How did you like the article?
0
How did you like the article?
0

EU cookie laws and how they affect your business

‘This website uses cookies’ – an expression that most internet users are very familiar with. Cookies have been around for some time, but some website users and operators alike are still confused by exactly what they do and what the data protection and privacy laws are regarding them. The EU recently clarified the issue, bringing out comprehensive guidelines in 2009 declaring that all EU member states should give individuals living in the EU the right to refuse the use of cookies in order to protect their online privacy. So what does this mean for businesses operating in the UK, and how might it also affect US businesses online? In our guide to cookies, we’ll look at this new EU regulation, explore the standard practices in the UK, and compare rules in Europe to the laws in the USA, so that you can be sure you know where you stand.

What are cookies?

Cookies are text files that are stored by your browser on your computer when you load a web page. The text file consists of data from your website visit and the idea behind this is to improve user friendliness: your browser will notice login data and language settings, speeding up and streamlining your browsing experience. A typical cookie contains a statement about the life of the text file and a randomly generated number that’s unique to your computer. Cookie data is normally stored anonymously, and the data stored in the text file can only be read on the web server that issued the cookie. Cookies tend to avoid personal data too, usually only requiring it for login information. Their main responsibility is creating this personalized, interactive online world as we know it today.

But despite this user-friendly aspect to cookies, many critics see them an invasion of privacy. Cookies can be used to create what’s known as ‘behavioral profiles’, which use your online habits in order to display certain ads or particular targeted content. They do so because it’s useful for companies to be able to display tailored content depending on whether a user is visiting a website for the first time or the 100th time.

In some cases, cookies stay on your computer between page visits, gathering more information to build up a clearer picture of other interests you might have. In these circumstances, companies can target ads at you when you visit external pages, often displaying tailored images (like the pair of shoes you were viewing on their website, or the new kitchen appliance you’ve been searching for). This is an integral tactic for online businesses battling in the dense e-commerce market, but there are concerns that cookies may sometimes be misused to supply information about personal internet use to unknown companies.

The truth about cookies for users is that you don’t really know how your data is being used without an explanation by the website you’re visiting. And this is the fundamental reason for the EU’s revolutionary regulations from 2011.

What do the EU cookie laws mean?

In 2002, the European Union initiated their ‘Directive on Privacy and Electronic Communications’, with further ammendments to cookie usage made in 2009. Despite coming under criticism for its structuring and difficult interpretation, the EU set a deadline for their directive to be adopted by all member states by May 2011. Becoming known as simply ‘The Cookie Law’, the EU directive recognizes the need for cookies in order to create the personalized online universe we enjoy today, but also makes it clear that cookies could be considered an invasion of privacy and that users deserve the right to be made aware of the presence of cookies and their usage. Certain cookies that are considered ‘strictly necessary for the delivery of a service requested by the user’ don’t have to be declared, because they are of far higher benefit to the user than the company. This includes cookies used to track shopping carts in e-commerce and to store important login information that the user requires.

For the use of most cookies, website operators in the EU now require permission from the user. This covers all cookies that don’t meet the requirement mentioned above of being ‘necessary’. This means that advertising cookies for retargeting, analysis, and social media cookies now require permission from the user. But the main issue that many companies have with these EU regulations is that the guidelines don’t clarify exactly how they should be implemented. There’s particular uncertainty when it comes to obtaining authorization from site visitors.

Opt in or opt out?

The biggest concern that most website operators have raised with regards to The Cookie Law is whether users have to first agree to the cookies before the text file is created, or whether they can use the cookie right from the get go, and only delete it if the user chooses to object. The first of these is known as ‘opt in’ and the second ‘opt out’. Opt in cookie usage means that data storage can only be used if the user gives clear permission, by clicking on an accept box or similar. Opt out means that website operators just have to inform site visitors of their cookie usage, with the user having to choose to turn off the cookie policy.

How have EU cookie laws affected the UK?

The body responsible for interpreting and enforcing The Cookie Law in the UK is the Information Commissioners’ Office (ICO). The ICO has chosen a general opt out strategy for UK website operators, meaning that site visitors just have to be informed that the cookies are being used. Many of these cookie notifications appear in the form of banners at either the top or bottom of a website’s homepage, and some require no direct interaction. Here are some examples of how certain famous websites have displayed their cookie notifications:

Channel 4

Channel 4 give a comprehensive explanation of what cookies are and how they use them. This appears in a display bar at the top of the homepage, accompanied by a link to cookie management and an ‘Accept & Close’ box. This box stays in its place until you click ‘Accept & Close’, but it doesn’t follow the page, disappearing if you scroll down.

