A Marketer's Guide to Complying With EU Cookie Laws

    by Jeffrey Russo

    Date

    September 3, 2012 at 9:00 AM

    We've come a long way, baby. Remember when web and marketing analytics were just about measuring the number of times your page loaded? Ha! What hogwash.

    Now, marketers can barely survive without detailed reports on how visitors are actually using their website.

    But with great power comes great responsibility. As tracking systems have become more robust, the question comes up more and more often -- should users have a say in the matter, or at least be informed of how they are being tracked?

    It's a question that many government organizations are starting to consider; in fact, the European Union took up the issue back in 2009. Their efforts culminated in what has come to be known as the EU Cookie Directive, a wide-reaching piece of legislation that requires EU member countries to pass laws around web privacy. And since a large segment of our audience markets to European internet users, we thought it prudent to give a rundown of what exactly the EU Cookie Directive means for marketers.

    (Note: This article does not constitute legal advice. If you have questions about how these laws apply to your business, you should contact a legal expert for help.)

    What does the law actually say?

    While the part of the legislation that has come to be known as the “cookie directive” is just one piece of a larger set of regulations on web privacy, this particular portion is capturing the lion’s share of attention as it impacts a huge number of websites:

    "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information."

    This part of the regulation is aimed squarely at systems that store information about a user on their own computer -- cookies, LocalStorage (a feature of HTML5), and Flash objects, to name a few -- the first of which is used by most web analytics systems like Google Analytics and marketing analytics tools like HubSpot. The law requires companies to obtain “explicit consent” before storing data in ways that may be considered to be “intrusive.”

    From its date of passage in 2009, EU member nations have had time to formulate and implement their own legislation. One of the first of such laws to come into effect is from the UK, which the government started enforcing on May 26th, 2012. Other nations are at various stages of drafting and releasing their own laws, too.

    Who does this apply to?

    In short, if you are based in Europe or have offices in Europe, you are technically subject to the law -- or will be eventually, as more and more nations come into compliance. For sites based outside of the EU, the EU contends that targeting users in their member states would require compliance. That being said, this is a grey area, and most sites outside of the EU have not taken any steps to do so.

    So, what does complying actually mean?

    What “complying” with the law means depends a lot on your interpretation of the law, and the interpretation of the individual nations. The directive from the EU was ambiguous about a few things -- what constitutes consent, and exactly what it means to “provide” a user with information on how your site uses cookies. That being said, here's what we do know, and how it’s being interpreted in the UK’s law, which is the most solidified example at this point.

    The UK government seems to have a more relaxed interpretation of the law.

    The initial regulations that came down from the EU seem clear -- site owners should be getting explicit consent before installing cookies on their visitors' computers in almost all cases, and websites that use cookies should also have an up-to-date privacy policy that spells out what cookies are being installed and exactly what information they collect.

    But there is some ambiguity. More recent guidance from the UK government’s Information Commissioner’s Office (the body responsible for implementing the law in the UK) made it unclear whether consent can be implied or must be explicit. For example, do websites have to prompt a user with a banner or popup before installing cookies, or can they assume that the user would be okay with it? The ICO says that implied consent is a valid form of consent in some cases, which dramatically changes how the law affects most websites.

     

    [Image: BBC cookie banner]

     

    The BBC has taken an approach somewhere in the middle -- explicitly informing visitors that they store cookies with this banner, but letting visitors opt not to have their cookies stored by changing their cookie settings.

    Some cookies are exempt.

    Cookies have a lot of uses outside of tracking visitors to your website. Many websites use cookies to store mundane data about a visitor's preferences, or the state of their browser -- kind of like when a site remembers the items you've placed in your shopping cart as you continue to shop for other things. While there isn’t a clear line on what is and isn’t covered, cookies that are being used in this way may be exempt.

    While a number of UK-based sites have rolled out changes to get explicit consent from their users before installing cookies, many appear to be leaning toward the more relaxed interpretation from the ICO. You can find the guidance here and make a decision for yourself.

    What's the bottom line?

    The bottom line here is that it’s still early, and how these new regulations will be interpreted and enforced isn’t clear just yet. The best course of action is to read the actual EU directive and UK legislation yourself, get help from a qualified legal expert if you need it, and make your own decision about the best way to manage the use of cookies on your website.

    Like many analytics providers, HubSpot has made changes that allow our customers to customize their tracking code to comply with the regulations in the way they think is best, whether it’s an updated privacy policy, a popup, or another means of informing visitors to your website.

    This article does not constitute legal advice. If you have questions about how these laws apply to your business, you should contact a legal expert for help.

    Image credit: big-pao
