Current estimates put the number of Internet users in the European Union (EU) at more than half a billion, making it an attractive target for online businesses. But recent and proposed changes to various EU directives mean an existing website, even if it's owned by a U.S. company or served by a U.S.-based server, may not be compliant with revised EU data privacy laws if it targets citizens in the EU.
The EU data privacy laws that came into force last May state that storing and accessing information on users' computers (i.e. cookies) is only lawful if the user has given consent. In this tip, we'll discuss the compliance implications of this development and what changes U.S. enterprises must make to comply.
Consent is not required for cookies that are considered “strictly necessary” for a service requested by the user. For example, a session cookie that enables a user to add items to a shopping basket and then use the site's checkout feature can be set without prior permission, but be warned: the definition of what is strictly necessary according to the PECR is narrow. Cookies used for load balancing would be deemed necessary, but not those used to collect statistical information about users or that enable a customized greeting or look of the site. As a significant example, cookie-based Google Analytics -- which is estimated to run on 90% of websites -- is not compliant with this legislation. To use this or any other non-essential service, a site must first obtain the user’s permission.
If you go to the UK Information Commissioner’s Office website, you will see a banner at the top of the page (see figure). This banner gives a good idea of what regulators are expecting sites to implement by May 26, 2012, when enforcement of the new law begins. Not surprisingly, when the ICO tested this banner on its own site, only 10% of users actually opted to allow cookies; without such warnings, most users accept website cookies without even knowing it.
The ICO does provide guidance on PECR and EU cookie compliance and recommends a cookie audit as the first step. An organization must check what type of cookies and similar technologies it uses on its websites and how it uses them. Remember that these requirements also apply to cookies set on mobile devices and other terminal equipment such as Internet-enabled gaming consoles and televisions.
Consent must be unambiguous and be explicitly given, so a simple "check box" without adequate explanation of what a user is consenting to will not suffice. Users must give permission for third-party cookies too. These requirements may well mean a complete change to how a site or its business processes work. Where consent is required, a site needs to decide how best to obtain it without breaking existing functionality. Comprehensive testing of any changes is essential to ensure a site does not fail if a user blocks cookies.
If, for example, a company supplies ad services to other sites, and the ad service requires setting cookies on those sites to work properly, that company must ensure its clients (the sites that use its services) update their terms and conditions to ensure compliance with the law. The company will have no control over the methods its clients use for educating users and obtaining consent.
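The following is an added illustration, not code from the original article or from the ICO: a small consent gate that sets cookies classified as "strictly necessary" (session, load balancing) unconditionally, defers every non-essential cookie (analytics, customized greeting) until an explicit opt-in is recorded, and refuses any cookie missing from the cookie-audit registry. The cookie names, the registry and the CookieJar abstraction are constructed for this example so it runs outside a browser.

```javascript
// Added example (hypothetical registry and jar): a consent gate for PECR-style
// "strictly necessary" vs non-essential cookies. Names below are constructed.
const COOKIE_REGISTRY = {
  // name -> purpose and whether it is strictly necessary for a requested service
  sessionid:     { purpose: 'shopping basket / checkout session', essential: true },
  lb_route:      { purpose: 'load-balancer affinity',             essential: true },
  _ga:           { purpose: 'analytics visitor id',               essential: false },
  greeting_name: { purpose: 'customized greeting',                essential: false },
};

// Stand-in for document.cookie so the gate can be exercised in Node.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  constructor(jar, registry = COOKIE_REGISTRY) {
    this.jar = jar;
    this.registry = registry;
    this.consented = false;
    this.deferred = [];   // non-essential cookies waiting for opt-in
  }
  // Only a literal true, recorded after the user acted on an explanation,
  // counts as consent; anything else (undefined, 'yes', 1) is treated as "no".
  recordConsent(decision) {
    this.consented = decision === true;
    if (!this.consented) return;
    for (const [name, value] of this.deferred) this.jar.set(name, value);
    this.deferred = [];
  }
  // Returns 'set' or 'deferred'; throws for cookies the audit never classified,
  // so an unreviewed cookie cannot be set by accident.
  setCookie(name, value) {
    const entry = this.registry[name];
    if (!entry) throw new Error(`cookie "${name}" is not in the cookie audit registry`);
    if (entry.essential || this.consented) { this.jar.set(name, value); return 'set'; }
    this.deferred.push([name, value]);
    return 'deferred';
  }
}

// Audit check: non-essential cookies present in a jar; must be empty pre-consent.
function nonEssentialCookies(jar, registry = COOKIE_REGISTRY) {
  return jar.names().filter(n => registry[n] && !registry[n].essential);
}
```

Running nonEssentialCookies() against a fresh visitor's jar during the site's test pass is the check that nothing non-essential slipped through before the user opted in.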
Guide to EU cookie compliance
This article is part of the EU cookie compliance guide which contains news and advice for organisations in Europe and around the world for complying with the cookie law.
There are further changes to EU data protection laws on the horizon, including increased accountability for those processing personal data, mandatory disclosure by all organizations of any serious data breach within 24 hours, and a “right to be forgotten” that lets users have their personal data expunged by third parties at their request. The maximum fine could eventually be raised to 2% of worldwide revenues, so any business operating in the EU, or operating outside the EU but courting EU-based visitors, needs to ensure its website and data-handling procedures remain compliant. If a company is solely U.S. based, nobody is yet sure how easy or likely it may be for the ICO to pursue a violation in court. The UK ICO does offer free audits and assessments of whether your organization is following good data protection practice. If in doubt, contact them before a problem arises.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.