Web Design Industry Blog


Update on Cookie Law Implementation: Implied Consent

Published on June 1, 2012
Tags: Web Site Law

We have now passed the deadline of May 26th 2012 for websites to comply with the new EU Cookie Laws and it is thought that many sites are still in some ways breaching the law. However, there have also been some interesting updates from the Information Commissioner’s Office, in charge of the law in the UK, giving us more information on how the law might work in practice.

Notably, there has been an update to the policy guidance from the ICO. The new guidance says that websites are now able to assume ‘implied consent’ from web users. This means that there is not necessarily any need for websites to display options for users to choose from, as we discussed in our post last week, but rather they can assume that if a user continues to make use of a website, they are happy for cookies to be used.

However, this does not mean that websites do not need to comply with other aspects of the new Cookie Law and so it still pays for organisations affected to read through the policy guidelines from the ICO to find out their obligations. For example, they might have to carry out an audit of the cookies they are currently using on their websites and perhaps update their own site information to make it clear to users the cookies that are in operation on the website.

Also, the updated ICO guidelines say that: “While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.” This suggests that the implied consent principle is only applicable in some situations; if a website cookie is collecting sensitive personal data on a web user, it is likely that they will still need to obtain specific consent from them as we have discussed in previous blog posts.

Another key point from the updated guidelines is that the concept of implied consent cannot be used as a “euphemism for ‘doing nothing’.” Action still needs to be taken so that consent can be inferred from the web user. For example, you may have seen some websites with messages at the top of the page stating that they use cookies and that by using the site, web users consent to those cookies being used. In short, this means that no matter how a site goes about implementing the cookie policy, at least some action will need to be taken so that web users are aware of the cookies being used.

It is important to remember that the ICO has the power to levy fines on websites that do not comply with the Cookie Law, so even though the concept of implied consent might take some of the heat off web operators, this is not the only aspect of the law. A recent study from KPMG found that 95% of firms still hadn’t implemented the new law. However, in practice, the ICO has said fines are unlikely to be levied. This is because sites are unlikely to cause a serious data protection breach. Non-compliant sites may still be expected to show the progress they have made towards implementation, though.

One slight worry with the implied consent concept is that it has been suggested this could lead to the UK battling its interpretation of the Cookie Law in European Courts. However, others have noted that many other European countries have yet to take the law seriously and that it could make the UK less attractive in terms of business. Also, some non-EU businesses could in theory get around the Cookie Law in a way that EU businesses cannot, which, it is suggested, could put European online retailers and other businesses at something of a disadvantage.

Either way, the Cookie Law is now in force in the UK and so it makes sense for businesses to do what they can to comply with the laws. The implied consent component has been described as being more business-friendly and it will hopefully make it easier for many sites – particularly those that don’t collect sensitive user data – to comply with the law.

You can download the updated ICO guidance on the Cookie Law with the addition of implied consent here.

By Chelsey Evans


Cookie Law and Google Analytics

Published on May 25, 2012
Tags: Web Site Law

With only days to go until the EU Cookie Law comes into effect, many website operators are likely to be wondering just how the new law will affect their ability to, among other things, make use of services like Google Analytics. This is a real concern; since tracking cookies such as Google Analytics are not considered to be ‘essential’ to a website’s operation, consent is needed from users before they can be deployed.

This means that if a web user declines the cookies, website operators will no longer be able to track what they do on the site. If multiple users do this, the value of Google Analytics data will naturally go down and it will be harder to make use of it as a resource. This is something that could affect a huge proportion of websites – it is thought that of the top 10,000 websites, 57% make use of Google Analytics. Many more use similar alternatives such as Statcounter.

We’re going to focus on Google Analytics in this post since that is the major player when it comes to this sort of software, but similar issues are likely to apply to Statcounter and other analytics alternatives.

Currently, Google Analytics automatically sets four cookies. There is also an optional fifth cookie that gives website owners the option to share website traffic information with Google. The cookies set by Google Analytics are first party cookies, which means that if you utilise it on your website, you will only need to gain user consent once before it can be used (in contrast to ‘third party’ cookies that require consent each time they are used).

If you have the fifth optional cookie enabled that passes information back to Google, this will also need to be made clear on your website so that users can see who you are passing information to and what the purpose of this is. The Information Commissioner’s Office makes the suggestion of having text in a header or footer on your website to highlight the cookies and what they are used for. Google Analytics says that website information they receive is typically used for ‘benchmarking’ performance of sites. This is the sort of thing that will also need consent from users.

From all of this, it is quite easy to see the scale of the impact that the Cookie Law could have on tools such as Google Analytics. However, it is thought that these sorts of cookies are considered to be low priority by the ICO. Their guidance states that ‘provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action’.

Also, the Government’s Digital Service has acknowledged just how vital analytics are to government websites and that cookies are currently the most effective method for this. They say that the usage of these cookies tends to be controlled by a ‘first party’ and that they are minimally intrusive to users. This, plus the information from the ICO, suggests that as long as information about analytics cookies is made clear and that they are operated solely by first parties, compliance with the Cookie Law should not be too difficult. However, even though this sort of cookie might not be the highest of priorities, to not comply is still to break the law and so it’s an issue that needs to be taken seriously.

At this point in time, it isn’t entirely clear what the solution will be for analytics cookies requiring consent from users. Their usefulness has been admitted, but compliance is still important and so it isn’t inconceivable that the value of analytics data will be affected by users opting out of the cookies. Solutions could potentially come from a modification to the code used by Google Analytics, a browser-based solution or updated privacy policies, for example.

There are also a handful of non-cookie based analytics tools available. We’re currently testing one and will advise shortly on the results, but so far we’re seeing similar results coming back to Google Analytics – the downside, though, is that it’s a fee-based service.

