Friday, 4 May 2012

EU cookie law essentials - 20 questions

The cookies law (under the EU e-Privacy Directive 2002/58) will hit websites and mobile apps etc very soon - and already has, in many countries.

Here's an overview and introduction, by way of 20 FAQs, covering the key important points that websites (including personal sites and blogs) and smartphone apps developers etc need to know about the so-called EU cookie law, following my CloudCamp and GirlGeekMeetup talks.

20 cookie law questions & answers

  1. Law from 25 May 2011? No, in the UK, there's an informal grace period till 25 May 2012, to give people time to come up with compliance solutions. 26 May is not far off at all, though. See Wolf Software's cookie law countdown!
  2. Cookies? Not just about "cookies". "Cookie law" is a convenient misnomer. (I'll still use "cookies" as shorthand.) It also includes Flash cookies (Local Shared Objects / LSOs), HTML 5 web storage, DOM storage, web bugs or web beacons, etc. And malware - spyware, trojans, viruses etc - planted on users' equipment. And, in my view, eTags.
  3. Organisations? Not limited to business use. No commercial purpose necessary. Individual app developers, SMEs, personal websites, message boards & forums, bloggers etc: everyone has to comply with the cookie law.
  4. Computers? Not just computers - it's phones, iPads and other tablets, games consoles, internet-enabled TVs, etc. And, I'd argue, Kindles and other ebook readers, iPods etc too. The cookie law applies to any "terminal equipment" of a "subscriber" or "user" - whatever "terminal equipment" may mean.
  5. "Personal data"? Not just "personal data" - it covers any "information". Separate laws deal with personal data, under the 1995 EU Data Protection Directive (implemented in the UK by the Data Protection Act 1998). Related but different laws. Both sets of laws apply, regulators say.
  6. Storing information? Not just storage - gaining access to info on terminal equipment is covered too, even if someone else (eg users or third parties) stored the information. Cough cough Path
  7. Internet? Not just about storing or accessing information over the internet or other network. No network necessary, under the EU and UK law (though it is in Ireland...) - spyware delivered on USB sticks or a virus on a CD could be included. And, while the boundaries aren't clear, perhaps via RFID or even NFC too.
  8. Browsers/websites? It doesn't just affect websites setting or accessing cookies via browsers (like Internet Explorer, Safari, Firefox, Chrome). The law also applies to any other applications, programs, scripts, software etc that store or access data on computers, mobile phones (eg iPhone, Android and other smartphone apps), etc. It's not how you store or access information, it's the act of storing or accessing information on terminal equipment that's covered.
  9. Just the UK or EU? It was meant to come in from May 2011 in all EU countries, but most are behind in passing the required laws (as of mid-March, 12 hadn't).
    The cookie law applies to websites, services or apps of people or organisations based in an EU country (wherever the site or app is hosted) which store or access information in terminal equipment of those using EU public communications networks.
    Even for those based outside the EU, eg in the US, if their site/app is accessible in an EU country over EU comms networks, then the cookie law may still apply to them - indeed, in every such country. And, again, separate EU data protection laws may also apply to any storage or access of "personal data" on EU users' equipment.
  10. What exactly does the law cover, then? Behavioural tracking cookies, innit? 'Fraid not. While the law might have been triggered by concerns about wide-scale tracking and profiling of consumers without their knowledge or consent, particularly behavioural targeting by the advertising industry (online behavioural advertising or OBA), the law is very wide - most think, too wide. It bans all storage of or access to info on terminal equipment, unless the user or subscriber -
    (i) is provided with clear and comprehensive information about the purposes of the storage or access, and
    (ii) has given consent.
    So, basically, consent is king. Or "notice + choice", as the US might put it.
  11. Aren't there any exceptions? There are 2 exceptions when info can be stored/accessed without consent etc, but they're narrow.
    Ignoring a limited exception that's essentially confined to enabling network transmissions, the main exception is where it's "strictly necessary" for providing an "information society" service (effectively, online ecommerce service) requested by the user.
    Classic example - cookies for remembering items added to users' shopping baskets on e-commerce online sales websites. Or, cookies for services with secure login, to recognise users, and other security cookies.
    Tidbit: the ICO doesn't think cookies for saving language/accessibility etc preferences are strictly necessary; the French regulator does! More on this in a future blog post.
  12. Can't consent be opt-out, or given afterwards, or must it be prior consent? Cue big arguments, which are still raging.
    Wider view: consent can be implied from user actions, and isn't always necessary in advance. The UK government considered that the relevant Directive doesn't say "prior" consent ("prior" was deleted from a previous draft), stressing that what's important is informed consent; but still acknowledging that consent must be "any freely given specific and informed indication of" user wishes. While consent normally means prior consent, it argued "This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing."
    Indeed, the ICO themselves had to set a cookie for all visitors automatically, although needed for just one form, and they managed to get rid of it only in the last week of March 2012 (I checked regularly!).
    (Added) Just before 25 May 2012, the ICO updated their guidance to allow for implied consent.
    Strict, narrow view: consent must be express and explicit, eg by users actively clicking a button or ticking a box, and must be given before the info storage/access. This is the view of continental regulators, although the ICO apparently accept that implied consent is possible if there's enough consumer awareness about cookies; and they even said that, when using a pop up or splash page, where no cookies are turned on until the user agrees, if the user just clicks through to another part of the site their consent might be inferred (but a reminder elsewhere that you're setting cookies would help).
    The conflict between UK government and other views certainly doesn't help clarify matters.
  13. Can browser settings be taken to indicate consent? Err. No easy answer here! The law does envisage that "Where it is technically possible and effective, in accordance with [data protection laws], the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application." This seems the most sensible solution for user choice, rather than placing the onus on site owners and app developers.
    Currently, browsers are generally set by default to accept all cookies automatically, including third party cookies. Only the tech-savvy tailor browser settings, use NoScript etc, or periodically delete cookies. Can browsers' default settings, to accept cookies, be taken to signify the user's consent to cookies?
    UK government: users could indicate consent by choosing not to change default browser settings, if provided with adequate info on cookies and what those settings mean for them. It thinks this approach would enable industry work on third party cookies in online behavioural advertising. But note that "adequate information" must still be provided first, even on this view.
    Regulators: the ICO, who enforces the law in practice, considers that currently, as most browsers aren't sophisticated enough, services can't assume consent from browser settings, and "for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way."
    The authorities have asked browser manufacturers to come up with something (it's interesting in itself that browser providers are being asked to bear the costs of changing their browsers when that law doesn't necessarily apply to them as browser makers, nor would they necessarily benefit from it! Although longer-term, this makes overall sense). No news on this front yet… We'll see if eg Do Not Track (DNT) will be good enough; it certainly seems to be gaining traction.
  14. Break the cookie law, just get a warning? Not necessarily… The UK data protection regulator, the ICO, will consider how seriously a breach affects privacy and others' rights, in deciding what enforcement action to take, if there's a complaint. Worst case scenario, serious breaches could mean a penalty of up to £500k, and non-compliance with any enforcement notice is a criminal offence. But it seems the ICO won't consider formal action about analytics cookies to be high priority, if you "take what steps you can" (?) to seek consent after explaining them, and "we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action." (What about third party analytics cookies…?)
    However, it might not be safe for non-compliant sites to assume they'll escape scot-free, and don't forget other EU countries may take a stricter view and theoretically they could go after eg US services. Not sure if they'd go as far as arresting people travelling in their country yet, as with the EU online gambling executives in transit in the US, but you never know…
  15. What can be done to comply? Another tough one. It depends on how strict or relaxed an approach you take to compliance and consent. I plan to blog more on this soon, looking in detail at some of the free tools out there - watch this space!
    Meanwhile, the main guidance to read is the ICO's Guidance on the rules on use of cookies and similar technologies and the shorter ICO's Changes to the rules on using cookies and similar technologies for storing information, which outline a 3-point action plan -
    1. Cookie audit - what type of cookies and similar technologies do you use, how do you use them?
    2. How intrusive is your use of cookies?
      [Note: the all-encompassing cookie law doesn't actually distinguish between cookies based on how privacy-invasive they are. It's the ICO who has introduced this notion of assessing intrusiveness.]
    3. Decide what solution will be best in your circumstances, and deploy it: get rid of all cookies that you can, work out cookie-less solutions as much as possible, for the rest figure out how best to obtain consent before storage/access. The more intrusive the use, the harder you'll have to try to inform users and seek meaningful consent.
    It's probably easier with mobile apps, as users are used to automatically OK'ing all sorts of things when they first install an app, so consent can be included there (if the info is clearly given).
    For websites…the ICO initially seemed clear in their own view that sites need to provide information about cookies and obtain consent before a cookie is set for the first time, while recognising that gaining consent will often "be a challenge", and also "Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options."
    (Added) However, just before the grace period expired, the ICO updated their guidance to allow for implied consent.
    Changing t's & c's or privacy policy to stipulate user consent is not good enough in itself, without drawing the cookie point specifically to users' attention and getting them to take positive action to agree, regulators say. And they're the ones enforcing the law. But consent in TOS might work for new sign ups to services requiring login, if it's made clear enough.
    Popups or splash pages (better still, lightboxes that aren't blocked by popup blockers) could work to provide info and get consent, although regulators note the "annoyance" factor.
    The ICO's own site has a banner across the top with tick box. Guess how few people have bothered to tick it…!
    Good news: it's OK to use the same cookie for the same person (and same purpose) in future, without having to ask on every visit, ie cookies once accepted may be maintained across multiple visits without seeking consent again on each visit.
    ICC UK have produced their own guide on cookie categorisation, sample privacy notices and tool tips, etc.
  16. What about third party cookies? Also caught. To me, one of the most problematic issues is, who's responsible for compliance, with third party cookies? Facebook, AddThis, Google etc? Or the user who added a Facebook or AddThis widget to their blog, or Google Analytics, AdSense code or other JavaScript tags to their personal website, without necessarily realising how much info that sends to Facebook etc about the user's visitors? Similarly, if you use Google's Blogger and Blogspot, as I do for this blog, you can't control what cookies Google chooses to use (though of course you could choose not to use Blogger/Blogspot altogether).
    The UK ICO considers both parties are responsible: "Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this."
    I disagree. There is a direct interface with the third party, as its code is being run. Also, there's an expertise and knowledge imbalance: I feel that these third parties, who are much more technically sophisticated than many SMEs or individual site owners or bloggers, should take much more responsibility (it's their code, their cookies) for producing cookie-less solution, or for providing the required info/choice as part of their script. A site owner may install third party scripts marketed as allowing visitors to "Like" or tweet their site etc, without realising the full extent of what it does; it's the third party who truly controls that. More on this in a future blog post…
    Meanwhile, here's Google's privacy troubleshooter form and AdSense's support form for those who'd like to fill it in!
    (I'm not engaging in arguments about whether Google Analytics cookies are technically first or third party cookies. I use "third party" here when referring to code a site owner adds to their site, ie widgets and the like, that originates from and is controlled by a third party.)
  17. But third party analytics cookies and advertising cookies are very common, help?! Analytics cookies and advertising cookies are not "strictly necessary" to deliver the content to users, according to most regulators' interpretation, and the ICO recently confirmed this view. Even if you consider analytics essential to improve your site, or advertising essential to enable you to provide content to users for free. I think bloggers and site owners should be putting pressure on ad networks, analytics providers etc to provide solutions, but any queries I've seen have (with the honourable exception of ShareThis, though I've not seen a solution yet) mostly met with a continued, resounding, deafening silence from the providers, even EU ones, or criticisms of the cookie law from providers, rather than actual pro-active solutions. Though Google have said (ht) that they'll post something about analytics on their Analytics blog. I hope, AdSense too! I'll discuss all this in a future blog post.
    (Added) CNIL, France's regulator, has at least stated that in France 6 month analytics cookies are exempt on certain conditions, eg notice, easy opt-out mechanisms etc.
  18. But, at least all this is better for consumers, right?
    Not necessarily. While hopefully any efforts to comply should help raise consumer awareness about cookies, in my personal view the new laws unfortunately won't solve the underlying problems: tracking/targeting without informed consent, and insufficient granularity of user choice.
    Nor is the information being given to users necessarily clear or comprehensible enough to the average non-technical person - to be discussed further in a future blog post, but see eg the explanation of cookies by cookie name in the ICO's own privacy notice.
    I feel tracking will continue, but (for sites that take the trouble to get rid of cookies) tracking will just move server-side, eg to the cloud, log files-based, employing analytics systems that use IP address and user agent, and therefore tracking may become harder for users to detect. (I don't think device or browser fingerprinting will escape this law, though.)
    It'll cost money to comply (see below), especially as the law isn't fully harmonised across different EU countries, which may raise costs generally without necessarily providing any real benefits to consumers. Strict compliance all-round may even threaten the existence of free ad-funded services currently enjoyed by consumers. So, by focusing on process rather than purpose, the cookie law risks gumming up the workings of internet and mobile services while missing its intended target, and hitting law-abiding SMEs and individuals the hardest.
  19. So who's it better for, then? Well, it's certainly better for cookie auditors/consultants and lawyers! To get their website compliant, the UK data protection regulator had to pay nearly £4k (with further, unknown, costs for sorting out that single recalcitrant cookie mentioned in 13 above).
    It will cost law-abiding sites and apps providers time and money to try to produce compliant solutions, while the real underlying problems remain unaddressed. If all the money regulators and sites etc have had to spend on this were instead used to detect and enforce breaches of existing data protection law (including behavioural tracking without informed consent), we'd all be better off.
    And you can bet your bottom euro that lots of sites and apps aren't going to bother to try to comply, whether through lack of awareness, or a deliberate decision to take the risk, betting that no one will come after them or that, if they do, they won't be fined much. Typical approach, as per an email to me from a tech industry person: "I suspect that most would rather ignore it rather than hamstring their service."
    So all this will effectively penalise law-abiding services, while other services ignore the cookie law and may get away with it. It doesn't seem helpful to have laws that most people won't obey or that won't get enforced (whether for practical or other reasons); it brings the law into disrepute, without necessarily achieving its underlying aim.
  20. And what of the future, eg implications for the internet of things? As mentioned above, RFID and possibly (though less likely) NFC could be covered too - it's not clear enough yet. The European Commission are consulting on regulating the internet of things, so those who respond to the IoT consultation (ending 12 July 2012) could take the opportunity to comment eg on the impact of the cookie law on the internet of things. And the revision of the Data Protection Directive could also provide an opportunity to comment on the cookie law. There's a site protesting the law, as well as an e-petition against it!
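The 3-point action plan in 15 and the third party script problem in 16 and 17 boil down to one mechanism: classify what your site embeds, run only the "strictly necessary" parts until the user has chosen, and remember the choice in a first-party cookie so you don't ask again on every visit. Here's an added example of that consent gate (my own illustration, not code from the ICO or any of the providers mentioned); the tag inventory, the cookie name `cookie_consent` and the `example` hosts are constructed for the illustration.

```javascript
// Consent-gated loading of non-essential cookies/scripts (illustrative, not ICO code).
const CONSENT_COOKIE = "cookie_consent"; // assumed name for the first-party consent record

// Constructed "cookie audit" of what a typical blog embeds. Only the first entry
// falls within the "strictly necessary" exception; the rest wait for consent.
const TAGS = [
  { id: "session",   category: "strictly-necessary", src: null },
  { id: "analytics", category: "analytics",          src: "https://analytics.example/tag.js" },
  { id: "share",     category: "widget",             src: "https://widgets.example/share.js" },
  { id: "ads",       category: "advertising",        src: "https://ads.example/adsense.js" },
];

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Read the stored decision. null means "no choice made yet"; a malformed or
// tampered value is treated the same way rather than as consent.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(raw));
    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
    return parsed;
  } catch (e) {
    return null;
  }
}

// Which tags may run: strictly-necessary ones always, others only for
// categories the user explicitly set to true.
function allowedTags(consent, tags = TAGS) {
  return tags
    .filter(t => t.category === "strictly-necessary" || Boolean(consent && consent[t.category] === true))
    .map(t => t.id);
}

// Set-Cookie value recording the choice, so consent persists across visits.
function consentCookieValue(choices, maxAgeDays = 365) {
  const value = encodeURIComponent(JSON.stringify(choices));
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Browser glue: inject only the permitted third party scripts. Returns how many were added.
function loadAllowed(doc, consent, tags = TAGS) {
  const ids = new Set(allowedTags(consent, tags));
  let added = 0;
  for (const t of tags) {
    if (!t.src || !ids.has(t.id)) continue;
    const s = doc.createElement("script");
    s.src = t.src; s.async = true; doc.head.appendChild(s); added++;
  }
  return added;
}
```

On a real page you would call `loadAllowed(document, readConsent(document.cookie))` at load time and again after the user ticks the boxes on your banner, writing `document.cookie = consentCookieValue(choices)` first.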

See further links to primary sources, some possible free compliance tools, and other resources on the EU cookie law.

Note: this focuses mainly on the UK position. It's my first go at looking at these laws in detail, so any corrections or comments are welcome.

Obligatory weaselly lawyer's disclaimer: the above is just general information, not legal advice. You should consult suitably qualified lawyers about your own situation, as everyone's is different. And opinions are mine alone.