Blog

BLOG

How to comply with the EU Privacy Directive (Part I)

PUBLISHED ON 23 APRIL, 2012

Much has been said about the compliance requirements of the recent changes to the UK’s ePrivacy Regulations (for which a one-year moratory is due to end on May 26th).  Primarily, the new legal framework implies the necessity to request express permission by each user every time a cookie is served or read (and, yes, you are right in imagining this as a mini-banner at the top of the page, or a pop-up for each of your 10-20 cookies: Jakob Nielsen’s worst nightmare).

The reality is, great progress has been made in the course of the past few months. Namely:

• The Information Commisioner’s Office” has issued its own guidelines. Although they consider that “analytical cookies” are not covered by the technical exception included in the provision (“necessary for the provision of the service requested”), they make it clear that they will not be the objective of legal actions for their low level of “intrusion” (intrusiveness).
• The UK Government Digital Service (advising public bodies on the delivery of eGovernment services) has proposed a classification of cookies into three levels of “intrusiveness”, with analytical cookies categorized a level beneath third-party cookies for the managmenet of advertising spaces.
• With the exception of an isolated precedent set forth by the ICO itself, UK government websites are not sking for prior permission for serving analytical cookies, although they include a detailed list of all the cookies used in their new privacy policies,  and this policy is displayed more prominently than before.

Of course, there are more, but in this brief post we do not have space to explore them all- unlike in the Divisadero White Paper,which comprehensively covers them. So let´s get to the point of the recommendations that have great potential to abate our present concerns, for a few months at least:

1. Do an internal cookie audit

You will be surprised by the quantity of cookies that you use without knowing, arriving from different plugins (from content managers, search tools, social buttons…) or even small traces of deleted contents.

You could use one of many free tools for this (eg. Firecookies)

Draft a table with those that have to remain (eliminating the rest, of course) and specify: how long they last (expiry date), their purpose, and in the case that they are served by third parties for their own use, to whom do they belong.

Designate a person within the company responsible for regularly monitoring and updating this table.

2. Change your privacy policy (or legal notice)

 

Explain the different types of cookies that you use in a simple and comprehensive manner to your visitors. To this explanation, add a copy of your table (from your audit- as explained above).

Finally, explain that you will request explicit permission when you use third-party cookies, which are served with the intention of use outside of your site and within a site not specifically requested by the user. Why is this phrase so complex? Think about the Twitter button. If the user has logged in to Twitter, they do not have to re-log in again to share this article, but clicking the button will send information to Twitter (who will read the cookie). Here a third-party cookie is used, but it is the user who has previously requested this service.

And in the opposite case? Think about an ad network for a display ad (“banners”). It is collecting information about users through multiple websites. Your website forms part of the network and provides information about the behavior of the said user. But the user has never specifically requested this service of “advertising personalization”.

In the sequel to this post (part II) I will explain in detail what we at Sweetspot have done to prepare ourselves.

You may also be interested in:

• Following me on Twitter for further news: @sergiomaldo
• Divisadero Report: Global Compliance of Cookie-based Web Analytics Activities.