Cookie consent: How far do you need to go?

A question on the radar for many companies in the past year has been how to get user consent for using cookies on their respective .com/.xx's? Because a lot has been said and because we've received this question fairly often it is time to share our view on the subject.  

Background

Over the past few years there has been a healthy debate around online privacy and seveal changes have been made with regards to online privacy legislation, including several updates of the EU-wide Directive on Privacy and Electronic Communication (or in short the "E-privacy Directive"). One particular area of interest has been how to collect user consent for storing data in cookies.

What is a cookie?

According to the EU Internet Handbook a cookie is "a small piece of data that a website asks your browser to store on your computer or mobile device. The cookie allows the website to "remember" your actions or preferences over time. Most browsers support cookies, but users can set their browsers to decline them and can delete them whenever they like."

To make things more complicated there are different types of cookies which is relevant for the question of consent. First of all a cookie can be classified by its lifespan and the domain to which it belongs:

• Session cookies which are erased when the user closes the browser, or
• Persistent cookies which remains on the user's computer/device for a pre-defined period of time.

Secondly, cookies can also be classified by the domain to which it belongs:

• First-party cookies which are set by the web server of the visited page and share the same domain, or
• Third-party cookies stored by a different domain to the visited page's domain.

What does the legislation say? 

The the E-privacy Directive Article 5(3) requires what is called "prior informed consent" for storage or for access to information stored on a user's computer/device. In other words, you must ask users if they agree before your site starts to use cookies. The two followup questions become:

• Do all cookies require "prior informed consent"?
• How exactly do I gain "prior informed consent"?

Do all cookies require "prior informed consent"?

In fact, some cookies are exempt from the above requirement. According to the 2012 Opinion on Cookie Consent Exemption, consent is not required for:

• User‑input cookies such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session (i.e. session cookie, or persistent cookies limited to a few hours in some cases)
• Authentication cookies, to identify the user once he/she has logged in, for the duration of a session
• User‑centric security cookies, used to detect authentication abuses, for a limited persistent duration (e.g. too many login attempts during a limited time period)
• Multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session 
• User‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
• Third‑party social plug‑in content‑sharing cookies, for logged‑in members of an Offsite community (e.g. Linkedin or Facebook)

How exactly do I gain "prior informed consent"?

Since the E-privacy Directive is implemented into local legislation across Europe, it is likely that some countries will start to go further than others in the coming years, but we can draw some conclusions from looking at some major websites today, companies that should have their eyes on them and therefor make sure they are in compliance:

How do major companies do it?

• Amazon.com have a "Privacy Notice" information link at the bottom of the website. Clicking this takes you to a page where you can read a lot of things including "What about cookies?" information.
• Apple.com has the same setup as Amazon.com
• Microsoft.com also has the same setup as Apple.com/Amazon.com

What about the European versions of above websites, are they the same?

• Amazon.co.uk have implemented a "Cookies & Internet Advertising" link in addition to Privacy Notice. On this page Amazon informs that simply "Visiting Amazon's websites with your browser settings adjusted to accept cookies or using Amazon devices, mobile apps, or other software tells us that you want to use Amazon's products and services and that you consent to our use of cookies...". This is known as "implied consent", more on this shortly.
• Apple.co.uk have also implemented the same type of additional footer link as Amazon.co.uk and calling it "Use of Cookies". Apple aren't as explicit as Amazon, simply describing what cookies are and what types of cookies they are using, as well as how to prevent cookies in your browser. This is also implied consent.
• Microsoft.co.uk have chosen another way to go. They have implemented a "cookie banner" at the top of the website, stating "By using this site you agree to the use of cookies for analytics, personalised content and ads" and then you can click to close the banner or to "Learn more" about the use of cookies, much like Apple.co.uk. This is also implied consent.

To sum up, these companies all seem to go for what is known as "implied consent", meaning that they don't expressly ask users to actively accept or deny the use of cookies to store data, instead they consider that their actions (like continued usage of a websites/app etc.) in itself is a way for the user to give his/her consent to storing data in cookies.

Is this enough?

According to guidance given by the Information Commissioner's Office in the UK, impled consent is "a valid form of consent and can be used in the context of compliance with the revised rules on cookies". However, they also say that "If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set." and that "You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand."

Looking at the examples from Amazon, Apple and Microsoft in light of the quotes from ICO, it is more likely that a "banner alert" solution like the one from Microsoft would be in full compliance with the "prior informed consent" rule than the more simple solution of providing a clear cookie link in your footer. However, the best answer to the question above is that it still remains to be seen and is likely to vary by country. To make this point, in Sweden for example, the Post and Telecom Regulator  "Post och Telestyrelsen" (equivalent to Ofcom in the UK) still to this day have a link in their footer to a page "About cookies" and nothing else. Likewise, the Swedish Data Inspection Board, "Datainspektionen" (the equivalent to ICO in the UK) has hidden its cockie information as a subcategory to "About this Website".

Step by step guide to cookie compliance

We can summarise above in a few simple bullet points creating a step by step framework to follow when using cookies to store data about users:

1. Ask yourself whether the use of cookies is really necessary?
2. If you think a cookie is essential, ask yourself how intrusive it is: what data does each cookie hold? Is it linked to other information held about the user? Is its lifespan appropriate to its purpose? What type of cookie is it?
3. Evaluate for each cookie if informed consent is required or not:
   • First‑party session cookies don't require prior informed consent.
   • First‑party persistent cookies do require prior informed consent.
   • All third‑party session and persistent cookies require prior informed consent. 
4. If required, gain the "prior informed consent" from users (by e.g. looking at the interpretations above).
5. Inform users about the use of cookies in a clearly written "cookie notice" page (should always be present from a trust perspective, regardless of it being considered enough to gain prior informed consent or not).

If you want to discuss above or related questions with Zooma, then get in touch with us!