The F.A.

The Football Association’s homepage features a banner display at the bottom of the screen, explaining the type of cookie used and when it will expire. The banner follows the page as you scroll, but as soon as you click any link on the website, it will disappear, taking your click to be an acceptance of the cookie policy.

Rolls Royce

Rolls Royce offer little information about their cookie policy, besides a link to a separate web page. They don’t feature an accept button, opting for a simple X instead. Their banner appears at the top of their homepage, moving with the page as you scroll up and down and staying on display until closed, no matter how many different pages of their website you go through.

Hotel Chocolat

Hotel Chocolat take a humorous approach to their cookie usage, displaying a small box in the bottom left corner of the screen with a joke playing on the double meaning of ‘cookie’. They also offer a link to their cookie usage guide and an X in the corner of the box to close it, although it disappears as soon as the user clicks elsewhere on the screen too.

What do EU cookie laws mean for UK businesses?

Judging the success of The Cookie Law in the UK is a difficult thing to do. The ICO has registered very few complaints about cookies from users, which suggests that either the law is working and UK citizens are happy with the improved transparency over cookie usage, or that they simply aren’t so concerned about cookies anyway. The main concern for website operators in the UK is ensuring cookie alerts don’t annoy the user. On the whole, this isn’t so difficult for desktop displays – the examples we’ve compiled above show just how flexible you can be with cookie notifications. But these can become more intrusive when you visit a mobile site, simply because the screen is smaller but the same number of words are required to explain about cookies. Given the global trend towards mobile browsing, we recommend that you try to find a solution that isn’t intrusive or disruptive to the user’s browsing experience.

The ICO enforcement of The Cookie Law hasn’t been as tough as was first expected. Initial suggestions of fines of up to £500,000 for not following procedure haven’t come to fruition thus far, but this is probably due to the relative lack of complaints about cookie misuse. But website operators who fail to follow ICO regulations can at the very least expect a formal warning. And since users are now becoming more and more aware of what cookies do and how they can be used, you’re likely to see a drop in site visitors if you earn a reputation for not following ICO regulations.

If you’re a website operator in the United Kingdom, the ICO offers simple, straightforward guidance on cookies on their ‘Cookies and similar technologies’ advice page, and also offer a more wordy, comprehensive guide to cookies in PDF format.

EU cookie laws: what does it mean for the US?

The extent to which the EU privacy directive will affect your business in the US is slightly unclear and open to interpretation. The simple legal answer is that these laws won’t have much impact, because the US isn’t part of the European Union, so it has different restrictions and guidelines when it comes to online privacy. If you’re operating a website or online shop in the United States with content aimed at American citizens, you don’t need to worry about the EU cookie restrictions. But there’s a grey area for US website operators featuring content aimed at people in the EU. For example, if you’re running a website about the Six Nations rugby tournament, played between England, Scotland, Ireland, Wales, France, and Italy, then you’re likely to get some website visitors from these countries. It’s possible that you could be violating EU law by not actively disclosing cookie information. And even if you’re not, it’s important to remember that EU citizens wishing to visit your site will now have an increased understanding and awareness of cookies and what they mean. So it makes sense to notify site visitors using the same methods we’ve suggested above. If you offer an alternate website for EU citizens, for example a UK version of your online store, then you must follow The Cookie Law.

For a full overview of cookie restrictions and other data protection laws in the US, you can refer to the usa.gov privacy, security, and accessibility policies page.

The Cookie Law: know where you stand

Cookies are becoming more and more integral to everyday internet use. Without them, website operators wouldn’t be able to offer users the stylized and personalized content that we’ve all grown accustomed to. This has even been recognized by the EU privacy directive, which has conceded that some cookies are now essential for user experience, for example login information and online shopping carts. But other cookies that are useful for retargeting and other forms of display advertising may frustrate and annoy the user, and so The Cookie Law is designed to increase user awareness of cookies and give them the option to opt out and not have their website browsing tracked.

In the UK, website operators have to comply with EU regulations for the time being, though this may change once Brexit is finalized. But companies in the US who operate EU stores or feature European content on their websites are also at risk of breaching EU legislation and so should also pay attention to these laws. In most cases, site visitors are happy to accept cookie tracking in exchange for an enhanced browsing experience. And if your site visitors are happy, then your retargeting and customer journey mapping techniques in online marketing are more likely to be successful in the long run.

Browser Data Protection