describe the imageAs many HubSpot customers are aware, the EU has recently issued guidelines regarding the use of cookies on websites operated within their jurisdiction. 

What is the new directive?

A new directive from the EU says that websites operated in the EU must get prior consent of users to use cookies stored on the user’s device. Excluded from this rule are cookies that are “strictly required” – a term which is not well defined but at least includes cookies to complete e-commerce shopping cart experiences and probably login cookies.

When does it take effect?

The new directive took effect on May 26, 2011, but so far only three EU countries have complied with it: the United Kingdom, Denmark, and Estonia.  In the UK, there is a 12-month grace period for websites to comply.  Several other EU nations are still deciding on their approach and it is generally accepted that there is a one-year grace period in effect in all EU countries to comply with the new regulation.

What are the major issues with the new directive?

The directive is not clear on implementation required to comply and hence different countries are taking different approaches.   Moreover there are technical challenges such as if a user says they do not wish to be tracked by cookies the website needs to drop a cookie on the user’s machine to know not to track them. It appears that relying on a browser’s settings for cookie handling, and/or describing cookie usage in a site’s privacy policy is not enough to comply with the new directive. 

What does this mean for my business?

Once the directive is in full effect, after the 12-month grace period, violators of the directive will be subject to a £500,000 fine. It is unclear what the penalties will be in various different countries since most are still reviewing how to interpret the directive for their country.

What could a solution look like?

As an example, see the implementation by the the UK’s Information Commissioner’s Office itself on its website.  See the warning notice at the top of the home page which a user must click "accept" on to enable cookies on the site.

rtaImage

The ICO also provides details on how it uses cookies in its privacy policy:

rtaImage (1)

How does HubSpot use cookies today?

Today, HubSpot uses a number of cookies, including the ones listed below.  Note that this information is subject to change over time, and that this FAQ might become obsolete.  

  • Session cookies: Once you’re a HubSpot customer, this kind of cookie keeps you logged into the application as you move through different pages and applications. 
    • These cookies are used -- even by the ICO -- without asking for a user’s permission, because it is technically difficult to do so and indicating how it’s hard to consistently follow the letter of this new directive.
  • Visitor cookies: So that HubSpot can track which visitors have come to our site before to maintain usage stats.
    • This is the “HubSpot user token” cookie, also known as hubspotutk, and there is one left on every browser visiting a HubSpot-hosted web site.  
    • This cookie contains no confidential or personal information at all, only a unique string value that is meaningless by itself, but identifies that browser.
    • If this cookie is enabled or opted out of, HubSpot will be unable to connect the visitor’s page views to other events, like form submissions and lead-related events.
  • Third-party cookies: Used for aggregate usage stats like those collected by Google Analytics
    • HubSpot itself does not employ any 3rd-party cookies.
    • Some HubSpot customers using our content management system (CMS) use custom JavaScript and custom cookies that they themselves designed and implemented, in order to provide custom functionality on their web site. HubSpot is not responsible for those cookies or their contents.

These cookies are used in a manner that is not intended to be disallowed by the new directive (which is primarily designed to prevent tracking of a user across sites, usually for targeted advertising).  So HubSpot software is in line with the spirit of the law, if not yet on the implementation.

What is HubSpot going to do about adhering to the directive?

HubSpot is evaluating the law, various interpretations by countries, moves made by browser manufacturers and other trends to determine what is the best course of action for our customers.

Certainly, some interpretations of the law will make the user experience for website visitors onerous and a nuisance so HubSpot is not yet committed to a particular solution.

We aim to comply with regulations while ensuring that our customers have an optimal browsing experience for their sites.

Please watch this page in the coming months for updates on HubSpot’s plan of action.

What if I have further questions on this issue?

Other sources:

UK Government Published Open Letter on Cookie Consent

Originally published Jun 15, 2011 11:13:00 AM, updated December 16 2013