The "Article 29 Working Party" recently ran a Cookies Sweep to determine what website operators are currently doing to stay compliant with the ePrivacy Directive, specifically its amended Article 5(3).
Article 5(3) requires that all businesses in the EU must inform users when a website will place cookies on their computers and must obtain consent before a cookie can be placed.
Most websites and mobile app developers choose to inform users about their use of cookies through their Privacy Policy agreement, but you can also have a separate Cookies Policy.
The Article 29 Working Party was formed in 1996 to address issues related to data protection and privacy in Europe. This independent advisory body includes a data protection authority from each EU Member State, as well as the European Commission and the European Data Protection Supervisor.
This working party gives expert opinions and advice to EU states and the Commission and attempts to promote uniformity in the way the Data Protection Directive is applied throughout all EU states, plus Norway, Liechtenstein, and Iceland.
What are cookies?
Cookies are small files that a website sends to the user's web browser, which stores them on the user's PC when the user visits (or lands on) a website that uses cookies.
Cookies are commonly used by websites and increasingly by mobile apps as well, and play an important role: they tell the website how to treat that browser (the user using that specific browser) during future visits to the website.
Cookies can enhance the user's experience on a website by allowing for remembered passwords, personal preferences, and other data, so that each time the user visits the same site, the same information doesn't have to be re-entered.
Whenever you go to a website that you can log in to and your username is already populated for you upon arriving at the login page, this is because of a cookie.
Most cookies usually don't store personal information about a user. If they do, it's only information the user provided to the website, such as a username or email address.
Findings from the Cookie Sweep
The Article 29 Working Party Cookie Sweep examined 250 of the most frequently visited websites in the media, e-commerce, and public sectors of the member states involved in the sweep. These sectors were chosen because they involve the greatest risks of having issues with privacy and data protection for EU citizens.
Some of the main highlights from the Cookie Sweep include:
- Websites seem to use a very large number of cookies. On average, media websites were found to place about 50 cookies on a user's browser during that user's first visit to the website.
- Expiration dates of cookie files are often set excessively far into the future. While the average expiration date on the assessed cookies was about one to two years from the date the cookie is set, a few were found to have expiration dates about 8,000 years into the future. Such cookies would remain in place forever unless manually removed; and even at the average, visiting a website just once means it is possible that two years later you will still have a cookie from that one visit.
- A quarter of the websites assessed did not inform visitors that cookies are in use. Half of the websites that did inform users that cookies are in use did not seek to obtain any sort of consent from the user before storing cookies.
- Limited options for control. Only about 16% of websites allowed any level of control for opting out of cookies being placed on a visitor's browser.
How to improve your privacy practices
There are a number of easy steps you can take on your website to ensure that you stay compliant with the ePrivacy Directive:
Step 1 - Inform
Immediately inform your visitors about cookies being in use on your site.
When someone first visits your website, and before placing any cookies on the visitor's browser, you should present all of the information about the cookies your website uses in a single page or location.
Tell your visitors:
- What types of cookies you use
- What types of cookies you allow third parties to use
- Any technical specifics about these cookies
This information can be sufficiently displayed in a pop-up window or a top notification header that contains all of the cookies information, or that links to this information on a separate page (if the information is in-depth and lengthy).
Take a look at the way Facebook informs users of the ways cookies are used on the website on their "Cookies, Pixels & Similar Technologies" page:
Facebook explains how cookies enhance a user's experience and which third parties are authorized to place cookies on the Facebook website.
Creating a webpage similar to Facebook's example above - that describes your own usage of cookies and linking users to the page on their first visit to your site and before any cookies are placed - can help keep you compliant with the ePrivacy directive.
The image below is a good example of how Facebook uses a chart to show what types of cookies are placed on a user's PC and what exactly that type of cookie is used for:
You can place this kind of information about your usage of cookies in your current legal agreements or on a separate "Cookies Policy" page:
- Inside the already created "Privacy Policy" agreement
- A separate "Cookies Policy" agreement or "Cookies" page
Step 2 - Obtain consent
Obtain consent before placing any cookies.
There are a few ways in which you can obtain consent from users on placing cookies to comply with the EU Cookies law.
One way is by requiring the user to click on something that clearly shows an acceptance of cookies being used, such as in the example below from the BBC website:
By alerting the user that you will place cookies if that user clicks Continue, you obtain consent from the user at the moment of the click.
A more subtle but equally effective and acceptable way to obtain sufficient consent to place cookies is to clearly inform visitors that your website uses cookies and that by continuing to use the site, they are consenting to the cookies being used on your website.
Link to further information about your cookies if you don't provide it right there, and allow a way for cookie settings to be accessed.
This information can be placed as a footer notification or inline header that doesn't break up the flow of your site and does not require an active click to signal consent, unlike the previous example.
Step 3 - Give control
Allow users the ability to pick and choose which cookies they wish to accept.
Provide your users with information about which cookies you place and what each cookie is used for.
You can also go one step further and provide an option for opting out of all cookie usage as well as individual cookies.
In the image shown above, note the "Change your cookie settings" link. A link like this should lead to the corresponding "Cookies" section of the legal agreement that details what kinds of cookies are being stored, what each cookie's purpose is, and how to decline an individual cookie.
Linking to this information in a visually prominent place like a top header or floating window makes it easy for the user to learn more about cookies on your website.
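As an added example (not code from the original article or from any site it mentions), the three steps above as a small JavaScript consent gate: non-essential cookies are refused until the visitor opts in to their category, lifetimes are capped so a cookie cannot outlive the consent by years, and withdrawing consent removes cookies already placed. The cookie jar is a plain object standing in for document.cookie so the code runs outside a browser; the category names, cookie names and the one-year cap are assumptions.

```javascript
// Assumed policy cap (not from the article): no cookie may live longer than one year.
const MAX_COOKIE_AGE_SECONDS = 365 * 24 * 60 * 60;

// Strictly necessary cookies (session, CSRF token) are allowed without consent;
// every other category starts out declined until the visitor opts in (Step 2).
function createConsent() {
  return { essential: true, preferences: false, analytics: false, advertising: false };
}

// Step 3: the visitor picks and chooses categories; "essential" cannot be switched off.
function updateConsent(consent, categories, allowed) {
  for (const c of categories) {
    if (c === 'essential') continue;
    if (!(c in consent)) throw new Error(`unknown cookie category: ${c}`);
    consent[c] = allowed;
  }
  return consent;
}

// Place a cookie only if its category has been consented to, and never let a
// lifetime exceed the cap (the sweep found expirations 8,000 years out).
function setCookie(jar, consent, { name, value, category, maxAge = MAX_COOKIE_AGE_SECONDS }) {
  if (!(category in consent)) throw new Error(`unknown cookie category: ${category}`);
  if (!consent[category]) return false; // declined: nothing is written
  jar[name] = { value, category, maxAge: Math.min(maxAge, MAX_COOKIE_AGE_SECONDS) };
  return true;
}

// When consent is withdrawn, delete cookies already placed in the declined categories.
function enforceConsent(jar, consent) {
  let removed = 0;
  for (const [name, cookie] of Object.entries(jar)) {
    if (!consent[cookie.category]) { delete jar[name]; removed += 1; }
  }
  return removed;
}

// Walk-through with constructed values: first visit, opt-in to analytics, then withdrawal.
function simulateVisit() {
  const jar = {};
  const consent = createConsent();
  const placedBefore = setCookie(jar, consent, { name: 'stats_id', value: 'v1', category: 'analytics' });
  setCookie(jar, consent, { name: 'sid', value: 'abc123', category: 'essential', maxAge: 10 ** 9 }); // capped
  updateConsent(consent, ['analytics'], true);
  const placedAfter = setCookie(jar, consent, { name: 'stats_id', value: 'v1', category: 'analytics' });
  updateConsent(consent, ['analytics'], false);
  const removed = enforceConsent(jar, consent);
  return { placedBefore, placedAfter, removed, remaining: Object.keys(jar), sidMaxAge: jar.sid.maxAge };
}
```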
To summarize, if you have a business in the EU and your website uses cookies, you need to let your website visitors know:
- That you use cookies
- What cookies you use
- How you use these cookies
You must obtain consent to place cookies on a user's PC. This can be done in one of two ways:
- Active consent.
Before a user can browse your website, make it a requirement for the user to click on something that shows he/she acknowledges your cookies usage and is OK with it.
This means that any visitor to your website will have to give actual consent before ever having a cookie placed on their computer.
- Passive consent.
You can be less rigid than requiring an actual click in order to give consent. Do this by prominently placing a notification that your website uses cookies and that by continuing to use the website, consent will be assumed.
This at least gives visitors the knowledge that cookies are in use and lets them take steps to avoid them if they so wish.
An example can be seen below of a floating window that adequately alerts visitors and passively obtains consent:
Another example from Mirror.co.uk: