See all Insights

Europe’s New Internet Privacy Law: What You Need to Know

There has been increasing noise in recent weeks about new European Union privacy rules that will dictate how websites can use cookies. The new regulation (also known as a “directive” in EU-speak) requires EU-based websites to be much more transparent about how they use cookies. The policy becomes effective on May 25 and will be enforced, though according to the UK Information Commissioner’s Office (ICO), persistent cookies used for analytical purposes (the kind many of our clients use on their websites) will not be high on the enforcement priority list. The information available right now doesn’t get much more specific than that, but you shouldn’t interpret this vagueness as permission to ignore the policy.

The new directive amends the EU’s 1995 privacy rules, which were developed when both the EU and the Internet were both very young. Obviously there have been drastic technological, geopolitical and commercial changes in the EU since 1995, so the new rules are intended streamline existing privacy regulations and enforcement protocols that currently vary widely across member countries.

Under the existing rules, an EU-based website can use cookies if it discloses their use and provides users with an opportunity to opt-out. Most websites usually meet this requirement through their site’s privacy policy. The new rule actually goes beyond this and requires user consent to place a cookie on their computer. However, many websites place cookies immediately upon the first page load, making prior consent problematic. Because of this difficulty, the ICO is recommending that websites first provide more detailed information about cookie usage in their privacy policies.

If you operate an EU-based website, here are three approaches you could take right now in order to achieve compliance:

  1. Disable all cookies: This would be the simplest approach to compliance, but would leave you with no analytic insight to your website.
  2. Amend your privacy policy: Update your existing policy to include more detail on cookies and relocate its link to a more prominent position, while taking a wait-and-see approach to whether the law will be adjusted to place more responsibility on browsers than the websites themselves. The ICO guidanceprovides some helpful examples of how to word your revised policy, including this opt-in notification:

  3. Amend your privacy policy and implement a banner alert: To go a step further, locate the alert in a prominent position, and ensure it says more than simply “privacy policy.” You could also word the notification as a call to action, such as “Find out more about how our site works and how we put you in control.” Here is another straightforward example from the ICO guidance: 

We knew this sort of thing was coming, but it will take a little longer for the U.S. to implement enforceable privacy rules. Last month the Obama Administration unveiled its Consumer Privacy Bill of Rights, a set of voluntary guidelines. Similar legislation was introduced in the U.S. Senate, but with an election year well under way, don’t expect your cookies to be tossed anytime soon.

Related Posts