EU Cookie Law – Requirements and Consequences

8 September 2012

What could be so alarming about the innocuous text files that almost every other site nonchalantly deposits on the visitors’ computers? Well, it’s the users’ privacy that these files can compromise.

Cookies, or small text files, are routinely used by websites to collect non-personal data, such as the number of times a user visits specific web pages and the visitor's clicking behaviour, and for purposes such as tracking the efficacy of advertising campaigns by recording the number of clicks, preventing repeat logins when the user visits different web pages in the same session, collecting demographic data, etc. The collection and use of cookies is generally disclosed by websites in their privacy policy.

The European Union (EU), through Directive 2009/136/EC, which came into force on May 25, 2012, made some revolutionary changes to the way websites use cookies.

Requirements of EU Cookie Law

The EU cookie law applies to websites that use cookies and satisfy any of the following conditions:

1. The website is based in any of the EU countries.

2. The website targets visitors/customers/clients in any of the EU countries, irrespective of the place of hosting of the website.

3. The website is an ecommerce site selling goods/services in any of the EU countries.

In short, the website must fall within the legal jurisdiction of the EU. The place of hosting is not relevant to the application of the new EU cookie law.

Consequences of EU Cookie Law

The rules of the game have changed. The era of using cookies freely is over. With the EU cookie law in effect, website owners need to seek the permission of visitors to use cookies. The intention is to protect the online privacy of internet users.

An overwhelming 92% of websites use cookies. With the new regulation in place, they have only two options: don’t use cookies, or use them in accordance with the law.

So, how can websites seek permission from users to deposit cookies on their computer systems? One way is to interrupt their use of the site with a pop-up seeking their consent to use cookies. This pop-up can have two options – OK and NO!

The law, however, exempts the use of cookies that are strictly necessary, like login cookies or shopping cart cookies, etc. These are the cookies that users expect the website to deposit on their computer system.

In fact, the law is wide in its ambit and covers every technology that can store information on the user's computer.

So, what could be the implications of not following the law? To start with, there will be monetary implications in the form of penalties. However, even these apply only to the most serious breaches, such as cases where the number of affected individuals is very large.

The EU nations are slowly getting the hang of the changed legal regime, and many countries, like the UK, Estonia, Denmark, etc., have already brought in national legislation in conformance with the EU Directive on cookies.

The necessary implication of the EU cookie law is the prohibition of third-party cookies as well as cookies used for targeted advertising, as very few users are expected to give permission to deposit these cookies on their computer systems.

Essentially, the new EU cookie law has turned the cookie practices of websites 360 degrees. From an opt-out regime, where users were given the option to manage browser preferences if they did not want to accept cookies, the new law has ushered in an era of opt-in, where website owners need to seek users’ consent to use cookies.
