More on the EU Cookie Law – from WAW London

Over 150 people turned out for WAW London recently to listen to and question Dave Evans of the ICO on the E-Privacy Directive, aka EU Cookie Law.  It’s Dave’s office that’ll receive and investigate complaints.  Thanks to Steve Dalgleish at Lynchpin for organising (and the beers) –  you can read Lynchpin’s review of the evening  here.

It’s good to see this issue finally filtering through to businesses with many sending senior members of their marketing, e-commerce and content teams to the event.  Here at Webtrends we view privacy as importantly as our clients do, so our CEO Alex Yoder came along too.

I have to applaud the regulator Dave Evans for his candour both during his presentation and throughout what was possibly the longest Q&A session for a WAW.  He admitted that a technical review of the legislation was only done after the UK Government adopted the legislation and that the ICO has limited resources to investigate complaints.  In debunking the FUD surrounding the directive, Dave frequently made reference to the ICO guidelines published in Dec 2011:

“Provided clear information is given about their activities, we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

That first part of the statement is very important at it refers to implied consent.  The ICO now expects website owners to take the lead in educating users on the how, what and why of the data they collect.  So, if you are a website owner using first party cookies for analytic purposes only, then you can expect the ICO to leave you alone, but only if you have taken positive steps to inform and educate your users, e.g.:

• Conduct a cookie review and remove any unnecessary cookies from your site
• Updated your cookie policy stating name of each cookie and what it does
• Make it easy for your users to find and understand your cookie policy (implied consent), e.g.
  • Link at the top every page
  • No legalese, no jargon, no inflammatory terms (e.g. use ‘measure’ not ‘track’)
  • Explain why cookies benefit their experience

Remember the legislation came into force in May 2011 so by now you should have already completed the above.  If you have done so but are still unlucky enough to have a complaint made against you then the ICO may well reject it on the grounds of implied consent.

One last thought, in Jan 2012, the EU commissioner for Justice, Viviane Reding, announced that she intends to overhaul data protection legislation across Europe.  This could well mean that the E-Privacy Directive is amended or scrapped completely, but we live in the here and now and implied consent seems to be the solution at the moment for analytic first party cookies.

More info is found here in our Knowledge Base and in a recent blog by our Director of Privacy and Security, Xavier Le Hericy.

Expect further updates from this blog as the ICO issues further guidance  - 36 days to go to comply!