In March 2018 the new General Data Protection Regulation came into force, and changed the way many regulations work in terms of storing sensitive user data within the EU. In fact, the new e-privacy regulation, the draft of which the EU officially presented on January 10th 2017, was to become legally binding at the same time. In the area of application of cookies in particular, it is regarded as a detailed supplement to the GDPR; however, its development has stalled. The European Parliament has not yet been able to agree on a draft, which means the law will not come into force in the foreseeable future. For this reason, the EU Cookie Directive will remain in place. But what is the current state of this law? In this article we will look at the general matter of what cookies are, as well as taking a look ahead to what the new e-Privacy regulations mean for cookie usage for EU visitors browsing your website.
ECJ ruling – Non-technical cookies are subject to consent
As a result of a recent court case in Germany that eventually made it to the European Court of Justice, the ECJ ruled in favour of data protection, stating that an opt-in in the case of cookie-settings must take place. The user must be able to check a box to provide consent. Additionally, the court found that users need to be informed about the cookies being used. Website operators should provide information on how long the files are valid for and which purpose they are being stored for.
The original court case in Germany was appealed, and their federal courts have delivered another guilty verdict on the website operator:
The court ruling demonstrates that user consent must be active, voluntary, and must take place from an informed position. This means that visitors to a website must be required to check the approve cookies box themselves (active). At the same time, a lack of consent must not prevent the user from being able to visit the site (voluntary). Finally, visitors must be able to understand what they are agreeing to, which means displaying information in clear language, not hiding options, and not adding long legal texts (informed). The German judiciary is also taking action against Dark Patterns, whereby a website is designed to be as unclear as possible in order to impose a condition on the user (such as consent to advertising cookies).
As of yet, it remains unclear what the ramifications of these legal questions are to UK website operators with German visitors, but anyone operating a website with international users is well-advised to keep abreast of the current legal situation regarding data protection within the EU.
- ECJ ruling – Non-technical cookies are subject to consent
- What are cookies?
- What do the EU cookie laws mean?
- What changes will the e-Privacy regulation bring?
- What does the EU cookie law look like in everyday life?
- What do EU cookie laws mean for UK businesses?
- The Cookie Law: know where you stand
What are cookies?
Cookies are text files that are stored by your browser on your computer when you load a web page. The text file consists of data from your website visit and the idea behind this is to improve user friendliness: your browser will notice login data and language settings, speeding up and streamlining your browsing experience. Typical cookie data contains a statement about the life of the text file and a randomly generated number that’s unique to your computer. Cookie data is normally stored anonymously, and the data stored in the text file can only be read on the web server that issued the cookie. Cookies tend to avoid personal data too, usually only requiring it for login information. Their main responsibility is creating this personalised, interactive online world as we know it today.
But despite this user-friendly aspect to cookies, many critics see them as an invasion of privacy. Cookies can be used to create what’s known as ‘behavioural profiles’, which use your online habits in order to display certain ads or particular targeted content. They do so because it’s useful for companies to be able to display tailored content depending on whether a user is visiting a website for the first time or the 100th time.
In some cases, cookies stay on your computer between page visits, gathering more information to build up a clearer picture of other interests you might have. In these circumstances, companies can target ads at you when you visit external pages, often displaying tailored images (like the pair of shoes you were viewing on their website, or the new kitchen appliance you’ve been searching for). This is an integral tactic for online businesses battling in the dense e-commerce market, but there are concerns that cookies may sometimes be misused to supply information about personal internet use to unknown companies.
The truth about cookies for users is that you don’t really know how your data is being used without an explanation by the website you’re visiting. And this is the fundamental reason for the EU’s revolutionary regulations from 2011.
What do the EU cookie laws mean?
In 2002, the European Union initiated their ‘Directive on Privacy and Electronic Communications’, with further amendments to cookie usage made in 2009. Despite coming under criticism for its structuring and difficult interpretation, the EU set a deadline for their directive to be adopted by all member states by May 2011. Becoming known as simply ‘The Cookie Law’, the EU directive recognises the need for cookies in order to create the personalised online universe we enjoy today, but also makes it clear that cookies could be considered an invasion of privacy and that users deserve the right to be made aware of the presence of cookies and their usage. Certain cookies that are considered ‘strictly necessary for the delivery of a service requested by the user’ don’t have to be declared, because they are of far higher benefit to the user than the company. This includes cookies used to track shopping baskets in e-commerce and to store important login information that the user requires.
For the use of most cookies, website operators in the EU now require permission from the user. This covers all cookies that don’t meet the requirement mentioned above of being ‘necessary’. This means that advertising cookies for retargeting, analysis, and social media cookies now require permission from the user. But the main issue that many companies have with these EU regulations is that the guidelines don’t clarify exactly how they should be implemented. There’s particular uncertainty when it comes to obtaining authorisation from site visitors.
What changes will the e-Privacy regulation bring?
