Kuan0: Cookie law - links

Tuesday, 17 April 2012

Cookie law - links

Last revised 30 June 2013
In the UK, the EU cookie law will be enforced fully from 25 May 2012, under the revised Privacy and Electronic Communications Regulations (implementing the EU E-Privacy Directive 2002/58).
Here are some key links, which I'll add to over time - not necessarily comprehensive! Dates of items indicate their chronology.
Suggestions of further links are welcome.

Introduction / tutorial

Those new to this topic may wish to see my EU e-Privacy Directive cookie law introduction / tutorial.
Survey of top London tech law firms' cookie law compliance - table, with analysis in blog post (and article).

Some free tools that may assist compliance

These examples are listed for illustrative purposes only; you need to consult a suitably-qualified expert to check your own compliance, as everyone's situation is different.

1. Cookie audit tools

To check cookies on your site there are some tools (though I've not tested them all - on my list!) - but NB you may still get Google's self-resurrecting PREF cookie whatever you do! Some examples:
  • Cookies Manager+ Firefox extension - best one in my view as I can use hotkeys (remember to clear all existing cookies in Firefox first before viewing your site and using the add-on)
  • a free Chrome extension by Attacat (no registration required, unlike some)
  • a general View Cookies Firefox extension, again delete existing cookies first
  • Cookiecert have a free audit service - enter the site you want to audit in their search form, check again in a day or two if it's not already in their database.

2. Notice / consent tools

For getting consent (again just as examples of free tools I've found so far, but none of them do what I would like for this blog as regards analytics etc without requiring modification, and I haven't tested all of them) -

3. Cookie notices - samples

Example privacy notices - International Chamber of Commerce's UK cookie guide, updated Nov 2012, has sample notices, tool tips etc; see also the ICC's blog 2 April 2012 and article about the guide. (Of historical interest - their original April 2012 edition with clarification note - now only available (2nd edition) here).
BT's website has been mentioned by many - it pops up a notice in the bottom right-hand corner for 10 seconds saying if you continue without changing cookie settings, you consent. Settings are changeable via a "Change cookie settings" link at the bottom of webpages.

4. Miscellaneous

Google's "privacy troubleshooter" form - to quiz them about what they're doing on Analytics, Adsense etc to help sites comply! And more info on Google Analytics cookies.

ICO (UK data protection regulator)

The main documents are -
Other ICO info:
And about the ICO's own site and cookies -
More general ICO info, broader than cookies but including some coverage of cookies -
On RFID under the Data Protection Act 1998 -

Article 29 Working Party (EU regulators collectively)

These papers are particularly relevant to the cookie law -

EU

Implementation of the revised Framework – Article 5(3) of the ePrivacy Directive - Commission guidance to EU Member States on implementing the cookie law, 20 Oct 2010
Answers to EU Parliamentary questions on cookies, tracking etc given by Ms Kroes on behalf of the Commission (links to the questions are in the top right corner): 18 Jan 2012, 10 Oct 2011, 31 Aug 2011, 26 Aug 2011
Speeches by Commissioner Neelie Kroes:
Do not track or right on track? – The privacy implications of online behavioural advertising - speech by European Data Protection Supervisor Peter Hustinx, 7 July 2011
Commission presses 16 Member States to implement new EU telecoms rules, 24 Nov 2011
Commission starts legal action against 20 Member States on late implementation of telecoms rules, 19 July 2011
Consultation on internet of things (not strictly on the E-Privacy Directive) -

Other UK government links

Speeches by Ed Vaizey, Minister for Culture, Media and Sport (DCMS) -

Open letter on the UK implementation of Article 5(3) of the e-Privacy Directive on cookies - Ed Vaizey, 24 May 2011, PDF. Taking the view, on consent, that "This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing."
Government Digital Service -

