Understanding the E-Privacy Directive and Its Impact on UK Websites

Gavel and legal law book in front of a flag of eh European Union.

The E-Privacy Directive is an EU-wide regulation that focuses on the transparency of online tracking.

Introduction to the E-Privacy Directive

The E-Privacy Directive, which came into effect on May 26, 2012, is an EU-wide regulation that focuses on the transparency of online tracking. The directive mandates that consumers should be informed about the tracking activities that occur when they visit a website. This includes the data that’s stored on the website’s server, which can be accessed when the same device revisits the site.

Implications for Business Owners

The E-Privacy Directive directive brings about significant changes for business owners. They will need to ensure that they obtain clear consent from consumers before collecting their data. This not only means finding an effective way to gain this consent but also potentially seeing a decrease in the amount of customer data available due to increased transparency.

Loss of Traffic Reporting in Analytics

When a visitor chooses not to be tracked, it directly impacts the data captured by analytics tools. Even though the traffic from such users still exists and they continue to interact with the website, their activities remain invisible in the analytics report. This can lead to a perceived drop in website traffic, even though the actual number of visitors hasn’t decreased. Business owners need to understand this distinction, as making decisions based on incomplete data can lead to misguided strategies.

Methods of Obtaining Consent

There are several ways businesses can obtain consent from their visitors:

  1. E-Privacy Directive Policy Link: A clearly visible link on the homepage that leads to the Privacy Policy page.
  2. Pop-up Windows: A window that appears when a user visits the site for the first time, or when there are changes in the law or content, asking for their consent.
  3. Header/Footer Content: Incorporating the E-Privacy Directive Policy within the header or footer of the website.

However, it’s essential to choose a method that is not too intrusive. For instance, many users might find pop-up windows disruptive, and relying solely on browser settings might not be foolproof.

The Importance of Compliance

Nick Stringer, the head of regulatory affairs at the Internet Advertising Bureau (IAB), emphasises that there are no shortcuts to compliance. Businesses must be transparent and adopt good business practices. After all, it’s the law. The Information Commissioner Office provides resources to help business owners understand and comply with this new directive.

A Brief Overview of Cookies

For those unfamiliar with cookies, they are small text files, sometimes encrypted, stored in browser directories. They help users navigate websites more efficiently and can serve various purposes, such as identification, user preferences, and authentication. Disabling these cookies might hinder the user experience on some sites. Here’s a brief summary:

What Are Cookies? 
When a user visits a website, a small text file called a cookie is created and sent from the website to the user’s device. This cookie helps the website remember the user’s previous interactions and preferences. When the user revisits the site, the cookie is retrieved, allowing the website to recall past visits and preferences.

Browser Cookies:
These cookies store information about a visitor on the website’s server. For returning visitors, browser cookies simplify certain processes. For instance, they can automatically log a user into a secure section of the site, eliminating the need for manual login every time.

Persistent Cookies (or Tracking Cookies):
These cookies remember a user’s specific preferences for a website. For example, they can recall how a user prefers to view items on a site, such as sorting products from low to high prices or viewing categories in alphabetical order. These preferences are remembered every time the user accesses the site from the same device.

Session Cookies:
These cookies monitor a user’s actions during a single website session. Their tracking capabilities end once the user closes the browser. They don’t store long-term data and are deleted after the session ends.

For a more in-depth understanding of cookies read our brief summary below, you can visit All About Cookies.

The Legal Documentation of the E-Privacy Directive

Below is a summary of how the actual EU E-Privacy Directive reads, but for a more extensive, in-depth look at the law, take a look here to further educate yourself about this important new piece of legislation:  ePrivacy Directive Procedures.

The new requirement is essentially that cookies can only be placed
on machines where the user or subscriber has given their consent.

(1)    Subject to paragraph (4), a person shall not store or gain
access to information stored, in the terminal equipment of a subscriber
or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal
equipment–

(a) is provided with clear and comprehensive information about the
purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

(3) Where an electronic communications network is used by the
same person to store or access information in the terminal equipment
of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2)
are met in respect of the initial use.

“(3A) For the purposes of paragraph (2), consent may be signified by a
subscriber who amends or sets controls on the internet browser which
the subscriber uses or by using another application or programme to
signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or
access to, information–

(a) for the sole purpose of carrying out the transmission of a
communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the
provision of an information society service requested by the subscriber
or user.

We suggest you consult with your web development team to discuss the best options for implementing this mandatory piece of legislation and remember that the deadline for the new directive is May 26, 2012.

Staying Ahead in the Age of Online Privacy

The E-Privacy Directive is there to protect website visitors, especially in an age where there is more demand for online transparency and the protection of consumer privacy. By understanding the role of privacy cookies on your website and securing explicit consent from your visitors, you not only safeguard your business from potential penalties but also ensure adherence to this directive. It’s crucial to remain updated and proactive in developing privacy regulations. Misinterpretations of the E-Privacy Directive have been common, with some businesses either overcomplicating its implementation or not applying it accurately. Staying informed and seeking clarity on such matters is essential for maintaining trust and ensuring a seamless online experience for users.

Sources and citations:

  • E-Privacy Directive: This is the main subject of the article. It’s an EU-wide regulation that came into effect on May 26, 2012, focusing on online tracking transparency. However, a direct link to the official directive was not provided in the original content.
  • Internet Advertising Bureau (IAB): Mentioned about Nick Stringer’s statement on the importance of compliance. The IAB is a trade association promoting digital advertising. You can learn more about the IAB here, though the original content did not provide a direct link.
  • Information Commissioners Office: This office provides resources to help business owners understand and comply with the new directive. While the article mentions its role, a direct link to the office or its resources was not provided in the original content. You can visit the ICO official site here.

The World Wide Web is still relatively new in this modern age of technology and as such, whether we agree with them or not, the laws and best practices will continue to evolve.  Don’t let these new laws and legislations overwhelm you.

18 replies
  1. Cathy L
    Cathy L says:

    I was under the impression that the EU was no longer telling us what to do. Seems I am wrong. How does this affect our websites and is there a way that it can be implemented without looking like a ugly pop-up to have a visitor agree to your website terms?

    Reply
    • Vincent
      Vincent says:

      Thanks for the comment Cathy. Currently we are looking at how others have been interpreting this law and what we can and cannot do. I am hearing mixed reactions to this – I can sympathise that businesses and website owners do not want ugly pop-ups on their websites. I think a way this could work if link in the footer of the page (After all most know to look at the footer of a website for the legal info) that was dedicated to the Cookie Policy.

      Reply
  2. Paul
    Paul says:

    My understanding is that just putting a link to your cookie policy in the footer is not enough, you have to ask for explicit agreement to set non-essential cookies on a users computer.

    As you can set essential cookies e.g. the ones for managing the shopping cart and I’m assuming login cookies as they are exempt you only need permission to set those cookies as required to run adsense, analytics and so on i.e. non-essential.

    Why would a user bother to click a box to let you a web site track them or show them ads?

    The solutions I’ve seen range from a big modal dialog box which stops the user using the site to a big banner accross the top of the page. As you have to detail what the cookies are for it probably doesn’t really help if you’re making it prominent, and modal well I’d argue usability.

    The stupid part is if you ask the user to choose and they say no you can’t set cookies, you still end up setting a cookie in order to remember their choice or you have to ask them on every page, irony?

    Even if you’re not in Europe but your website targets or is used(?) by the European market you have to follow this directive, although I’m not sure how they are going to manage that and those I’ve spoken to basically blew it off, so we shall see on that.

    Reply
    • Vincent
      Vincent says:

      Hi Paul

      Good response.  After speaking the last couple of days with colleagues and some business site owners nobody wants a big modal box and as you say:

      “…and modal well I’d argue usability.”

      If usability becomes an issue then surely the architects of this directive did not take into account accessibility laws in the UK.

      The vexing point here is that a directive has been introduced with no clear direction on implementation – though on one level it appears to be a great idea and a nod to greater transparency. On the other hand I do not feel that enough research was conducted on it’s behaviour in a real-time environment.

       

      Reply
      • Paul
        Paul says:

        If you’ve not seen it already then look at the solution used on https://ico.org.uk/ looks good doesn’t it and really makes you want to click it doesn’t it?
        However if you go to the privacy policy they do show how the cookie information should be shown. I wonder how many users understand that though.

        Reply
        • Cathy L
          Cathy L says:

          “looks good doesn’t it and really makes you want to click it doesn’t it?” 

          Do I detect the languid tone of irony there, or are you being serious? I think it is horrible. I do not want on my website a box that has to ask permission from users to use my website. ‘Yes we are tracking you albeit harmlessly’ it will cause panic.

          Why have the not the smart heads at Google come up with something?  After all I think that most sites use their analytics technology. They have not said anything about it.  Hey, if they give me the money to fight a legal battle for this I would mount one.

