Sunday 26 June 2011

How will the new EU Directive on Internet Privacy affect your web site?

An EU Directive has recently come into force affecting the use of web site cookies to collect user information. Many companies in the past have used Privacy Policies in their web sites to cover the collection of information through the use of cookies. However, this new directive means that in future web site owners will need the explicit consent of the visitor to collect information about them and thus to place a cookie in their browser.

From 25 May, European law dictates that "explicit consent" must be gathered from web users who are being tracked via text files called "cookies".

The directive demands that users be fully informed about the information being stored in cookies and told why they see particular adverts. This will impact upon, for example, the automatic registration of visitors to sites or tracking to provide relevant marketing to visitors, both of which use either Session or Persistent Cookies to recognise visitors and simplify their experience. The Directive does, however, specifically exclude use of cookies that track items that are placed in shopping carts.

However, all is not lost. The Directive says that it may be possible for a user's consent to be provided by their use of appropriate browser settings.

“…Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.”

Directive page L 337/20, paragraph 66

This may appear to be good news; however, not everyone will visit a web site through a browser that allows these settings to be adapted, for example when browsing using a mobile phone or an older version of a browser.

In an attempt to help businesses in the UK prepare for and comply with the EU Directive, the Information Commissioner’s Office (ICO) has issued guidance, aligning UK law with the EU Directive in the belief that a browser setting signifies consent.

“(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.” 

In addition, the ICO explains that those cookies that are “strictly necessary” to providing a service are exempt from the new rules. The ICO also adds:

“At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.” 

The BBC has recently reported: “The government has formed a working group with browser manufacturers to see if a browser-based solution to the issue can be found. Microsoft’s IE9 and the latest version of Mozilla’s Firefox already offer a setting to protect users from services which collect and harvest browser data and Google is working at integrating so-called ‘Do Not Track’ technologies into their Chrome browser. As part of its work to comply with the directive, the IAB has created a site that explains how behavioural advertising works and lets people opt out of it.”

So what does this mean for businesses that run web sites? If you use cookies to track your visitors, you cannot assume that they have expressly agreed to the use of cookies through their browser settings.

In the short term, additional 'opt ins' or information communicating the use of cookies may be required upon registration to a web site, where the user agrees to the specific use of cookies.

In the medium to long term, it is hoped that a person's browser settings will provide the consent required, removing the need for this additional opt in by web site users while maintaining the benefits that cookies provide to the user.

The law is far from clear at present and The Think Tank is unable to offer legal advice. However, this is a topic that should be on the radar of web site owners, and if you are worried about your web site and the use of cookies we advise that you speak with your legal representative to clarify your personal circumstances.

Disclaimer: The Think Tank is not a legal adviser and is only commenting upon this subject. We do not accept any liability for any actions taken upon the information contained in this article.
