Cookie law - links

Last revised 30 June 2013
In the UK, the EU cookie law will be enforced fully from 25 May 2012, under the revised Privacy and Electronic Communications Regulations (implementing the EU E-Privacy Directive 2002/58).
Here are some key links, which I'll add to over time - not necessarily comprehensive! Dates of items indicate their chronology.
Suggestions of further links are welcome.

Introduction / tutorial

Those new to this topic may wish to see my EU e-Privacy Directive cookie law introduction / tutorial.
Survey of top London tech law firms' cookie law compliance - table, with analysis in blog post (and article).

Some free tools that may assist compliance

These examples are listed for illustrative purposes only; you need to consult a suitably-qualified expert to check your own compliance, as everyone's situation is different.

1. Cookie audit tools

To check cookies on your site there's some tools (though I've not tested them all - on my list!) - but NB you may still get the Google's self-resurrecting PREF cookie whatever you do!. Some examples:

• Cookies Manager+ Firefox extension - best one in my view as I can use hotkeys (remember to clear all existing cookies in Firefox first before viewing your site and using the add-on)
• a free Chrome extension by Attacat (no registration required, unlike some)
• a general View Cookies Firefox extension, again delete existing cookies first
• Cookiecert have a free audit service - enter the site you want to audit in their search form, check again in a day or two if it's not already in their database.

2. Notice / consent tools

For getting consent (again just as examples of free tools I've found so far, but none of them do what I would like for this blog as regards analytics etc without requiring modification, and I haven't tested all of them) -

• Silktide's open source Javascript tool - may even work for AdSense though I've not tried it yet!
• OpenGlobal's Javascript tool - produces a small grey box in the top right hand corner, has some customisable features (scroll down beyond the code) including wrapping the code for setting cookies so it won't run unless and until the user chooses to consent, and a countdown option that assumes consent and sets the cookies after a chosen number of seconds
• cookie-warning, Javascript by Scott A Herbert - the cookie notice covers most of the page, and if the user clicks "I don't agree" to cookies, they are automatically redirected away from the site, so again a strict approach. There's no wrapper for cookie-setting scripts though.
• PHP/JQuery package, or alternatively .NET package, by Wolf Software; also, jConsent jQuery plugin, and separately jQuery plugin for Google Analytics, and jQuery plugin for Piwik - they've clearly been busy! WordPress package too. They also sell a Javascript solution.
• Ollie Phillips' cookiedirectives.js - seems a flexible free solution for strict compliance, with detailed instructions - you can "wrap" cookie scripts so that they won't run and set cookies until the user explicitly consents, but there's no implied consent JQuery plugin for Facebook Like - 2 clicks for more privacy, 1 Sept 2011, by Heise (info in German; English translation via Google) - see the project page (German; English translation via Google) for downloads
• Cookiecert provide a free, slightly customisable Javascript tool (or tag as they call it) to show a bar across the top of your site - but no "wrapper" to stop cookies from being set until consent is given
• CivicUK have a nice-looking, very customisable Javascript tool producing a clickable icon in the corner - although again, it doesn't do what I personally want
• CookieQ button - looks customisable but I'm not clear how they handle stopping third party cookies until consent is given

3. Cookie notices - samples

Example privacy notices - International Chamber of Commerce's UK cookie guide, updated Nov 2012, has sample notices, tool tips etc; see also the ICC's blog 2 April 2012 and article about the guide. (Of historical interest - their original April 2012 edition with clarification note - now only available (2nd edition) here).
BT's website has been mentioned by many  - it pops up a notice in the bottom right hand corner for 10 seconds saying if you continue without changing cookie settings, you consent. Settings are changeable via a "Change cookie settings" link at the bottom of webpages.

4. Miscellaneous

Google's "privacy troubleshooter" form - to quiz them about what they're doing on Analytics, Adsense etc to help sites comply! And more info on Google Analytics cookies.

