EU law regulates the use of cookies because, left unregulated, they could be a major problem for privacy.
Tracking cookies note your browsing habits, making it possible for websites to serve up advertisements for products you have looked at on other sites. This could help you find the best deal and it ensures that advertisers get the best value from their advertising budgets, but many people feel uneasy about websites tracking their every online move, using the browser history for gain.
EU law recognises that users should have a right to understand what cookies are being used by the websites they visit, and how the information those cookies gather is used. Users should also have the right to opt out of collection if they wish. These principles are embodied in the so-called cookie law, Directive 2009/136/EC, which requires websites to obtain consent from users before setting cookies. That consent must be informed, so website owners must tell visitors that cookies are being set, and what they will be used for.
So there are four things that website owners must do:
- Tell visitors that the website sets cookies;
- Provide detailed information about how data collected by cookies will be used;
- Allow visitors to accept cookies; and
- Ensure that cookies will not be set on their machine if they opt out or refuse.
The law is not very specific about how precisely these things must be done.
Permitted cookies
Not all cookies pose privacy problems. Some are essential to the working of the World Wide Web. Cookies that are strictly necessary to perform the services requested by visitors are covered by an exception.
For example, cookies ensure that when a user shops online the contents of their basket are not forgotten before they check out. It would be absurd to ask customers whether they wish to opt out of that sort of cookie. The same is not true of cookies that customise the user's experience or tailor product suggestions.
Where websites require a high level of security - for example, online banking - cookies that provide security features will be regarded as strictly necessary. However, it is not possible to be absolutely certain about when cookies are strictly necessary, and individual Member States may have their own interpretations of the EU requirements.
The legislation is not restricted to cookies: other technologies enable website owners to collect user information, many of which involve pushing files to the user's device. Any such technology must be disclosed, and needs consent from the user.
How users must be informed is not something the legislation specifies. It takes a general, high-level approach. Popups and header bars are common solutions to the problem of informing visitors, and it is permissible to provide detailed information elsewhere - perhaps in the website's privacy policy. However, the opt-out setting has to be provided in the pop-up, header bar or whatever you are using. If users do not opt out of cookies, this constitutes consent for the purposes of the cookie law (although this can no longer be relied on to constitute consent for other privacy legislation).
Cookie information may be contained in the website's privacy notice or in the terms and conditions, but this is a less satisfactory technique. It is not generally the case that users are required to accept those documents - as they have to do with cookies, of course. And consent to cookies has to be specific.
Consent must be obtained the first time a visitor looks at your site. Cookies should identify returning visitors, so they will not be asked for consent again. Changes to the cookies will not normally require consent, but if significant changes to how the cookies work, or what you do with the information, have been made, new consents may be necessary, and erring on the side of caution is always the best policy.
The information provided about cookies on your website should be linked from each page of the site. It should detail the types of cookie used (not every single cookie) and how the information from each of these categories is used.
Not required, but often prudent, is a description of what cookies are. Arguably, as users have become more familiar with the technology, the need to explain what cookies are has diminished.
Opting out
It is permissible to put the burden on the user to disable cookies in their browser settings. The alternative would be simply not to use the site, and this is probably not what the site's owner wants, so websites will often be set up to withhold cookies when the user chooses to opt out. This may mean that the user does not fully enjoy the website experience, and it is common to tell the user that by rejecting cookies they may lose some of the website's functionality.
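The mechanism the article describes, as an added example that is not part of the original article: a consent record stored in its own cookie so returning visitors are not asked again, a version number so that a significant change to cookie practice triggers a fresh request, and a gate that sets strictly necessary cookies unconditionally but withholds every other category until the visitor has accepted (and removes them again if the visitor later rejects). The cookie jar is a plain object so the snippet runs outside a browser; the cookie name, category labels and version number are assumptions, not taken from the article or any law.

```javascript
// Added example: a minimal consent gate for non-essential cookies.
// The jar is a plain object here so the code runs anywhere; in a real page
// you would read and write document.cookie instead (assumption, not from the article).

const CONSENT_COOKIE = "cookie_consent"; // hypothetical name of the consent-record cookie
const CONSENT_VERSION = 2;               // bump when cookie practice changes significantly
const NECESSARY = "necessary";           // the only category that never needs consent

// Returns "accept", "reject", or null when no valid, current decision is stored.
function readConsent(jar) {
  const raw = jar[CONSENT_COOKIE];
  if (typeof raw !== "string") return null;
  const [version, decision] = raw.split(":");
  if (Number(version) !== CONSENT_VERSION) return null; // practice changed: ask again
  if (decision !== "accept" && decision !== "reject") return null;
  return decision;
}

// The banner must be shown on a first visit and again after a version bump.
function needsBanner(jar) {
  return readConsent(jar) === null;
}

// Record the visitor's decision; rejecting also purges non-essential cookies already set.
function recordConsent(jar, decision, categories) {
  if (decision !== "accept" && decision !== "reject") {
    throw new Error("decision must be 'accept' or 'reject'");
  }
  jar[CONSENT_COOKIE] = `${CONSENT_VERSION}:${decision}`;
  if (decision === "reject") purgeNonEssential(jar, categories);
}

// Set a cookie only if its category is strictly necessary or consent has been given.
// Returns true when the cookie was set, false when it was withheld.
function setCookie(jar, name, value, category, categories) {
  categories[name] = category; // remember each cookie's category for later purging
  if (category === NECESSARY || readConsent(jar) === "accept") {
    jar[name] = value;
    return true;
  }
  return false;
}

// Remove every cookie that is not strictly necessary (used on rejection or withdrawal).
function purgeNonEssential(jar, categories) {
  let removed = 0;
  for (const name of Object.keys(jar)) {
    if (name === CONSENT_COOKIE) continue;
    if (categories[name] !== NECESSARY) {
      delete jar[name];
      removed += 1;
    }
  }
  return removed;
}

// Walk through a first visit, acceptance, and a later withdrawal.
function demo() {
  const jar = {};          // constructed: an empty browser cookie jar
  const categories = {};   // constructed: name -> category bookkeeping
  const log = [];
  log.push(["banner on first visit", needsBanner(jar)]);
  log.push(["basket set before consent", setCookie(jar, "basket", "b1", NECESSARY, categories)]);
  log.push(["ad cookie withheld before consent", setCookie(jar, "ad_id", "a1", "advertising", categories)]);
  recordConsent(jar, "accept", categories);
  log.push(["banner after accept", needsBanner(jar)]);
  log.push(["ad cookie set after accept", setCookie(jar, "ad_id", "a1", "advertising", categories)]);
  recordConsent(jar, "reject", categories);
  log.push(["ad cookie gone after reject", jar.ad_id === undefined]);
  log.push(["basket survives reject", jar.basket === "b1"]);
  return log;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [step, result] of demo()) console.log(step, "->", result);
}
```

A cookie written under an older `CONSENT_VERSION` is treated as no decision at all, which is how the article's advice to seek fresh consent after significant changes is implemented; if a change is minor, leave the version alone and returning visitors are not asked again.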