An insight into the new legislation – the so-called ‘Cookie Law’ – and existing requirements relating to online privacy and data collection on websites. : Nov 2012
An EU privacy law that came into force in May 2011 calls into question most of the techniques currently used to store information about website visitors. Almost every website stores some data on the visitor’s computer in a small text file known as a cookie, holding anything from login details and shopping basket contents to a range of other preferences. It is safe to say that the law affects your website and your company.
The legislation has been adopted into UK law, and organisations that “seriously breach” it could be liable to fines of up to £500,000. Well, we hope that got your attention! But don’t panic. The important thing is to be aware of the law and to begin acting on it.
Although the law came into effect in May 2011, enforcement was delayed until May 2012, so you need to be seen to be acting on it now. It is not the most clearly drafted piece of legislation, and it is likely to be contested and revised, but you would not want your company to be involved in one of the first test cases, so take time to read this guide. We will follow up with you individually on how the law may affect your particular website and company, but it is down to you to be aware of your responsibilities under it.
The law affects every company or individual in the UK that operates a website collecting any form of data on visitor preferences. It requires websites to ask visitors specifically for their consent before collecting most kinds of data about them.
Data is usually stored in simple text files known as ‘cookies’. These store data such as login details, shopping activity and pages visited. Some are only used within the one website (such as login usernames), while others can track a visitor from website to website and use that information, for example, to suggest things you might like when visiting another site.
Cookies are not the only way to store this data. Alternatives such as so-called Flash cookies (Local Shared Objects) appear to be even more strongly discouraged by the new law because they are harder to opt out of: most web browsers at least allow the user to refuse all conventional cookies, whereas Flash storage is controlled separately from the browser’s cookie settings.
You are very unlikely to be able to ignore the new law. Even if you do not operate an online store or require visitors to log in, there is a good chance that cookies are being used on your website for something. For example:
Google Analytics – a statistics tool probably embedded in your website. It collects visitor data, stores it within Google’s system and makes it available to the website administrator, allowing you to analyse how well your website is doing. It relies on storing information in cookies.
Social media plugins such as the Facebook Like button store information in cookies.
Users’ preferences for how they view the pages of your site are stored in a cookie.
Even if a cookie does not store personal information in the sense of a name or similar details, the fact that it records a visitor’s preferences, which may then be used, for example, to target further advertising at that visitor, means it is considered a potential invasion of the person’s privacy.
There are, however, certain exceptions. The law does allow cookies that are “strictly necessary for a service requested by a user”. This would appear to cover, for example, cookies that remember what a user has placed in their online shopping basket, and those set when a visitor has signed up as a user and asked for their login details to be remembered.
But the law is not precise on what counts as “strictly necessary”. It certainly appears that any cookie used for data analysis (analytics) or advertising tracking requires the user to opt in. Some, including cookies for so-called behavioural advertising that builds a profile of the user over time, are explicitly prohibited unless you have the user’s prior consent.
In the UK, the Information Commissioner’s Office (ICO) enforces the EU directive as brought into UK law.
Asking for consent appears to be required for all but those cookies that can confidently be shown to be “strictly necessary for a service requested by a user”. This raises technical questions about how the Accept/Deny message is implemented and what happens if the visitor says no. Your privacy information also needs to set out, for each cookie:
Who is responsible for serving the cookie and collecting its data
The cookie file name as shown within the web browser’s privacy tools
Exactly what the cookie is for (its purpose)
How long the cookie will remain active
Whether the cookie stores any identifiable personal information about the user
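The audit fields above can be produced mechanically from the Set-Cookie headers a site and its embedded services send, which can be captured with a browser’s developer tools or a proxy. The following Python script is an added example written for this page, not code from the original article: it parses captured headers, works out who set each cookie, whether it is first or third party, how long it lives, and whether it looks like a persistent identifier. The site name, the sample headers and the name-to-purpose table are constructed for illustration; the table in particular is an assumption and must be confirmed against each vendor’s own documentation before it goes into a privacy policy.

```python
"""Cookie audit helper (added example, not part of the original article).

Parses Set-Cookie headers captured from a site's responses and produces the
fields a cookie disclosure needs: who sets the cookie, its name, its purpose,
how long it lives, and whether it may carry identifying data.  The header
sample and the name-to-purpose table below are constructed for illustration
and are assumptions, not vendor documentation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_DOMAIN = "www.example-shop.co.uk"          # the audited site (assumed)
AUDIT_DATE = datetime(2012, 11, 1, tzinfo=timezone.utc)  # reference date for lifetimes

# Illustrative mapping of cookie names to (purpose, category).  Confirm each
# entry against the vendor's own documentation before relying on it.
KNOWN_COOKIES = {
    "__utma": ("Google Analytics visitor tracking", "analytics"),
    "__utmz": ("Google Analytics traffic source", "analytics"),
    "datr": ("Facebook browser identification", "social/advertising"),
    "PHPSESSID": ("PHP session identifier", "strictly necessary"),
    "basket": ("shopping basket contents", "strictly necessary"),
}

@dataclass
class CookieAudit:
    name: str
    set_by: str          # host that served the Set-Cookie header
    scope: str           # Domain attribute, or the serving host if absent
    first_party: bool
    purpose: str
    category: str
    lifetime: str        # "session" or a duration in days
    needs_consent: bool  # anything not strictly necessary
    may_identify: bool   # long-lived unique value that can single out a visitor

def registrable_domain(host):
    """Crude registrable-domain guess; handles .co.uk-style suffixes and plain TLDs (assumption)."""
    parts = host.lower().lstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "org", "gov", "ac") and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def audit_cookie(serving_host, header, now):
    """Turn one Set-Cookie header value into an audit record."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    attr = {}
    for a in attrs:
        k, _, v = a.partition("=")
        attr[k.lower()] = v
    scope = attr.get("domain", serving_host).lstrip(".")
    first_party = registrable_domain(scope) == registrable_domain(SITE_DOMAIN)
    # Lifetime: Max-Age takes precedence over Expires; neither means a session cookie.
    if "max-age" in attr:
        lifetime = f"{int(attr['max-age']) / 86400:.0f} days"
    elif "expires" in attr:
        lifetime = f"{(parsedate_to_datetime(attr['expires']) - now).days} days"
    else:
        lifetime = "session"
    purpose, category = KNOWN_COOKIES.get(name, ("unknown - investigate", "unclassified"))
    needs_consent = category != "strictly necessary"
    may_identify = lifetime != "session" and len(value) >= 8
    return CookieAudit(name, serving_host, scope, first_party, purpose,
                       category, lifetime, needs_consent, may_identify)

def audit_responses(captured, now=AUDIT_DATE):
    """Audit a list of (serving host, Set-Cookie header) pairs."""
    return [audit_cookie(host, header, now) for host, header in captured]

# Constructed sample: (serving host, Set-Cookie header) pairs as a proxy log might show them.
SAMPLE = [
    ("www.example-shop.co.uk", "PHPSESSID=7f3a9c1e2b; Path=/; HttpOnly"),
    ("www.example-shop.co.uk", "basket=3:items; Path=/; Max-Age=604800"),
    ("www.example-shop.co.uk", "__utma=12345678.987654321.1351000000.1351000000.1351000000.1; "
                               "Domain=.example-shop.co.uk; Expires=Sat, 01 Nov 2014 12:00:00 GMT"),
    ("www.facebook.com", "datr=AbCdEfGhIjKlMnOp; Domain=.facebook.com; Max-Age=63072000; Path=/"),
]

if __name__ == "__main__":
    for c in audit_responses(SAMPLE):
        party = "1st" if c.first_party else "3rd"
        print(f"{c.name:<10} {party}-party, set by {c.set_by:<24} {c.lifetime:<10} "
              f"{c.category:<20} consent needed: {c.needs_consent}")
```

Two points worth noting from the output: the Google Analytics cookie is first party (it is scoped to your own domain) yet still needs consent, because first party is not the same as strictly necessary; and a cookie the table does not recognise is reported as unclassified rather than silently passed, since every unexplained cookie needs investigating before the policy wording is written.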
We will be compiling wording for the cookies typically found on our clients’ websites, for inclusion in existing privacy policies, but each website will need to be audited to check which cookies it actually serves. Please contact us if you need assistance with this.
In the case of third-party services such as Google and Facebook, we as designers and you as website owner can do little other than rely on them to make their cookies legal, remove the services altogether, or place a very clear request to the visitor to accept each cookie, with an easily found explanation of what it is for.
While the EU-inspired legislation on cookies is relatively new, existing UK law already sets out several requirements your website must satisfy. Your site should already conform to these, so it is a good time to remind ourselves of them.
If you run a registered company, your website must display your business name, place of registration and the company’s registered number and registered office address.
If you run an e-commerce website, you need to display Terms & Conditions, Delivery and Returns Policy pages to conform to the Consumer Protection (Distance Selling) Regulations 2000 and the Electronic Commerce (EC Directive) Regulations 2002.
Where credit and debit card information is collected, you must conform to PCI DSS (the Payment Card Industry Data Security Standard).
Your email marketing database, if you have one, must contain only addresses whose owners have opted in, and every marketing email you send must offer a way to opt out of further emails.
Additionally, your website pages must meet certain web accessibility guidelines (the Priority 1 checkpoints of the W3C Web Content Accessibility Guidelines).
That is how it has been until now. Alas, it’s no longer enough. There have been conflicting statements from EU officials on this, but the ICO here in the UK has itself issued clarification on it:
The ICO has stated that it intends to enforce the legislation, though test cases are likely to involve larger companies and institutions first; small to medium-sized businesses are unlikely to be taken to court any time soon.
But don’t ignore it. Plan how you will update your website to comply with the regulations as currently stated (we can help you with this) and apply those changes at the first opportunity; it seems clear that the ICO will treat companies sympathetically where it can see an effort is being made to comply.
At this stage the consensus in the web industry is that while many websites, particularly higher-profile ones, will be ordered to change, few will be fined for not fully complying. So make plans, but don’t panic!
This is a complex subject, and we have deliberately kept to the essentials here to make it an easier read. It is an introduction to the new legislation, very much a ‘heads up’ on a subject that should be taken seriously. You should not rely on the information here as complete or as the sole basis for your actions. Please contact us for advice tailored to your particular company and website.