News etc

The European Commission’s chaotic cookie compliance culture (non-compliance by EU institutions), Data Protector blog, June 2013 (original news item)
Center for Internet and Society Launches “Cookie Clearinghouse” to Enable User Choice for Online Tracking (US), June 2013:
Half of UK institutions continue to ignore EU Cookie Law one year on, KPMG study May 2013: analysis of 55 major UK organisations across private and public sectors has found that 51 percent have failed to comply with the legislation
Businesses must engage in EU law consultations if they want to avoid repeat of cookies law mess, says expert, Out-law (Luke Scanlon), Sept 2012.
ICO disputes Freedom of Information Act findings on cookie reporting, SC Magazine (Dan Raywood), Aug 2012 -
  • of 75 websites ICO wrote to (link above) - 45 have been analysed, of which 27 have clearly taken action to increase cookies information visibility; only 3 don't mention cookies on their home page; 'these, along with the six sites that failed to respond to our letter, will be set a deadline to take steps towards compliance, with formal enforcement action likely for the organisations that fail to meet this deadline'
  • of 331 websites reported to ICO - ICO has reviewed them, it will write to them; 'a significant number of the responses do not provide any intelligence that can be analysed, while a proportion also highlight websites that rely on implied consent, which is in line with the EU law'
  • progress report from ICO is due in Nov 2012, including list of sites contacted.
ICO "not ready" to probe cookie complaints, PC Pro report of freedom of information request (Nicole Kobie), Aug 2012.
The way the cookie crumbles - '90% of people haven’t bothered to read it', Forms and Functions, Aug 2012.
Sweet irony: EU imposes cookie law, ignores own rules, ZDNet (Zack Whittaker), May 2012.
ICO on enforcement of cookie law regarding analytics cookies, The Register (Kelly Fiveash), April 2012 - "highly unlikely to prioritise first party cookies used only for analytical purposes"
Guardian article about the cookie law, 13 April 2012 - they have a project to track the trackers

Other cookie or cookie law links - research, papers, sites etc

Bird & Bird's map of cookies law implementation
Silktide - amusing blog & graphics about the cookie law, Jan 2013
TRUSTe:
Nocookielaw protest site - with the now well known "Dear ICO, Sue Us"
Top London tech law firms' cookie law compliance mechanisms - my own research, June 2012
Consent rates for different consent mechanisms - Qubit research, June 2012
AboutCookies, info site on cookies generally, by law firm Pinsent Masons
FTC Settles with Google over Cookie Control Override - how Google overrode Safari's cookie settings, Ed Felten updated Aug 2012
EU Cookie Law: The conundrum in numbers, Econsultancy May 2012 with infographics eg what consumers think about cookies.
Details on cookies used by Google Analytics; and how does Google use cookies for analytics? (in Google's advertising privacy FAQ)
New UK Cookie Laws: Practical Guidance, by law firm Linklaters, May 2012
89% of consumers feel that new EU cookie directive is a positive step, eDigitalResearch, May 2012 (also reported by EConsultancy)
Just 23% of web users would say yes to cookies, EConsultancy research April 2012
Could the EU cookie law be harming web accessibility? Pretty Simple, Apr 2012
KPMG news release, 10 April 2012 - on their analysis of 55 major UK organisations across UK private and public sectors which found 95% (!) were not in compliance, "with only one asking specifically for opt-in which is the key requirement of the directive. Surprisingly, two sites did not use any cookies at all."
How the EU has implemented the new law on cookies, by law firm DLA Piper, March 2012
82% of digital marketers think the EU cookie law is bad for the web, EConsultancy research, March 2012
Cookie ‘consent’ rule: EU implementation - table, by law firm Field Fisher Waterhouse, Feb 2012 (updated 4 Feb 2013)
EU - Three hurdles to Europe-wide cookie compliance, by law firm Linklaters, 20 Sept 2011 - outlining a risk-based approach to cookie compliance
Response by consumer organisation Which? on UK implementation of the cookie law, April 2011, including the results of their consumer research
Research into consumer understanding and management of internet cookies and the potential impact of the EU Electronic Communications Framework, report by PwC for DCMS, April 2011
Personal views of Peter Fleischer on the cookie law, Google's Global Privacy Counsel, 26 Nov 2010
Trained to Accept? A Field Experiment on Consent Dialogs, Böhme & Köpsell, 2010

Background legislation

Extracts from EU e-Privacy Directive and UK PECR legislation's cookie law wording showing changes from previous law, with EU and UK wording side by side.

UK implementation - The Privacy and Electronic Communications (EC Directive) Regulations 2003 (2003/2426) as amended by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (2011/1208)
EU:
Denmark - Speechly Bircham's cookie guidance for Denmark
France implementation - explanation of French regulator CNIL's Dec 2011 cookie law guidance. The CNIL suggested in April 2012 (English translation) that "strictly necessary" cookies included preferences cookies, and 6-month analytics cookies would also be exempt on certain conditions eg clear notice, easy opt-out.
Ireland implementation - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 SI 2011/336, and guidance note on the cookie law
Spain (AEPD) - guide on use of cookies, April 2013 (DataGuidance summary; Bird & Bird)