
For U.S. companies, EU cookie compliance calls for website changes

With recent changes to European data privacy laws, U.S. enterprises must make website changes to meet EU cookie compliance deadlines.

Current estimates put the number of Internet users in the European Union (EU) at more than half a billion, making it an attractive target for online businesses. But recent and proposed changes to various EU directives mean an existing website, even if it's owned by a U.S. company or served by a U.S.-based server, may not be compliant with revised EU data privacy laws if it targets citizens in the EU.


The EU data privacy laws that came into force last May state that storing and accessing information on users' computers (i.e. cookies) is only lawful if the user has given consent. In this tip, we'll discuss the compliance implications of this development and what changes U.S. enterprises must make to comply.

These new compliance requirements have been implemented into law via amendments to the UK's Privacy and Electronic Communications Regulations (PECR) and will certainly require website owners to review and change how their sites work. Previously, visitors only needed to be informed of a site using cookies in the site’s privacy policy. Now sites must explain how cookies are used and obtain explicit permission prior to using cookies and locally stored objects (flash cookies).

Consent is not required for cookies that are considered “strictly necessary” for a service requested by the user. For example, a session cookie that enables a user to add items to a shopping basket and then use the site's checkout feature can be set without prior permission, but be warned: the definition of what is strictly necessary according to the PECR is narrow. Cookies used for load balancing would be deemed necessary, but not those used to collect statistical information about users or those that enable a customized greeting or look for the site. As a significant example, cookie-based Google Analytics -- which is estimated to run on 90% of websites -- is not compliant with this legislation. To use this or other non-essential services, a site must first obtain the user’s permission.

Figure: the cookie consent banner shown on the ICO website.

If you go to the UK Information Commissioner’s Office website, you will see a banner at the top of the page (see figure). This banner gives a good idea of what regulators are expecting sites to implement by May 26, 2012, when enforcement of the new law begins. Not surprisingly, when the ICO tested the above on their site, only 10% of users actually opted to allow cookies; without such warnings, most users accept website cookies without even knowing it.

The ICO does provide guidance on PECR and EU cookie compliance and recommends a cookie audit as the first step. An organization must check what type of cookies and similar technologies it uses on its websites and how it uses them. Remember that these requirements also apply to cookies set on mobile devices and other terminal equipment such as Internet-enabled gaming consoles and televisions.


An organization should then assess its use of cookies, including how essential they are to its site and how much they intrude on users. Intrusiveness relates to the extent to which a cookie reduces the privacy of the user, such as profiling their activity. The more intrusive the cookie, the more information the user must be provided regarding the cookie when obtaining their informed consent. This will likely require a site to update its privacy policy, which will also need to explain how a user can withdraw consent. This process must remove any existing cookies.

Consent must be unambiguous and be explicitly given, so a simple "check box" without adequate explanation of what a user is consenting to will not suffice. Users must give permission for third-party cookies too. These requirements may well mean a complete change to how a site or business processes work. Where consent is required, a site needs to decide how best to obtain it without breaking existing functionality. Comprehensive testing of any changes is essential to ensure a site does not fail if a user blocks cookies.
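As an added example (not code from the article, the ICO or any product it mentions), the following script shows one way to implement the audit and consent steps described above: a policy table classifying each cookie, a gate that lets only strictly necessary cookies be set until the user explicitly grants a category, a withdrawal routine that expires the non-essential cookies already present, and an audit helper that lists which cookies on a page would need consent. The cookie names, their categories and the in-memory store standing in for `document.cookie` are all constructed for illustration.

```javascript
// Added example: gating non-essential cookies behind explicit consent and
// removing them when consent is withdrawn. The policy below is constructed
// for illustration; only "strictly-necessary" cookies may be set without consent.
const COOKIE_POLICY = {
  session_id: "strictly-necessary",  // shopping basket / checkout session
  lb_route: "strictly-necessary",    // load-balancer affinity
  _ga: "analytics",                  // Google Analytics client id
  _gid: "analytics",
  greeting_name: "personalisation",  // customised greeting
  ad_partner_id: "advertising",      // third-party ad service
};

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookieString(cookieStr) {
  const jar = new Map();
  for (const part of cookieStr.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    jar.set(name, value);
  }
  return jar;
}

// Category of a cookie. Names missing from the policy fail closed as
// "unknown": the user cannot have consented to a cookie nobody classified.
function categoryOf(name, policy) {
  return policy[name] || "unknown";
}

class ConsentGate {
  // store: { get(): string, set(str): void }. In a browser, wrap document.cookie.
  constructor(policy, store) {
    this.policy = policy;
    this.store = store;
    this.consented = new Set(); // categories the user has explicitly allowed
  }

  // May this cookie be set right now?
  canSet(name) {
    const cat = categoryOf(name, this.policy);
    return cat === "strictly-necessary" || this.consented.has(cat);
  }

  // Set a cookie only if permitted; returns true if it was written.
  setCookie(name, value, attrs = "path=/") {
    if (!this.canSet(name)) return false;
    this.store.set(`${name}=${encodeURIComponent(value)}; ${attrs}`);
    return true;
  }

  // Record an explicit, unambiguous choice for the named categories.
  grant(categories) {
    for (const c of categories) {
      if (c !== "strictly-necessary") this.consented.add(c);
    }
  }

  // Withdrawal must also remove cookies already set; returns the names expired.
  withdraw() {
    this.consented.clear();
    const removed = [];
    for (const name of parseCookieString(this.store.get()).keys()) {
      if (categoryOf(name, this.policy) !== "strictly-necessary") {
        this.store.set(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`);
        removed.push(name);
      }
    }
    return removed;
  }
}

// Audit helper for the cookie-audit step: which cookies currently present
// would need consent under the policy, and in which category.
function auditCookies(cookieStr, policy) {
  return [...parseCookieString(cookieStr).keys()]
    .filter((n) => categoryOf(n, policy) !== "strictly-necessary")
    .map((n) => ({ name: n, category: categoryOf(n, policy) }));
}

// In-memory stand-in for document.cookie so the gate can be exercised outside
// a browser: an assignment carrying a 1970 expiry deletes the cookie, as a
// browser would. Constructed for this example only.
function memoryCookieStore() {
  const jar = new Map();
  return {
    get: () => [...jar].map(([k, v]) => `${k}=${v}`).join("; "),
    set: (str) => {
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const eq = pair.indexOf("=");
      const name = pair.slice(0, eq);
      const expired = attrs.some((a) => /^expires=.*1970/i.test(a));
      if (expired) jar.delete(name); else jar.set(name, pair.slice(eq + 1));
    },
  };
}
```

The gate is the piece to test against the "site must not fail if the user blocks cookies" requirement: every non-essential `setCookie` call returns `false` until consent is granted, so page code must tolerate that return value rather than assume the cookie exists. Third-party scripts that set their own cookies cannot be intercepted this way; they have to be loaded only after `canSet` for their category returns true.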

If, for example, a company supplies ad services to other sites, and that service only works if cookies are set on those other sites, the company must ensure its clients (the sites that use its services) update their terms and conditions to ensure compliance with the law. The ad company will have no control over the methods its clients use for educating users and obtaining consent.

Guide to EU cookie compliance

This article is part of the EU cookie compliance guide which contains news and advice for organisations in Europe and around the world for complying with the cookie law.

If a website is not in line with the EU cookie compliance guidelines come late May, it could face significant repercussions. If the ICO receives a complaint about a site’s use of cookies, it is easy for it to check what cookies have been set. The ICO can now issue penalties of up to £500,000 per incident. Therefore, it is important for a website owner to show it has tried to comply with the law. It's unclear how stringently the law will be enforced, so make sure it's someone else who is in court establishing the legal precedent of how this law is to be interpreted.

There are further changes to EU data protection laws on the horizon, including increased accountability for those processing personal data, mandatory disclosure by all organizations of any serious data breach within 24 hours, and a “right to be forgotten” that lets users have their personal data expunged by third parties at their request. The maximum fine could eventually be raised to 2% of worldwide revenues, so any business operating in the EU, or operating outside the EU but courting EU-based visitors, needs to ensure its website and data-handling procedures remain compliant. If a company is solely U.S. based, nobody is sure yet how easy or likely it may be for the ICO to pursue a violation in court. The UK ICO does offer free audits and assessments of whether your organization is following good data protection practice. If in doubt, contact them before a problem arises.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.

This was last published in March 2012
