Responding to the EU e-Privacy Directive
Posted by Zack Morgan in April 2012
The deadline for compliance with the EU e-Privacy Directive is fast approaching. For those not familiar with the ‘EU Cookie Law’, here’s a brief, non-technical introduction:
A more complete explanation is available from the Information Commissioner’s Office: ‘Guidance on the rules on use of cookies and similar technologies’ (PDF). The ICO acknowledges that compliance will not be straightforward, and in fact their own site has been criticised both for its lack of compliance, and the clunkiness of its attempted ‘cookie consent’ solution. So although most websites will strictly speaking be illegal after 25 May, there is no need to panic, unless (perhaps) your site is flagrantly abusing the privacy of its users.
For now, the common-sense approach seems to be to update your privacy policy so that it explains what cookies you use and what they are for, and to work towards full compliance, i.e. not setting cookies at all until visitors have understood the implications and explicitly accepted their use on your site. For us, and most of our web design clients, this will mean upgrading to the next version of our favoured content management system, ExpressionEngine, which will allow visitors to opt in and out of cookies, as the e-Privacy Directive requires.
If you are updating your privacy policy on an ExpressionEngine-based website, you'll want to let your visitors know about the following cookies.
exp_tracker: this cookie temporarily keeps track of the last 5 pages you visited on the site. This information allows the site to redirect you to the page you were on before activities such as submitting a comment or sending an email through the contact form. It is a ‘session’ cookie, meaning it expires as soon as you close your browser.
exp_last_activity and exp_last_visit: these cookies store the dates of your last activity on the site. exp_last_visit is only relevant to registered users — if you’re browsing the site as a guest, this cookie will be set to a date in the past. These are ‘persistent’ cookies, which do not automatically expire when you close your browser.
exp_css_skin: if you have made any display choices (for example to select a high-visibility layout for visually impaired visitors) this persistent cookie is used to remember your choice next time you visit.
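When compiling this list for a privacy policy, the session/persistent distinction can be read from each cookie's `Set-Cookie` response header. The following is an added example, not part of the original post or of ExpressionEngine; the header values are constructed samples, and `classify`, `inventory` and `REFERENCE_NOW` are hypothetical names.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie values (not captured from a real site).
SAMPLE_HEADERS = [
    "exp_tracker=abc123; path=/",
    "exp_last_activity=1335000000; expires=Sat, 20 Apr 2013 10:00:00 GMT; path=/",
    "exp_css_skin=high_contrast; Max-Age=31536000; path=/",
    "old_pref=x; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/",
]

# Fixed "current time" so the classification is reproducible (assumption).
REFERENCE_NOW = datetime(2012, 4, 20, 10, 0, tzinfo=timezone.utc)


def classify(set_cookie, now):
    """Return (name, kind, expiry) for one Set-Cookie header value."""
    first, *attrs = [part.strip() for part in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    expires = max_age = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "expires":
            expires = parsedate_to_datetime(value.strip())
            if expires.tzinfo is None:  # treat a zone-less date as UTC
                expires = expires.replace(tzinfo=timezone.utc)
        elif key == "max-age":
            max_age = int(value)
    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    expiry = now + timedelta(seconds=max_age) if max_age is not None else expires
    if expiry is None:
        return name, "session", None      # gone when the browser closes
    if expiry <= now:
        return name, "expired", expiry    # browser discards it immediately
    return name, "persistent", expiry     # survives a browser restart


def inventory(headers, now):
    """Map each cookie name to its lifetime class, for the policy page."""
    return {name: kind for name, kind, _ in (classify(h, now) for h in headers)}


if __name__ == "__main__":
    for cookie, kind in inventory(SAMPLE_HEADERS, REFERENCE_NOW).items():
        print(f"{cookie}: {kind}")
```
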
If you are allowing a third-party site to set cookies, which will be the case if your website uses Google Analytics, YouTube videos, or sharing/bookmarking services such as AddThis, then a link to their privacy policies would probably be a good idea, too. Ironically there is so far no sign of the Internet’s big data collectors updating their policies or practices to conform to the Directive, despite the fact that they are likely to be amongst its primary targets.
If you have any concerns about your website’s compliance with the EU e-Privacy Directive, please feel free to get in touch.
Update
The Information Commissioner's Office introduced a last-minute clarification of their guidance, and are now advising that explicit consent is not required after all: “Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.”
This looks like good news. It means that your site can continue to use cookies, and you may not need to make any technical changes. However, the ICO also say, “If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.”
So, to stay on the right side of the law, you need to:
- Make clear to site visitors that you use cookies.
- Explain the purpose of each cookie.
- Inform visitors that their use of the site indicates their consent to your use of cookies. This will probably mean updating your privacy policy, and adding a prominent link from each page of your site to its cookie-related information.
Please note that this is professional advice, not legal advice. For legal advice you should of course contact your legal adviser.