Tuesday, June 28, 2011

European Union requires websites to make users 'opt-in' to website cookies

The EU Government's 2009 Directive banning "unnecessary" cookies in websites (if the site doesn't ask users to accept the cookie first) has just begun coming into effect - causing havoc and distress amongst European webmasters.

Cookies are small text files that websites store on a user's computer in order to reduce the need for users to enter information again and again. They are used in ecommerce sites to 'remember' what is in your shopping trolley, in social media sites to remember that you're logged in, to personalise content or advertisements based on your preferences and by many sites to provide anonymous website reports.

It is estimated that around 92% of websites use cookies. In fact it is hard to imagine the modern web without them.

However, in 2009 the European Union decided, as part of an amendment to its Privacy and Electronic Communications Directive, that even though all modern web browsers allow users to choose to accept or refuse cookies, cookies may pose a privacy threat to individuals.

While the Directive doesn't explain why they may pose a threat, it states that cookies can be a useful tool and,
their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.

In other words, when cookies are used for a legitimate purpose (though 'legitimate' is not clearly defined in the Directive), websites may use them provided that users are given an up-front way to see what each cookie is for and to 'opt out' of each cookie.

This directive was to be transposed into law by European states by May 2011. So far only three countries have complied: Denmark, Estonia and the United Kingdom. The UK has also given webmasters twelve months to introduce appropriate opt-out controls on their websites, recognising the impact of its law. Other countries in the EU will introduce their cookie laws soon.

So OK, European websites using cookies must now have an opt-out provision for UK, Danish and Estonian users, and soon for all Europeans in the EU.

So where is the sting in the tail?

Firstly, these laws may apply to all websites that are viewable in European countries, as existing European privacy laws already require. This would mean that Google, Facebook, Twitter and other social media sites hosted in the UK, Asia or anywhere else in the world would need to change how they functioned due to European-only laws.

Under this interpretation (yet to be tested in court), all (hundred million plus) websites, whether ecommerce, news, information or government would have to comply.

That includes Australian government websites using cookies, including any using Google Analytics, 'share' tools, shopping carts or otherwise using cookies to store (even non-identifiable) information on users - even for a single session.

There is an alternative. Non-European websites could simply block Europeans from viewing their sites and therefore would not need to comply with the European law. That would present a very interesting geographic freedom-of-information ban, as well as damaging the businesses of many organisations and governments who want Europeans to access their websites.

The second concern is around how the opt-in approach to cookies must work.

There's no clear approach in the Directive and plenty of confusion on how the opt-in control should work. The suggested approaches in the UK are to use pop-ups (which most modern browsers automatically block) or to use an 'accordion' that appears at the top of all webpages, as is used by the UK's Information Commissioner's Office (ICO) - the ugly block of text at the top of the website.

A more humorous implementation of a pop-up opt-in control is used on David Naylor's website - read the text.

The BBC has introduced an opt-in approach that accidentally managed to break the law while implementing it - by using a cookie to hide the message asking you to opt-in for cookies. Oops - they needed to have an opt-in for that too.
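To make the two points above concrete (every cookie needs an up-front stated purpose, and the opt-in control must not itself set a cookie before the user has opted in), here is an added example in plain JavaScript; it is not code from the original post, the ICO or the BBC, and the cookie names, purposes and the consent-set representation are assumptions.

```javascript
// Added example (not from the original post): an opt-in gate for cookies.
// Every cookie is registered with a plain-language purpose, and nothing is
// written unless the user has explicitly opted in to that named cookie.

const COOKIE_REGISTRY = {
  // Constructed sample registry; names and purposes are assumptions.
  session_id:  { purpose: 'Keeps you logged in during this visit' },
  cart:        { purpose: 'Remembers what is in your shopping trolley' },
  _ga:         { purpose: 'Anonymous site usage reporting (Google Analytics)' },
  notice_seen: { purpose: 'Hides the cookie notice once you have dismissed it' },
};

// The text a site would show up-front: each cookie and what it is for.
function describeCookies(registry) {
  return Object.entries(registry).map(([name, info]) => `${name}: ${info.purpose}`);
}

// Turns the names a user ticked in the notice into a consent set, rejecting
// anything not in the registry so consent can only cover described cookies.
function recordConsent(registry, chosenNames) {
  const consent = new Set();
  for (const name of chosenNames) {
    if (!(name in registry)) throw new Error(`Unknown cookie "${name}" cannot be consented to`);
    consent.add(name);
  }
  return consent;
}

// Returns a Set-Cookie header value, or null when the cookie must not be written.
// Unregistered cookies are an error: they have no stated purpose to show users.
function setCookieIfAllowed(registry, consent, name, value) {
  if (!(name in registry)) throw new Error(`Unregistered cookie "${name}" has no stated purpose`);
  if (!consent.has(name)) return null;
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
}

// The pitfall described in the post: remembering "notice dismissed" in a cookie
// before the user has opted in to that cookie. Under this gate the notice
// cookie is refused like any other until it is in the consent set, so the
// dismissed state must live elsewhere (e.g. only for the current page view).
function rememberNoticeDismissed(registry, consent) {
  return setCookieIfAllowed(registry, consent, 'notice_seen', '1');
}
```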

The third issue with this European directive is the impact on useful things websites do. It will become much harder to personalise content for users or report on websites. Indeed the impact of people opting out of cookies, therefore rendering all cookie-based reporting significantly more inaccurate, is already being tracked. The ICO's website has itself seen a 90% fall in recorded (tracked) traffic. This indicates that the ICO will no longer know what site users are doing and cannot as effectively optimise and improve their website. Magnify this across millions of websites.

For those who wish to learn more about European cookie laws, check out the short video below or read The definitive guide to the Cookie law.

And, as always, I'd appreciate your thoughts - particularly on the questions below.

Has Europe become the Cookie Monster? Or is this a reasonable and appropriate step to improve user privacy?

Should Europe have the right to impose laws in their jurisdiction on the rest of the world? If not, should the rest of the world stop Europeans visiting our sites?