ICO (UK data protection regulator)

The main documents are -

• Guidance on the rules on use of cookies and similar technologies - detailed guide, v3, May 2012, PDF - adds guidance on implied consent for cookies which the ICO now recognise as possible
• Advice about cookies and how to complain and a form to report your cookie concerns to the ICO about organisations' cookie law compliance, May 2012. "Rather than reply to each person individually, we will publish information about numbers and types of concerns reported, and let you know what we're doing about them."
• Taking action: data protection and privacy and electronic communications - outline of enforcement options
• Enforcing the revised Privacy and Electronic Communications Regulations (PECR) - v1, 25 May 2011, PDF

Other ICO info:

• Enforcement - activity report - cookies, 18 Dec 2012, with list of organisations the ICO had written to since May 2012
• Education key to cookie law progress, ICO blog (Dave Evans), 10 Sept 2012
• New EU cookie law (e-Privacy Directive) - summary including video FAQs (and PDF transcript of the video), May 2012
• ICO blog: updated advice and guidance on changes to the EU cookie law, Dave Evans, May 2012
• Cookies - advice for members of the public on the new rules, May 2012
• ICO form of letter to organisations asking about their cookie law compliance, and list of organisations contacted by the ICO (links were given on this page), May 2012
• Cookies and New PECR rules – what do they mean for me?, 2011
• Changes to the rules on using cookies and similar technologies for storing information - v1, 9 May 2011, PDF - initial guidance including 3 point action plan
• Half term report on cookies compliance, 13 December 2011, with news release ‘Must try harder’ on cookies compliance, says ICO
• ICO gives website owners one year to comply with cookies law - news release, 25 May 2011, PDF
• Correspondence between ICO and DCMS on the delay in implementing the cookie law in the UK

And about the ICO's own site and cookies -

• Changes to cookies on our website, 31 Jan 2013, changing how the ICO handles cookies on its own site, to 'implied consent'
• ICO's own privacy statement linking to their separate cookies page
• Costs to ICO of complying; and info about the cookies they couldn't remove originally
• ICO stats after introduction of their banner! (image of graph) - via Chinwag - and ICO official FOI reply, 22 June 2011

More general ICO info, broader than cookies but including some coverage of cookies -

• PECR info webpage
• The Guide to Privacy and electronic communications - v 1, 7 Sept 2011, PDF
• Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the Data Protection Act 1998 - undated, but file properties indicate Dec 2011, PDF

On RFID under the Data Protection Act 1998 -

• Data Protection Technical Guidance - Radio Frequency Identification, v1, 9 Aug 2006, PDF

Article 29 Working Party (EU regulators collectively)

These papers are particularly relevant to the cookie law -

• Opinion 04/2012 on Cookie Consent Exemption, 7 June 2012 with press release 12 June 2012
• Letter to browser providers, 29 October 2010 (and letter to ad networks)
• Opinion 15/2011 on consent, WP187, 13 July 2011
• Report on meeting with IAB Europe and EASA, 14 Sept 2011
• Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising, WP188, 8 Dec 2011 - again despite the name, there's a lot on the cookie law and what's acceptable or not
• Letter to Commissioner Kroes on e-Privacy Directive, 9 Dec 2011
• Opinion 2/2010 on online behavioural advertising, WP171, 22 June 2010 - including on cookies and the E-Privacy Directive; and IABUK response 
• Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive), WP159, 10 Feb 2009
• Opinion 1/2008 on data protection issues related to search engines, WP148, 4 April 2008

EU

Implementation of the revised Framework– Article 5(3) of the ePrivacy Directive - Commission guidance to EU Member States on implementing the cookie law, 20 Oct 2010
Answers to EU Parliamentary questions on cookies, tracking etc given by Ms Kroes on behalf of the Commission (links to the questions are in the top right corner): 18 Jan 2012, 10 Oct 2011, 31 Aug 2011, 26 Aug 2011,
Speeches by Commissioner Neelie Kroes:

