cookies and the eu privacy directive: what it means for you


Page 1: Cookies and the EU privacy directive: what it means for you

Introduction to the EU Cookies Law, and what it means for your organisation

Simon Lande, CEO, Magus

[email protected]

24th November 2011

Page 2

A brief history of EU Cookies Law

• July 2002: EU passes a law (Directive 2002/58/EC) which states that anyone who wants to insert cookies into the browsers of users has to give notice of this and offer an opt-out

• December 2009: EU amends the Directive to state that users must provide their consent before websites can download non-essential cookies onto the user’s machine via the browser

• 25 May 2011: The date by which all EU countries are required to implement this change into their national legislation (most have not yet done so!)

• The amended Directive is likely to apply to all organisations who download cookies onto the machines of users based in the EU, whether those organisations are based in the EU or not

• In the UK, organisations could be subject to enforcement notices and actions, and potentially a fine of up to £500K for failing to comply

Page 3

What are cookies?

• A piece of text stored on a user’s computer by their web browser

• They have a range of uses, including:

o Authentication

o Storing site preferences

o Storing shopping basket contents

However, cookies can also be used to track user activity, build up profiles and carry out other non-essential activities – this is what the fuss is all about

Cookies which are necessary to provide a service that the user has asked for, for example to fill a shopping trolley, are exempt from this legislation

Page 4

Types of cookies

Cookies are categorised according to:

• Their duration

o Session cookies

o Persistent / tracker cookies

• Who sets them

o First-party cookies

o Third-party cookies

Page 5

How’s the legislation being interpreted?

Sweden:

• Directive transposed into national law on 1 July 2011 requiring user consent for the use of cookies. The relevant Swedish authority has provided little guidance on the crucial question of how to obtain consent.

• In addition, the Swedish Internet Advertising Bureau has issued draft recommendations that:

(i) information on the use of cookies, and how consent may be denied and withdrawn, should be provided to users; and

(ii) user consent must be obtained by means appropriate to the circumstances (e.g. use through browser settings which allow cookies, following user’s receipt of sufficient information).

Denmark:

• Draft executive order is under consultation and Denmark have asked the European Commission to clarify certain aspects of the Directive.

• It is intended that the final version of the executive order will be agreed and come into effect by the end of December this year.

Norway:

• National law to implement the Directive is currently under consideration. It is expected to come into force in 2012.

Page 6

How’s the legislation being interpreted?

France:

• Draft bill exists and is in the process of public consultation. If implemented, this would require organisations to obtain user consent. Such consent need not necessarily be expressed, as it may be implied from users’ browser settings.

Netherlands:

• Proposed national legislation is to be voted on by the Dutch Senate this year. If approved, it will likely come into effect early next year, setting out the obligation that organisations must obtain user consent before cookies can be installed or stored on users’ computers.

• They’ll also need to prove they have it! (This requirement goes beyond the provisions of the Directive.)

UK:

• Directive became law on the 25th May 2011, and the ICO has given organisations 1 year to comply, before enforcement action may be imposed

• But they must currently be able to show "they have a realistic plan to achieve compliance"

Page 7

What’s everyone doing about cookies?

Example 1: The Information Commissioner’s Office

Page 8

What’s everyone doing about cookies?

Example 2: British Airways

Page 9

What’s everyone doing about cookies?

Example 3: BBC

Page 10

What should you be doing about it?

• The perfect solution is not yet out there

• There’s no advantage to being an early adopter

o For example, some companies have already taken down their pop-up windows and warning layers due to negative impacts on usability

• Cookies law is on the move

o The majority of European countries have yet to implement the Directive

o Some of the European countries which have implemented the Directive have not provided clear guidance as to how organisations should comply

o There are different views on whether the UK has correctly implemented the Directive (e.g. the EU committee of national data protection regulators has issued an opinion that contradicts the UK’s implementation relating to the time at which user consent must be obtained)

• Technical (e.g. browser-based) solutions may be around the corner

So, best to sit back and “Do nothing?”

Page 11

A realistic plan

You need to be able to demonstrate that you have a “realistic plan to achieve compliance”…

Current best practice is for all companies to take the following three actions:

1. Check what type of cookies and similar technologies you use and how you use them

2. Assess how intrusive your use of cookies is

3. Decide what solution to obtain consent will be best in your circumstances

Page 12

Compliance options

Each option is rated on regulatory compliance, usability and business impact, with comments.

Remove all non-essential cookies

Regulatory compliance: Very High. Usability: Low. Business impact: High.

Comments: Possible to remove all cookies from a website other than those strictly necessary for the provision of services to the user. However, this is likely to require redesign work and could significantly degrade website functionality. It is also likely to impact the business model for the website, e.g. by removing the ability to collect important information.

Pop-up windows

Regulatory compliance: High. Usability: Low. Business impact: Medium/High.

Comments: Non-essential cookies are only used if the user clicks “Accept” on a pop-up window. This is an intrusive and annoying option (not least because those refusing cookies will get the pop-up again and again). Reduced usability/functionality will negatively affect traffic. Partial acceptance of cookies will make tracking information meaningless.

Banner tick box

Regulatory compliance: High. Usability: Medium. Business impact: Medium/High.

Comments: A banner is placed at the top of the page allowing users to click to accept cookies. This is the option selected by the UK Information Commissioner. In practice, very few people click to accept cookies. Partial acceptance of cookies will make tracking information meaningless.

Acceptance of T&Cs

Regulatory compliance: Medium. Usability: Medium. Business impact: Low.

Comments: Users give consent to cookies when they accept the terms of use of a website. This only works if users are expressly required to agree to those terms of use in order to use the website.

Website notes

Regulatory compliance: Low. Usability: Low. Business impact: Low.

Comments: A prominent notice is provided indicating that cookies are used, linking to details of each cookie. This is the option taken by the UK Department of Culture, Media and Sport, who are responsible for implementing the new cookies laws in the UK.

Page 13

How Magus can help

Cookies briefing

• Overview of the relevant legislation and its implications for your website

Cookies audit

An audit in conjunction with Linklaters will enable you to address the recommendations and provide the basis for your implementation plan. It includes:

• Social media widgets known to set cookies

• Flash files which need to be checked for Flash cookies

• Third party domains and scripts known to set cookies

• JavaScript files likely to contain cookies

• Potential web beacons known to set cookies

• Pages not containing a link to a privacy / cookies policy

Report and recommendations

• Key findings

• Advice (e.g. appropriate action could be considered on an enforcement risk-based approach, and potentially an EU-wide approach) and recommendations (see table above)

• What you need to do next
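The first audit step (page 11: check what cookies you use) and the classification on page 4 (duration, and who sets the cookie) can be done mechanically once the Set-Cookie headers a page triggers have been captured, for example from browser developer tools or a proxy. The script below is an added example, not Magus's audit tooling. It assumes the capture is a list of (response URL, Set-Cookie header) pairs; the hosts, cookie names and values in SAMPLE_CAPTURE are constructed, the list of "strictly necessary" cookie names is the auditor's own judgement supplied as input, and the registrable-domain heuristic (last two DNS labels) is a simplification noted in the code.

```python
"""Cookie inventory: classify captured Set-Cookie headers by duration and by who
sets them, as a first step of a cookie audit.

Added example (not the presenter's or Magus's tooling). Assumes responses were
already captured as (response URL, Set-Cookie header) pairs.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample capture for a visit to https://www.example.com/ (made-up
# cookie names and values; the tracker and analytics hosts are invented).
SAMPLE_CAPTURE: List[Tuple[str, str]] = [
    ("https://www.example.com/", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.com/basket", "basket=item42; Path=/; Max-Age=3600"),
    ("https://www.example.com/", "prefs=lang%3Den; Expires=Sat, 24 Nov 2012 00:00:00 GMT; Path=/"),
    ("https://ads.tracker-example.net/pixel.gif", "uid=9f8e7d; Domain=.tracker-example.net; Max-Age=31536000"),
    ("https://stats.analytics-example.org/collect", "visitor_id=7f3a; Expires=Sat, 24 Nov 2012 00:00:00 GMT"),
]

# Cookies the site owner judges strictly necessary (authentication, basket).
# This is the auditor's judgement, not something the script can infer.
ESSENTIAL_NAMES = {"sessionid", "basket"}

# Fixed reference time so computed lifetimes are reproducible (date of the talk).
NOW = datetime(2011, 11, 24, tzinfo=timezone.utc)


@dataclass
class CookieRecord:
    name: str
    domain: str                  # registrable domain that owns the cookie
    duration: str                # "session" or "persistent"
    party: str                   # "first-party" or "third-party"
    lifetime_seconds: Optional[int]
    essential: bool


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (last two labels). A real audit should use the
    Public Suffix List so that names like example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags such as Secure map to ""
    return name.strip(), value, attrs


def classify(site_url: str, response_url: str, header: str,
             essential_names=ESSENTIAL_NAMES, now: datetime = NOW) -> CookieRecord:
    name, _value, attrs = parse_set_cookie(header)

    # Duration: a cookie carrying Max-Age or Expires outlives the browser session.
    lifetime: Optional[int] = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    duration = "session" if lifetime is None else "persistent"

    # Party: judged by the Domain attribute if present, otherwise by the host
    # that sent the response, compared with the site the user actually visited.
    host = attrs.get("domain", "").lstrip(".") or urlsplit(response_url).hostname
    cookie_domain = registrable_domain(host)
    site_domain = registrable_domain(urlsplit(site_url).hostname)
    party = "first-party" if cookie_domain == site_domain else "third-party"

    return CookieRecord(name, cookie_domain, duration, party, lifetime,
                        name in essential_names)


def audit(site_url: str, capture, essential_names=ESSENTIAL_NAMES,
          now: datetime = NOW) -> List[CookieRecord]:
    return [classify(site_url, url, hdr, essential_names, now) for url, hdr in capture]


def summarise(records: List[CookieRecord]) -> Dict[str, object]:
    """The counts an auditor needs for the 'how intrusive' assessment."""
    return {
        "total": len(records),
        "persistent": sum(r.duration == "persistent" for r in records),
        "third_party_domains": sorted({r.domain for r in records if r.party == "third-party"}),
        "non_essential": [r.name for r in records if not r.essential],
    }


if __name__ == "__main__":
    found = audit("https://www.example.com/", SAMPLE_CAPTURE)
    for r in found:
        print(f"{r.name:<12} {r.party:<12} {r.duration:<11} "
              f"{'essential' if r.essential else 'non-essential'}  {r.domain}")
    print(summarise(found))
```

Run against the constructed capture, the summary lists two third-party domains and three non-essential cookies (the preference cookie plus the two tracker cookies), which is exactly the set a consent mechanism from the table on page 12 would have to cover; the two essential cookies fall under the exemption described on page 3.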

Page 14

Thank you

Questions?