How the new EU cookie law affects law firms
Most websites nowadays use ‘cookies’ (as I will explain) and the European Union has passed a law which means we all have to take action. Your clients need to take action, but so do you, as your firm has a website too.
What are cookies? They are tiny files that websites place on visitors’ computers. Cookies are helpful and provide many benefits. For example, they can automatically log a user in next time they visit a website - imagine having to type in your password every time otherwise.
Even small websites tend to use cookies, combined with free tracking software (analytics), to reveal which pages users visit on the site. But cookies (including third-party cookies) are also used on commercial websites to target future advertising at users, which many users would rather avoid; hence the new law.
So what do you need to do?
The EU’s Privacy and Communication Directive came into force on 26 May 2011 and will supposedly be enforced from 26 May 2012 onwards. Sounds a bit vague? You get the picture. Put simply, the law says that before putting a cookie on anyone’s computer, that user must opt in on an informed basis.
Millions of websites suddenly switching to an opt-in approach? All with pop-ups to explain which cookies are used and why? It sounds like a pretty irritating interruption that will put a lot of people off visiting a lot of completely harmless websites, doesn’t it?
This technology site is an example of what to expect, although you’ll notice that it is opt out and not opt in.
As a publisher of websites covering law, marketing and IT among other things, we went straight to Dave Chaffey, the UK internet marketing guru who writes and lectures on matters such as cookies. Chaffey explained that the regulator, the Information Commissioner's Office in this case, is not expecting instant compliance even after 26 May 2012. Although not strictly legal, you are unlikely to be prosecuted provided that you are 'moving towards compliance'. Plus, there are exceptions (‘strictly necessary’ cookies... which even the ICO itself has).
Phew. That sounds a bit more realistic for the real world (outside Brussels) that most of us inhabit.
Although some law firms may choose to be fully compliant on day one, I expect that most of them will take a wait-and-see attitude. After all, this new EU law is not about law firm websites; it is about intrusive advertising and passing on personal data.
And what will law firms advise their clients? To spend precious time and money becoming compliant to the letter of the law? Or will they offer more ‘commercial’ advice, suggesting that clients save their money but stay out of trouble by simply moving towards compliance, at least until one sees how things turn out in the next few months?
No need to ask what all the website developers will recommend. The ICO’s stipulated website adjustments seem like a bit of a windfall for them.
Here, Blue Peter style, is an example of a website that has shown a move towards compliance for some time. Read the current Privacy Policy, Cookies section of the legal resource centre of Gregg Latchams. We used simple online cookie audit software to establish which cookies were in use, then, as you can see, we put this into a clear, accessible explanation. The main Gregg Latchams website (hosted by Conscious Solutions) will be fully compliant by 26 May, but this element of the website is not live in the meantime.
You can find a list of cookie audit software in the guide Coping with the EU cookie laws.
And finally, as this is a blog after all, here’s my chance to predict the future. The law will work to the extent that more websites will now reveal what cookies they are using, which is a good thing.
The law will gradually make the more reputable commercial websites move to an opt-in approach, after a messy initial period when users will be confused and put off. The law will also waste lots of taxpayers’ money as thousands of public sector websites - which were never a problem in the first place - dutifully comply.
But most websites are pretty harmless in terms of cookies/privacy and will simply continue as before (perhaps with some standard cookie wording added to their privacy statement).
Which brings us to the $64m question: enforcement. I imagine that the ICO will be completely toothless when it comes to enforcing the cookie law, just as it has been 100% ineffective in enforcing the EU’s anti-spamming laws. What about all the offshore websites that sell to EU citizens, for a start?
The ICO site is compliant (see top) and is rumoured to have instantly lost tracking of over 90% of its users. Tracking is the ‘eyes and ears’ of any website and in this respect compliance comes with a pretty severe price tag for what it achieves in return.
It’s now 10 May, we’ve less than three weeks to go. I know of many websites that will switch over to a compliant version a week before 26 May. But has anyone seen examples of full compliance already being put into practice on a commercial website? I would be interested to know.
Rory MccGwire is chief executive of BHP Information Solutions


Comments
Cookies
Great article and lots of good info. I challenge the legality of such laws as how are you to ascertain when a company is based in the EU or not? Corporates like Coca-Cola are global brands and have audiences on many continents, so it begs the question about enforceability.
I personally don't see this as ever being enforceable and will certainly have a negative impact on all web traffic as a result. This goes against the grain of new technologies and forces the general public to engage in exercises of authentication and opting-in, rather than the web 3.0 approach to content curation. Think how this might impact Google searches?
I studied Law at University and the incompatibility with most EU laws in the UK means that individual member states will do whatever they want, when they want. EU Law is a waste of time in my opinion and adds little value to our society in the UK.
ABBII
Here are three already-compliant law firm websites
Thanks Allan, I completely agree about the lack of enforceability. And if the global companies ignore the new laws, and our friends on the continent don’t quite get around to following them either, it makes it doubly difficult to insist on UK websites complying.
For most UK law firms, which only use cookies for Google Analytics anyway, compliance is not a big deal. If they comply, not much will change, as web traffic tends to be an aspiration rather than a reality in most cases. On the other hand, if firms take a “wait and see” approach, the ICO is hardly going to come chasing after them.
So the question then becomes: How will my firm be perceived if I do comply, or if I don’t? Should a law firm knowingly not comply? Does this show commercial savvy, or does it suggest a firm with low standards? On this basis, I think a lot of law firms will play it safe and opt for compliance.
But the messages that I have been receiving today suggest that most firms have not even started addressing this problem re their own website. So I doubt they have been pressing their clients to comply … which leads me to think, as before, that most UK websites will remain non-compliant.
Here are three examples of already-compliant law firms: Last Cawthra Feather (thanks Keith Hardington), and both Brabners Chaffe Street and McClure Naismith (thanks David Gilroy).
Compliance
Hi Rory,
Traditionally, law, finance, and ANYTHING to do with public sector are very slow on the uptake of most web-related trends and issues; especially, social media. What I do find quite often is that it is not because they don't want to, but because they lack the necessary in-house skills to manage.
Being savvy is a great way to reference what I call apathy and lack of understanding. I am not really sure that most companies and business leaders outside of IT even understand what a cookie is in the first place. There will always be those that comply before the ink has dried on new legislation, but then there are others that simply don't care, know, or understand. This will be the litmus test for me...who will actually spend the time, money, and other related resources to comply in an area that most laws can't even govern as we speak.
Take my blog dated April 30th. I have been harassed, stalked, and generally annoyed for over 18 months. Legally I have some grounds for action, but is it worth the time, effort, and resources to fight? I think not. Until our government gets their heads around everything to do with the web, I don't think the EU has a chance.
Article 8 of the ECHR is the most abused article in the history of mankind. I am sure that blurred geographical boundaries, time zones, and technology will find a loophole for non-compliance. I'll be intrigued to see what happens. Where will the EU start with enforcement? That will be even better. I bet it won't be in Brussels though!
Wales is the lowest ranking region in the UK, for Internet access and usage, so the enforcers can stay on your side of the bridge for a while.
ABBII
Compliance
I am not entirely against the Regulations. Research undertaken by PwC (April 2011) showed 77% of respondents were concerned about internet security, with 62% considering it important to know the purpose of a cookie and 56% considering it very important to know how to delete them. The extent to which the Regulations will improve security is a matter for debate, but just because compliance might be messy, cost a few quid and be a pain, doesn't render it unworkable and useless! We live in an internet society and users deserve their interests to be protected.
However I agree with you Rory that the ICO is going to have a tough time regulating this given the volume of new websites added every day in the UK alone! The ICO will be able to do very little about non-compliant offshore websites. However following the Amazon tax uproar (£3.3bn UK sales, no corporation tax paid), there is some suggestion that overseas companies should be regarded as resident in the UK for corporation tax purposes in respect of sales made in the UK. Perhaps the UK will introduce overseas trading regulations requiring commercial website operators with a UK customer base to comply with the cookie regs!
As the article says, businesses can take two approaches: aim to be fully compliant by 26 May, or "move towards compliance" by undertaking a cookie audit, adding a simple notice to their websites and observing how ICO policy develops. I would suggest (but not advise of course) that businesses take a risk-based approach - the more intrusive the cookies stored on a user's computer (i.e. targeting cookies), the more important it is to comply by 26 May.
The ICO solution interests me for three reasons: (1) the cookie header notification is sweet and simple, providing little up-front information to users; (2) the cookie policy is embedded in the privacy policy which, while not a wrong approach by any means, is not the preferred option in the ICO's own guidance; and (3) the third party cookies listed on the privacy policy direct users away to the privacy notices of Google etc (which makes sense, but is a little ironic given that the ICO is reopening its investigation into Google's collection of personal data from Street View cars!).
The BT solution is also interesting because the ICO guidance says that "It is not enough simply to continue to comply with the 2003 requirements to tell users about cookies and allow them to opt out" and, while impressive, the BT solution does just that. However the BT solution was developed in conjunction with advice from Herbert Smith and has been pitched as an excellent example of compliance by the ICC in its recent guidance.
As Rory said, over time, websites will become more compliant as website operators learn that gaining users' confidence through compliance can be a good thing.
One Web Developer's Opinion
Thanks for the interesting article.
I do however, take small issue with the slightly specious remark, "No need to ask what all the website developers will recommend."
While there is no doubt opportunity to 'cash in' on this (and some will for sure), I for one, see it as an incredible pain in the rear, for both my clients and our industry in general.
There are MUCH better ways of making money than fiddling around dozens of clients' websites to make them compliant with this asinine law. And in addition, dealing with the surge of emails, phone calls etc. from panicked website clients, who may well think it is our responsibility to make the problem 'go away' simply because we built their website.
I will, of course, do my best to assist website owners deal with this new requirement but please don't think I'm rubbing my hands together in glee over this. At all.
Cheers,
David
Use hashtag #EUCompliance on Twitter re this cookies blog
Great comments Ed and David, thank you.
Reading all the comments so far, we seem to be in broad agreement.
I even agree with David that my remark re website builders was “slightly specious”. Of course, I prefer the word “controversial” … but you can see where I am coming from. Is a wait-and-see approach really that unwise, do we all have to race to fully comply by 26 May?
We’ve started a hashtag #EUCompliance on Twitter, to see what interest there is in this issue among people running other businesses.
Cookies
I agree with you Rory that most law firms will take a wait & see approach. Or maybe that is because most law firms won't even know about the issue...
We recently had our site redesigned and decided simply to add a paragraph to the privacy policy (which I'm sure everyone always reads!) On another solicitors' site I saw, they had a massive banner about cookies and a button to click that you accepted, but the website worked fine whether you accepted or not.
If only we could be more like the French: agree to the laws in a meeting and then do our own thing afterwards!
Digital Marketing & Cookies
Thanks for a terrific article Rory.
I'd like to stand up for cookies - they are a terrific technology making browsing easier and helping to serve relevant content to web visitors. As you mentioned they also provide the eyes and ears of websites with systems like Google Analytics. I understand Google are still discussing ways to validate Analytics with the ICO.
The regulations are a sledge hammer to crack a very small nut - the virus-like cookies that infect your machine with unwanted pop-up ads etc. Surely these are better fought with good anti-virus software.
However, the regulations are here and I believe your view of their slow adoption is broadly right. I also have to agree with David, that web developers see them more as a pain than an opportunity to cash in.
realityhouse legal is recommending that clients update terms and conditions now while we wait and see how the regulations develop.
This law is causing a lot of stress for micro businesses
We tend to be the ones who are first in line for complying, and also the ones who are finding it the most difficult with the least resources.
There are lots of networking groups with some very stressed and worried small business owners having discussions and arguments (mostly stress driven) about what we need to do.
I took the approach of having a photo of a plate of cookies on my home page with 'Want cookies?' and a link. This goes to a page with a humorous photograph and details of what cookies my site may have, and what it won't, and what they are used for. I've used a lot of humour and a lot of talk of chocolate, superheroes and wanting to be sent nice things by marketing people in my explanations.
I'd appreciate a legal perspective on my rather unusual approach -
How I complied with the EU Cookie Law, my style - http://bit.ly/KnrTuH
Web developers are not doing cartwheels
As others have said, web developers really aren't particularly thrilled by this, as there are plenty of other things they could be doing, but at least those worth their salt are trying to put simple solutions together where possible - particularly for SMEs who these days can't really afford to be paying for more stuff to be done on their sites, and are also the ones least likely to understand what's going on here with the EU Cookie Directive, unlike the big guys with their IT and marketing departments.
List Cookies
Moving towards compliance is enough for now. Enforcing websites to have intrusive pop-ups with opt-in or opt-out options (which, by the way, rely on cookies to work) is unrealistic. In my opinion, a decent page like Gregg Latchams is enough for now, although they, like all of us, should probably list the cookies that their site uses. That is a pretty transparent way of going about things without all this opt-in ridiculousness.
'Specious' remarks, Google Analytics and plug-ins
Thanks for a well-written article, Rory. Like the other web developers who've commented, I see this cookie law as a distraction rather than an opportunity. I have to keep my eyes open and look out for information about the law because I'm getting asked about it by some clients. One of those is a law firm.