• Internet and filtering applications: a tale of choice and revenues, 17 Jan 2013
• Online privacy and online business: An update on Do Not Track The Centre for European Policy Studies (CEPS)/Brussels, 11 October 2012
• The Digital Agenda: Europe's key driver of growth and innovation, 4 Oct 2011 - online privacy & tracking etc
• Online privacy – reinforcing trust and confidence, 22 June 2011
• Towards more confidence and more value for European Digital Citizens European Roundtable on the Benefits of Online Advertising for Consumers, 17 Sept 2010

Do not track or right on track? – The privacy implications of online behavioural advertising - speech by European Data Protection Supervisor Peter Hustinx, 7 July 2011
Commission presses 16 Member States to implement new EU telecoms rules, 24 Nov 2011
Commission starts legal action against 20 Member States on late implementation of telecoms rules, 19 July 2011
Consultation on internet of things (not strictly on the E-Privacy Directive) -

• press release, 12 April 2012
• consultation (ends 12 July 2012)

Other UK government links

Speeches by Ed Vaizey, Minister for Culture, Media and Sport (DCMS) -

• Implementing the e-privacy directive: the story so far, Joint DCMS/ICO stakeholder event on e-privacy, 2 Apr 2012
• To the Internet Advertising Bureau, 3 Nov 2011
• Internet speech at the OECD conference, 29 June 2011 (general, including a bit on e-privacy)
• To browser manufacturers, 29 Mar 2011
• CBI forum on e-privacy and the digital economy, 29 Mar 2011

Open letter on the UK implementation of Article 5(3) of the e-Privacy Directive on cookies - Ed Vaizey, 24 May 2011, PDF. Taking the view, on consent, that "This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing."
Government Digital Service -

• It’s not about cookies, it’s about privacy, 19 March 2012 and
• GDS cookies implementers guide
• cookies and beta.gov.uk

News etc

The European Commission’s chaotic cookie compliance culture (non-compliance by EU institutions), Data Protector blog, June 2013 (original news item)
Center for Internet and Society Launches “Cookie Clearinghouse” to Enable User Choice for Online Tracking (US), June 2013:

• report on IAB's objections, 26 June 2013

Half of UK institutions continue to ignore EU Cookie Law one year on, KPMG study May 2013: analysis of 55 major UK organisations across private and public sectors has found that 51 percent have failed to comply with the legislation
Businesses must engage in EU law consultations if they want to avoid repeat of cookies law mess, says expert, Out-law (Luke Scanlon), Sept 2012.
ICO disputes Freedom of Information Act findings on cookie reporting, SC Magazine (Dan Raywood), Aug 2012 -

• of 75 websites ICO wrote to (link above) - 45 have been analysed, of which 27 have clearly taken action to increase cookies information visibility; only 3 don't mention cookies on their home page; 'these, along with the six sites that failed to respond to our letter, will be set a deadline to take steps towards compliance, with formal enforcement action likely for the organisations that fail to meet this deadline'
• of 331 websites reported to ICO - ICO has reviewed them, it will write to them; 'a significant number of the responses do not provide any intelligence that can be analysed, while a proportion also highlight websites that rely on implied consent, which is in line with the EU law'
• progress report from ICO is due in Nov 2012, including list of sites contacted.

ICO "not ready" to probe cookie complaints, PC Pro report of freedom of information request (Nicole Kobie), Aug 2012.
The way the cookie crumbles - '90% of people haven’t bothered to read it', Forms and Functions, Aug 2012.
Sweet irony: EU imposes cookie law, ignores own rules, ZDNet (Zack Whittaker), May 2012.
ICO on enforcement of cookie law regarding analytics cookies, The Register (Kelly Fiveash), April 2012 - "highly unlikely to prioritise first party cookies used only for analytical purposes"
Guardian article about the cookie law, 13 April 2012 - they have a project to track the trackers

Other cookie or cookie law links - research, papers, sites etc

Bird & Bird's map of cookies law implementation
Silktide - amusing blog & graphics about the cookie law, Jan 2013
TRUSTe:

• EU cookie compliance index, Oct 2012  & press release
• Privacy Index (UK), Sept 2012 - showing UK compliance stats; and blog post - nearly 2/3 of top UK sites have 'taken steps' to be compliant.

