EU Directive and Cookie Law Q&A

The deadline has passed and we’re not anywhere closer to understanding the EU nations’ regulatory framework for cookies.  Besides frustrations, this uncertainty provides a silver lining: businesses now have more time (the UK ICO gives website owners one year to comply with cookies law) to figure out what’s expected from them and come up with solutions.  Here are some bits and pieces to get you started.

Q: What are the “cookie laws”?

The term “cookie laws” refers to legislation that EU countries must pass before May 25th 2011 to implement the EU Directive 2009/136/EC.  It is now May 26th, and we’ve heard from only 3 countries: UK, Denmark and Estonia (5/27 – only two of them, Estonia and Denmark, have provided the EC with full notification).

Q: Where can I find information about these laws, and guidance on implementation?

• Most laws haven’t been published yet (as of May 26th 2011).
• The new UK regulations are available at http://www.legislation.gov.uk/uksi/2011/1208/contents/made
• The only official European documents are the directive, and the Article 29 Working Party Opinion 171.
• The UK Information Commissioner’s Office (ICO) published a set of advice on implementation.

Q: What are the key elements of the new directive for online visit tracking?

• EU Directive 2009/136/EC requires prior consent for “storing of information, or the gaining of access to information already stored” (Articles 5(3) and 6(3))
• Article 29 WP Opinion 171 states that all data read from a device is protected (3.2.1.): “Article 5(3) requires obtaining informed consent to lawfully store information or to gain access to information stored in the terminal equipment of a subscriber or user.”

Q: When will these new laws take effect?

• The new laws must be in place by May 25th 2011.  However, for the UK at least, the ICO gives website owners one year to comply with cookies law.
• With information still missing from most countries, other than the UK, Denmark and Estonia, enforcement is unlikely anytime soon.

Q: Which law must I comply with?

• Each EU country must pass laws that implement the directive.
• With many businesses involved internationally it may be difficult to determine which specific law apply, and you should consult your legal counsel.
• While all laws must follow the common directive, various countries may take different approaches; the difficulty will be in finding a solution that satisfies all the countries where you do business.
• Fortunately, with the delay in many countries and the grace period provided in the UK, you now have more time.

Q: How can I prepare for these new laws?

• Read this FAQ thoroughly
• Read the Article 2 of the directive, the opinion of the Article 29 Working Party, and the advice of the UK ICO
• Get your legal counsel involved
• Monitor reliable privacy law blogs and online resources:
  • International Association of Privacy Professional (IAPP)
  • Field Fisher Waterhouse
  • Hunton & Williams
  • Hogan Lowells
• Gather information about all cookies, both 1st and 3rd party served from your web site.
• Determine which cookies are likely to fall under the new legislation.
• Evaluate consent mechanisms, and select what best fits your business.
• Engage with all 3rd party providers that set cookies or collect information from your visitors.

Q: Can I rely on the browser settings to obtain consent for the use of cookies?

In a nutshell, No.  While various EU governments are working with browser manufacturers toward browser-based solutions, online content providers and data controllers must implement solutions that work with older browsers, as well as with devices that interact with the content without a browser, such as mobile apps.

Q: What techniques can I use to obtain prior consent?

• The UK ICO Advice document describes some techniques that may work for your online presence. See its own implementation on its web site: http://www.ico.gov.uk/
• For web sites, a temporary panel embedded high up in your pages (see for example allthingsd.com – you may need to delete your cookies to see the feature) can provide the necessary information and provide the means to obtain the necessary consent.
• For mobile apps, the time to obtain consent is during installation.  You can even provide information as part of your app description so users will know prior to downloading your app how you will protect their information.

Q: What is Webtrends doing to help me with the “cookie law”?

Webtrends is evaluating the various laws, directives and advice from the EU commission, Article 29 Working Party, ICO, etc. and investigating solutions that may allow web site owners to keep optimizing their visitors experience and managing their web presence investment while respecting the data protection intent of the directive and the laws that will be promulgated.  Webtrends will provide more information as a consensus emerges on practical implementation.

Other thoughts or questions about privacy? I’d encourage you to comment below or join in the conversation in our customer forums.