EU Directive Cookie Compliance Act – businesses unlikely to be better prepared in 12 months' time

By Ryan Siddle | 02 Jun 2011

On 25 May 2011, the day the new EU Directive cookie compliance act came into effect, were businesses and individual website owners in Europe prepared for possibly one of the biggest changes in the digital era? By the looks of things, not really, which is why the Information Commissioner's Office has given an additional 12 months for the changes to take place. Going forward, the new directive could potentially lead to a rise in companies basing their headquarters outside the EU jurisdiction. The new legislation may also trigger consumers to become more cautious online in terms of their behaviour and the information they part with.

What are cookies?

Cookies are small pieces of information that are stored on the user's machine. They provide a vast array of information to websites such as generic settings or a history of URLs visited, but most importantly personal form data, e.g. name, address, what products are in a shopping basket at any given time, etc.

Currently, internet browsers automatically accept these (based upon privacy settings). However, the new cookie compliance law insists all users should be notified whenever a website wishes to drop a cookie on a user's machine. One viable option would be to serve a pop-up window each time a new cookie is dropped onto the user's machine, which would limit the user's web experience. The Internet Advertising Bureau (IAB) has also suggested the use of an icon on adverts which, when clicked, reveals information about the data being gathered.

Is it really necessary for the user to accept every single cookie a website attempts to store on their computer? If the cookie is crucial to the correct functioning of the website then most certainly yes. However, if that cookie is only used to store a preference such as the colour scheme or gadgets to show in a tool bar then it's probably not essential.

A number of officials have been working with the EU regulators to help define how the legislation should be implemented, and to consider what types of cookies should be subject to the legislation.

Why the cookie compliance?

The use of cookies in advertising seems to be of most concern. When a user visits a website, a cookie may be dropped on their machine. As such, when they visit other websites, they may find advertisements start "following" them. This cookie information can be collected and sold to third parties meaning the data is no longer private.

Since the explosion of the Internet and Web 2.0 in 2005, the number of domains, standalone websites and blogs has increased dramatically: approximately 300%, according to data from Netcraft. Furthermore, the release of open source blogging software and social media has made it possible for anyone with little or no web development experience to get online and start advertising to the world. Plug-ins and various influences allow bloggers to advertise products on their own websites without actually knowing the full implications of whether their content, facts and imagery are compliant.

As per the new Advertising Standards Authority (ASA) regulations covering all online marketing and advertising, cookies are an essential method of campaign tracking and affiliate management. Now, businesses and individuals with an online presence will need to rethink how they will operate going forward. 

Source: Netcraft

International implications of the overseas law

Companies domiciled within the EU will be required to abide by the EU regulations, controlled by the respective country's body/bodies; however, those domiciled under a different jurisdiction outside the EU will not be required to comply, nor can they enforce the directives on those that serve consumers within the EU due to the complexities of international law. For best practice and company image, it will likely be the case that firms spanning multiple jurisdictions will conform to the EU regulations by ensuring their entire website, digital advertisements and online marketing strategies meet the criteria.

However, this new law could also lead to a rise in businesses basing their headquarters outside the EU jurisdiction so they don't have to comply with the cookie compliance law, similar to those that strategically base themselves outside of specific jurisdictions for tax purposes. Any company or individual breaching the EU cookie act could face a £500,000 fine.

Will the cookie compliance be enforceable on such a large scale?

Simple logic tells us it would not be possible for the ASA to serve enforcement upon every single business and individual who breaks the cookie compliance (with or without intent). Instead, it seems the ASA will most likely target businesses that are serving false or misleading cookies to the wider audience and storing information without a user's official consent.

So what are the pitfalls?

Not everyone was ready for May's cookie regulation deadline, and they probably won't be even in 2012. The current legal framework is a mess and needs tidying up, legacy sites could potentially take years to change, and website owners have still to fully understand the implications of cookies. Even so, businesses and individual webmasters should use the 12-month grace period to find out exactly what cookies are being used on their own sites along with advertising from media.

It will be interesting to see if, and how, the cookie act will help educate users about privacy on the internet, and whether it will spur them to become more tech-savvy in order to shield themselves from disclosing sensitive/personal information.