EU cookie laws and how they affect your business

‘This website uses cookies’ – an expression that most internet users are very familiar with. Cookies have been around for some time, but some website users and operators alike are still confused by exactly what they do and what the data protection and privacy laws are regarding them. The EU recently clarified the issue, bringing out comprehensive guidelines in 2009 declaring that all EU member states should give individuals living in the EU the right to refuse the use of cookies in order to protect their online privacy. So what does this mean for businesses operating in the UK, and how might it also affect US businesses online? In our guide to cookies, we’ll look at this new EU regulation, explore the standard practices in the UK, and compare rules in Europe to the laws in the USA, so that you can be sure you know where you stand.

In March 2018 the new General Data Protection Regulation came into force, and with it the way in which companies treat data changed drastically. It also applies to US businesses, because it is triggered by the location of the person browsing your site, not by the location of the site itself. The new e-privacy regulation, the draft of which the EU officially presented on 10 January 2017, was originally meant to become legally binding at the same time; for the use of cookies in particular, it is regarded as a detailed supplement to the GDPR. At present, however, the draft e-privacy regulation is still passing through the European Parliament. It is not expected to become law before May 2019 at the earliest; when it does, it will replace the EU Cookie Directive and supplement the GDPR. So what is the current state of this law? In this article we will look at what cookies are in general, and then look ahead to what the new e-Privacy regulation means for cookie usage when EU visitors browse your website.

What are cookies?

Cookies are small text files that your browser stores on your computer when you load a web page. The file holds data from your website visit, and the idea behind this is to improve user friendliness: your browser will remember login data and language settings, speeding up and streamlining your browsing experience. A typical cookie contains a statement of how long the file is valid for and a randomly generated identifier that is unique to your browser. Cookie data is normally stored anonymously, and the data in the file is only sent back to the web server (more precisely, the domain) that issued the cookie. Cookies tend to avoid personal data too, usually only requiring it for login information. Their main job is creating the personalized, interactive online world we know today.

But despite this user-friendly aspect of cookies, many critics see them as an invasion of privacy. Cookies can be used to create what are known as ‘behavioral profiles’, which use your online habits in order to display certain ads or particular targeted content. Companies do this because it’s useful to be able to display tailored content depending on whether a user is visiting a website for the first time or the 100th time.

In some cases, cookies stay on your computer between page visits, gathering more information to build up a clearer picture of other interests you might have. In these circumstances, companies can target ads at you when you visit external pages, often displaying tailored images (like the pair of shoes you were viewing on their website, or the new kitchen appliance you’ve been searching for). This is an integral tactic for online businesses battling in the dense e-commerce market, but there are concerns that cookies may sometimes be misused to supply information about personal internet use to unknown companies.

The truth about cookies for users is that you don’t really know how your data is being used without an explanation by the website you’re visiting. And this is the fundamental reason for the EU’s revolutionary regulations from 2011.

What do the EU cookie laws mean?

In 2002, the European Union initiated its ‘Directive on Privacy and Electronic Communications’, with further amendments to cookie usage made in 2009. Despite coming under criticism for its structure and difficult interpretation, the EU set a deadline for the directive to be adopted by all member states by May 2011. Known simply as ‘The Cookie Law’, the EU directive recognizes the need for cookies in order to create the personalized online universe we enjoy today, but also makes it clear that cookies can be considered an invasion of privacy and that users deserve the right to be made aware of the presence of cookies and their usage. Certain cookies that are considered ‘strictly necessary for the delivery of a service requested by the user’ don’t have to be declared, because they are of far higher benefit to the user than to the company. This includes cookies used to track shopping carts in e-commerce and to store login information that the user requires.

For the use of most cookies, website operators in the EU now require permission from the user. This covers all cookies that don’t meet the requirement mentioned above of being ‘necessary’. This means that advertising cookies for retargeting, analysis, and social media cookies now require permission from the user. But the main issue that many companies have with these EU regulations is that the guidelines don’t clarify exactly how they should be implemented. There’s particular uncertainty when it comes to obtaining authorization from site visitors.

Opt in or opt out?

The biggest concern that most website operators have raised with regards to The Cookie Law is whether users have to agree to the cookies before the text file is created, or whether the site can use the cookie right from the get-go and only delete it if the user chooses to object. The first of these is known as ‘opt in’ and the second as ‘opt out’. Opt in cookie usage means that data may only be stored if the user gives clear permission, by clicking on an accept box or similar. Opt out means that website operators just have to inform site visitors of their cookie usage, and it is up to the user to turn the cookies off.

This is what will change through the new e-Privacy regulation

In its final form, the new e-privacy regulation is expected to entail the following: the current draft generally forbids cookies that are not necessary for the technical operation of a site, unless users agree to their use in advance. The first draft only mentioned web applications. The updated version of 22 March 2018 includes all types of machine-based communication, such as apps, e-mail, and the collection of metadata for VoIP calls. This also applies to communication between two machines, so-called M2M communication.

The e-Privacy Regulation is relevant to international communication service providers. The regulation stipulates that it applies to any terminal device used within EU borders. Where the data of a covered service is processed is not relevant to whether the regulation applies.

Data protection is not as strictly regulated in the USA. In the so-called Microsoft-Ireland case, an American district court wanted to force Microsoft to make customer-related data of EU citizens available in the USA.

However, Microsoft stores the data of its European customers in Germany with Deutsche Telekom’s subsidiary T-Systems. On the principle that American law only applies on American soil, data gathered and stored in Europe should only be subject to EU law. But the proceedings are still ongoing. To what extent European and American law will interact in the future remains unclear.

The current status of the e-Privacy Regulation

The first draft of the e-privacy regulation required that browser settings should generally be set to the highest privacy level. With these settings, browsers do not accept cookies from third parties. This would eliminate the currently widespread cookie banners, as users would have to actively decide to accept cookies. This requirement was based on the “privacy by design” principle already set out in the GDPR. However, a more recent draft relaxes the requirements for browser settings, allowing users to decide from domain to domain whether or not to accept cookies.

There are legitimate reasons for websites to require the use of cookies. For example, if a user needs to identify themselves online for their banking or wants to save a shopping basket in an online shop, cookies are often required. If website operators are transparent in their intention for the usage of the data collected by cookies, user consent and practical cookie application can go hand in hand.

How have EU cookie laws affected the UK?

The body responsible for interpreting and enforcing The Cookie Law in the UK is the Information Commissioner’s Office (ICO). The ICO has chosen a general opt out strategy for UK website operators, meaning that site visitors just have to be informed that cookies are being used. Many of these cookie notifications appear in the form of banners at either the top or bottom of a website’s homepage, and some require no direct interaction. Here are some examples of how certain well-known websites have displayed their cookie notifications:

Channel 4

Channel 4 give a comprehensive explanation of what cookies are and how they use them. This appears in a display bar at the top of the homepage, accompanied by a link to cookie management and an ‘Accept & Close’ box. This box stays in its place until you click ‘Accept & Close’, but it doesn’t follow the page, disappearing if you scroll down.

The F.A.

The Football Association’s homepage features a banner display at the bottom of the screen, explaining the type of cookie used and when it will expire. The banner follows the page as you scroll, but as soon as you click any link on the website, it will disappear, taking your click to be an acceptance of the cookie policy.

Rolls Royce

Rolls Royce offer little information about their cookie policy, besides a link to a separate web page. They don’t feature an accept button, opting for a simple X instead. Their banner appears at the top of their homepage, moving with the page as you scroll up and down and staying on display until closed, no matter how many different pages of their website you go through.

Hotel Chocolat

Hotel Chocolat take a humorous approach to their cookie usage, displaying a small box in the bottom left corner of the screen with a joke playing on the double meaning of ‘cookie’. They also offer a link to their cookie usage guide and an X in the corner of the box to close it, although it disappears as soon as the user clicks elsewhere on the screen too.

EU cookie laws: what does it mean for the US?

The extent to which the EU privacy directive will affect your business in the US is slightly unclear and open to interpretation. The simple legal answer is that these laws won’t have much impact, because the US isn’t part of the European Union and has different restrictions and guidelines when it comes to online privacy. If you’re operating a website or online shop in the United States with content aimed at American citizens, you don’t need to worry about the EU cookie restrictions. But there’s a grey area for US website operators featuring content aimed at people in the EU. For example, if you’re running a website about the Six Nations rugby tournament, played between England, Scotland, Ireland, Wales, France, and Italy, then you’re likely to get some website visitors from these countries. It’s possible that you could be violating EU law by not actively disclosing cookie information. And even if you’re not, it’s important to remember that EU citizens visiting your site will now have an increased understanding and awareness of cookies and what they mean. So it makes sense to notify site visitors using the same methods described above. If you offer an alternate website for EU citizens, for example a UK version of your online store, then you must follow the EU cookie law – and you must adhere to the guidelines set out in the EU GDPR anyway for all your sites, in case EU visitors access them.

For a full overview of cookie restrictions and other data protection laws in the US, you can refer to the usa.gov privacy, security, and accessibility policies page.

The Cookie Law: know where you stand

Cookies are becoming more and more integral to everyday internet use. Without them, website operators wouldn’t be able to offer users the stylized and personalized content that we’ve all grown accustomed to. This has even been recognized by the EU privacy directive, which has conceded that some cookies are now essential for user experience, for example login information and online shopping carts. But other cookies that are useful for retargeting and other forms of display advertising may frustrate and annoy the user, and so The Cookie Law is designed to increase user awareness of cookies and give them the option to opt out and not have their website browsing tracked.

Website operators should keep a close eye on further developments concerning the EU Cookie Directive, because the legal situation will definitely change with the new e-privacy regulation, even if it is not yet quite clear how. The GDPR contains further guidelines for the security of personal user data. As long as the e-privacy regulation is not yet legally binding, cookies are considered personal data as defined in Chapter 1 of the GDPR, since they collect data that makes a user identifiable (identification numbers, user profiles, etc.).

With the introduction of the GDPR, stricter rules will also apply in this country and for your online business when collecting and processing the personal data of visitors from the EU. Implementing these regulations precisely now will also save website operators a good deal of work if the “new cookie directive” in the form of the e-privacy regulation comes into force in the next few years.
