Thursday, February 20, 2014

Changes to EU Cookie Law

This post originally appeared on the Algonquin Studios blog.

I was recently asked by a client whether or not the cookie law will apply to its overseas business. As a reference, he provided a link to the Computer Weekly article “How to comply with the EU cookie law.”

It's a handy article, but as with most reference material on the web, there is no date on the article to give an indication of how recent it is. Rules have changed a bit since the law was passed, and so the requirements aren't quite so clear anymore.

It is still a regulation, though watered down. Instead of asking explicit permission, you can now get by under implied consent by linking to a cookie policy page from every page on your site. The content of that policy page is still informed by the law. More information on implied consent is available in this PDF.

Enforcement is a different story. My understanding is that enforcement is arbitrary and based on end-user complaints, at which point I think a slap on the wrist and request to make the cookie policy link more prominent may be all that is demanded (I haven't found any verified examples yet).

Obviously I am not an EU citizen nor an expert in international law, but I think you'll find feedback from appropriate counsel would be similar (though probably a bit more risk averse).

For more detail, you can read up on the current language of the law at the ICO page (the folks who came up with the law), which includes this clarifying content (dated January 31, 2013):

We first introduced a notice about cookies in May 2011, and at that time we chose to ask for explicit consent for cookies. We felt this was appropriate at the time, considering that many people didn’t know much about cookies and what they were used for. We also considered that asking for explicit consent would help raise awareness about cookies, both for users and website owners. Since then, many more people are aware of cookies — both because of what we’ve been doing, and other websites taking their own steps to comply. We now consider it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites.