          Reply
          • Paul
            Paul says:

            Oh, I was being Ironic with that comment, it doesn’t look good, it interferes with the users experience leaving the only option of dropping all nonessential cookies.
            Try it on an iPhone etc, even less space for the user to see the site contents.

  3. Vincent
    Vincent says:

    The day the E-Privacy Directive goes into effect is a couple of weeks away, we are still not any the wiser on which way to go with this. I have been looking at several ways we can tackle this from pop-overs which I am adamant should not be used as they raise a multitude of issues from accessibility to small device usage (As Paul pointed out).  Deana had the idea to place a visible link that states “Read Our Cookie Policy” that would go to a page that would then comply with the ruling. Quite frankly it is not a bad idea and I have been entertaining this now for quite a while.

    Reply
    • Paul
      Paul says:

      ” had the idea to place a visible link that states “Read Our Cookie Policy” that would go to a page” my understanding is that doesn’t comply, you’ve informed the user but they have not given permission to you to place anything onto their machine, the grant of permission is a click?
      I did have one solution but it required modification of the server side code, which is Ok if you wrote it but if it’s a 3rd party script then each time you upgrade you’d have to apply the modifications again, which is not workable as clients won’t pay for it.

      Reply
      • Deana
        Deana says:

         

        Hi Paul,

         

        We are back where we started and none the wiser. We feel a pop-up will not work, many have them tuned off, a pop-over ruins the aesthetic experience of a website and will not work on small devices correctly. The server-side script you talk about which will need modding time and again. What is left?

         

        A lot of head scratching here as you can imagine. 🙂

         

         

        Reply
        • Paul
          Paul says:

          A lot of head scratching here to.
          Needs JavaScript which captures all the analytics etc stuff on the page and stops it running, puts a bar at the top of the page asking permission + telling people how to accept. If they accept sets a cookie so the next page load the analytics etc loads as normal, if they don’t accept it nags them on every page.
          Issue I have is catching all the things on the page which might use a cookie and stopping them from running unless the server side scripts are aware of the acceptance cookie and don’t send cookies until they see it.
          Plus do you know what all the cookies are for in any web script you use so you can detail them?
          What happens if the user doesn’t have JavaScript on, then setting the acceptance needs to happen via server side scripting.
          I can make a solution work for clearFusionCMS because I control all of it, but that’s not the point.

          Reply
    • Paul
      Paul says:

      That’s the same sort of thing that I’ve been using for eons.
      Did you see the new stuff they added on implied consent, i.e. the using of the website implies consent.

      Reply
      • Vincent
        Vincent says:

        Thanks for pointing that out to me, I had not seen that. I am seeing sites that are not asking permissions but implying the same.  It’s a better idea depending how you read it. I was on a website yesterday that when I clicked the refusal button (To see what happens) I was still able to view the content.  Now I wonder if they had turned off tracking automatically when I refused  (I doubt it), or they were just paying lip-service to the directive?

         

        Reply
        • Paul
          Paul says:

          It was only added something like 24 hours before the deadline, but if I read it correctly the old privacy policy that tells them that we use cookies is now good enough again?

          Reply
    • Yasmin
      Yasmin says:

      I think the idea of good’ and bad’ cookies is a daeorngus one. It isn’t the cookie itself that is bad, but the use to which it is put. A cookie that tracks my progress through searches or other activity on a website is potentially useful in predicting the information I may wish to see next, but if you then sell that information to a data-mining company to allow targetted spam, then precisely the same cookie has transitioned from good’ to bad’. Similarly allowing me to say I like’ a page is good, using the same cookie that provides for that functionality to track my progress through any page with a like button, without me being aware of it and with the intention, again, of selling that information, is going far beyond the perceived use I signed up for. Like any tool, it isn’t the tool itself that decides the morality, but the user and what they choose to use it for.

      Reply
      • Paul
        Paul says:

        Nicely put Yasmin, but unfortunately I don’t see this law helping with the use of the information, really how many users are going to read any cookie policies, they just want the site to work and will click any notifications away as quickly as possible.

        Reply
  4. Vincent
    Vincent says:

    To add a note here. The UK is not the only EU country – all EU countries must comply with this policy. We have now started implementing the policy across client sites usually with a notification bar at the very top of the page.

    I love the idea of transparency but still believe educating consumers to go to a websites privacy policy in a standard location would be a better compromise than degrading the design of a site.

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *