How to comply with cookie legislation and respect your website visitors’ privacy

If you own a website that primarily serves any of the European Union or European Economic Area countries, the following words may send a few chills down your spine: “Cookie Law”. If you have no idea what that even means, you may want to educate yourself a little bit before making your site go live to EU customers and viewers.

What is the Cookie Law?

First codified as part of an EU directive in 2009, and then more actively enforced in 2011-2012, the notorious “Cookie Law” is only now going into full effect across EU member states. In Directive 2002/58/EC, Article 5(c), the European Parliament and Council write:

“Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”

There’s one part of this law that is fairly straightforward: You cannot store any user’s information without their consent. This has, of course, created no small amount of consternation among website owners and web tech companies, as the wording, in general terms, appears to target cookies in particular. The entire law has been heavily criticized as overly vague, leaving many website owners with more questions than answers.

Still, websites that serve both EU and non-EU customers have found themselves in a bit of a middle ground, wondering whether they must comply with the law in whole, in part, or not at all. Website owners that have their servers based in the EU, but do not primarily serve EU customers, may have more questions still.

While there are no easy answers to the many questions and problems that the “Cookie Law” creates, there are some ways a website can stay on the right side of this law, with some notable examples of how to do this. UK site owners may also choose to join the fight against the Cookie Law, much in the way British software company Silktide has done.

Silktide comply with the cookie law

Given that the Information Commissioner’s Office (ICO), the UK government agency responsible for “Cookie Law” enforcement, doesn’t display cookie notifications in pop-up form on its own website, UK site owners may also choose to follow its lead in how to stay compliant. That said, the law still exists, and ignoring it outright à la Silktide is probably not your best option.


How to stay compliant with cookie legislation

Positively (or frustratingly), there really is no one way to stay compliant with cookie legislation. However, if you’re hoping to remain compliant in a sort of “catch-all” fashion, i.e., your website is compliant across the EU, including in the UK, here are a few tips and some notable examples.

1. Have a web page that explains what cookies are and how your website uses them

For UK websites, in particular, this is perhaps the best way to stay compliant. This is also the method the Information Commissioner’s Office uses for their own website. Although ICO explains that this is probably not the best or most effective method to stay compliant (as far as UK websites go), it also states that this is a fully acceptable method in the UK, and likely for websites catering to other countries.

ICO’s website has a link to their page on cookies at the bottom of the homepage. On their cookies information page, they list the name of each cookie the site uses as well as the purpose those cookies serve.

ICO cookie examples

You’ll also notice that ICO places information at the bottom of the page on how to change your cookie settings, including how to opt out of Google Analytics tracking across all websites.

2. Optional: Have a pop-up message or banner providing cookie information

This option has been used by a large number of websites. A good example can be found on the UK betting website Betfair:

Betfair cookie law compliance

Betfair’s cookie policy page is rather extensive, as the site uses a good number of cookies for a large variety of reasons. Unlike ICO, Betfair does not name every cookie that it uses. Instead, it names a few but opts to focus on explaining the different categories of cookies.


There are, of course, some difficulties that come with this method. Pop-ups can be annoying to site visitors, especially if they appear in an intrusive and aggressive manner. Furthermore, many people now use pop-up blockers that will prevent your message from being seen in the first place. Even so, a pop-up message by itself is not a sufficient solution, as you also need a detailed page explaining what cookies are, how your website uses them, and how users can disable them.

To make matters more complicated, if you rely solely on the pop-up method, you may run into an issue with computers that have multiple users. The “Cookie Law” requires that you give every individual user the right to deny cookies. That means the pop-up must appear every time that IP address connects to your website, and not just the first time.


3. Include information on how to disable cookies

Alongside providing information on what cookies are and how your website uses them, make sure you provide information on how users can disable cookies. You can do this one of two ways. The first, and perhaps the easiest, is to include a link within a pop-up that takes users to their browser settings to disable cookies, or to a web page explaining how to do so in different browsers. This is something many, but not all, UK websites are currently doing, including the Royal Family’s official website and the BBC’s website:

BBC cookie compliance

4. Outsource your cookie notifications and compliance to a third party

Several software companies now provide tools (both free and paid) that will help you achieve cookie notification compliance across your entire website. Given that you will need to provide access to this information on every web page you publish, you’ll need to ensure a smooth and immediate roll-out. Companies and governmental organizations that provide these services include:

Your website’s size may play a role in which third-party service you decide to utilize. If you operate a website with individual posting rights for all of your content writers, you may want to set a site-wide policy that requires posters to attach a common script before posting. If your website uses WordPress, you can make this a requirement for content writers before they hit publish.

Are US sites required to comply with the Cookie Law?

As confusing as compliance is for EU countries and websites, the picture is even more blurry for US website owners.

For example, websites like Facebook serve people across the world, including the EU. However, Facebook’s primary audience is not UK and EU residents, despite a large number of users from there who access the website. Does Facebook have to comply with the law?

Facebook is a known user-tracking behemoth, even tracking individuals who never actually sign in or sign up to the website. Specifically, Facebook uses what’s known as the “datr” cookie to track anyone who comes to its site. That cookie has a 2-year life span, meaning even someone who never creates an account on Facebook can be tracked by the site for up to 2 years. Belgium attempted to fine Facebook $265,000 (€250,000) per day because of it, using the EU “Cookie Law” as supporting legislation.

Although a court initially sided with Belgium and ordered Facebook to stop tracking non-users, The Guardian reported that a Brussels appeals court overturned that ruling “on the grounds that Belgium does not have the authority to regulate the social network because its European base of operations is in Dublin, Ireland.” Although Ireland is also a member of the EU, the ruling cemented the fact that enforcement must occur on a state-by-state basis.

What does this mean for US websites?

This ruling established two potential interpretations of the law:

  • Any website with its servers based in the US may be free from EU privacy laws in general
  • Any US-based site with servers in the EU may be subject to the law in the country where those servers are located

This is only our interpretation of this court ruling, and should not be taken as professional legal advice.

If your servers are in the US:

It would appear that US sites with servers based in the US, but that primarily serve an EU audience, will likely be free from cookie law enforcement. Given that enforcement happens at the state level and server location appears to be the deciding factor in jurisdiction, US sites may be sitting “out of bounds”, so to speak.

That said, the Privacy Shield agreement signed between the US and the EU may result in the US government allowing such lawsuits to move forward. In plain terms, Privacy Shield is the agreement worked out between the US and EU that imposes privacy compliance obligations on companies operating across the Atlantic. So while on the surface US websites without servers in the EU may be free from fines, this may not hold true if an individual or government in the EU files a complaint under Privacy Shield regulations. As this does not yet appear to have occurred, the jury is still out on that one.

If your servers are in the EU:

As for US sites with servers located in the EU, Facebook’s successful appeal also appears to cement the idea that a website is bound to EU privacy law enforcement based on its server location. Facebook’s successful appeal hinged on the fact that its servers were not located in Belgium. By consequence, this means that, should Ireland’s Data Protection Commissioner decide to file a lawsuit over Facebook’s use of tracking cookies, it could be successful.

That said, some EU countries, such as Ireland, have been known to avoid prosecuting businesses in order to better attract international companies. This has resulted in fights between some countries and the EU, highlighted by the EU forcing Ireland to collect $15 billion (€13 billion) in back taxes from Apple.

What this does reveal is that some EU countries are far less likely to enforce the “Cookie Law” than others as a way to better compete for international business, while EU regulators may take it upon themselves to force countries to fine website owners that fail to follow the law. For a US website owner with EU-based servers, enforcement could be erratic, to say the least.

Nevertheless, if your servers are located in the EU, and your site caters primarily to EU residents, you’ll be subject to EU e-privacy laws. In that case, it’s likely in your best interest to follow the suggestions above on how to stay compliant.


How websites use cookies

A primary cause of the confusion surrounding the “Cookie Law” relates specifically to how websites actually use cookies. It may be more appropriate to say that part of the issue is found in a lack of understanding regarding what cookies actually do. On its web page dedicated to the issue, the EU provides an explanation for the kind of cookies a website might use:

  • Session cookies
  • Persistent cookies

And between those two:

  • First-party cookies
  • Third-party cookies

Before considering how you can properly comply with the law, it’s a good idea to consider how your website uses cookies.

Session (transient) cookies

These are temporary cookies that your website creates and places on a user’s computer during the period that user is connected to your site. Session cookies are deleted when the user closes their web browser. Session cookies do not generally collect personal information from the user, although they can serve this purpose depending on what type of activity the site allows. Session cookies essentially allow websites to record which pages a user has visited on your site and help prevent that user from receiving the same information on different pages (for example, preventing repeat “Cookie Law” pop-ups).

Session cookies are particularly important to websites such as online banks, to prevent users from having to re-authenticate on every page, or online shopping websites that need to know what items you have in your cart while browsing from page to page. For the most part, session cookies are not a huge concern under the EU or UK e-privacy laws.

Persistent (tracking) cookies

These cookies are placed on a user’s computer when they first log on to a website and remain on that computer even after the user moves away from the site and closes the browser. These cookies have taken on the name “tracking cookies”, as they are often used by advertisers to track a site user’s movement across a multitude of web pages and create targeted advertisements based on user browsing and search patterns.

Persistent, or “tracking”, cookies have an expiration date set by the creator and at times have been set to expire as far in the future as the year 9999(!). A 2015 ICO study found that UK websites as a whole were the biggest users (and abusers) of tracking cookies among EU nation states. The use of tracking cookies, particularly those that so closely monitor user behavior, is one of the primary reasons behind the “Cookie Law”.

There is no small amount of concern with tracking cookies, as these are more likely to be misused. Indeed, Yahoo recently revealed that the previously reported hacks of its servers included stolen and forged cookies that allowed the hackers to access users’ accounts without needing a password. This means hackers were able to copy the persistent cookies located on Yahoo’s servers, create forged versions of them, and then access user accounts with little effort. No brute force needed.
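The forged-cookie problem above is usually addressed by making a cookie’s value verifiable server-side. The following is an added example, not code from the article or from Yahoo: a persistent login cookie whose payload (user id plus expiry) is bound to a server-side HMAC secret, so that a copied cookie with an edited payload, or one used past its expiry, is rejected. The secret and user ids are constructed placeholders.

```python
"""Added example: HMAC-signed persistent login cookie.
A copied cookie whose payload has been altered fails verification because the
signature no longer matches; the expiry lives inside the signed payload so it
cannot be extended by editing the cookie. Secret below is a placeholder."""
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Placeholder for demonstration only; a real deployment loads this from a
# secret store and rotates it.
SERVER_SECRET = b"constructed-placeholder-secret-rotate-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return 'payload.signature' where payload = '<user_id>|<expiry epoch>'."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl_seconds}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if signature and expiry check out, else None.
    compare_digest keeps the comparison constant-time."""
    now = int(time.time()) if now is None else now
    try:
        p64, s64 = cookie.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    user_id, _, exp = payload.decode(errors="replace").partition("|")
    if not exp.isdigit() or int(exp) < now:
        return None
    return user_id


def demo() -> dict:
    """Issue one cookie, then check it in three states: intact, payload
    edited to a different user (constructed forgery), and past expiry."""
    issued_at = 1_700_000_000
    good = issue("alice", ttl_seconds=3600, now=issued_at)
    edited = _b64(b"admin|1800000000") + "." + good.split(".")[1]
    return {
        "valid": verify(good, now=issued_at + 100),
        "forged": verify(edited, now=issued_at + 100),
        "expired": verify(good, now=issued_at + 10_000),
    }


if __name__ == "__main__":
    print(demo())
```

Signing does not stop a stolen cookie from being replayed while it is valid, which is why the expiry is kept short and the cookie should also carry the Secure and HttpOnly attributes.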

First-party cookies

First-party cookies are any of the cookies your website generates on a user’s computer. The information gathered in these cookies goes directly to you, regardless of what type of information is stored in that cookie.

Where the e-privacy laws are concerned, first-party cookies are mostly fine as long as they serve a legitimate purpose, and as long as you obtain user consent for cookies that are not essential to the user’s experience. For cookies that are essential to the type of service your website provides, there is some wiggle room for “implied consent”, meaning you do not need to ask for permission if the nature of the website itself would seem to indicate the use of certain cookies. Where some sites get into trouble, and where the cookie law is most concerned, is when this information is sold to third parties who may try to capitalize on the data within those cookies, when your website misuses that data obtained by the cookie, or when your website generates cookies that serve no actual purpose beyond simply gathering data on users (even if it’s not personal data).

Third-party cookies

Third-party cookies are those that other sites place on website users’ machines. Third-party cookies on your site might come from plugins, such as YouTube, or more commonly from advertisements you place on your website.

Third-party cookies are among the biggest concerns behind the e-privacy law, as these cookies are at times malicious, used not just to track a user but to steal information. Being tracked by these third parties creates a conflict of interest between users and website owners, particularly when third-party cookies from on-site ads are involved. If your site uses third-party cookies or allows their use, you expose yourself to more consequences under the cookie law.
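Putting the four categories above into practice means knowing which of these each cookie on your site actually is. The following is an added example, not from the article: a small Python audit that parses Set-Cookie headers (as a crawler would record them for your own pages) and classifies each cookie as session or persistent and first-party or third-party, flagging long lifetimes like the year-9999 expiry mentioned above. The site name, hostnames and headers are constructed; the one-year threshold is an arbitrary policy value for the example.

```python
"""Added example: classify Set-Cookie headers into the categories above.
Sample headers are constructed; www.example.com is a hypothetical site."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# (host that sent the header, raw Set-Cookie value). Constructed sample data.
SAMPLE_HEADERS = [
    ("www.example.com", "PHPSESSID=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.com", "lang=en; Max-Age=2592000; Path=/"),
    ("ads.tracker-example.net",
     "uid=xyz; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Domain=.tracker-example.net"),
    ("www.example.com", "_ga=GA1.2.1; Max-Age=63072000; Domain=.example.com"),
]

MAX_REASONABLE_DAYS = 365  # arbitrary policy threshold for flagging


def registrable(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.net sample data; use a
    public-suffix library for real audits (.co.uk etc.)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v.strip() if v else True
    return name.strip(), value, attrs


def lifetime(attrs, now):
    """Remaining lifetime as timedelta, or None for a session cookie.
    Max-Age wins over Expires when both are present (RFC 6265)."""
    if isinstance(attrs.get("max-age"), str) and attrs["max-age"].lstrip("-").isdigit():
        return timedelta(seconds=int(attrs["max-age"]))
    if isinstance(attrs.get("expires"), str):
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable Expires: browsers treat as session cookie
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp - now
    return None


def classify(source_host, header, site_host, now=None):
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    domain = attrs["domain"] if isinstance(attrs.get("domain"), str) else source_host
    party = "first-party" if registrable(domain) == registrable(site_host) else "third-party"
    ttl = lifetime(attrs, now)
    flags = []
    if ttl is not None and ttl.days > MAX_REASONABLE_DAYS:
        flags.append(f"lifetime {ttl.days} days exceeds {MAX_REASONABLE_DAYS}")
    if party == "third-party":
        flags.append("third-party: needs consent and a cookie-page entry")
    return {"name": name, "kind": "session" if ttl is None else "persistent",
            "party": party, "days": None if ttl is None else ttl.days, "flags": flags}


def audit(headers=SAMPLE_HEADERS, site_host="www.example.com"):
    """One row per cookie; feed real headers from your own crawl."""
    return [classify(src, hdr, site_host) for src, hdr in headers]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The output rows map directly onto the cookie inventory page recommended in tip 1 above: name, category, lifetime, and whether it is a third-party cookie that needs consent.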

How is the Cookie Law enforced?

As with most EU directives, enforcement happens at the state level. Each EU member state was required to pass a law to enforce the e-privacy rules and create or task a governmental body with enforcement of that law. Any country that fails to transpose the directive into its local state laws may incur EU “infringement proceedings”, wherein the European Court of Justice may impose fines on those countries that fail to implement the law.

To date, only the Czech Republic and Estonia have failed to implement the directive amendment, while Germany has a partial implementation, arguing that their current law is sufficient.

In the UK, the relevant law is the Privacy and Electronic Communications Regulations. Originally passed in 2003, this law was amended in the UK to transpose the new EU directive associated with cookies, and in the UK is more colloquially known as the “Cookie Law”. The UK law is enforced by the Information Commissioner’s Office (ICO).

Although ICO began enforcing the “Cookie Law” in 2012, to date there have been no fines delivered as a result of the law’s enforcement in the UK. Indeed, in 2012, ICO explained that enforcement would not include fines at all, instead opting to conduct inquiries with websites that have had complaints filed against them.

ICO has published the level of complaints related to “Cookie Law” violations, revealing that consumer concern over the issue is fairly low:

ICO cookie law response

Regarding its “Cookie Law” enforcement, ICO places a low priority on this issue in comparison to other issues that the organization monitors. On its “Action we’ve taken” page for cookies, ICO states:


“Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. However, we have maintained a consumer threat level of ‘low’ in this area due to the very low levels of concerns reported by members of the public.”


What are the relevant laws in the UK and EU?

If your website primarily serves EU residents, compliance may change depending on which country gets the larger share of your business. Enforcement happens at the state level, so your compliance should generally follow the laws in place for the country from where most of your visitors are coming. Below, we list out the basic “Cookie Law” requirements for the UK and major EU member states.

United Kingdom

Law: Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011

Law Language: Regulation 6

“6.—(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment— (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information— (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.”

Austria

Law: Telecommunication Act (2011)

Law Language: Section 96.3

“Operators of public communications services and providers of information society services as defined in Article 3 No. 1 E-Commerce Act [E-Commerce-Gesetz], Federal Law Gazette I No. 152/2001, are obliged to inform subscribers or users about the personal data which the operator or provider will collect, process and transmit, about the legal basis for those activities, about the purposes for which these activities will be carried out, and about the period of time for which these data will be stored. Collecting these data shall only be permissible given the consent of the subscriber or user. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over a communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. The subscriber shall also be informed of the usage possibilities based on search functions embedded in electronic versions of the directories. This information shall be given in an appropriate form, in particular within the framework of general terms and conditions and, at the latest, upon commencement of the legal relations. The right to information pursuant to the Data Protection Act shall remain unaffected.”

France

Law: Act of 6 January 1978

Law Language: Article 32-II, Amended by Ordinance No. 2011-1012 of 24 August 2011

“In accordance with the so-called “telecoms package”, Internet users must be informed and give their consent prior to the insertion of tracers. They must have an opportunity to choose not to be traced when they visit a site or use an application. Publishers are therefore obliged to seek the consent of users beforehand. This consent is valid for a maximum of 13 months. However, certain tracers are exempted from the collection of this consent.”

Germany

Law: German Telemedia Act

Law Language: Section 4, Subsection 14

“(1) The service provider may only collect and use the personal data of a user to the extent necessary to enable the use of telemedia and to account for the usage data. Usage data are in particular

1. Features for identifying the user,

2. Information on the beginning and the end, as well as the extent of the respective use, and

3. Information about the telemedia used by the user.

(2) The service provider may combine user data about the use of different telemedia, as far as this is necessary for billing purposes with the user.

(3) The service provider may, for the purposes of advertising, market research or the appropriate design of the telemedia, create usage profiles when using pseudonyms unless the user does not contradict this. The service provider shall notify the user of his / her right of objection within the scope of the notification pursuant to § 13 (1). These usage profiles may not be combined with data on the bearer of the pseudonym.”

Spain

Law: E-Commerce and Information Society Services Act 34/2002

Law Language: Article 22.2

“When service providers employ devices for the storage and recovery of data from terminal equipment, they shall inform recipients of the use and finality of such devices in a clear and comprehensive manner, offering recipients the opportunity to refuse, by a simple means and free of charge, to allow their data to be processed. This shall not prevent any storage of or access to data for the purpose of carrying out or technically facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the recipient.”