A question on the radar for many companies in the past year has been how to get user consent for using cookies on their respective .com/.xx's. Because a lot has been said and because we've received this question fairly often, it is time to share our view on the subject.
Over the past few years there has been a healthy debate around online privacy, and several changes have been made with regard to online privacy legislation, including several updates of the EU-wide Directive on Privacy and Electronic Communication (or in short the "E-privacy Directive"). One particular area of interest has been how to collect user consent for storing data in cookies.
According to the EU Internet Handbook a cookie is "a small piece of data that a website asks your browser to store on your computer or mobile device. The cookie allows the website to "remember" your actions or preferences over time. Most browsers support cookies, but users can set their browsers to decline them and can delete them whenever they like."
To make things more complicated, there are different types of cookies, which is relevant for the question of consent. First of all a cookie can be classified by its lifespan and the domain to which it belongs:
Secondly, cookies can also be classified by the domain to which they belong:
In fact, some cookies are exempt from the above requirement. According to the 2012 Opinion on Cookie Consent Exemption, consent is not required for:
Since the E-privacy Directive is implemented into local legislation across Europe, it is likely that some countries will start to go further than others in the coming years, but we can draw some conclusions from looking at some major websites today, companies that should have their eyes on them and therefore make sure they are in compliance:
What about the European versions of the above websites, are they the same?
Looking at the examples from Amazon, Apple and Microsoft in light of the quotes from ICO, it is more likely that a "banner alert" solution like the one from Microsoft would be in full compliance with the "prior informed consent" rule than the simpler solution of providing a clear cookie link in your footer. However, the best answer to the question above is that it still remains to be seen and is likely to vary by country. To make this point, in Sweden for example, the Post and Telecom Regulator "Post och Telestyrelsen" (equivalent to Ofcom in the UK) still to this day has a link in its footer to a page "About cookies" and nothing else. Likewise, the Swedish Data Inspection Board, "Datainspektionen" (the equivalent to ICO in the UK), has hidden its cookie information as a subcategory to "About this Website".
We can summarise the above in a few simple bullet points, creating a step-by-step framework to follow when using cookies to store data about users: