European Union “Cookies Law”

In May of 2011, the European Union passed a directive that was adopted by all EU countries. Simply put, it forces websites to be more transparent about how they use cookies and give site visitors control over whether or not they agree to be subject to cookies. Most countries provided a one-year grace period for compliance and were expected to begin enforcing the law in May 2012.

A cookie, of course, is a text file that a web browser places on your computer’s hard drive on behalf of the website being served. At the most basic level, most sites deploy a cookie that contains information, such as a user or session ID, that allows the website to remember who you are across multiple page views or browsing sessions. Most websites set 10 or more cookies. There are much more complicated cookies that facilitate very sophisticated data tracking and can compromise a user’s privacy and support intrusive marketing, fraud, or other criminal behavior. This type of cookie usage is what the EU intends to combat.

Who is Affected?

The law applies to all Member States of the European Union, so it most obviously applies to any company within an EU country. However, even websites outside the EU are required to comply with the law if they are targeting Member States. For example, a site based in the U.S. that sells products to consumers in the UK or has a French-language version of its site aimed at users in France will still have to comply.

Any site that uses cookies will need to explain how it uses cookies, what kind of data it collects, and provide an opt-in mechanism for every visitor. There are technically two classes of cookies under this directive:

  • Strictly necessary: cookies that are required for a website or functionality to operate properly, which the user can be assumed to know are in effect. For example, an e-commerce application and shopping cart will not function without a cookie. Explicit user opt-in is not required in that case.
  • Not strictly necessary: just about any other kind of cookie, including those used with Google Analytics. In these cases, formal opt-in is required.

The Privacy Policy is also required to be more prominent.

Why Does It Matter?

It is the law, and Member States have indicated that (although some of them have reservations about the practicality of implementation) they will not tolerate flagrant disobedience. Many speculate that the law will be hard to enforce, but for companies that do business in the EU it could be an unacceptable risk: sites that do not comply could be liable for major fines (up to 500,000 pounds in the UK), probably only in situations where deliberate contravention leads to substantial damage or distress. There are less severe penalties for minor contraventions.

When Does It Start?

The law was passed in May of 2011, so even with the one-year grace period the law has taken full effect as of May 26, 2012.

How Does a Website Comply with the Law?

The law is not precise about how, specifically, compliance should be attained, documented, or reported. Nor does it describe any methods that would be considered either appropriate or non-compliant. Thus the execution of compliance is very open to interpretation and could vary from client to client. The UK has given some helpful suggestions about technical implementation that could be used to comply:

  • JavaScript pop-up box: explaining cookie use and offering ‘yes’ and ‘no’ options for consent
  • Splash page: at first site entrance, with the same sort of copy
  • Banner: shown along the top of the page to first-time visitors with a tick box to allow users to consent, with cookies disabled until the visitor ticks to indicate consent
  • Footer bar: similar to the banner concept, this would be displayed along the bottom

All of these solutions interrupt the user’s experience of the site, and disabling cookies will also negatively impact the user experience. The one positive point is that a user is only required to opt in once (per site visit) and not on every page.

How Should You Respond?

There are several steps that need to be taken for all web properties:

  • Determine whether the law applies (i.e., do you have a business location within an EU Member State?). You may need to ask your legal team to review and issue a decision about whether you need to conform.
  • Determine what your compliance solution would be. This might vary from site to site. A good example of compliance is found at www.bt.com (look in the lower right).
  • Implement a solution on a site-by-site basis. This will require an audit of all site cookie use, design, and copywriting of new pages/screens detailing the required information, and programming to implement the solution and accomplish any cookie disabling or documentation that is deemed necessary.
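The following is an added example, not code from the original article or from any of the resources it links to. It sketches the “banner with cookies disabled until the visitor ticks” approach described above together with a small helper for the cookie audit step: strictly-necessary cookies are written immediately, every other cookie is held back until the visitor opts in, and the opt-in is itself remembered in a cookie so the visitor is asked only once per visit. The allow-list `STRICTLY_NECESSARY`, the `cookie_consent` cookie name, and the function names are assumptions made for this illustration; a real site would fill the allow-list from its own cookie audit.

```javascript
// Added example (not from the original article): a consent gate for
// non-essential cookies plus an audit helper. All names are assumed.

// Cookies the site cannot function without (assumed list for this example).
// The consent flag belongs here: it is what records the visitor's opt-in.
const STRICTLY_NECESSARY = new Set(["sessionid", "cart", "cookie_consent"]);

function isStrictlyNecessary(name) {
  return STRICTLY_NECESSARY.has(name);
}

// Audit step: parse a document.cookie-style string ("a=1; b=2") and split
// the cookie names into the two classes the directive distinguishes.
function auditCookies(jarString) {
  const report = { strictlyNecessary: [], needsConsent: [] };
  for (const part of jarString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    (isStrictlyNecessary(name) ? report.strictlyNecessary : report.needsConsent).push(name);
  }
  return report;
}

// Consent gate: wraps a cookie writer (in a browser: s => { document.cookie = s; })
// so that non-essential writes are queued until consent is recorded.
// `initialJar` is the cookie string read at page load, used to honour an
// opt-in given earlier in the same visit.
function createConsentGate(writeCookie, initialJar = "") {
  const pending = [];
  let consented = /(?:^|;\s*)cookie_consent=yes(?:\s*;|$)/.test(initialJar);

  function setCookie(name, value, attrs = "Path=/; SameSite=Lax") {
    const serialized = `${name}=${encodeURIComponent(value)}; ${attrs}`;
    if (isStrictlyNecessary(name) || consented) {
      writeCookie(serialized);
      return "written";
    }
    pending.push(serialized); // held back until the visitor says yes
    return "deferred";
  }

  function grantConsent() {
    consented = true;
    writeCookie("cookie_consent=yes; Path=/; SameSite=Lax");
    while (pending.length) writeCookie(pending.shift()); // flush the queue
  }

  function denyConsent() {
    pending.length = 0; // drop everything that was waiting for consent
  }

  return {
    setCookie,
    grantConsent,
    denyConsent,
    hasConsent: () => consented,
    pendingCount: () => pending.length,
  };
}

// Banner wiring for browsers; returns null when there is no DOM (e.g. Node).
function mountBanner(gate, doc) {
  if (!doc || !doc.body) return null;
  const bar = doc.createElement("div");
  bar.textContent = "This site uses cookies for analytics. Allow them? ";
  const yes = doc.createElement("button");
  yes.textContent = "Yes";
  const no = doc.createElement("button");
  no.textContent = "No";
  yes.onclick = () => { gate.grantConsent(); bar.remove(); };
  no.onclick = () => { gate.denyConsent(); bar.remove(); };
  bar.append(yes, no);
  doc.body.prepend(bar);
  return bar;
}

// Walk-through on a constructed in-memory cookie jar (no browser needed).
function demoFirstVisit() {
  const jar = [];
  const gate = createConsentGate(s => jar.push(s), "");
  const session = gate.setCookie("sessionid", "abc123"); // strictly necessary
  const analytics = gate.setCookie("_ga", "GA1.2.1");    // held back
  const queued = gate.pendingCount();
  gate.grantConsent();                                    // flushes "_ga"
  return { session, analytics, queued, jar };
}

if (typeof document === "undefined") {
  console.log(JSON.stringify(demoFirstVisit()));
}
```

In a browser the page would create the gate with `createConsentGate(s => { document.cookie = s; }, document.cookie)`, call `mountBanner(gate, document)` on first visit, and route every cookie write (including the analytics snippet’s) through `gate.setCookie` so nothing non-essential is set before the visitor ticks the box.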

Bottom Line

The law is not precise in its requirements, but it is the law. Presumably any interpretation that can be deemed legally defensible, or that includes a good-faith effort to comply with the law’s intent, will suffice. You have to be very careful about implementing solutions that will so negatively affect the user’s visit that he or she abandons the site or does not return. This has to be balanced with the cost of implementation contrasted with the risk of non-implementation.

Further Information

  • Full text of the EU Directive
  • The Cookie Law Explained
  • Google Analytics and the Cookie Law
  • A less formal summary of what you need to know