The only thing that's clear about this law is that it's unclear what the end result will be. I take it as a sign though the distinct lack of media attention from Google on this topic means they're not particularly worried that the EU will suddenly be making a mass exodus out of Google Analytics. Of all the cookies this is the one that has the most ambiguity surrounding it. Every website owner wants the stats about website usage in order to compete better. Most website users don't care about it because it's anonymous. But it's at the heart of the law because websites can work without it and it is a loose form of tracking.
My take is that the ICO will go after a few high profile consumer-serving corporations in the next year and there will be arguments about what counts as 'essential' and 'tracking'. In the end I expect that Google Analytics will be allowed to slide under the wire, but probably not before it's been discussed in court (and more vocally on Twitter). I also expect that some standardised plugins will be developed (for WordPress, jQuery, etc.) that will make it easier for developers like myself to slot into websites at low cost. Then maybe we can all get on with our core business. Now there's something to start rubbing my hands about.
In my previous comment I said
In my previous comment I said "I would suggest (but not advise of course) that businesses take a risk-based approach - the more intrusive the cookies stored on a user's computer (i.e. targeting cookies), the more important it is to comply by 26 May."
That being said, I think the ICO's view will be that we have all had a year's grace to comply with the new Regs! I doubt that the ICO, in the cases it pursues, will have much time for defences such as "We didn't have enough time", "This law sucks", "We have no resources to pander to the protectionist whims of the EU"...
Re Paul's comment, I am currently building two websites and using the WordPress EU cookies plugin (http://wordpress.org/extend/plugins/eu-cookies-plugin/) which works really well.
WordPress EU Cookie Law plugin
Ed, thanks for pointing me to the WordPress EU Cookie Law plugin - I hadn't spotted that.
Though, with Rory's latest findings, it looks like we can just hold it in reserve in case someone decides to make a formal complaint. (Best pop my head back into the trenches then.)
Also use hashtag #CookieLaw to follow Twitter discussion
More helpful comments from everyone, thank you.
My provocative remark about web developers helped to get the conversation going, but maybe I should have aimed it at the lawyers instead, to get them champing at the bit re this discussion.
Happily, we have so far managed to avoid the usual band of self-publicists who invade so many online conversations with their non-comments ... and we have avoided the barbed comments of the many anonymous commenters who seem to thrive on this site.
But let's now open the conversation up a bit. We'll do a few tweets with the #CookieLaw hashtag to broaden out the audience and we'll see if it brings in any more angles on this debate.
(Completely changing the subject for a moment, did anyone notice John Hyde's news blog 'Twitter Twits' on this website on 11 May, lamenting the fact that so few UK lawyers have bothered to look into, and get an understanding of, the commercial benefits of Twitter? Someone said to me the other day that lawyers were the last people in the UK to use business cards, they were one of the last to use email ("What's wrong with the post?"), and so from the outset one could safely predict that they will be one of the last to understand social media. Interesting comparisons, I'd not heard the business card 'fact'(?) before.)
ICO "will only act on complaints" re new Cookie Law
The BBC website today published this article:
Cookies: Majority of government sites to miss deadline
...the revealing few sentences from ICO at the very end of it:
"There will be some companies out there wondering why they've gone to the expense, and committed a lot of resource, into trying to tackle a problem which is not going to be enforced," he [Vinod Bange, a lawyer for Taylor Wessing] said.
In the interview with E-Consultancy, the ICO's Mr Evans said there would not be a team of investigators seeking out infringing sites, but would act on complaints.
"How likely it is that complaints will flood in, we don't know," he said.
"It may be that the great British public simply isn't that concerned about cookies."
>>> So there we are. I think that pretty well says it all!
Cookies round-up: ICO will contact 50 key websites re new law
Here’s an update (Thursday afternoon, 24 May).
Not much has happened since the ICO press briefing last week (see the econsultancy.com website for details), when the ICO deputy commissioner David Smith said that the ICO’s first step in enforcing the new law will be to contact 50 key UK websites to ask them what their position is on compliance.
As regards the website of a typical business, he confirmed that if such a website was not yet compliant the ICO would only impose a fine if extreme criteria were met: “It would have to be a serious breach and it has to be likely to cause substantial damage or distress to individuals.”
This afternoon, a quick check shows that more websites have gone live with their compliance solutions (eg the FT), while others are using more heavyweight policies (eg BBC, John Lewis). But most websites remain blissfully unaware of this new law, and have little to fear from it, as already discussed.
There are now lots of instant compliance options being offered by developers. Just put the hashtag #cookielaw into Twitter and you can find them easily. That’s the beauty of Twitter compared to Google, it really is instant, whereas climbing the Google rankings can take years.
Who's in tune with the visitors?
The discussions here and elsewhere are dominated by parties from the 'business side', and generally they appear to wish to swat compliance away like a troublesome fly. However, if the 90% tracking loss figure for the ICO website is true, then this EU regulation could be much more in tune with web visitors than any providers are - is this the beginning of having to listen to the visitors' voice?
I think all the descriptions of Google Analytics I've seen so far claim the tracking is just for the benefit of the operator's website function. They may be deluded or pretending, but what pays for this miraculous free tracking service? Sharing the data with Google[1]. However 'anonymised' it might be, when combined with Google's other sources it is sufficient to bring enough income to Google for them to keep the service running (probably a lot more).
Visitors are becoming aware that they are being sold as a description/behaviour product between businesses and they support stemming this flow. If this regulation takes hold, perhaps the next stage may be to offer visitors something they want? The use of your website, or targeted advertising, are unlikely to be sufficient.
It could be that the EU is the vanguard of building the safeguards and regulatory structure that were neglected in the extreme gold rush that business on the internet has been so far...
[1] Google say data from your site is not shared with anyone else, but without explicitly excluding themselves from that.
Cookie law in 11th hour ‘implied consent’ change
I have just noticed this item in Charles Christian's 'The Orange Rag' legal IT blog (25th May):
COOKIE LAW IN 11th HOUR 'IMPLIED CONSENT' CHANGE
The Information Commissioner’s Office (ICO) has updated its Guidance on the rules on use of cookies and similar technologies just one day before it is due to begin enforcing the rules on 26 May 2012. The main change from the previous version published in December 2011 is a new and much expanded section on ‘implied consent’.
Stephen Groom, Head of Marketing and Privacy Law at law firm Osborne Clarke, said: “Previously ICO said that implied consent would be unlikely to work, now it says that implied consent is a valid form of consent. This is a striking shift in how ICO says it will tackle compliance. Just six months ago it said general awareness of the functions and use of cookies was simply not high enough for websites to look to rely entirely in the first instance on implied consent.
“Now it tells us that ‘implied consent has always been a reasonable proposition in the context of data protection law’ and that it remains so in the context of storage of information or access to information using cookies and similar devices. Although this new, pragmatic approach is undoubtedly more business-friendly, ideally it would have been good to have had earlier visibility of this dramatic change. It also remains to be seen whether this puts the UK out of step with Brussels and most other EU states.”
Quelle surprise! The
Quelle surprise!
The consumer put at risk to satisfy big business, whilst the regulator flouts the spirit of the legislation.
EU institutions themselves are ignoring the cookie law
This is taken from a 29 May article by Zack Whittaker on ZDnet.com:
SWEET IRONY: E.U. IMPOSES COOKIE LAW, IGNORES OWN RULES
You would think an executive body of 27 member states that dictates part of their respective laws would adhere to its own? Think again.
On all European Union institution websites, you will be lucky to find a single page that asks the visitor for permission to set cookies. But they’re using them all the same...
The Article 29 Working Party — the group which advises individual European privacy authorities on matters of data protection, and the European Data Protection Supervisor — a cross-nation group of data protection officials, both fail to adhere to the E.U.-wide so-called “cookie law”.
Despite the U.K. “cookie law” taking effect over the weekend, wider E.U. institutions — including the European Parliament and the European Commission — are not practicing what they preach.
Cookies law update: 'Implied consent' approach working well
On Wednesday, Marketing Week carried an article(*) reviewing how the cookie law is being implemented, based on an early analysis by QuBit.
Sites which inform users that cookies are running and then offer the option to disable them – implicit/implied consent - are seeing acceptance rates of up to 99.7%.
By comparison, sites that seek explicit consent from users before receiving cookies are seeing consent rates of just 57.2%.
All as you would expect.
On this basis, now that the initial confusion is over and the ICO has confirmed that implied consent can achieve compliance, I imagine that hereafter virtually all private-sector websites will end up taking the implied consent option. There will still always be a few who like the belt-and-braces approach of having to opt in, even if this acts as a barrier to users using the website.
(* ‘Implicit consent’ best practice on cookies. 13 June)