Cookie Crunch: Complying with the EU ePrivacy Directive in the UK

While U.S. digital industry commentators were debating the “Do Not Track” initiative in May, the UK industry was rushing to meet the deadline for its own privacy D-Day: May 26, 2012. This was the date on which the EU Privacy Directive, which had become UK law the previous year, started to be enforced by the UK regulator, the ICO.

What is The EU Privacy Directive?

The bureaucracy and mangled legalese the EU pumps out is legendary. Suffice to say there is a long Directive which, distilled down, requires brands to get “consent” – that’s a word that will keep cropping up – before tracking consumers. How it’s interpreted and has been written into law varies by EU country. This article focuses on the UK.

More Than Cookies

Cookies have been the focus of coverage of the Directive – the crumbly bad boys consumers should fear, if you believe some – but other technologies are covered too, including Flash objects (aka “Flash cookies”). Broadly speaking, if a piece of technology tracks consumers, you need their consent to do so.

Consent Doesn’t Mean an Explicit “Yes”

There’s that word again. “Consent.” When the UK regulator first announced the date for the Privacy Directive to become law, a flurry of articles debated what “consent” meant. Over time a consensus grew – consent meant a drop-down message, pop-up or similar mechanism that actively asked consumers to explicitly say “yes” to tracking. Debate followed around whether this had to be done for every site visit – it didn’t – and whether this applied to cookies required for the site to function – it didn’t. The ICO issued guidelines and industry bodies lobbied and debated.

In the weeks leading up to the 26th the ICO stated that analytics cookies would not be a focus of enforcement – and that they were writing to 50 high-volume websites to suggest how they should comply.

Then, on the Thursday before the deadline, the ICO announced that explicit consent wasn’t necessarily required. Suddenly all of the pop-ups, drop-downs, overlays and other clever mechanisms that web designers and marketers had been building, trying to walk the line between compliance and not damaging conversion rates, looked like they might not have been necessary.

Post-Directive: The Reality

Where does this leave brands today? If your UK site isn’t compliant yet, you’ve probably got a breathing space (unless your traffic levels are high and the ICO’s noticed you). So how do you comply?

1. Audit Your Tracking Technologies

The first thing to do is audit the cookies, tags and tracking technologies used on site – including those set through tag containers. Browser extensions like Firecookie for Firebug and Ghostery can help with this alongside the knowledge of developers and webmasters.

It’s useful to categorise what you find – what’s required for site functionality, what’s used for analytics, what’s used for tracking advertising etc.

2. Is Implied Consent Enough?

You need to decide if your site’s use of tracking requires you to gain explicit consent. The ICO guidance states that if your visitors “understand that their actions will result in cookies being set” and you aren’t relying “on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand”, then implied consent is enough – you don’t need to go down the route of putting a message in front of them asking their explicit permission to use tracking technologies.

However, if the data your site collects is sensitive (e.g., health information), then explicit consent could be required (and other data protection laws might apply too).

3. Update Your Privacy Policy With a Tracking Section

Your policy should have a section explaining what tracking technologies are used on the site – or a separate page, which is what many UK websites have done. This should detail what cookies and tracking technologies are used, ideally arranged by category, with links to sites offering more information about cookies and any opt-out links from the providers of the technology, such as the opt-out Google provides and the industry NAI site.

4. Decide How to Tell Consumers

Even if implied consent is enough, you still need to ensure consumers understand the site uses cookies without wading through a privacy policy. Many sites have done this by adding an information bar across the top of the page or a link in the footer to a “cookie policy”. Below are some examples:

5. Keep Your Policy up to Date

As your site changes, the list of tracking technologies in the policy needs updating – so you need the right internal process in place (for example, a review step whenever a new tag or container is added) to make sure this happens.
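The audit and categorisation in step 1, and the re-check step 5 asks for, can be partly automated. The following is an added example, not code from the article: it parses Set-Cookie headers captured during a crawl (a constructed sample), buckets each cookie using an illustrative rule table, and flags anything unrecognised for manual review. The rule patterns and cookie names are assumptions for the demonstration.

```javascript
// Added example (not from the article): bucket captured Set-Cookie headers by
// purpose so the inventory can feed the policy's tracking section.

// Constructed sample: Set-Cookie headers as a crawler might record them.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure',
  '_ga=GA1.2.1234567890.1337; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/',
  'ad_id=xyz; Domain=.ads.example; Path=/; Max-Age=31536000',
  'csrftoken=tok; Path=/; SameSite=Strict',
  'mystery_tag=1; Path=/',
];

// Illustrative rule table (name pattern -> category); extend per site.
const RULES = [
  { pattern: /^(sessionid|csrftoken)$/, category: 'functional' },
  { pattern: /^_g(a|id|at)/, category: 'analytics' },
  { pattern: /^ad_/, category: 'advertising' },
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  // Persistence is one signal worth recording: session-only cookies are often
  // the "required for the site to function" kind; persistent ones need review.
  cookie.persistent = 'expires' in cookie.attrs || 'max-age' in cookie.attrs;
  return cookie;
}

function categorise(name) {
  const hit = RULES.find((r) => r.pattern.test(name));
  return hit ? hit.category : 'unknown';
}

// Build the inventory: category -> cookie names, with unknowns listed
// separately so someone must classify them before the policy is published.
function auditCookies(headers) {
  const inventory = { functional: [], analytics: [], advertising: [], unknown: [] };
  for (const h of headers) {
    const c = parseSetCookie(h);
    inventory[categorise(c.name)].push(c.name + (c.persistent ? ' (persistent)' : ''));
  }
  return inventory;
}
```

Running the same audit after each release and diffing the inventory against the published policy is a simple way to keep step 5 honest.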

Do Not Track?

You might be wondering at this point if the “Do Not Track” initiative will mean that via browsers offering an easier way of managing (read: blocking) cookies, compliance can be achieved. The ICO’s thought of this too, and the answer is “No”. The need to comply with the Directive on UK websites – and across the EU – won’t go away as browser publishers address privacy concerns at a software level.

Image Credit: Alan Cleaver/Flickr
