Since May 25, 2018 a new European law on data protection has been in place. However, despite it being relevant to day-to-day business, many companies and website operators are still unattuned to the General Data Protection Regulation (GDPR). On top of this, high fines are imposed on those violating the regulations. Here we summarize everything worth knowing on the new EU GDPR for entrepreneurs and...
In March 2018 the new General Data Protection Regulation came into force, and changed the way many regulations work in terms of storing sensitive user data within the EU. It also applies to US businesses, because it applies to the location of the person browsing your site, rather than the location of your site itself. In fact, the new e-privacy regulation, the draft of which the EU officially presented on 10 January 2017, was to become legally binding at the same time. In the area of application of cookies in particular, it is regarded as a detailed supplement to the GDPR. At present, however, the draft new e-privacy regulation is still passing through the European Parliament. It is not expected to become law before May 2020 at the earliest, thus replacing the EU Cookie Directive and supplementing new regulations. But what is the current state of this law? In this article we will look at the general matter of what cookies are, as well as taking a look ahead to what the new e-Privacy regulations mean for cookie usage for EU visitors browsing your website.
ECJ ruling – Opt-in is mandatory!
As a result of a recent court case in Germany that eventually made it to the European Court of Justice, the ECJ ruled in favor of data protection, stating that an opt-in in the case of cookie-settings must take place. The user must be able to check a box to provide consent. Additionally, the court found that users need to be informed about the cookies being used. Website operators should provide information on how long the files are valid for and which purpose they are being stored for.
What are cookies?
Cookies are small text files that your browser stores on your computer when you load a web page. The text file holds data from your visit to the website, and the idea behind it is to improve user friendliness: your browser remembers login data and language settings, speeding up and streamlining your browsing experience. A typical cookie contains a statement of how long the text file is valid and a randomly generated number that’s unique to your computer. Cookie data is normally stored anonymously, and the data stored in the text file can only be read by the web server that issued the cookie. Cookies tend to avoid personal data too, usually only requiring it for login information. Their main responsibility is creating the personalized, interactive online world as we know it today.
But despite this user-friendly aspect of cookies, many critics see them as an invasion of privacy. Cookies can be used to create what’s known as ‘behavioral profiles’, which use your online habits in order to display certain ads or particular targeted content. Companies do this because it’s useful to be able to display tailored content depending on whether a user is visiting a website for the first time or the 100th time.
In some cases, cookies stay on your computer between page visits, gathering more information to build up a clearer picture of other interests you might have. In these circumstances, companies can target ads at you when you visit external pages, often displaying tailored images (like the pair of shoes you were viewing on their website, or the new kitchen appliance you’ve been searching for). This is an integral tactic for online businesses battling in the dense e-commerce market, but there are concerns that cookies may sometimes be misused to supply information about personal internet use to unknown companies.
The truth about cookies for users is that you don’t really know how your data is being used without an explanation by the website you’re visiting. And this is the fundamental reason for the EU’s revolutionary regulations from 2011.
What do the EU cookie laws mean?
In 2002, the European Union initiated its ‘Directive on Privacy and Electronic Communications’, with further amendments to cookie usage made in 2009. Despite coming under criticism for its structure and difficult interpretation, the EU set a deadline for the directive to be adopted by all member states by May 2011. Known simply as ‘The Cookie Law’, the EU directive recognizes the need for cookies in order to create the personalized online universe we enjoy today, but also makes it clear that cookies can be considered an invasion of privacy and that users deserve the right to be made aware of the presence of cookies and their usage. Certain cookies that are considered ‘strictly necessary for the delivery of a service requested by the user’ don’t have to be declared, because they are of far higher benefit to the user than to the company. This includes cookies used to track shopping carts in e-commerce and to store important login information that the user requires.
For the use of most cookies, website operators in the EU now require permission from the user. This covers all cookies that don’t meet the requirement mentioned above of being ‘necessary’. This means that advertising cookies for retargeting, analysis, and social media cookies now require permission from the user. But the main issue that many companies have with these EU regulations is that the guidelines don’t clarify exactly how they should be implemented. There’s particular uncertainty when it comes to obtaining authorization from site visitors.
Opt in or opt out?
The new ECJ ruling has upset the previously clear distinction between opt-in and opt-out: according to the ECJ, the opt-in obligation also applies to non-personal cookies. Whether technically necessary cookies must also be approved is still under discussion.
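The rules described above (strictly necessary cookies need no consent, everything else needs an affirmative opt-in, and the user must be told each cookie's purpose and lifetime) can be enforced server-side with a small consent gate. The following is an added example, not code from the original article; the cookie names, categories and durations are constructed for illustration.

```javascript
// Added example: a consent gate for issuing cookies under opt-in rules.
// Cookie names, categories and lifetimes below are constructed for illustration.
const COOKIE_POLICY = {
  session_id: { category: "necessary",   purpose: "keeps you logged in",          maxAge: null },
  cart:       { category: "necessary",   purpose: "remembers your shopping cart", maxAge: 7 * 86400 },
  _stats:     { category: "analytics",   purpose: "anonymous usage statistics",   maxAge: 365 * 86400 },
  _retarget:  { category: "advertising", purpose: "ads based on products viewed", maxAge: 90 * 86400 },
};

// Parse the consent record the user's choices were stored in, e.g.
// "analytics:1,advertising:0". Only categories explicitly ticked ("1") are
// granted; a missing or malformed record means no consent (opt-in, never opt-out).
function parseConsent(record) {
  const granted = new Set(["necessary"]); // strictly necessary cookies need no consent
  if (typeof record !== "string") return granted;
  for (const part of record.split(",")) {
    const [category, flag] = part.split(":").map((s) => s.trim());
    if (category && flag === "1") granted.add(category);
  }
  return granted;
}

// Build the Set-Cookie header for `name`, or return null when the user has not
// opted in to that cookie's category (so the cookie is simply never issued).
function setCookieHeader(name, value, granted) {
  const policy = COOKIE_POLICY[name];
  if (!policy || !granted.has(policy.category)) return null;
  const httpOnly = policy.category === "necessary" ? "; HttpOnly" : "";
  let header = `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax${httpOnly}`;
  if (policy.maxAge !== null) header += `; Max-Age=${policy.maxAge}`; // session cookie if absent
  return header;
}

// Filter a list of cookies the application wants to set down to those allowed.
function allowedCookies(requested, record) {
  const granted = parseConsent(record);
  return requested.filter((name) => setCookieHeader(name, "x", granted) !== null);
}

// Entries for the cookie notice: each cookie's purpose and lifetime, as the ruling requires.
function cookieNotice() {
  return Object.entries(COOKIE_POLICY).map(([name, p]) => ({
    name,
    category: p.category,
    purpose: p.purpose,
    lifetime: p.maxAge === null ? "until the browser is closed" : `${Math.round(p.maxAge / 86400)} days`,
  }));
}
```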
This is what will change through the new e-Privacy regulation
The final version of the new e-privacy regulation will entail the following: the current draft generally forbids cookies which are not necessary for the technical operation of a site, unless users agree to their use in advance. The first draft only mentioned web applications. The updated version of March 22nd, 2018 includes all types of machine-based communication, such as apps, e-mail, and collecting metadata for VoIP calls. This also applies to communication between two machines, so-called M2M communication.
The e-Privacy Regulation is relevant to international communication service providers. The regulation stipulates that it applies to a terminal device used within the EU borders. Where the data of a controlled service is processed is not relevant to the application of this regulation.
Data protection is not as strictly regulated in the USA. In the so-called Microsoft-Ireland case an American district court wanted to force Microsoft to make customer-related data of EU citizens available in the USA.
However, Microsoft stores the data of its European customers in Germany with T-Systems, part of Deutsche Telekom. On the principle that American law only applies on American soil, data gathered and stored in Europe should only be subject to EU laws. But the case is still ongoing. To what extent European and American law will interact in the future remains unclear.
The current status of the e-Privacy Regulation
The first draft of the e-Privacy Regulation required that browser settings should generally be set to the highest privacy level. In these settings, browsers do not accept cookies from third parties. This would eliminate the currently widely used cookie banners, as users would have to actively decide to accept cookies. This requirement was based on the “privacy by design” principle already set out in the GDPR. However, a more recent draft relaxes the regulations for browser settings. This allows users to decide from domain to domain whether or not to accept cookies.
What does the EU cookie law look like in everyday life?
The body responsible for interpreting and enforcing The Cookie Law in the UK is the Information Commissioner’s Office (ICO). The ICO has chosen a general opt-out strategy for UK website operators, meaning that site visitors just have to be informed that cookies are being used. Many of these cookie notifications appear in the form of banners at either the top or bottom of a website’s homepage, and some require no direct interaction. Here are some examples of how certain well-known websites have displayed their cookie notifications:
Channel 4 give a comprehensive explanation of what cookies are and how they use them. This appears in a display bar at the top of the homepage, accompanied by a link to cookie management and an ‘Accept & Close’ box. This box stays in its place until you click ‘Accept & Close’, but it doesn’t follow the page, disappearing if you scroll down.
Hotel Chocolat take a humorous approach to their cookie usage, displaying a small box in the bottom left corner of the screen with a joke playing on the double meaning of ‘cookie’. They also offer a link to their cookie usage guide and an X in the corner of the box to close it, although it disappears as soon as the user clicks elsewhere on the screen too.
EU cookie laws: what does it mean for the US?
The extent to which the EU privacy directive will affect your business in the US is slightly unclear and open to interpretation. The simple legal answer is that these laws won’t have much impact, because the US isn’t part of the European Union, so it has different restrictions and guidelines when it comes to online privacy. If you’re operating a website or online shop in the United States with content aimed at American citizens, you don’t need to worry about the EU cookie restrictions. But there’s a grey area for US website operators featuring content aimed at people in the EU. For example, if you’re running a website about the Six Nations rugby tournament, played between England, Scotland, Ireland, Wales, France, and Italy, then you’re likely to get some website visitors from these countries. It’s possible that you could be violating EU law by not actively disclosing cookie information. And even if you’re not, it’s important to remember that EU citizens wishing to visit your site will now have an increased understanding and awareness of cookies and what they mean. So it makes sense to notify site visitors using the same methods we’ve suggested above. If you offer an alternate website for EU citizens, for example a UK version of your online store, then you must follow the EU cookie law – and you must adhere to the guidelines set out in the EU GDPR anyway for all your sites, in case these want to be accessed by EU visitors.
For a full overview of cookie restrictions and other data protection laws in the US, you can refer to the usa.gov privacy, security, and accessibility policies page.
The Cookie Law: know where you stand
Cookies are becoming more and more integral to everyday internet use. Without them, website operators wouldn’t be able to offer users the stylized and personalized content that we’ve all grown accustomed to. This has even been recognized by the EU privacy directive, which has conceded that some cookies are now essential for user experience, for example login information and online shopping carts. But other cookies that are useful for retargeting and other forms of display advertising may frustrate and annoy the user, and so The Cookie Law is designed to increase user awareness of cookies and give them the option to opt out and not have their website browsing tracked.
Website operators should keep a close eye on further developments concerning the EU Cookie Directive, because the legal situation will definitely change with the new e-privacy regulation, even if it is not yet quite clear how. The GDPR in the EU contains further guidelines for the security of personal user data. As long as the e-privacy regulation is not yet legally binding, cookies will be considered to be related to personal data as defined in Chapter 1 of the GDPR, since they collect data which make a user identifiable (identification numbers, user profile, etc.).
With the introduction of the GDPR, stricter rules will also apply in this country and for your online business for processing and collecting the personal data of visitors from EU websites. Implementing these regulations precisely will also save website operators a good deal of work if the “new cookie directive” in the form of the e-privacy regulation comes into action in the next few years.
In the following video, you can see how to delete cookies from the Chrome browser: