The Cookiest Law the EU has Ever Introduced

Just the other day we saw Wikipedia close their site for a day in order to raise awareness of the SOPA bill going through the American Congress. Well, it seems that the EU has gone a step better than the USA. The UK has already passed a law that could potentially cripple web businesses if they deal with anybody in the EU countries.

Before you start thinking that this law does not concern you because you live outside the UK or your business is hosted outside the UK, you might be wrong: if you get any visitors to your site from the UK, you would be breaking UK law if your site sets a cookie on that visitor’s computer.

If you disable cookies in your browser (which you can do easily enough through your browser settings), you will simultaneously lock yourself out of sites like YouTube, Gmail, Yahoo Mail, Amazon and many others, because cookies are how these sites determine whether or not you are logged in.

But cookies are used for many other purposes, like targeting advertising. An example of this is the DART cookie used by Google. Previously, sites were only required to tell users that a website made use of cookies and what they were used for (which we did here). The new law requires that the user actually consents to the use of cookies. This is going to be a major headache for many websites.

This is what the law requires:

a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment-

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

Source: Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR), ICO site

So, just like the SOPA bill, this is clearly another example of some well-meaning legislation that has gone horribly wrong. The difference is that this one is law and you could actually be fined up to half a million pounds sterling if your site fails to comply with the law by May 2012.

So what should you do? Well, the first thing is to conduct a cookie audit of your own site to find out what cookies are being set in normal operation. Then you need to tackle each instance on a one-off basis. There is no question in my own mind that sites like Clickbank and Google will have to introduce some method of complying with this law into their cookie setting activity. Expect some announcements from them in the near future.
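One way to start the cookie audit described above, as an added example that is not part of the original post: it takes Set-Cookie headers captured while browsing the site and reports each cookie's domain, whether it is first- or third-party, and whether it persists beyond the session. The host names, cookie names and header values are constructed for illustration, and the first-party test is a stated simplification.

```python
# Added example: cookie audit over captured Set-Cookie headers.
# SAMPLE is constructed data; hosts and cookie names are hypothetical.
SAMPLE = [
    ("www.example.test", "sessionid=abc123; Path=/; HttpOnly"),
    ("www.example.test", "aff_ref=partner42; Max-Age=2592000; Path=/"),
    ("ads.tracker.test",
     "uid=789; Domain=.tracker.test; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Path=/"),
]


def parse_set_cookie(value):
    """Return (cookie name, {lower-cased attribute: value}) for one header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(site_host, observed):
    """Classify each observed cookie by scope and lifetime.

    Assumption: a cookie counts as first-party when its domain is the audited
    host or a parent of it. A real audit would also consult the public suffix
    list; this sketch does not.
    """
    rows = []
    for sending_host, raw in observed:
        name, attrs = parse_set_cookie(raw)
        # Without a Domain attribute the cookie is bound to the sending host.
        domain = attrs.get("domain", sending_host).lstrip(".").lower()
        first_party = site_host == domain or site_host.endswith("." + domain)
        # Session cookies carry neither Max-Age nor Expires.
        persistent = "max-age" in attrs or "expires" in attrs
        rows.append({"name": name, "domain": domain,
                     "first_party": first_party, "persistent": persistent})
    return rows


if __name__ == "__main__":
    for row in audit("www.example.test", SAMPLE):
        scope = "first-party" if row["first_party"] else "third-party"
        life = "persistent" if row["persistent"] else "session"
        print(f'{row["name"]:10} {row["domain"]:18} {scope:12} {life}')
```

The header values can be collected from the browser's developer tools or a proxy log while clicking through the site in normal operation.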

We may have to dump our own method of tracking affiliate referrals – a major pain for us, but, if it has to be done, we’ll do it.

Meanwhile, if you are located in the UK, you should do your best to raise awareness of the issues and write to your local MP to explain why this law is a very bad idea. The UK is the first European country to comply with the cookie law. It’s a bad law and who knows, perhaps it can yet be squashed.
