The EU Cookie Monster


You’ve seen them; in fact, your site probably has one. A large banner or pop-up that warns users that your site uses cookies and allows the user to opt in to (or out of) accepting cookies from your site.

They’re ugly, right?

OK, we’re in agreement here, so why do we need them? The rules and regulations around the use of this notification shift regularly and come under jurisdictional review, making it hard to answer that question cleanly and simply. As recently as October 2015, along with the collapse of “Safe Harbour”, the machinations of cookie consent have changed and been revised.

The basic premise of cookie consent legislation is data protection. Even though cookies (small text files of data with expiry dates) stored on your machine are in and of themselves mostly harmless, they can be used to store personal data about you or your users. Sometimes this is just stuff like session data, relating to a user’s login, or a persistent login (i.e. so you don’t need to log in again at a later date). Sometimes, in e-commerce, it can relate to what you’ve put in your shopping cart. But the problems arise when they store data such as your personal details or credit card details (to name but two). Further issues arise when the handling of the cookie is managed by a third-party website or application.

So what does this all mean? On the surface, it means that if your website uses cookies to store any kind of personal data, you require a cookie consent alert. Never mind that cookies can’t be accessed by other sites or scripts (and absolutely cannot contain a virus), the nature of their content means they are considered insecure (any text application like Notepad or TextEdit can open them to read their content).

You may also feel that you don’t have cookies on your website so you don’t need an alert. Do your posts have Facebook like buttons? Do you use Google Analytics (or any analytics software for that matter)? Do you use a webfont? Then your site uses cookies. In fact, unless your website is a raw HTML and CSS website, with no external JavaScript interaction, then there’s pretty much a zero percent chance you DON’T require a user’s consent. Also, in the majority of instances, we would recommend including it anyway. If your site includes a third party script that changes in the future to include cookie handling, you are liable for not having an opt-in alert.

There is, however, an option that we have started exploring with our clients. Cookie consent can now be implied. What does this mean? Well, it means you can provide a link to, or information relating to, the use of cookies that the user can opt out of, though it still requires a banner alert of some description. Just how big that banner alert is, is up to you. Is it a solution? Not really, but it does minimise the exposure to the “dreaded banner of doom”. We used this on several websites to good effect, but it should be noted that some countries, such as Croatia, France, The Netherlands and Poland, do not allow implicit cookie consent.

Will we ever see a day where these alerts are no longer required? The short and short-term answer is no. Even though most developers are in agreement that they can hamper a user’s sense of trust in your website, there is no indication that the EU is going to scrap their requirement. Even with the advent of HTML5 and Local Storage, the cookie consent legislation relates to ALL data retained by the website, no matter the format. In fact, we’ve called it the cookie consent legislation up until now, as cookies were the primary way of storing your offline information, but the legislation is worded to include all current and future technologies.

“But I’m in the States!” Doesn’t matter. Your website is a portal in the EU and, unless you plan on blocking all your European customers, your clients in Europe are protected under EU law so you must abide.

It’s very complicated, but we’re well used to dealing with it, so if you’ve any questions, call us and we’ll be glad to help you out!

Useful resources:

Irish data protection info regarding cookies
Europa guidance documentation (relates to EU Europa site documentation but follows the legislation)