use, cookies and other tracking technology on a user’s device (PC, iPad, mobile phone, etc.). The ePrivacy Directive applies even where the tracking technology is not cookie-based.
The EU directive states that consumers should be made aware that what they do whilst visiting a website is being tracked, and that this tracking information is stored on the website’s server to be recalled when the same device returns to log in to that website on another visit. While this offers transparency for the consumer, there will obviously be quite an impact on the business owner: not only finding the appropriate format for obtaining consumer consent, but also a reduction in the amount of customer data that will be available.
Privacy Policy Link
Suggestions for obtaining consent range from the inclusion of an E-Privacy Directive Policy link that is highly visible on the home page, to adding a pop-up window requesting visitors to confirm their consent (on a first time visit to the site, and only on a subsequent visit where the law has changed or content has changed), and also possibly including the eprivacy directive policy in header / footer content.
The headache for business and website owners is finding the most appropriate and least invasive method of acquiring consent. There will of course be many visitors, as well as business owners, who’ll be turned off by a pop-up window requesting consent, and the option of using browser settings is not yet refined enough to work flawlessly in this regard, so this is clearly an area causing much concern for online businesses.
However, non-compliance is not an option. As the head of regulatory affairs at the IAB (Internet Advertising Bureau), Nick Stringer, states, ‘there are no short cuts to complying … it’s about transparency and developing good business practice’, adding, ‘it’s the law’!
To help business owners better understand the new law, the Information Commissioner’s Office has created an extensive New Cookies Guidance document which details how a business can fully comply with the new directive.
Ultimately, by including a concise description of how cookies are used on your site (in a highly visible location), and by obtaining consent from each visitor to your site, you will show transparency and therefore not suffer any penalty for non-compliance with this new ePrivacy Directive.
Know your cookies, know your rights
For those requiring a little more understanding of Cookies, here’s a brief summary:
Cookies, browser cookies, persistent cookies, session cookies, and tracking cookies are small, sometimes encrypted text files located in browser directories. They allow a visitor to easily navigate a website, and can be used for identification, storing user preferences and authentication, amongst other things. Disabling these cookies will often prevent a visitor from using your site.
What Cookies Do
In effect, when a visitor enters a website, a cookie (a text file) is automatically generated and sent from the website to the user’s device. Each time that same visitor returns to the site the file is accessed from the website’s server, so it remembers the previous visit and the visitor’s preferences.
Browser Cookies
These allow a visitor’s information to be stored on the website server. If one is a returning visitor to that site then, instead of having to log in each time to access a secure part of the site, the cookies handle that process without the user’s input.
Persistent Cookies, also known as Tracking Cookies
These allow you to add your personal preferences on how you view a particular site, for example how you’d search for a particular item, i.e. low price to high, categories A to Z. They are remembered each time the user logs in to a particular site after the first visit (when using the same device).
Session Cookies
These are used to track a user’s behaviour on the website for that one particular session. Once the browser has been closed there is no tracking capability.
It helps to be knowledgeable about these little fellows that have inspired the e-privacy directive so should you wish to further inform yourself then we suggest you take a look at the full explanation of Cookies at: http://www.allaboutcookies.org/
The Legal Documentation of the E-Privacy Directive
Below is a summary of how the actual EU ePrivacy Directive reads, but for a more extensive, in-depth look at the law, take a look here to further educate yourself about this important new piece of legislation: ePrivacy Directive Procedures
The new requirement is essentially that cookies can only be placed on machines where the user or subscriber has given their consent.
(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment–
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information–
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Time is now running out for those who have not yet taken steps to incorporate the ePrivacy policy changes into their website content. We suggest you consult with your web development team to discuss the best options for implementing this mandatory piece of legislation, and remember that the deadline for the new directive is May 26, 2012.
The world wide web is still relatively new in this modern age of technology and as such, whether we agree with them or not, the laws and best practices will continue to evolve. Don’t let these new laws and legislations overwhelm you.
I was under the impression that the EU was no longer telling us what to do. Seems I am wrong. How does this affect our websites and is there a way that it can be implemented without looking like a ugly pop-up to have a visitor agree to your website terms?
Thanks for the comment Cathy. Currently we are looking at how others have been interpreting this law and what we can and cannot do. I am hearing mixed reactions to this – I can sympathise that businesses and website owners do not want ugly pop-ups on their websites. I think a way this could work is a link in the footer of the page (after all, most know to look at the footer of a website for the legal info) that was dedicated to the Cookie Policy.
My understanding is that just putting a link to your cookie policy in the footer is not enough, you have to ask for explicit agreement to set non-essential cookies on a users computer.
As you can set essential cookies, e.g. the ones for managing the shopping cart and I’m assuming login cookies, as they are exempt, you only need permission to set those cookies required to run AdSense, analytics and so on, i.e. non-essential ones.
Why would a user bother to click a box to let a web site track them or show them ads?
The solutions I’ve seen range from a big modal dialog box which stops the user using the site to a big banner across the top of the page. As you have to detail what the cookies are for it probably doesn’t really help if you’re making it prominent, and modal, well, I’d argue usability.
The stupid part is if you ask the user to choose and they say no you can’t set cookies, you still end up setting a cookie in order to remember their choice or you have to ask them on every page, irony?
Even if you’re not in Europe but your website targets or is used(?) by the European market you have to follow this directive, although I’m not sure how they are going to manage that and those I’ve spoken to basically blew it off, so we shall see on that.
Hi Paul
Good response. After speaking the last couple of days with colleagues and some business site owners nobody wants a big modal box and as you say:
“…and modal well I’d argue usability.”
If usability becomes an issue then surely the architects of this directive did not take into account accessibility laws in the UK.
The vexing point here is that a directive has been introduced with no clear direction on implementation – though on one level it appears to be a great idea and a nod to greater transparency. On the other hand I do not feel that enough research was conducted on its behaviour in a real-time environment.
If you’ve not seen it already then look at the solution used on https://ico.org.uk/ looks good doesn’t it and really makes you want to click it doesn’t it?
However if you go to the privacy policy they do show how the cookie information should be shown. I wonder how many users understand that though.
“looks good doesn’t it and really makes you want to click it doesn’t it?”
Do I detect the languid tone of irony there, or are you being serious? I think it is horrible. I do not want on my website a box that has to ask permission from users to use my website. ‘Yes we are tracking you albeit harmlessly’ it will cause panic.
Why have the smart heads at Google not come up with something? After all I think that most sites use their analytics technology. They have not said anything about it. Hey, if they give me the money to fight a legal battle for this I would mount one.
Oh, I was being ironic with that comment, it doesn’t look good, it interferes with the user’s experience, leaving the only option of dropping all nonessential cookies.
Try it on an iPhone etc, even less space for the user to see the site contents.
The day the E-Privacy Directive goes into effect is a couple of weeks away, we are still not any the wiser on which way to go with this. I have been looking at several ways we can tackle this from pop-overs which I am adamant should not be used as they raise a multitude of issues from accessibility to small device usage (As Paul pointed out). Deana had the idea to place a visible link that states “Read Our Cookie Policy” that would go to a page that would then comply with the ruling. Quite frankly it is not a bad idea and I have been entertaining this now for quite a while.
“… had the idea to place a visible link that states “Read Our Cookie Policy” that would go to a page” – my understanding is that doesn’t comply, you’ve informed the user but they have not given permission to you to place anything onto their machine, the grant of permission is a click?
I did have one solution but it required modification of the server side code, which is Ok if you wrote it but if it’s a 3rd party script then each time you upgrade you’d have to apply the modifications again, which is not workable as clients won’t pay for it.
Hi Paul,
We are back where we started and none the wiser. We feel a pop-up will not work, many have them turned off, a pop-over ruins the aesthetic experience of a website and will not work on small devices correctly. The server-side script you talk about will need modding time and again. What is left?
A lot of head scratching here as you can imagine. 🙂
A lot of head scratching here too.
Needs JavaScript which captures all the analytics etc stuff on the page and stops it running, puts a bar at the top of the page asking permission + telling people how to accept. If they accept sets a cookie so the next page load the analytics etc loads as normal, if they don’t accept it nags them on every page.
Issue I have is catching all the things on the page which might use a cookie and stopping them from running unless the server side scripts are aware of the acceptance cookie and don’t send cookies until they see it.
Plus do you know what all the cookies are for in any web script you use so you can detail them?
What happens if the user doesn’t have JavaScript on, then setting the acceptance needs to happen via server side scripting.
I can make a solution work for clearFusionCMS because I control all of it, but that’s not the point.
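Paul’s outline above (a script that stops the analytics and advertising code running until an acceptance cookie exists, sets that cookie when the visitor accepts, and re-asks otherwise) and the article’s session/persistent cookie distinction, worked through as an added example; this is not code from the original post, its comments, or clearFusionCMS. The cookie name `cookie_consent`, the script inventory and the `*.example` hostnames are assumptions made for the example. The decision logic is kept in pure functions so it can be exercised outside a browser (and reused server-side on the Cookie header for visitors without JavaScript, as Paul notes); only the wire-up at the bottom touches the DOM.

```javascript
// Added example: consent gating for non-essential cookies.
// Assumed cookie name (not from the post); the same name would be checked server-side.
const CONSENT_COOKIE = 'cookie_consent';

// Parse a Cookie header / document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  if (!cookieString) return out;
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Consent counts as given only when the acceptance cookie is present with value "yes".
// No cookie means the visitor has not been asked yet; "no" means they refused.
// Both states keep the non-essential scripts blocked.
function consentState(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  if (v === 'yes') return 'accepted';
  if (v === 'no') return 'refused';
  return 'unknown';
}

// Build the cookie string recording the choice. Acceptance is stored as a
// persistent cookie (Expires set) so it survives the browser being closed;
// refusal is stored as a session cookie (no Expires), so nothing persistent
// is written to the device and the question is asked again next session.
function buildConsentCookie(accepted, { persistentDays = 365, now = new Date() } = {}) {
  const base = `${CONSENT_COOKIE}=${accepted ? 'yes' : 'no'}; Path=/; SameSite=Lax`;
  if (!accepted) return base;
  const expires = new Date(now.getTime() + persistentDays * 86400 * 1000);
  return `${base}; Expires=${expires.toUTCString()}`;
}

// Scripts flagged essential (shopping cart, login) always load; everything
// else loads only once consent has been accepted.
function scriptsToLoad(cookieString, scripts) {
  const ok = consentState(cookieString) === 'accepted';
  return scripts.filter((s) => s.essential || ok).map((s) => s.src);
}

// Constructed sample inventory; a real page lists its own scripts here.
const SCRIPT_INVENTORY = [
  { src: '/js/cart.js', essential: true },
  { src: 'https://analytics.example/track.js', essential: false },
  { src: 'https://ads.example/serve.js', essential: false },
];

// Browser wire-up (skipped when there is no DOM, e.g. under Node).
if (typeof document !== 'undefined') {
  for (const src of scriptsToLoad(document.cookie, SCRIPT_INVENTORY)) {
    const el = document.createElement('script');
    el.src = src;
    document.head.appendChild(el);
  }
  if (consentState(document.cookie) !== 'accepted') {
    // Bar at the top of the page explaining the cookies and offering acceptance.
    const bar = document.createElement('div');
    bar.textContent = 'This site uses cookies for analytics and advertising. ';
    const accept = document.createElement('button');
    accept.textContent = 'Accept';
    accept.addEventListener('click', () => {
      document.cookie = buildConsentCookie(true);
      location.reload(); // the next load injects the non-essential scripts
    });
    bar.appendChild(accept);
    document.body.prepend(bar);
  }
}
```

The important property is that the third-party scripts are never in the page markup as ordinary `<script>` tags; they are injected only after the check passes, which is what stops them setting their cookies before consent. On the server, the same `parseCookies`/`consentState` logic applied to the request’s Cookie header decides whether to emit those tags at all, which covers visitors with JavaScript disabled.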
Ours is now here in our Privacy Policy: https://sonet.digital/legal/privacy-policy/ it is accessible from every page of the website.
Interestingly enough we have been using a similar policy on some of our clients’ websites for over four years at least.
That’s the same sort of thing that I’ve been using for eons.
Did you see the new stuff they added on implied consent, i.e. the using of the website implies consent.
Thanks for pointing that out to me, I had not seen that. I am seeing sites that are not asking permissions but implying the same. It’s a better idea depending how you read it. I was on a website yesterday that when I clicked the refusal button (To see what happens) I was still able to view the content. Now I wonder if they had turned off tracking automatically when I refused (I doubt it), or they were just paying lip-service to the directive?
It was only added something like 24 hours before the deadline, but if I read it correctly the old privacy policy that tells them that we use cookies is now good enough again?
I think the idea of ‘good’ and ‘bad’ cookies is a dangerous one. It isn’t the cookie itself that is bad, but the use to which it is put. A cookie that tracks my progress through searches or other activity on a website is potentially useful in predicting the information I may wish to see next, but if you then sell that information to a data-mining company to allow targeted spam, then precisely the same cookie has transitioned from ‘good’ to ‘bad’. Similarly, allowing me to say I ‘like’ a page is good; using the same cookie that provides for that functionality to track my progress through any page with a like button, without me being aware of it and with the intention, again, of selling that information, is going far beyond the perceived use I signed up for. Like any tool, it isn’t the tool itself that decides the morality, but the user and what they choose to use it for.
Nicely put Yasmin, but unfortunately I don’t see this law helping with the use of the information, really how many users are going to read any cookie policies, they just want the site to work and will click any notifications away as quickly as possible.
To add a note here. The UK is not the only EU country – all EU countries must comply with this policy. We have now started implementing the policy across client sites usually with a notification bar at the very top of the page.
I love the idea of transparency but still believe educating consumers to go to a website’s privacy policy in a standard location would be a better compromise than degrading the design of a site.