EU Cookie Law Regulations
This is a major shift from the previous guidance, which stated that websites must obtain explicit consent before using cookies.
We can only think this change has been made because of the practical difficulties on obtaining express and prior consent. Also, most UK government websites have yet to comply with the previous guidance. The ICO may have received a large number of complaints regarding non-compliance, had the guidelines not been changed at the 11th hour.
Our own opinion is that this has been a significant waste of time and resources for websites attempting to comply, and actually threatened the provision of free information and services on the internet - most of which rely upon advertising revenue to pay for the free services.
Please note that our own Cookies Policy complies with the latest guidelines from the ICO.
In the UK the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 implements European Directive 2009/136/EC. This is more commonly known as the new cookie law and will come into force on 26th May 2012. The regulations were due to come into force on 26th May 2011, but the UK has given websites an extra 12 months to attempt to comply.
What are cookies?
Cookies are small files containing a short string of numbers and letters placed automatically by a website into the cookie folder in your browser. Cookies are generally used to make use of a website easier and faster. The cookie recognises that a device is or has accessed the website and acts accordingly, (depending on what the cookie is designed to do.) Mostly cookies perform mundane, but necessary tasks, such as:
- Remembering you as a registered user, if you signup to a website.
- Monitoring a website to ensure it loads correctly and efficiently.
- Allowing customers to add items to a shopping basket and pay.
- Serving ads that are more relevant to you.
- Analysing how visitors use a website to spot ways to improve it.
The new cookie law was drafted to combat those websites that over-use or abuse the cookie process. Only a small percentage of websites do this, and most are located outside the UK or EU anyway – and so are not covered by the regulations.
Shopping basket exception
Cookies used during the shopping basket / checkout process on ecommerce websites do not require any consent as such. This is because the visitor has specifically requested a service from a website - to buy something. Cookies are used to ensure what is added by the customer to their basket remains in their basket throughout the checkout and payment process – basically so that they get what they pay for.
The Information Commissioner’s Office
From our own discussions with the Information Commissioner’s Office (ICO) we have obtained the following broad guidance.
1. The new law is designed to stop websites using intrusive cookies that track visitors on a website, and in some cases continue to track visitors when they subsequently visit other websites. These cookies are purposefully designed to obtain as much data about visitors as possible. This data is not required to provide a service to the visitor on the website, it is obtained to create a data profile of the visitor.
The use of such cookies are clearly to the detriment of visitors – this is a key point of the regulations – are the cookies used detrimental to the visitor?
2. The ICO has stated that if a website can show it has taken reasonable steps in order to comply with the law that website will be less likely to have broken the law.
Enforcement and Penalties
The ICO has stated they will look at any website reported to them to see if a breach has been committed. As stated above, action is less likely to be taken where the website can show that it has attempted to comply with the regulations.
Basically the ICO is going to go after those websites whose clear intent is to collect as much data as possible in the hope of selling such data. The ICO probably already has a good idea of the likely worst offenders and will act against them if they receive a complaint.
The ICO has already stated that it will work with websites to ensure they are as compliant as possible and that actual enforcement against a website will be a last resort.
The ICO has the following enforcement and penalty options under the regulations, (taken directly from the ICO’s own guidance):
Information notice: this requires organisations to provide the Information Commissioner with specified information within a certain time period.
Undertaking: this commits an organisation to a particular course of action in order to improve its compliance.
Enforcement notice: this compels an organisation to take the action specified in the notice to bring about compliance with the regulations. For example, a notice may be served to compel an organisation to display a clear Cookies Policy. Failure to comply with an enforcement notice can be a criminal offence.
Monetary penalty notice: a monetary penalty notice requires an organisation to pay a monetary penalty of an amount determined by the ICO, up to a maximum of £500,000. This power can be used in the most serious of cases and if specific criteria are met, if any person has seriously contravened the regulations and if the contravention was of a kind likely to cause substantial damage or substantial distress. In addition the contravention must either have been deliberate or the person must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.
Even though these powers may seem draconian a website would need to be in serious breach to receive a monetary penalty notice. The level of breach would be more akin to installing spyware on a visitor’s computer or mobile device.
Attempting to comply
Other ways to comply
One possible way to comply would be to require all visitors to your website to register and open an account. This would involve users giving their consent to cookies by agreeing to the relevant terms & conditions. However, imagine how much of the internet would become closed off. Casual browsing of the internet could become a thing of the past, and accessing free content would take considerably longer. Also, it would make it harder for search engines to find and index content, so searching would become less rewarding too.
Also from our discussions with the ICO they have stated that they have no jurisdiction over websites and organisations based outside the UK. If a website and organisation is based in another country within the EU they may be able to request compliance through the relevant body within that EU country. That is assuming that the country in question has actually implemented the directive.
However, the best way to avoid these regulations is to simply host your website in a jurisdiction outside the EU. Most major hosting companies have international locations; so moving websites abroad is relatively simple.
It is important to note that your company will also need to be relocated outside the UK and EU to avoid the regulations. This is a significant step, but is still a practical option. Needless to say this will have an impact on tax receipts for the UK government and will hamper the UK’s push to nurture tech businesses in the UK.
Ultimately the decision to move will rest upon the degree of enforcement once the regulations come into force and in the months afterwards.
However, if a large number of UK and EU websites take these steps consumers will find their favourite websites may take slightly longer to load because the websites are based in overseas locations. Any request from the UK will need to pass through more computers and infrastructure to reach the website and the website will have to deliver the website content back through the same longer route.
(Incidentally this is why Google has a large number of servers spread across the world, rather than all located at their headquarters in California. When you carry out a search on Google from the UK your request will go to a server in the UK or another one of their servers in the EU, not to the US. This saves valuable mille-seconds and is the reason why results in Google load so quickly.)
The questions then are:
1. Does the average internet user want to give up this convenience?
2. Will Google and others move their servers outside the EU taking investment and jobs with them?
Threat to free
The internet is a wonderful thing, especially since large parts of it are completely free – have you ever paid to search on Google, have you ever paid to poke a friend on Facebook?
Websites can offer free services because they carry adverts and they serve adverts that may be of interest to you. These adverts “target” you based on your previous searches and visits to other websites. However, this “targeting” is largely anonymous. Google knows what you like, but unless you signup for their new social network Google+ it does not know who you actually are.
The threat to advertising could mean an end to some existing free services on the internet and certainly fewer free services in the future.
Now, surely that would be to the detriment to internet users?