Perhaps Your Site Isn’t Illegal in Europe?

Here we go again. In May I reported Why Your Site is Now Illegal in Europe. The EU E-Privacy Directive became law on May 26 2012; if you are using cookies or other tracking technologies for non-essential functionality, you must:

  1. Tell users that tracking technologies are used.
  2. Explain the reasons for using those technologies.
  3. Obtain the user’s consent prior to tracking them and allow them to withdraw permission at any time.

The only exceptions are sites where tracking is strictly necessary for the provision of a service such as a shopping basket or web application. Systems such as analytics and advertising need to comply, and the law applies to all EU companies and those trading in Europe.

Did Anyone Care?

While the legislation applies to all 27 member states, very few countries appeared to do anything. In the UK, the Information Commissioner’s Office (ICO) issued a guidance document and revealed that non-compliance could result in a £500,000 fine. They then revised the document at the eleventh hour to confuse developers further.

In the past few months, cookie warnings have been (literally) popping up on major UK websites including the BBC, Channel4.com, BT.com, Nationwide Bank, John Lewis, The Guardian and the ICO’s own site. My personal favorite is The Daily Mash which provides the warning:

We’ve updated our privacy policy, not that you care. You can read it or click to get rid of this annoying box and carry on as before. [Whatever]

Clearly Unclear

The problems are clearer than the legislation:

  1. It’s difficult for business owners and developers to identify compliance problems and provide a solution. Generic advice cannot be applied to an infinite variety of situations.
  2. Few users understand the implications or particularly care. All warnings are worded differently and appear in different ways.
  3. If users can opt-out, features such as Analytics become redundant.
  4. Few government organizations adhere to the legislation.
  5. Companies based outside Europe can ignore the regulations without risk.
  6. The law is not being enforced.

This last point has been tested by UK software company Silktide. They’ve been vocal opponents of the cookie law although they offered their own free cookie consent tool.

The company recently introduced nocookielaw.com. It was a great publicity stunt which invited the ICO to take action against the company:

We’re sick of you and this ridiculous cookie law. So here’s an ultimatum.

We’ve taken all our cookies solutions off all our websites. The evil cookies are back, and the pointless slidey warning messages are no more.

We tried. We even wrote an open source solution to the cookie law used by 5,000 sites. But the truth is it’s a tragic waste of time.

Presumably we now fly in the face of the law you are sworn to uphold. Please, please do your worst. Send in a team of balaclava-clad ninjas in black hawk helicopters to tickle us to death with feather dusters. Just do something.

The page helpfully links to the ICO cookie complaint system.

Bizarrely, the ICO responded with a tweet:

@nocookielaw You know what cookies you’re using & you told people you’re using them. They’re the 1st steps on road to compliance. Well done

The message is spectacularly non-committal, but it’s evident that a privacy policy may be enough on some websites. In November, the ICO will release a review of every website complaint, which will include nocookielaw.com. Perhaps there are additional ‘steps’ but, until you receive an explanation of what those steps are, there’s little point trying to guess.

I see no reason to implement confusing pop-ups or other technical solutions for a law which is ambiguous, unenforceable and mostly ignored. Until the situation is clarified, I still recommend:

  1. You have a “privacy policy” link — probably in the footer of every page.
  2. Explain your use of cookies and, where necessary, link to the privacy policies of third-party systems such as Google Analytics (google.com/analytics/learn/privacy.html).
  3. If necessary, link to cookie resource sites such as aboutcookies.org which explain how to block, control and delete cookies.

Then forget about it. Unless you’re contacted by a regulatory body with a genuine complaint, there are far better things you can do with your time.

Craig Buckler

Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.
