The Cookie Consent Module & EU Cookie Legislation

In November of 2009, the European Parliament issued EU Directive 2009/136/EC, an amendment to several prior directives concerning data protection and electronic privacy rights.  Of primary concern to this article were changes regarding the storing and accessing of personal data on a user’s device via cookies [1].  The amendment changed such storage to require opt-in rather than opt-out permission from end users.  EU member states were supposed to implement laws in accordance with the directive by May 2011.

Who Is Affected

So, who has to worry about the directive?  The EU member countries (and Norway).  If you own, operate or design websites for EU based entities, you need to worry about the specific Data Privacy Laws in that country, because all EU countries were supposed to enact legislation consistent with the directive.  Not all of them have, and the existing laws vary from country to country.  But if you are operating in the EU, it’s likely that the privacy directive will apply in some way, shape or form.

The Legal Basics

While the specific laws may vary, the EU E-Privacy Directive does provide us with a generic template for building websites that comply with EU privacy concerns.

Users must be informed

Visitors to your website must be informed of your privacy policy, including the use of any cookies or similar technologies (i.e., Locally Stored Objects, etc.).  A generic statement that cookies are used and necessary to site functioning isn’t really enough.  You should specify each cookie and what it does in terms a layman can understand.

Users must grant prior consent

Before setting cookies, you must receive the informed consent of the user.  Given the current state of web browsers, browser settings cannot be used to infer informed consent. 

The directive does make an exception to this requirement, but only when it is strictly necessary and done to provide a service that the user has explicitly requested.  The typical example would be a shopping cart where the user has taken direct action to add items to the cart.

Users should be able to revoke consent

At any time, a user should be able to revoke their consent and remove any existing cookies.  While not explicitly stated in the E-Privacy directive, providing users with an easily accessible means of removing current site cookies and blocking future ones is a wise precaution.

How to address the EU Privacy laws

1. Know the law in the relevant country.
Laws differ among the EU member countries, with some having enacted no law derived from the directive at all.  There is also variation in how the laws address prior/implied consent.  Understanding what the law actually requires is key to compliance.  Unfortunately, reading the relevant statutes doesn’t always provide a lot of clarification and you will need to stay on top of the latest news regarding how the law is actually being interpreted and applied.  For UK users, the The Cookie Collective is a good resource for tracking the latest legal and technical news regarding cookie regulation.  Just keep in mind, the details may vary on a per country basis.

2. Know what cookies your site sets and what they do.
You need to know what data you are storing on visitors’ devices and why you need to store it.  If you’re reading this, you’re probably using ExpressionEngine on your site, so be sure to check out the Cookie Consent Module’s documentation, which details the cookies set by the CMS and its native modules.  It’s also likely you have cookies being set by other applications.  Ad services, analytic tools, store/ordering code, video and social media applications may all be setting cookies on your site.  Know the tools you are using and check with each to see what cookies they set.

Once you think you know what cookies are being set, doing a manual audit of the site is a good idea.  There are a number of browser based tools you can use to help you do a ‘cookie audit’ of your site in action [2].

3. Provide a Privacy Policy
If you don’t already have one, put a privacy policy on the website.  If you do have one, make sure it is up-to-date.  The policy should be easily accessible and it should detail all data that may be stored on a user’s device, the purpose of the data, and how long it persists. 

4. Decide on a plan of action
The reports I’ve seen on users opting-in to cookies when asked on a website suggest around 5-10% will grant consent.  You will need to plan accordingly and make an informed decision regarding the use of cookies on your site.  If you are designing the site for a client, you need to ensure they understand the law and what they may need to sacrifice in order to be fully compliant.

The Cookie Consent Module and EU Cookie Compliance

ExpressionEngine sets a number of cookies on each page load for all site visitors.  In order to prevent these cookies from being set without end user consent, a Cookie Consent Module is available for download in the Add-on Library.

Installing the module instantly prevents any cookies being set using the internal cookie setting method unless consent has been given.  Consent is indicated by the presence of an ‘allow_cookies’ cookie.  Because cookies are required for much member functionality both fronted and backend, login and registration are disabled for users who do not have the consent cookie set.  The module also provides several means for deriving consent (and thus setting the consent cookie), a mechanism for revoking consent and clearing domain cookies, and conditionals allowing you to vary the content included based on whether consent has been provided.

Watch the new ‘How To’ video “The ExpressionEngine Cookie Consent Module & EU Cookie Legislation” for a guide to using the module.

 

   
And remember, we have a variety of “How-To” videos covering other aspects of ExpressionEngine on our Vimeo page.

End Notes

[1] Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.
(EU Directive 2009/136/EC)
[Return]

[2] Recommended browser based tools for identifying cookies set on your site:
- Firefox Web Developer (https://addons.mozilla.org/en-US/firefox/addon/web-developer/)
- Firefox Firecookie (https://addons.mozilla.org/en-US/firefox/addon/firecookie/), extension for Firebug (https://addons.mozilla.org/en-US/firefox/addon/firebug/)
[Return]

.(JavaScript must be enabled to view this email address) or share your feedback on this entry with @ellislab on Twitter.