Photo credit: http://deucecreative.co.uk/wp-content/uploads/2012/05/eu-cookie-law.jpg
The European Union Cookie Disclosure law
Directive 2009/136/EC, which amended the European Union's Privacy and Electronic Communications (ePrivacy) Directive, was adopted on the 25th of November, 2009, and is the most far-reaching attempt so far to regulate the use of cookies. Cookie regulation is only a minor part of this expansive directive, which aims to protect the right to privacy that all European Union citizens hold. Even though the law regulates many forms of electronic communication, the clause affecting internet cookies has attracted the most attention.
History
In 2002 the European Union adopted Directive 2002/58/EC, the Privacy and Electronic Communications (ePrivacy) Directive, which member states had to transpose into national law by 2003. Its purpose was to protect the confidentiality of communications and of citizens' personal information. Its original Article 5(3) already covered cookies, but only required that users be given clear information and the right to refuse them, an opt-out model. In 2009 the EU passed Directive 2009/136/EC, which amended the 2002 directive. One of the central changes was a rewritten Article 5(3), which now requires websites to obtain the user's consent before storing information on, or reading information already stored on, the user's device; cookies are the most common case. Member states had until May 25th, 2011 to bring the new rule into force, which is the date usually given for the "cookie law" taking effect.
The European Union recognizes the protection of personal data as a fundamental right. Since websites can use cookies to gather information about users and to recognize them across visits, the EU's position is that cookies set without the user's knowledge can infringe that right. The directive tries to protect it by letting users decide when a website may store or read information on their device. Concerns about spyware were also a factor in creating the new law, although a cookie by itself is inert data: it cannot install spyware or actively spy on users without software on the device that acts on it.
According to the ICO (the Information Commissioner's Office, the UK's data protection regulator), the purpose of the privacy directive is to "protect the privacy of internet users – even where the information being collected about them is not directly personally identifiable. The changes to the Directive in 2009 were prompted in part by concerns about online tracking of individuals and the use of spyware. These are not rules designed to restrict the use of particular technologies as such, they are intended to prevent information being stored on people's computers, and used to recognize them via the device they are using, without their knowledge and agreement."
Requirements
Article 5(3) states:
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
The core provision of the cookie law requires websites in the EU to obtain consent before using non-essential cookies. What constitutes a non-essential cookie is up to the regulatory bodies in each member state. The only general requirements are as follows:
1. A website will clearly state its use of cookies to its user. The website must tell its users what cookies are, what types of cookies it places on the user's computer, and what data the website gathers from the cookies. This information does not have to be obtrusive, but it does have to be easily accessible when the user first accesses a website.
2. A website must ask for a user's consent before placing cookies on the user's computer, unless the cookie is strictly necessary for a service the user has explicitly requested (for example, a session cookie that keeps a shopping basket together between pages). The procedure for requesting consent is not defined, nor is "strictly necessary" defined beyond the wording of Article 5(3).
An important distinction is that the law does not regulate only HTTP cookies. Article 5(3) applies to any storing of, or access to, information on the user's device, regardless of the technology: browser local storage, Flash local shared objects and similar client-side storage fall under the same rule. Most people refer to the law as "cookie regulation" because cookies are by far the most widely used such mechanism today, and any future technology that works like a cookie will fall under the same requirements.
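The following is an added example, not code from the original page or from any regulator, showing how the two requirements above translate into a consent gate in browser-side JavaScript. The cookie names, the "essential" allowlist and the category names are illustrative assumptions, since the directive leaves the definition of "strictly necessary" to member states. Essential cookies are written immediately, every other cookie is held back until the user opts in to its category, and a small audit function flags cookies observed on a first visit that should not have been set before consent. A plain Map stands in for document.cookie so the logic runs under Node without a browser.

```javascript
"use strict";

// Cookies assumed to be "strictly necessary" for a service the user explicitly
// requested: the session, the CSRF token and the consent record itself.
// Constructed for this example; the directive does not define the list and
// each member state's regulator decides what counts as essential.
const ESSENTIAL_COOKIES = new Set(["sessionid", "csrftoken", "cookie_consent"]);

// Non-essential cookies mapped to consent categories (assumed names).
const COOKIE_CATEGORIES = {
  _ga: "analytics",
  _gid: "analytics",
  ad_id: "advertising",
};

// Anything neither allowlisted nor categorised is treated as non-essential,
// which is the safe default under Article 5(3).
function categoryOf(name) {
  if (ESSENTIAL_COOKIES.has(name)) return "essential";
  return Object.prototype.hasOwnProperty.call(COOKIE_CATEGORIES, name)
    ? COOKIE_CATEGORIES[name]
    : "unknown";
}

// Minimal cookie jar standing in for document.cookie so the logic runs in Node.
class CookieJar {
  constructor() {
    this.store = new Map();
  }
  set(name, value) {
    this.store.set(name, value);
  }
  has(name) {
    return this.store.has(name);
  }
  names() {
    return [...this.store.keys()];
  }
}

// Essential cookies are written at once; everything else is queued until the
// user has opted in to the matching category.
class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    this.granted = new Set(); // categories the user has opted in to
    this.pending = []; // non-essential writes held back awaiting consent
  }

  // Returns true if the cookie was written, false if it was held back.
  setCookie(name, value) {
    const cat = categoryOf(name);
    if (cat === "essential" || this.granted.has(cat)) {
      this.jar.set(name, value);
      return true;
    }
    this.pending.push({ name, value, cat });
    return false;
  }

  // Explicit opt-in: wire this to the banner's "accept" control.
  grantConsent(categories) {
    for (const c of categories) this.granted.add(c);
    // Persist the decision in an essential cookie so it survives reloads.
    this.jar.set("cookie_consent", [...this.granted].sort().join(","));
    // Flush held-back writes that are now permitted; keep the rest queued.
    this.pending = this.pending.filter((p) => {
      if (this.granted.has(p.cat)) {
        this.jar.set(p.name, p.value);
        return false;
      }
      return true;
    });
  }

  pendingNames() {
    return this.pending.map((p) => p.name);
  }
}

// Compliance check: given the cookie names observed on a first visit, before
// any consent was given, report those that are not strictly necessary.
function auditPreConsentCookies(names) {
  return names.filter((n) => categoryOf(n) !== "essential");
}

// Walk-through on constructed input.
function demo() {
  const jar = new CookieJar();
  const cm = new ConsentManager(jar);
  cm.setCookie("sessionid", "abc123"); // written immediately
  cm.setCookie("_ga", "GA1.2.1"); // held back: analytics
  cm.setCookie("ad_id", "xyz"); // held back: advertising
  const before = jar.names();
  cm.grantConsent(["analytics"]); // user accepts analytics only
  return { before, after: jar.names(), stillPending: cm.pendingNames() };
}

console.log(JSON.stringify(demo()));
console.log(auditPreConsentCookies(["sessionid", "_ga", "tracker"]));
```

In a real page the jar would wrap document.cookie and grantConsent would be wired to the banner's accept control. The looser "implied consent" model the UK regulator later adopted corresponds to calling grantConsent for every category as soon as the user continues browsing after seeing the notice, which is why critics regard it as little different from no consent at all. The gate also only covers cookies the site's own code sets: third-party scripts must themselves be loaded only after consent, or they will set their cookies regardless of anything this code does.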
Is it effective?
Although the cookie directive is a European Union law, each member state is responsible for implementing and enforcing the regulation individually. Most states have encountered problems with enforcement, since it is difficult to track the multitude of small websites on the internet. In general, enforcement efforts have been targeted at high profile websites run by large companies.
Since every member state has its own interpretation of the directive, it is difficult to assess its net effect across the EU. The United Kingdom's implementation has been the popular benchmark so far.
Originally, the UK's Information Commissioner's Office (ICO) guidance called for websites to obtain explicit opt-in consent before setting non-essential cookies. To collect data on efficacy, the ICO put a mandatory opt-in consent banner on its own website and saw a drop of about 90% in its recorded traffic. That drop was measured by the site's analytics cookies, which were themselves gated behind the banner, so it largely reflects visitors who declined rather than visitors who left; the figure is nevertheless widely quoted as evidence that strict opt-in is costly. In February 2013 the ICO changed its own consent policy from explicit to implied consent, arguing that the public had received enough education about cookies to understand the risks. The change was controversial, with many legal experts arguing that implied consent is too low a standard to be consistent with the directive. Compliance in the UK had been low in any case: according to the auditing firm KPMG, fewer than 1 in 5 UK websites complied with the UK's cookie regulations. Combined with the ICO's difficulty in enforcing the law, a nationwide explicit-consent regime proved unmanageable.
Critics of the EU cookie law argue that it is ineffective and too burdensome for website owners. Some website features cannot function without cookies, so a user who has declined a website's cookies may not be able to use the site in full. In the worst case, a site would be unable to serve any content to a user who did not consent to even a single cookie. The least intrusive implementations simply link to a page describing cookie usage, which has benefits and disadvantages: the approach is unobtrusive, but it also lets a website operator de-emphasize its tracking and can make it hard for users to understand how the site actually uses cookies.
The EU's cookie regulations have not destroyed the internet as some industry advocates predicted, but they have not made it more private or secure either. The UK's move towards implied consent suggests the direction the rest of Europe might follow. Implied consent changes little from the situation before the regulations, since users were already giving websites implied consent merely by accessing them. If the law were enforced as originally intended, it might damage e-commerce significantly.
References
Boone, Shaina. "EU Cookie Law Could Be the Death of Digital." Advertising Age. http://adage.com/article/digitalnext/online-privacy-eu-cookie-law-death-digital/234950/ (accessed March 17, 2014).
Information Commissioner's Office. "Cookies." Regulations and the New EU Cookie Law. http://ico.org.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies (accessed March 17, 2014).
The European Parliament. "DIRECTIVE 2009/136/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL." Official Journal of the European Union. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF (accessed March 16, 2014).
The Cookie Collective. "Frequently Asked Questions." Cookie Law. http://www.cookielaw.org/faq/#Whatbusinessdonthavetocomply/ (accessed March 17, 2014).
Kirwan, Peter. "EU cookie law: stop whining and just get on with it." Wired UK. http://www.wired.co.uk/news/archive/2012-05/24/eu-cookie-law-moaning (accessed March 17, 2014).
Sharwood, Simon. "UK cookies cop changes own policy to 'implied consent'." The Register. http://www.theregister.co.uk/2013/02/01/ico_cookie_policy_change/ (accessed March 17, 2014).
Solon, Olivia. "Compliance with EU cookie law could cost the UK £10 billion." Wired UK. http://www.wired.co.uk/news/archive/2012-04/24/eu-cookie-law-compliance-%C2%A310bn (accessed March 16, 2014).