Nocookielaw protest site - with the now well known "Dear ICO, Sue Us"
Top London tech law firms' cookie law compliance mechanisms - my own research, June 2012
Consent rates for different consent mechanisms - Qubit research, June 2012
AboutCookies, info site on cookies generally, by law firm Pinsent Masons
FTC Settles with Google over Cookie Control Override - how Google overrode Safari's cookie settings, Ed Felten updated Aug 2012
EU Cookie Law: The conundrum in numbers, Econsultancy May 2012 with infographics eg what consumers think about cookies.
Details on cookies used by Google Analytics; and how does Google use cookies for analytics? (in Google's advertising privacy FAQ)
New UK Cookie Laws: Practical Guidance, by law firm Linklaters, May 2012
89% of consumers feel that new EU cookie directive is a positive step, eDigitalResearch, May 2012 (also reported by EConsultancy)
Just 23% of web users would say yes to cookies, EConsultancy research April 2012
Could the EU cookie law be harming web accessibility? Pretty Simple, Apr 2012
KPMG news release, 10 April 2012 - on their analysis of 55 major UK organisations across UK private and public sectors which found 95% (!) were not in compliance, "with only one asking specifically for opt-in which is the key requirement of the directive. Surprisingly, two sites did not use any cookies at all."
How the EU has implemented the new law on cookies, by law firm DLA Piper, March 2012
82% of digital marketers think the EU cookie law is bad for the web, EConsultancy research, March 2012
Cookie ‘consent’ rule: EU implementation - table, by law firm Field Fisher Waterhouse, Feb 2012 (updated 4 Feb 2013)
EU - Three hurdles to Europe-wide cookie compliance, by law firm Linklaters, 20 Sept 2011 - outlining a risk-based approach to cookie compliance
Response by consumer organisation Which? on UK implementation of the cookie law, April 2011, including the results of their consumer research
Research into consumer understanding and management of internet cookies and the potential impact of the EU Electronic Communications Framework, report by PwC for DCMS, April 2011
Personal views of Peter Fleischer on the cookie law, Google's Global Privacy Counsel, 26 Nov 2010
Trained to Accept? A Field Experiment on Consent Dialogs, Böhme & Köpsell, 2010

Background legislation

Extracts from EU e-Privacy Directive and UK PECR legislation's cookie law wording showing changes from previous law, with EU and UK wording side by side.

UK implementation - The Privacy and Electronic Communications (EC Directive) Regulations 2003 (2003/2426) as amended by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (2011/1208)
EU:

• E-Privacy Directive (Directive on privacy and electronic communications) 2002/58 - consolidated version; original Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector
• Amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (PDF)
• Legislative history to the 2009 amending Directive (and legislative history to original 2002 Directive)

Denmark - Speechly Bircham's cookie guidance for Denmark
France implementation - explanation of French regulator CNIL's Dec 2011 cookie law guidance. The CNIL suggested in April 2012 (English translation) that "strictly necessary" cookies included preferences cookies, and 6-month analytics cookies would also be exempt on certain conditions eg clear notice, easy opt-out.
Ireland implementation - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 SI 2011/336, and guidance note on the cookie law

Netherlands - amendment proposed to allow implied consent and exempt analytics cookies - FFW blog, May 2013 (previous)

Spain (AEPD) - guide on use of cookies, April 2013 (DataGuidance summary; Bird & Bird)

12 Cs of Cloud Computing

The 12 C's of Cloud Computing: a Culinary Confection on the Society for Computers & Law website - my attempt to explain and discuss some fundamental issues in cloud computing, by way of culinary analogies (!), for the benefit of those who aren't technical and/or aren't lawyers.