A look at what the new EU e-Privacy legislation is all about and how it will affect our customer websites and others in the UK.

You may have seen news articles recently discussing the new EU legislation which will require companies to obtain ‘explicit consent’ from web users before they make use of cookies (small files placed in a user’s browser containing details of their web use). The legislation is due to come into force on the 25th May 2011.

The new law states that a cookie can be stored on a user’s computer, or accessed from that computer, only if the user “has given his or her consent, having been provided with clear and comprehensive information”. The only exception is where the cookie is “strictly necessary” for the provision of a service “explicitly requested” by the user. An example of this would be a shopping basket, where the user has asked for products to be stored.

I can understand the reasoning behind this law. The number of websites showing adverts that spookily reflect products I have recently looked at is certainly on the increase, and you have to worry about the privacy concerns of this “re-marketing” practice. What I disagree with is the way the law-makers have gone about it – targeting all cookies rather than specific ones – which could potentially ruin a visitor’s browsing experience.

Currently the UK Government is looking into ways that browsers could help companies comply, and this may be a better solution. A spokesman for the Department of Culture, Media and Sport (DCMS) recently told OUT-LAW.COM that it was working on a browser-based solution.

“We are working with browser manufacturers to find a way to enhance browser settings so that they can obtain the necessary consent to meet the Directive’s standards,” said the spokesman.

The DCMS spokesman also said that the regulations would be in place by the 25th May but that the technical solutions it was working with browser makers on would not be ready by that time.

It said that the Government would be advising the Information Commissioner’s Office (ICO) not to take enforcement action against any company that was not in compliance with the law because of the delay to what the spokesman called the “technical solutions”. As long as organisations were working towards compliance they should not be punished, he said.

At Refractiv we have been working on ensuring that our client websites comply with the new regulations. Currently the cookies we use fall into three types:

  • those that remember visitor log in details – we plan to alter this cookie so that a visitor has to select “remember me” to add the cookie;
  • those that track visitor data (Google Analytics) – it could be that we will need to add a notice telling visitors we are tracking them;
  • and those that we use in our eCommerce (shop) module – these cookies will be exempt from the law as they fall into the “strictly necessary” category – the shopping basket wouldn’t function properly without them.

As it stands, it looks like all websites will need to require visitors to “opt in” when they first arrive, although we are hopeful the Government will implement a browser solution. We will also be re-writing our standard “privacy pages” and advising customers about their own content.

Whatever the outcome, we will be watching the developments and will ensure that all our customer websites are complying with the new law by the deadline.