A question on the radar of many companies in the past year has been how to get user consent for using cookies on their respective .com and country-code domains. Because a lot has been said and because we have received this question fairly often, it is time to share our view on the subject.
Over the past few years there has been a healthy debate around online privacy and several changes have been made to online privacy legislation, including several updates of the EU-wide Directive on Privacy and Electronic Communications (or, in short, the "E-privacy Directive"). One particular area of interest has been how to collect user consent for storing data in cookies.
What is a cookie?
According to the EU Internet Handbook a cookie is "a small piece of data that a website asks your browser to store on your computer or mobile device. The cookie allows the website to "remember" your actions or preferences over time. Most browsers support cookies, but users can set their browsers to decline them and can delete them whenever they like."
To make things more complicated there are different types of cookies, which is relevant to the question of consent. First of all, a cookie can be classified by its lifespan:
- Session cookies, which are erased when the user closes the browser, or
- Persistent cookies, which remain on the user's computer/device for a pre-defined period of time.
Secondly, cookies can be classified by the domain to which they belong:
- First-party cookies, which are set by the web server of the visited page and share its domain, or
- Third-party cookies, which are set by a domain other than the visited page's domain.
What does the legislation say?
- Do all cookies require "prior informed consent"?
- How exactly do I gain "prior informed consent"?
Do all cookies require "prior informed consent"?
Not all of them: some cookies are exempt from the consent requirement. According to the 2012 Opinion on Cookie Consent Exemption, consent is not required for:
- User‑input cookies such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session (i.e. session cookie, or persistent cookies limited to a few hours in some cases)
- Authentication cookies, to identify the user once he/she has logged in, for the duration of a session
- User‑centric security cookies, used to detect authentication abuses, for a limited persistent duration (e.g. too many login attempts during a limited time period)
- Multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
- User‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
- Third‑party social plug‑in content‑sharing cookies, for logged‑in members of an offsite community (e.g. LinkedIn or Facebook)
How exactly do I gain "prior informed consent"?
Since the E-privacy Directive is implemented through local legislation across Europe, it is likely that some countries will go further than others in the coming years. We can, however, draw some conclusions by looking at how some major websites handle it today: companies that are likely to be scrutinised and therefore should make sure they are in compliance.
How do major companies do it?
- Amazon.com has a "Privacy Notice" information link at the bottom of the website. Clicking this takes you to a page where you can read a lot of things, including a "What about cookies?" section.
- Apple.com has the same setup as Amazon.com.
- Microsoft.com also has the same setup as Apple.com and Amazon.com.
What about the European versions of the above websites: are they the same?
Is this enough?
Looking at the examples from Amazon, Apple and Microsoft in light of the quotes from ICO, a "banner alert" solution like the one from Microsoft is more likely to be in full compliance with the "prior informed consent" rule than the simpler solution of providing a clear cookie link in your footer. However, the best answer to the question above is that it remains to be seen and is likely to vary by country. To illustrate this point: in Sweden, for example, the Post and Telecom Regulator "Post och Telestyrelsen" (equivalent to Ofcom in the UK) still to this day has a link in its footer to a page "About cookies" and nothing else. Likewise, the Swedish Data Inspection Board, "Datainspektionen" (the equivalent of ICO in the UK), has hidden its cookie information as a subcategory of "About this Website".
Step by step guide to cookie compliance
We can summarise the above in a few simple bullet points, creating a step-by-step framework to follow when using cookies to store data about users:
- If you think a cookie is essential, ask yourself how intrusive it is: what data does each cookie hold? Is it linked to other information held about the user? Is its lifespan appropriate to its purpose? What type of cookie is it?
- Evaluate for each cookie whether informed consent is required or not:
  - First‑party session cookies don't require prior informed consent.
  - First‑party persistent cookies do require prior informed consent.
  - All third‑party session and persistent cookies require prior informed consent.
- If required, gain the "prior informed consent" from users (e.g. by following one of the approaches described above).
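To make the classification and the decision rule concrete, here is an added example (not from the original post) in Python that parses Set-Cookie header values, classifies each cookie by lifespan and by party, and applies the three bullets above. The hosts, cookie names and values are constructed, and the same-site check is a deliberate simplification that ignores the Public Suffix List.

```python
from dataclasses import dataclass


@dataclass
class CookieAssessment:
    name: str
    lifespan: str          # "session" or "persistent"
    party: str             # "first-party" or "third-party"
    consent_required: bool


def _same_site(host_a: str, host_b: str) -> bool:
    # Simplification: hosts are same-site when one is a suffix of the other at a
    # label boundary (www.example.com vs example.com). A production check must use
    # the Public Suffix List so that a.co.uk and b.co.uk are NOT treated as one site.
    a, b = host_a.lower().lstrip("."), host_b.lower().lstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def assess_set_cookie(header: str, set_by_host: str, page_host: str) -> CookieAssessment:
    """Classify one Set-Cookie value and apply the consent rule from the guide above."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")       # flags like Secure have no value
        attrs[key.strip().lower()] = value.strip()

    # Lifespan: no Max-Age and no Expires means the cookie dies with the browser
    # session. Max-Age wins over Expires (RFC 6265). Max-Age <= 0 deletes the cookie,
    # so nothing persists and we treat it as non-persistent.
    if "max-age" in attrs:
        persistent = attrs["max-age"].lstrip("-").isdigit() and int(attrs["max-age"]) > 0
    else:
        persistent = "expires" in attrs

    # Party: browsers reject a Domain attribute that does not cover the responding
    # host, so the host that sent the response decides whether it is first-party.
    first_party = _same_site(set_by_host, page_host)

    # Decision rule: first-party session -> no consent; anything else -> consent.
    consent_required = persistent or not first_party
    return CookieAssessment(name, "persistent" if persistent else "session",
                            "first-party" if first_party else "third-party", consent_required)


# Constructed sample: Set-Cookie values and the host that sent each one while the
# user visits https://www.example.com/ (all names and hosts are illustrative).
SAMPLE_RESPONSES = [
    ("SESSIONID=abc123; Path=/; Secure; HttpOnly", "www.example.com"),
    ("lang=en; Max-Age=31536000; Path=/", "www.example.com"),
    ("uid=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.ads.example.net", "cdn.ads.example.net"),
]


def assess_all(page_host: str = "www.example.com") -> list:
    return [assess_set_cookie(h, host, page_host) for h, host in SAMPLE_RESPONSES]
```

Running `assess_all()` flags the first-party session cookie as not needing consent and the other two as needing it, which is exactly the rule the guide states.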