Jul. 11, 2011 | by Andrew Ball
This article is an update / reminder on the topic following the recent introduction of the law in Ireland.
What’s happened / what’s changed
In 2009 the EU e-Privacy Directive was issued, one part of which required all the member states of the EU to create a law to limit the files that a website could install on a user’s computer without their express permission.
The majority of files this affected are ‘cookies’ – small text files that are used to store small pieces of information. This information can be used for such purposes as storing preferences or tracking browsing history.
According to W3Techs.com, cookies are used by 46.6% of all websites, with 17.2% of sites using persistent cookies, that do not disappear when the user closes their browser.
This whole area can be quite confusing, and videos to simplify the topic can be found on YouTube – search for “EU privacy law”.
In the UK, this law was brought into effect on the 26th of May 2011. As this made virtually every website in the UK illegal, the ICO (Information Commissioner’s Office) made provision for this by stating that website owners had a lead-in period of a year to implement the rules.
“…allow a lead in period of 12 months for organisations to develop ways of meeting the cookie related requirements of the 2011 Regulations…” – ICO ‘Enforcing the revised Privacy and Electronic Communications Regulations (PECR)’
The Irish Government brought the Directive into law on the 1st July 2011, with the Data Protection Commissioner (DPC) issuing guidance on how to comply. In the same way as in the UK, this has made all Irish sites illegal. Crucially, however, they have not added a lead-in period to allow the changes to be made, meaning that they could choose to fine website owners immediately.
That said, it’s unlikely they will fine anyone until all the government sites comply with the law.
Which they don’t.
A quick test on www.gov.ie gives the following breakdown of the cookies used across a sample of 10 pages:
- qtrans_cookie_test is a session cookie, so allowed, if it is ‘strictly necessary’
- AddThis sets a number of cookies which are used to enable sharing via social media
What it means for you
If you own and operate a UK website, the situation is unchanged – you have till the 26th May 2012 to finalise your changes to meet the new law.
If you own and operate an Irish website, the changes must (by law) be made as soon as possible, to mitigate the potential of being fined.
Is my site affected by this?
An interesting question here is to do with which country’s laws your site falls under.
Having spoken to an ICO representative based in the UK, the feedback from them is that if a company operates a website that sells to UK consumers and the company has a physical presence within the UK, that website needs to comply with the new law. However, there are no hard and fast rules, so each site will be taken on a case-by-case basis according to this representative.
It is expected that the Irish DPC will use a similar approach of deciding if their law covers your site. As with the UK, this means that if you have a physical presence in Ireland, such as a subsidiary, then the website that Irish consumers use must adhere to the new law.
As to the rest of the EU – most member states have not yet decided how they will implement the directive, though it is likely to either be along the same lines as the UK, or potentially even stricter – currently Google Analytics (a common tracking tool) is banned in Germany due to privacy issues.
What steps to take next
Whether you operate a site in the UK or Ireland, the advice is the same – start the process to bring your site into compliance.
The ICO have produced clear and sensible recommendations which we would suggest are followed as a first step in deciding how best to interpret and deal with this change for your business:
- Audit the use of all cookies on your website (identify what cookies are dropped, by whom and when)
- Assess and rank the privacy implications of these (clarify the use and purpose of each cookie, and assess what the implications for user privacy are)
- Decide on an appropriate solution with which to gain user consent
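The first audit step, identifying what cookies are dropped, by whom and when, can be mechanised from a capture of each page's Set-Cookie headers. The following Python is an added example, not from the article or the ICO: it takes (page URL, responding host, Set-Cookie header) observations, such as a crawler or proxy would record across a sample of pages, and classifies each cookie as first- or third-party and session or persistent. The hostnames, cookie values and the 'prefs' cookie are constructed; qtrans_cookie_test and the AddThis cookie mirror the gov.ie breakdown above.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class CookieRecord:
    name: str
    set_by: str        # host whose response carried the Set-Cookie header
    third_party: bool  # set under a different registrable domain than the page
    persistent: bool   # survives browser close (carries Expires or Max-Age)
    lifetime: str      # raw Max-Age/Expires text, or "session"

def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def site_of(host: str) -> str:
    # Crude registrable-domain guess (last two labels); a real audit would consult the public suffix list.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(page_url: str, responder: str, header: str) -> CookieRecord:
    """Answer the ICO audit questions for one cookie: what, by whom, and for how long."""
    name, _value, attrs = parse_set_cookie(header)
    page_site = site_of(urlsplit(page_url).hostname or "")
    cookie_host = attrs.get("domain") or responder
    lifetime = attrs.get("max-age") or attrs.get("expires") or "session"
    return CookieRecord(name, responder, site_of(cookie_host) != page_site,
                        lifetime != "session", lifetime)

def audit(observations):
    """observations: (page_url, responding_host, set_cookie_header) tuples; returns unique cookies."""
    seen = {}
    for page, host, header in observations:
        rec = classify(page, host, header)
        seen.setdefault((rec.name, rec.set_by), rec)   # same cookie on several pages counts once
    return sorted(seen.values(), key=lambda r: (r.third_party, r.persistent, r.name))

# Constructed sample capture (not real traffic); example.ie and the 'prefs' cookie are hypothetical.
SAMPLE = [
    ("http://www.example.ie/", "www.example.ie", "qtrans_cookie_test=1; path=/"),
    ("http://www.example.ie/", "cdn.addthis.com", "uid=4e1a; Expires=Thu, 09 Jul 2013 12:00:00 GMT; Domain=.addthis.com; Path=/"),
    ("http://www.example.ie/news", "www.example.ie", "qtrans_cookie_test=1; path=/"),
    ("http://www.example.ie/news", "www.example.ie", "prefs=en; Max-Age=31536000; Path=/"),
]
```

Calling `audit(SAMPLE)` yields three records: the session first-party test cookie, the persistent first-party preference cookie, and the persistent third-party AddThis cookie, which is the one most likely to need explicit consent.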
Whilst steps 1 and 2 can be done with relative ease, the contention is around step 3.
The ICO have demonstrated an example of how this can be done on their website.
Analysis of the way this affected their ability to track users on their site showed that 90% of users declined to accept the cookies, meaning that now, 90% of visitors to their site were invisible to their analytics package. This invisibility will impact the ability to tailor a site to how it is used by visitors, as well as potentially reducing income if the site uses advertising.
Whilst these figures are alarming, it is important to note that this is only a single example website, and criticism has been made of the design choice implemented by the ICO. The method of implementation will almost certainly be slightly different on each site, at least until a common approach can be agreed on, and it is important to ensure that the method you choose is best for both your business and the user’s needs.
Another interesting point to note is that the law only calls for one acceptance per site. This means that an opt-in can cover user settings, preferences, analytics and browsing history tracking cookies, in a one-for-all policy.
One possible way the law can be complied with is by using browser settings, though as current browser settings are not considered sufficient, there are on-going discussions with the major browser companies as to how this can be met in the future.
If new versions are released before next May, this means companies in the UK may not have to make any changes, though it is by no means guaranteed.
Alternatives for Analytics
If a user chooses not to accept cookies, there are other methods of tracking available, including log file tracking, where the user is tracked via their IP address. This is not always as reliable as cookies, partly because users often have non-fixed (dynamic) IP addresses.
The important thing to remember when looking at alternatives is that this may drastically change the quality and quantity of data you receive, so ensure you know the implications first.
This topic is highly contentious, and I’m sure we have not seen the last of it. As before, the next steps should be to check the type of cookies your site serves to your visitors. If their purpose is benign tracking for analytics, or user settings, you are more likely to avoid attention than if you install third party browsing history cookies.
It is important to note that any advice in the above post is not to be construed as legal advice and you are advised to seek your own counsel on how to approach this matter.