In-depth articles, interviews and debates covering local and global topics related to the Experian business expertise.
Businesses across the EU should start preparing to implement the “Cookie Law”
The result is the change to the e-Privacy Directive, part of the Telecoms package of reforms implemented by the EU in May 2011, that states that individuals must be notified prior to a cookie being placed on their PC and must have given their consent to do so. The only exception to this rule is where the cookie is strictly necessary for the web site to function properly. To date, the legislation has seemingly proved unpopular with EU member governments and up to November 2011 only seven out of the 27 member states have confirmed that it has been implemented into its own laws.
First necessary steps
Whilst each country is responsible for introducing this Directive into national law and therefore could implement it in different ways, there are some steps that all businesses operating web sites within the EU can take to prepare for this change in legislation. First of all, it is important to understand what, if any, cookies are used by the site and what they are used for. Those that are strictly necessary for a service to be provided to a user are exempt from the ruling, though the definition of “strictly necessary” is likely to be very narrow.
For those cookies that do not fall into the strictly necessary category, businesses can then assess the level of intrusiveness of the remaining cookies in terms of the data that they contain and the way they are used. Although the worst case scenario is that individual countries will implement the letter of the law and require that all cookies (other than those that are strictly necessary) will require some form of opt-in from the user of the site prior to being deployed, some may take a more pragmatic view and allow for a range of measures to be implemented depending on the nature of the cookie. For example, for those that are used to perhaps record site preferences or collect site statistics, it may be sufficient to notify the user.
Either way, by understanding and analysing the way in which cookies are currently used as soon as possible, individual businesses will be in a position to make the necessary changes to their sites as soon as the directive is introduced and the requirements are clarified in each country.
In July 2011, the European Commission wrote to the remaining 20 countries that have not yet introduced the directive in the first stage of legal action towards enforcement. This may lead to a flurry of activity from those countries that have not yet acted and the rapid introduction of new legislation. With this in mind, businesses across the EU should start preparing now.