B2B Insights 
Jul 11, 2011

Confusion, Contradiction and the New EU Cookie Law

Note: I am not a lawyer and this is in no way meant as legal advice. For actual legal recommendations, you should seek the advice of your own legal counsel.

It’s been with equal parts confusion and humor that I’ve been trying to figure out what to make of the so-called “EU cookie law.” In case you missed it, the European Union is attempting to bring a sense of personal privacy back to the web by dictating how cookies and similar information can be stored on your browsing device. In essence, under the new regulations a website must get explicit permission from a user before placing any permanent data on the user’s machine. This could affect how you view sites, how you shop online, and how you’re able to analyze and improve the user experience for the visitors to your site.

Attempting is the operative word. They’re attempting to legislate, and as digital communications professionals we’ll be attempting to stay within those regulations. I’ve been trying to read up on the subject using as many EU sources as possible, but it seems even those on the front lines are confused about how to handle it. Here’s where things seem to stand:

  • The EU mandate is a directive, not a law. The EU doesn’t have the power to pass laws, only to force member countries to pass laws that comply with its directives. Why is this nuance important? Read on...
  • Each member country is on its own to legislate, regulate and enforce the directive. In theory there could be 27 different country laws to comply with. As of July 1, 2011, only 3 of the 27 member countries have implemented legislation to enforce the directive. Those countries are Estonia, Denmark and the United Kingdom, and none have announced how they will implement the regulation. May 26th, 2011 was supposed to be the start date of compliance. The UK has stated they are postponing enforcement until May 2012.
  • Not even governing bodies know how to handle compliance. The Information Commissioner’s Office (ICO) is the UK’s body for policing and enforcing the law. Check out their website. Up at the top you’ll see their attempt at compliance. Unless you allow them to store a cookie on your machine, you’ll get that message on every page of the site. Even if you don’t like cookies, you have to accept a cookie so that you’ll no longer see a message about cookies. (BTW – that message is at the top dead center of the page, and on a mobile device it’s the first thing you see. On an iPhone 4 that means it’s taking up the top 12% of your screen real estate. I think our user experience expert just died a little.) But that’s not the kicker – go to the ICO Privacy notice, scroll down to the note for their Content Management System cookie, and pan to the right under ‘More information’:

We have recently become aware of this cookie. We are working with the supplier of our content management system to remove it or, if it can’t be removed, to find another solution.

Read another way, the organization responsible for policing the policy in the UK is out of compliance. I wasn’t kidding when I said this was confusing. That aside, I really like the way the ICO privacy notice is written and lists out explicitly what cookies are in use. In general there are going to be some thorny user experience issues to sort out.

  • (This one you really need to confirm with your counsel) – If the EU can legally enforce regulation against you, one of your businesses, one of your divisions, etc., then the law applies to you. If you’re outside the EU and conduct business inside the EU, like Internet sales, then you might not be affected. Might not. Get counsel. Read more.
  • The laws apply to data stored on the visitor’s machine through any method, not just the explicit use of cookies. Most people, me included, call it the cookie law because that’s the easiest name to give it. Whether you technically use HTTP cookies, Flash cookies, or local storage (HTML5), it will apply to you. Unless….
  • Cookies that are “strictly necessary” are permitted. From the original EU Directive:

“This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

It would seem then that we need to figure out what’s “strictly necessary” and what is “necessary but not strictly so”.

Strictly necessary
  • Saving a user ID after they have logged into a site.
  • Shopping cart interactions like viewing, adding or removing items.
  • Saving a user’s preference for design elements like font sizes or colors.

Not strictly necessary
  • Analytics
  • Behavioral advertising
  • Conversion tracking

Which leads into a big one…

  • Website owners will be held accountable for the use of any cookies on their sites. Put another way, even if you, the website owner, do not use cookies, you will be responsible for any vendors or partners that use cookies on your site. In the ICO example above, they are responsible for complying with the law even though their CMS vendor is the one using the cookie, not them. As so much analytics gathering is outsourced to 3rd parties (e.g. Google Analytics, Omniture), this one has caused as much concern as any other issue. Omniture and WebTrends have both issued statements regarding the new law and what they’re doing in order to comply (still works in progress). Google has issued nothing official. Analytics is critical to good program definition on the front end, and optimization on the back end is nearly impossible without it. We use all three of the vendors listed above, so it’s going to be really interesting to learn how they plan on addressing the problem.
  • As with much new legislation, new businesses or services are created. We are already starting to see a small cottage industry build up around helping organizations measure their compliance and offering solutions to non-compliant sites. 5 or 6 years ago you couldn’t swing a dead keyword around without hitting some SEO vendor that would promise 1st page placement on search engine results pages. I hope I’m wrong, but I think we’re going to see lots of similar offers regarding analyzing and optimizing sites for EU compliance.
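The “strictly necessary” exemption and the owner-accountability point above translate into one design rule: every write to the visitor’s machine should declare its purpose, and anything non-essential should be refused until the visitor opts in, whoever sets it. The following is an added example (not code from the original post or from any vendor named here) of such a consent gate; the category names and the in-memory store standing in for document.cookie or localStorage are assumptions.

```javascript
// Added example, not from the original post: a consent gate modelling the
// "strictly necessary" exemption. Each write (HTTP cookie, localStorage,
// Flash cookie alike) declares a purpose and who sets it; non-essential
// writes are refused until consent exists, and refusals are logged.
const STRICTLY_NECESSARY = "strictly-necessary";
const CATEGORIES = new Set([STRICTLY_NECESSARY, "preferences", "analytics", "advertising"]);

// Constructed in-memory backend standing in for document.cookie or
// localStorage so the policy logic runs outside a browser.
function makeStore() {
  const data = new Map();
  return { set: (k, v) => data.set(k, v), get: (k) => data.get(k) };
}

class ConsentGate {
  constructor(store) {
    this.store = store;
    // The consent record is itself strictly necessary: without it the
    // banner would return on every page, as on the ICO site.
    this.allowed = new Set([STRICTLY_NECESSARY]);
    this.written = []; // feeds an explicit cookie list for the privacy notice
    this.blocked = []; // audit trail of refused writes
  }
  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.has(c)) throw new Error("unknown category: " + c);
      this.allowed.add(c);
    }
    this.store.set("consent", JSON.stringify([...this.allowed]));
  }
  // Returns true if stored, false if consent is missing. Third-party writes
  // get no special treatment: the site owner is accountable for them too.
  write(key, value, { category, party = "first" } = {}) {
    if (!CATEGORIES.has(category)) throw new Error("write needs a known category: " + key);
    const entry = { key, category, party };
    if (!this.allowed.has(category)) { this.blocked.push(entry); return false; }
    this.store.set(key, value);
    this.written.push(entry);
    return true;
  }
  // What a privacy notice should list: every item actually stored, by purpose.
  inventory() {
    return this.written.map((e) => `${e.key}: ${e.category} (${e.party}-party)`);
  }
}
```

The blocked list is the useful part for an audit: it shows which vendors’ scripts tried to store something before the visitor agreed.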

If you have 2 minutes 47 seconds and still haven’t had enough, here’s a really good video on YouTube taking a humorous look at the law. The humor is good cover for illustrating just how confusing it all is. Embedded in privacy-enhanced mode, of course.

I think we’re all still a long way from something resembling direction as to how this is all going to work. US privacy laws tend to be a little less restrictive, so aiming for EU compliance should help in case the US decides to beef things up here.

There are some basic things to do while it gets clearer. If you haven’t done so already, take a look at your site privacy policy and make sure you’re doing the basics. If you’re using cookies, be clear about why you’re using them, how you’re using them and what you’re doing with the data. Keep abreast of your vendors’ plans for meeting compliance as well. Above all, check with your own legal counsel. You’ll have to do it at some point, and it’s better to be proactive about it than reactive.

Copyright ©2012 Godfrey All Rights Reserved