Any changes will be explicitly outlined in the new e-Privacy Regulation. Previous drafts provided for a general ban on technically unnecessary cookies, with the exception that users may agree to their use in advance. The initial draft of this regulation was solely concerned with web applications. The draft released on March 22nd, 2018 covers all kinds of machine-based communication like apps, email, and metadata collection for VoIP calls. It also covers inter-machine communication, like M2M communication.
The e-Privacy Regulation should also be of interest to international communication service providers, including those from the UK and the USA. The regulation stipulates that the rules apply as soon as a terminal is located within EU borders. It is irrelevant where data processing for a controlled service takes place.
The first draft of the e-Privacy Regulation stipulated that the manufacturer should generally have the highest privacy settings pre-set in browsers. When operating with this setting checked, the browsers would not accept third-party cookies. As a result, cookie banners, which are extremely popular, would disappear, since users would have to actively choose to accept cookies with each software installation. This requirement was based on the principle of "Privacy by Design", as described in the GDPR. However, a more recent draft has relaxed the rules for browser settings somewhat. Users can now once again choose whether to allow cookies on a per-website basis.
What does the EU cookie law look like in everyday life?
The body responsible for interpreting and enforcing The Cookie Law in the UK is the Information Commissioner’s Office (ICO). The ICO has chosen a general opt out strategy for UK website operators, meaning that site visitors just have to be informed that the cookies are being used. Many of these cookie notifications appear in the form of banners at either the top or bottom of a website’s homepage, and some require no direct interaction. Here are some examples of how certain well-known websites have displayed their cookie notifications:
Channel 4 give a comprehensive explanation of what cookies are and how they use them. This appears in a display bar at the top of the homepage, accompanied by a link to cookie management and an ‘Accept & Close’ box. This box stays in its place until you click ‘Accept & Close’, but it doesn’t follow the page, disappearing if you scroll down.
Hotel Chocolat take a humorous approach to their cookie usage, displaying a small box in the bottom left corner of the screen with a joke playing on the double meaning of ‘cookie’. They also offer a link to their cookie usage guide and an X in the corner of the box to close it, although it disappears as soon as the user clicks elsewhere on the screen too.
What do EU cookie laws mean for UK businesses?
Judging the success of The Cookie Law in the UK is a difficult thing to do. The ICO has registered very few complaints about cookies from users, which suggests that either the law is working and UK citizens are happy with the improved transparency over cookie usage, or that they simply aren’t so concerned about cookies anyway. The main concern for website operators in the UK is ensuring cookie alerts don’t annoy the user, especially after the introduction of the GDPR. On the whole, this isn’t so difficult for desktop displays – the examples we’ve compiled above show just how flexible you can be with cookie notifications. But these can become more intrusive when you visit a mobile site, simply because the screen is smaller but the same number of words are required to explain about cookies. Given the global trend towards mobile browsing, we recommend that you try to find a solution that isn’t intrusive or disruptive to the user’s browsing experience.
The ICO enforcement of The Cookie Law hasn’t been as tough as was first expected. Initial suggestions of fines of up to £500,000 for not following procedure haven’t come to fruition thus far, but this is probably due to the relative lack of complaints about cookie misuse. But website operators who fail to follow ICO regulations can at the very least expect a formal warning. And since users are now becoming more and more aware of what cookies do and how they can be used, you’re likely to see a drop in site visitors if you earn a reputation for not following ICO regulations.
If you’re a website operator in the United Kingdom, the ICO offers simple, straightforward guidance on cookies on its ‘Cookies and similar technologies’ advice page, and also offers a more wordy, comprehensive guide to cookies in PDF format.
The Cookie Law: know where you stand
Cookies are becoming more and more integral to everyday internet use. Without them, website operators wouldn’t be able to offer users the stylised and personalised content that we’ve all grown accustomed to. This has even been recognised by the EU privacy directive, which has conceded that some cookies are now essential for user experience, for example login information and online shopping carts. But other cookies that are useful for retargeting and other forms of display advertising may frustrate and annoy the user, and so EU cookie law is designed to increase user awareness of cookies and give them the option to opt out and not have their website browsing tracked.
Website operators should keep a close eye on further developments concerning how the EU Cookie Directive will develop, because the legal situation will definitely change with the new e-privacy regulation, even if it is not yet quite clear how. The GDPR in the EU contains further guidelines for the security of personal user data. As long as the e-privacy regulation is not yet legally binding, cookies will be considered to be related to personal data defined in Chapter 1 of the GDPR, as they collect data which make a user identifiable (identification numbers, user profile etc.).
With the introduction of the GDPR, stricter rules will also apply in this country for processing and collecting the personal data of visitors from EU websites. Implementing these regulations precisely will also save website operators a good deal of work if the ‘new cookie directive’ in the form of the e-privacy regulation comes into action in the next few years.
In the UK, website operators have to comply with EU regulations for the time being, though this may change once Brexit is finalised. In most cases, site visitors are happy to accept cookie tracking in exchange for an enhanced browsing experience. And if your site visitors are happy, then your retargeting and customer journey mapping techniques in online marketing are more likely to be successful in the long run.