Taking the biscuit

Fri 11 Mar 2011

The EU Privacy and Electronic Communications Directive will come into force from 25th May 2011. You may have read some of the recent news articles that talk about ‘crumbling cookies’, websites full of annoying pop-ups and even the death of start-ups in the EU. You may be confused and wonder exactly what this directive will mean for your business and your website. Read on and I will try to shed some light:

What’s all the fuss about then?

It’s about the Directive 2009/136/EC of the European Parliament, which is an amendment of the 2002/58/EC Directive about the collection and processing of personal data and the protection of privacy in electronic communications. If you are having difficulties sleeping you can read the directive here.

The directive comes into effect on the 25th May this year. The reason for its popularity in the press recently is that it contains specific directives on the use of cookies within websites. In particular the directive states that users must be fully informed about the information being stored within cookies, how the information is used, and be able to opt-out of receiving the cookies.

The directive is primarily aimed at the user tracking commonly used in online advertising, which relies on cookies to track the behaviour of website visitors. Certain wording in the directive seems to suggest that session cookies, used to remember a user’s state, and other functional uses of cookies (e.g. the contents of a shopping basket) will be exempt from this:

Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.

That leaves a great deal of cookie usage, not related to advertising, which may come under the directive including:

  • Cookies used to remember user logins
  • Cookies used within website analytics code (e.g. Google Analytics)
  • Cookies used to provide content personalisation and user customisations
  • Cookies relating to content embedded from third-party sites (e.g. YouTube videos)

Will it affect me and my website?

If you are a business with a website based in the EU, the short answer is yes.  What is less clear at the moment is how it will affect you.  The directive has to be implemented in law in each of the EU countries and the UK government is currently considering how it should be implemented.  This process is being managed by the Department for Culture, Media and Sport (DCMS) and at the moment they seem to be considering three main options:

  1. Websites will need to provide users with information about each cookie and allow them to accept or reject that cookie.  Under this scenario users could be bombarded with pop-up windows explaining how the cookies are going to be used and how the information stored in the cookie is used.  The user would then need to accept or reject the cookie.  This is the option being highlighted in the press because it would be very unpopular and annoying, both for the website owner and developer and the user. David Naylor’s blog illustrates this quite nicely.
  2. Websites or browsers would need to highlight to users where cookies are being used and enable them to find out more about the cookie usage including how to accept or reject the cookie.  This would be similar to the above approach but less intrusive; instead of pop-ups the information would be accessed through a link to privacy/cookie usage information.
  3. Another option is to enhance web browser settings in relation to cookies, making them more visible and providing clear and comprehensive information about cookies and how to opt-out of accepting them.

Option three would be the best outcome for website owners and developers as it puts the onus of responsibility on the developers of web browsers rather than websites and organisations who own websites.  In reality I suspect that responsibility will be shared between both of these camps, but until details of how the directive is to be implemented in the UK are released we can’t be sure what action needs to be taken.  The government recognises this and it is clear that they won’t be rushing to prosecute or fine organisations for non-conforming websites come midnight on the 25th May!

This directive will become law though, and action of some kind will be required before, on or after this date.  One thing we can expect is that the lawyers and opportunists will be grooming the directive and our websites and I wouldn’t be surprised if we see a wave of spam on or around the 25/05 highlighting non-compliance and either threatening legal action or selling services to ‘fix’ websites.

What do I need to do?

Until the DCMS publishes guidance on how they expect organisations and websites to conform to the directive, it is unclear what action you may need to take to ensure compliance, and I will write again with further advice once this guidance has been published.  However, there are some steps I would recommend that you take now:

  1. Be aware of the directive and its potential impact on your website and business.  Hopefully this blog post has helped in this regard.
  2. Understand exactly what cookies your website uses, what information is stored in them, why they are used and how users can opt-out of accepting them.  Publish this in a Privacy Policy on your website and link to the policy from every page.

Ultimately, relax and don’t panic. I don’t think this is going to be the big issue that the press seem to make of it, nor the end of cookies or competitive websites in the EU.

Wayne Rowley

Head of Development

I am the Head of Development at Redweb. I have spent nearly 10 years working as a software engineer specialising in the development of websites and web applications and a couple of years prior to that building Microsoft Windows desktop applications and services.
