EU cookie laws and how they affect your business

‘This website uses cookies’ – an expression that most internet users are very familiar with. Cookies have been around for some time, but some website users and operators alike are still confused by exactly what they do and what the data protection and privacy laws are regarding them. The EU recently clarified the issue, bringing out comprehensive guidelines in 2009 declaring that all EU member states should give individuals living in the EU the right to refuse the use of cookies in order to protect their online privacy. In March 2018 the new General Data Protection Regulation came into force, and with it the way in which companies treat data changed drastically. In fact, the new e-privacy regulation, the draft of which the EU officially presented on 10 January 2017, was to become legally binding at the same time. In the area of application of cookies in particular, it is regarded as a detailed supplement to the GDPR. At present, however, the draft new e-privacy regulation is still passing through the European Parliament. It is not expected to become law before May 2019 at the earliest, thus replacing the EU Cookie Directive and supplementing new regulations. But what is the current state of this law? In this article we will look at the general matter of what cookies are, as well as taking a look ahead to what the new e-Privacy regulations mean for cookie usage for EU visitors browsing your website.

What are cookies?

Cookies are text files that are stored by your browser on your computer when you load a web page. The text file consists of data from your website visit and the idea behind this is to improve user friendliness: your browser will notice login data and language settings, speeding up and streamlining your browsing experience. A typical cookie contains a statement about the life of the text file and a randomly generated number that’s unique to your computer. Cookie data is normally stored anonymously, and the data stored in the text file can only be read on the web server that issued the cookie. Cookies tend to avoid personal data too, usually only requiring it for login information. Their main responsibility is creating this personalised, interactive online world as we know it today.

But despite this user-friendly aspect to cookies, many critics see them an invasion of privacy. Cookies can be used to create what’s known as ‘behavioural profiles’, which use your online habits in order to display certain ads or particular targeted content. They do so because it’s useful for companies to be able to display tailored content depending on whether a user is visiting a website for the first time or the 100th time.

In some cases, cookies stay on your computer between page visits, gathering more information to build up a clearer picture of other interests you might have. In these circumstances, companies can target ads at you when you visit external pages, often displaying tailored images (like the pair of shoes you were viewing on their website, or the new kitchen appliance you’ve been searching for). This is an integral tactic for online businesses battling in the dense e-commerce market, but there are concerns that cookies may sometimes be misused to supply information about personal internet use to unknown companies.

The truth about cookies for users is that you don’t really know how your data is being used without an explanation by the website you’re visiting. And this is the fundamental reason for the EU’s revolutionary regulations from 2011.

What do the EU cookie laws mean?

In 2002, the European Union initiated their ‘Directive on Privacy and Electronic Communications’, with further ammendments to cookie usage made in 2009. Despite coming under criticism for its structuring and difficult interpretation, the EU set a deadline for their directive to be adopted by all member states by May 2011. Becoming known as simply ‘The Cookie Law’, the EU directive recognises the need for cookies in order to create the personalised online universe we enjoy today, but also makes it clear that cookies could be considered an invasion of privacy and that users deserve the right to be made aware of the presence of cookies and their usage. Certain cookies that are considered ‘strictly necessary for the delivery of a service requested by the user’ don’t have to be declared, because they are of far higher benefit to the user than the company. This includes cookies used to track shopping carts in e-commerce and to store important login information that the user requires.

For the use of most cookies, website operators in the EU now require permission from the user. This covers all cookies that don’t meet the requirement mentioned above of being ‘necessary’. This means that advertising cookies for retargeting, analysis, and social media cookies now require permission from the user. But the main issue that many companies have with these EU regulations is that the guidelines don’t clarify exactly how they should be implemented. There’s particular uncertainty when it comes to obtaining authorisation from site visitors.

Opt in or opt out?

The biggest concern that most website operators have raised with regards to The Cookie Law is whether users have to first agree to the cookies before the text file is created, or whether they can use the cookie right from the get go, and only delete it if the user chooses to object. The first of these is known as ‘opt in’ and the second ‘opt out’. Opt in cookie usage means that data storage can only be used if the user gives clear permission, by clicking on an accept box or similar. Opt out means that website operators just have to inform site visitors of their cookie usage, with the user having to choose to turn off the cookie policy.

This is what will change through the new e-Privacy regulation

The final regulation of the new e-privacy regulation will entail the following: the current draft generally forbids cookies which are not necessary for the technical operation of a site, with the exception that users agree to their use in advance. The first draft only mentioned web applications. The updated version of March 22nd2018 includes all types of machine-based communication, such as apps, e-mail, and collecting metadata for VoIP calls. This also applies to communication between two machines, so-called M2M communication.

The e-Privacy Regulation is relevant to international communication service providers. The regulation stipulates that it applies to a terminal device used within the EU borders. Where the data of a controlled service is processed is not relevant to the application of this regulation.

The current status of the e-Privacy Regulation

The first draft of the e-privacy regulation required that browser settings should generally be set to the highest privacy level. In these settings, browser’s do not accept cookies from third parties. This would eliminate the currently widely used cookie banners, as users would have to actively decide to accept cookies. This requirement was based on the ‘privacy by design’ principle already set out in the GDPR. However, a more recent draft relaxes the regulations for browser settings. This allows users to decide from domain to domain whether or not to accept cookies.

There are legitimate reasons for websites to require the use of cookies. For example, if a user needs to identify themselves online for their banking or wants to save a shopping basket in an online shop, cookies are often required. If website operators are transparent in their intention for the usage of the data collected by cookies, user consent and practical cookie application can go hand in hand.

What does the EU cookie law look like in everyday life?

The body responsible for interpreting and enforcing The Cookie Law in the UK is the Information Commissioners’ Office (ICO). The ICO has chosen a general opt out strategy for UK website operators, meaning that site visitors just have to be informed that the cookies are being used. Many of these cookie notifications appear in the form of banners at either the top or bottom of a website’s homepage, and some require no direct interaction. Here are some examples of how certain well-known websites have displayed their cookie notifications:

Channel 4

Channel 4 give a comprehensive explanation of what cookies are and how they use them. This appears in a display bar at the top of the homepage, accompanied by a link to cookie management and an ‘Accept & Close’ box. This box stays in its place until you click ‘Accept & Close’, but it doesn’t follow the page, disappearing if you scroll down.

The F.A.

The Football Association’s homepage features a banner display at the bottom of the screen, explaining the type of cookie used and when it will expire. The banner follows the page as you scroll, but as soon as you click any link on the website, it will disappear, taking your click to be an acceptance of the cookie policy.

Rolls Royce

Rolls Royce offer little information about their cookie policy, besides a link to a separate web page. They don’t feature an accept button, opting for a simple X instead. Their banner appears at the top of their homepage, moving with the page as you scroll up and down and staying on display until closed, no matter how many different pages of their website you go through.

Hotel Chocolat

Hotel Chocolat take a humorous approach to their cookie usage, displaying a small box in the bottom left corner of the screen with a joke playing on the double meaning of ‘cookie’. They also offer a link to their cookie usage guide and an X in the corner of the box to close it, although it disappears as soon as the user clicks elsewhere on the screen too.

What do EU cookie laws mean for UK businesses?

Judging the success of The Cookie Law in the UK is a difficult thing to do. The ICO has registered very few complaints about cookies from users, which suggests that either the law is working and UK citizens are happy with the improved transparency over cookie usage, or that they simply aren’t so concerned about cookies anyway. The main concern for website operators in the UK is ensuring cookie alerts don’t annoy the user, especially after the introduction of the GDPR. On the whole, this isn’t so difficult for desktop displays – the examples we’ve compiled above show just how flexible you can be with cookie notifications. But these can become more intrusive when you visit a mobile site, simply because the screen is smaller but the same number of words are required to explain about cookies. Given the global trend towards mobile browsing, we recommend that you try to find a solution that isn’t intrusive or disruptive to the user’s browsing experience.

The ICO enforcement of The Cookie Law hasn’t been as tough as was first expected. Initial suggestions of fines of up to £500,000 for not following procedure haven’t come to fruition thus far, but this is probably due to the relative lack of complaints about cookie misuse. But website operators who fail to follow ICO regulations can at the very least expect a formal warning. And since users are now becoming more and more aware of what cookies do and how they can be used, you’re likely to see a drop in site visitors if you earn a reputation for not following ICO regulations.

If you’re a website operator in the United Kingdom, the ICO offers simple, straightforward guidance on cookies on their ‘Cookies and similar technologies’ advice page, and also offer a more wordy, comprehensive guide to cookies in PDF format.

The Cookie Law: know where you stand

Cookies are becoming more and more integral to everyday internet use. Without them, website operators wouldn’t be able to offer users the stylizised and personalizised content that we’ve all grown accustomed to. This has even been recognizised by the EU privacy directive, which has conceded that some cookies are now essential for user experience, for example login information and online shopping carts. But other cookies that are useful for retargeting and other forms of display advertising may frustrate and annoy the user, and so EU cookie law is designed to increase user awareness of cookies and give them the option to opt out and not have their website browsing tracked.

Website operators should keep a close eye on further developments concerning how the EU Cookie Directive will develop- because the legal situation will definitely change with the new e-privacy regulation, even if it is not yet quite clear how. The GDPR in the EU contains further guidelines for the security of personal user data. As long as the e-privacy regulation is not yet legally binding, cookies will be considered to be related to personal data defined in Chapter 1 of the GDPR- as they collect data which make a user identifiable (identification numbers, user profile etc.).

With the introduction of the GDPR, stricter rules will also apply in this country for processing and collecting the personal data of visitors from EU websites. Implementing these regulations precisely will also save website operators a good deal of work if the “‘new cookie directive”’ in the form of the e-privacy regulation comes into action in the next few years.

In the UK, website operators have to comply with EU regulations for the time being, though this may change once Brexit is finalised. In most cases, site visitors are happy to accept cookie tracking in exchange for an enhanced browsing experience. And if your site visitors are happy, then your retargeting and customer journey mapping techniques in online marketing are more likely to be successful in the long run.

Please note the legal disclaimer relating to this article.