The Ultimate EU Cookie Legislation Guide
I don’t think any one of us would have predicted that when we saw cookie monster in Sesame Street cookies would have such a big impact on our lives. We might have thought we needed to protect our cookies, but we probably all thought cookie monster was after the ones in our mothers cookie basket. Never ones which made sure we did our jobs right.
Now the cookie monster has changed into a governmental creature. And instead of eating all our cookies, he is simply telling us we have to ask permission. Hmm it does sound a lot like my mother back then if you think about it…
Ever since the EU decided on the new cookie regulations the online industry has been in distress: what is really happening? what are we supposed to do? What are the implications? Nobody really seems to know, not even those who made the regulations in the first place.
We have seen a few post around the web explaining some of it and I think the one Jon Quinton wrote digesting the cookie legislation right here is a great post which dives in to the matter, and there are some ‘official cookie sites‘ out there but still many are confused.
The Dutch DMA is the institute in the Netherlands which is closest to subject, it tries to lobby for better regulations and it tries to help advertisers and others involved understand what is going on and how to handle on it. They now have released a practical how-to-guide into the new cookie legislation. The guide has a primarily focus on the Dutch market but has many things in it which are usable for anyone in Europe who is affected by the new regulations.
Below I will extract some of the important parts of the guide which are applicable for everyone in Europe. At the bottom of this post you will also find some information on differences between different countries in Europe, which is taken from another document of the DMA, a table which shows all the countries. Some of the text is taken from the guide.
What are the cookies?
The guide starts off with an extensive explanation of what cookies actually are. The guide gives an example of what cookies usually contain:
Description: The domain name of the website server that
generated the cookie.
Expiration Date: How long your browser can use the cookie
information to access the website (until end of browsing session
or a speciﬁc date)
Name: User Id
Value: Unique information, usually a randomly generated number:
There are two different types of cookies:
First party cookies
A first party cookie is cookie that is issued by the web site that you are visiting. This cookie can only be read by those operating the site and usually have several different functions like remembering a user name, password or items remaining in a shopping cart prior to an online sale for example. They are also used for ‘internal advertising’ like for example showing what others have bought who have a similar profile as you have.
Third party cookies
A third party cookie is a cookie is issued by a site that is different than the one you are currently surfing. These are for example cookies from advertising networks who place ads on the site. Third party cookies track users behaviour over time and across different websites.
The new Legislation
The guide takes an extensive look at the legislation, trying to clarify it. The most basic explanation of the new legislation probably is:
“Before a cookie may be stored, the issuing website has to provide the user with clear and comprehensive information and ask for his or her consent.”
Important to note is that this is not just for pc’s, but also for for example phones, TV’s or tablets for example. In other words: we are talking more than just cookies here. As the guide says, it also includes for example “browser ﬁngerprinting, as well as discrete set top boxes such as those used by cable and satellite companies for digital television.”
The exact requirements
So what are the exact requirements from the EU?
The legislation says:
“The user shall be provided with clear and comprehensive information consistent with the Data Protection Act including, in each case, the purpose for the storage of, or access to, that information”
This simply said is about informing the visitors of a website: the website must clearly inform the user that it wants to store data about the user in a cookie. Also the website is obliged to give an explanation about the purpose the cookie will be used and what data it contains.
Next to that a user must be informed, the user then must consent to the fact that the cookie and the data is indeed stored. They have to opt in, say “I do” if you wish.
The regulations as described above apply to all cookies, including those from tools like Google Analytics. The only exception is for what is termed as “essential cookies”.
The legislation has two kinds of “essential cookies”:
- For the sole purpose of carrying out the transmission of communication over an electronic communications network.
- For those cookies that deemed as necessary for the user (making a website run, login details etcetera caching etcetera).
The guide then has a specific piece about the Dutch amendments on the legislation and the consequences of that. One thing which is important to note for those in other countries as well, is that it is not sufficient to get the consent on a browser level in the Netherlands, but it is in some other countries. The Dutch don’t approve of this, but neither do for example the Danes, Lithuania and Latvia. In the UK consent can be gained via the browser “but only when a user has actively changed the default settings”
The Guide offers website owners a nine-step-route to how you can comply to the new regulations:
Step 1 – Take stock: This means, try to understand what is going on
Step 2 – Identify Your Cookies Yourself
Step 3 – Identify Cookies with Website Developers: identify what kind of cookies your website uses
Step 4 – How will you gain consent: Decide on the method you will use to gain user consent for cookies. They also give some examples like: Pop-up consent window, Full page overlay, Extended toolbar, Registration, Banners or Splash Pages
Step 6 – Update Online Privacy Statements
Step 7- Check Third Party Agreements
Step 8 – Train & Inform Everyone
Step 9 – Keep Following Developments
Even if you understand what is going on and you know the steps you have to take, there are some complications you might run into, both legal and technical. Legal could for example be “Who is actually granting their consent”. Technical issues could for example be “What if a user gives consent for the storage of third party cookie “X” on website A and does not give this consent on website B where the same cookie is used? “
There are no real answers to be given (yet) about these possible complications, but it is smart to at least take notice of them and be aware of the fact they might happen.
The above is an extract of the guide and the most important parts for international purposes, but the guide contains more information, like for example an explanation of how to find and delete cookies in browsers Chrome, IE and Firefox.
Differences between countries
As you might be aware of, the EU has many countries. And all these countries in one way or another have agreed to follow the regulations. And not all countries have the regulations in order yet.
The DMA also has an overview of when and how the different countries have their implementation in order.
Countries which do NOT have the legislation in force yet are: Belgium, Germany, Greece, Austria, Poland, Portugal, Romania and Slovenia.
The other countries should have gotten things in order already, but even there we can see some exceptions. Hungary for example has the regulations in force since August 2011, but “Has not implemented the exception on the consent requirement for “functional cookies””.
The table shows differences between countries. We’ve extracted the few most prominent countries of that table here.
|Belgium||Not yet in force||No guidance for gaining legal consent||The responsible Minister has indicated that he prefers a broad interpretation of the consent requirement. Infringement proceedings are initiated by the EU because Belgium hasn’t implemented the Directive within the compliance deadline.|
|Denmark||14 December 2011||Consent via web browser is insufficient. The user must be provided with clear and comprehensive information, including the specific purposes for which cookies are used.|
|Germany||Not yet in force||Probably explicit consent via web browser.||The legal consent requirement will likely be elaborated in self-regulation.|
|France||26 August 2011||Consent can be gained via web browser.||The French Data Protection Authority (CNIL) stated that tracking cookies require explicit consent, but it remains unclear how this should be obtained.|
|Italy||End of May 2012||Consent can be gained via web browser.|
|Netherlands_||5 June 2012||Consent via web browser is insufficient. Websites provide the user with clear and comprehensive information when storing cookies and gaining user consent. Implied consent is not allowed.||The Dutch law was amended stating that tracking cookies are presumed to be personal data, making the Data Protection Act applicable. The burden of proof lies with the industry. This amendment will come into force January 1st 2013.|
|UK||25 May 2011||Consent can be gained via web browser, but only when a user has actively changed the default settings||ICO (Data Protection Authority) has indicated that implied consent is sufficient. Websites have to mention that cookies are stored and indicate how a user can adjust this, either on the website or via the browser.|
What to expect
Is the cookie jar now empty? Is this it? Probably not. Many countries are still struggling and we’ll need to wait and see what the actual impact is and if there is going to be a follow up on this. It might trigger some smart people to think of different ways than cookies to ‘track’ user behavior.