Perhaps Your Site Isn’t Illegal in Europe?

Contributing Editor

Here we go again. In May I reported "Why Your Site is Now Illegal in Europe". The UK grace period for the cookie provisions of the EU e-Privacy Directive ended on 26 May 2012; if you are using cookies or other tracking technologies for non-essential functionality, you must:

  1. Tell users that tracking technologies are used.
  2. Explain the reasons for using those technologies.
  3. Obtain the user’s consent prior to tracking them and allow them to withdraw permission at any time.

The only exceptions are sites where tracking is strictly necessary for the provision of a service the user has requested, such as a shopping basket or a web application's session. Systems such as analytics and advertising need to comply with the law, which applies to all EU companies and to those trading in Europe.

Did Anyone Care?

While the legislation applies to all 27 member states, very few countries appeared to do anything. In the UK, the Information Commissioner's Office (ICO) issued a guidance document and revealed that non-compliance could result in a fine of up to £500,000. They then revised the document at the eleventh hour, confusing developers further.

In the past few months, cookie warnings have been (literally) popping up on major UK websites including the BBC, Channel4.com, BT.com, Nationwide Bank, John Lewis, The Guardian and the ICO’s own site. My personal favorite is The Daily Mash which provides the warning:

We’ve updated our privacy policy, not that you care. You can read it or click to get rid of this annoying box and carry on as before. [Whatever]

Clearly Unclear

The problems are clearer than the legislation:

  1. It's difficult for business owners and developers to identify compliance problems and provide a solution. Generic advice cannot be applied to an infinite variety of situations.
  2. Few users understand the implications or particularly care. Every warning is worded differently and appears in a different way.
  3. If users can opt out, tools such as analytics become useless because their data is no longer representative.
  4. Few government organizations adhere to the legislation themselves.
  5. Companies based outside Europe can ignore the regulations without risk.
  6. The law is not being enforced.

This last point has been tested by UK software company Silktide. They have been vocal opponents of the cookie law, even though they offered their own free cookie consent tool.

The company recently introduced nocookielaw.com. It was a great publicity stunt which invited the ICO to take action against the company:

We’re sick of you and this ridiculous cookie law. So here’s an ultimatum.

We’ve taken all our cookies solutions off all our websites. The evil cookies are back, and the pointless slidey warning messages are no more.

We tried. We even wrote an open source solution to the cookie law used by 5,000 sites. But the truth is it’s a tragic waste of time.

Presumably we now fly in the face of the law you are sworn to uphold. Please, please do your worst. Send in a team of balaclava-clad ninjas in black hawk helicopters to tickle us to death with feather dusters. Just do something.

The page helpfully links to the ICO cookie complaint system.

Bizarrely, the ICO responded with a tweet:

@nocookielaw You know what cookies you’re using & you told people you’re using them. They’re the 1st steps on road to compliance. Well done

The message is spectacularly non-committal, but it's evident that a privacy policy may be enough on some websites. In November, the ICO will release a review of every website complaint it has received, which will include nocookielaw.com. Perhaps there are additional "steps" but, until you receive an explanation of what those steps are, there's little point trying to guess.

I see no reason to implement confusing pop-ups or other technical solutions for a law which is ambiguous, unenforceable and mostly ignored. Until the situation is clarified, I still recommend:

  1. You have a “privacy policy” link — probably in the footer of every page.
  2. Explain your use of cookies and, where necessary, link to the privacy policies of third-party systems such as Google Analytics (google.com/analytics/learn/privacy.html).
  3. If necessary, link to cookie resource sites such as aboutcookies.org which explain how to block, control and delete cookies.

Then forget about it. Unless you’re contacted by a regulatory body with a genuine complaint, there are far better things you can do with your time.


  • http://www.netcentrics.co.uk Pete Wright

    Excellent summary, Craig – thanks! Not sure if the tweet is a *verified* channel, but if not, then it would seem that they haven’t responded at all. Either way, they aren’t signalling much enthusiasm for enforcing this nonsense – after all, they have better things to do with their time, too.

  • http://www.idea15webdesign.com Heather Burns

    Where the UK is concerned, the threats of “punishments and fines” must be seen in perspective. While it’s true that ICO have been increasing the frequency and cash amounts of fines for all forms of data protection violations (and none so far for the cookie law), these fines are two things:

    1) The last stage in an exhaustive four-stage process where the organisation is given every chance to work with ICO and to rectify their mistakes. If an organisation or business has received a fine, it has either outwardly scorned ICO's advice or committed a data breach so blatant and inexcusable that no discussion process is possible. And
    2) Fines tend to be issued only in cases where data breaches were so grave as to put the lives and safety of the public at risk. It is easy to see how sending an at-risk child’s social work records to the abusive parent could have resulted in a multiple homicide. It is not easy to prove how setting an advertising cookie without giving the user an option to read a cookies policy will result in bodily harm or death.

    When it does come time to issue fines ICO will face a tremendous burden of proof to show that actual harm – not theoretical harm – did come about because of a site’s cookie policy or lack of one. And with the exception of ad-hominem deployments of spyware or malware – which are already covered under other statutes – can anyone really think of an example where someone’s offline life, limb, and safety will be compromised by a cookie?

    More on ICO's case history of punishments and fines in my blog post here:
    http://idea15.wordpress.com/2012/04/19/eu-cookie-law-punishment-violations/

  • Rej Visschers

    I live in the EU and find this article somewhat exaggerated.
    A site here just needs to tell the visitor that it uses cookies,
    and why, but that does not make it immediately illegal.
    This law is to protect individuals from personal data theft
    and is certainly not bad, and it does not make your site criminal.
    You'd better worry about your own country with mandatory laws like ACTA.
    America thinks other countries should construct their stupid rules; that is really a crime.

  • http://philipgledhill.co.uk/ Philip Gledhill

    Information Commissioner's Office official video:

    http://youtu.be/V0M8MYiGkQw

    Pay attention at 3 minutes 10 seconds in to the video where he says “It’s difficult to imagine that non-compliance with the cookies rule is ever going to trigger a situation in which we would be able to issue a monetary penalty”.