9 Jun 11

A tasty new treat from Europe

The new EU cookie directive and what it means to you

Hands up who likes pop-ups appearing on their screen when browsing the internet? Anyone? Well, with the new EU cookie directive implemented on the 25th of May this year, this could be something we will all have to put up with.

So just what are cookies? They are much more than a tasty snack to eat between meals; in the virtual world they are very small pieces of software which are loaded onto a user’s computer (usually without that user’s knowledge) when visiting a website. This piece of software remembers various things about that user, such as login details and other preferences, thus speeding up the process the next time that user logs onto the website.

“But surely that’s a good thing,” I hear you say, as we are all busy and time saving devices are always welcome. Well, the issue arises from the fact that cookies have, more and more, been used as a marketing tool by companies to provide targeted advertising based on the user’s browsing history. One only needs to look at Gmail for an example of this – Gmail uses cookies to show users various adverts that are linked to the emails they may be looking at (an email in a user’s inbox from a lawyer would generally show adverts for lawyers on the same page). This is the type of cookie that seems to have got stuck in the throat of the EU.

So what have the EU decided needs to be done? In a nutshell, they have passed a directive that requires users to give their express consent to websites to store and retrieve information on that user’s computer. So this is not just “silent” agreement we are talking about (where a user would inform the website that they are unhappy with these practices, otherwise it is assumed they are happy with it), but it is express consent which users have to give. And how do you get express consent from users in the digital age? You guessed it: pop-ups asking users to accept terms and conditions.

This does not only apply to new users of the website but, to satisfy the new rules, companies will have to make existing users aware of changes to their terms and conditions specifically relating to cookies. They will also have to gain a positive indication from the user that they understand and agree to the changes.

And don’t think that these rules fail to take into consideration companies that may rely on users’ ignorance to comply with the rules – anyone caught relying on users’ ignorance would be in breach of the rules.

However, it’s not all bad for businesses with a web presence as there is one area where consent is not necessarily required. This would be where storing cookies is “strictly necessary” for a service which has been requested by the user. Whilst this is a narrow exception, it could apply to a cookie (for instance) to remember what a user has put in their basket on a retail website. Furthermore, there is an option on the browser settings which would allow users to automatically accept cookies in all instances rather than each website having to secure consent individually.

I’m sure at this point some of you will be thinking something along the lines of, “Well, I only get a third party to set cookies via my site, so it will be up to them to sort out this problem.” Whilst this is common practice for internet advertisers, unfortunately this only serves to muddy the waters where this particular directive is concerned. Getting consent for these cookies is a much more complex matter and, whilst there has been no firm ruling on this, the general consensus is that everybody is responsible to some degree in making sure the user is aware of what is being collected and by whom.

The penalties for breach of these rules are harsh as well. Whilst there is a short amnesty to comply with the new regulations, any website which is found guilty of being in breach of the rules could be liable for a fine of up to £500,000. This would be levied by the Information Commissioner’s Office (ICO) to punish unwanted marketing and the powers have been granted to the ICO by an amendment to the UK Privacy and Electronic Communications Regulations (PECR).

The EU certainly has good intentions. Ensuring that everyone knows what is happening to their information and allowing users to more easily avoid getting unwanted marketing materials is indeed important. How websites go about implementing it, however, is what will count in the end. If this is going to cause frustration for the public, due to them constantly having to agree to terms and conditions every time they log onto a new website, then this directive could end up causing more problems than it solves.

Like many ideas that begin with good intentions, there is the possibility that this one could end up backfiring. But then that’s sometimes how the cookie crumbles.

Stefano Spagnoli

Technology Underwriter

 