The ICO blog has stated that there will be ‘no knee-jerk formal enforcement action’ taken against sites that are taking steps to comply with the Cookie Law but who are not yet quite compliant, so there isn’t too much need to panic at this stage if you are still sorting out your compliance procedure.

However, only time will tell what the impact of the Cookie Law is on analytics results but for now it seems that the safest course of action is to do what you need to in order to comply with the law, make sure that your processes and policies are clearly defined and that users are made aware if you are using analytics cookies – and that a decent solution is found some time soon so that Analytics remains a useful, valuable resource for anyone who uses it.

Should you need any advice on implementing compliance with the new regulations, please contact us for further information and our Cookie Consent Service.

By Chelsey Evans


The EU Cookie Law: What You Need to Know

Published on May 18, 2012
Tags: Web Site Law, Web Design London

They’re technically known as the Privacy and Electronic Communication Regulations, but you might know them as the EU Cookie Law. This is the new directive that comes into effect on 26th May 2012 and that requires websites to gain the consent of users when they want to run most cookies on that website.

The vast majority of websites currently use cookies and, as it stands, many of them are breaking the law as most websites don’t ask for users’ consent before utilising the cookies. There are different types of cookie though, and some of them are exempt from compliance with the Cookie Law. Generally speaking, those cookies that are exempt are the ones that are essential to the operation of a website. For example, if you have to log in to a website to use its service, a cookie will be needed to remember that or else the service will not work.

However, even though some cookies might be used for operational purposes, they will still require websites to get consent from users before using them. For instance, this could be the case for cookies that remember a user’s preferences for that site. Other cookies considered to be ‘non-essential’ will also need consent before they can be utilised on a website. Notably, tracking cookies (such as those used by services like Google Analytics or Statcounter) will require permission from users, as will advertising cookies.

The Information Commissioner’s Office, which is responsible for the Cookie Law in the UK, has offered some suggestions as to how websites can make sure they are compliant with the new law. These include getting users to agree to cookies when they accept website terms and conditions, obtaining consent when users choose certain settings, obtaining consent when users utilise certain features, or utilising tools such as headers or pop-ups in order to gain consent.

For an example of how consent can be gained from users, pay a quick visit to the ICO website. Across the top of the screen you will see a header that requires you to tick a box that states ‘I accept cookies from this site’. It appears that this is a one-time thing. Once you have accepted the cookies from the ICO website, if you then leave the site and come back, it doesn’t ask you again to accept the cookies.

Guidance from the ICO suggests that the person who is responsible for setting a particular cookie should be responsible for the compliance of that cookie with the new law. For instance, if a third party advertiser were to place an ad on our website, they would be responsible for ensuring it complied with the law. However, if we were to use Google Analytics cookies to track our site statistics, we would be responsible for those cookies. The difficulty arises when a third party, such as an advertiser, doesn’t actually have a means of obtaining consent because the website is not theirs. This means that in practice it is likely to be much easier for the website owner to take responsibility for obtaining consent for all relevant cookies.

There is therefore likely to be a need for website owners/operators to liaise with any third parties in order to find out the exact nature of the cookies placed on a particular site since an owner might not always be entirely aware of this.

There are clearly quite a few ways in which a website could choose to obtain consent from users for their cookies, but no matter which method is chosen, the most important thing is that users are given an informed and clear choice. It is important to note that this might also mean that websites have to update their terms and conditions or privacy policies in order to ensure they comply with the new Cookie Law and so that users can read more about the kind of cookies that are used on a particular website.

As it stands, the majority of websites are thought to still be in violation of the Cookie Law, with many holding on to see how other websites (such as key government sites) deal with the new regulations. However, the law is due to come into effect very soon, and so if websites have yet to take action to comply with the directive, they would be wise to start forming a strategy now so that they do not fall foul of the ICO and find themselves in trouble.

Next time, we’ll be taking a look at how the Cookie Law affects tracking cookies such as Google Analytics. For now, if you want to find out more about the Cookie Law and different types of cookies and how they will be affected, the International Chamber of Commerce has produced a useful guide.

By Chelsey Evans


The New Google Privacy Policy

Published on March 2, 2012
Tags: Web Site Law, Internet Communication

It has been another busy week in the world of online privacy and Google is back in the spotlight with the launch of its new privacy policy. A significant update from Google is always something to interest web designers, and this example is no different.

This particular privacy update is supposed to, according to Google, get rid of inconsistencies in its previous privacy policies so that ‘we can make more of your information available to you when using Google.’ This means that Google is now better able to share users’ data between different services. For example, if you use all of your Google services while you are logged in, your search history could have an impact on the YouTube videos that are suggested to you.

The Google blog post announcing the new privacy policy gives the example of Jamie Oliver (bear with us). They say that, for instance, if you do regular searches for Jamie Oliver and you then search for recipes on YouTube, Google might take note of this and suggest his videos for you, or put up ads for his cookery books while you are using other Google services.

The impact of this is two-fold. One impact is that it can help to make services more convenient for users as their preferences will be registered across Google platforms. The other impact is that the changes are likely to make it easier for Google to target ads to web users.

Another impact of the new privacy policy, however, is that it seems as though Google may have fallen foul of EU laws and the EU is currently taking action to examine the policy. When the privacy update was first launched about a month ago, the data protection authorities in Europe expressed concern and suggested that Google ought to wait to implement the policy until an impact assessment had been carried out. However, as we can clearly see, Google have launched the changes anyway.

The concern of the European Union is that the Google privacy policy does not meet requirements with regards to ‘information provided to data subjects.’ The French data protection authority, CNIL, has been asked to examine the policy as a result. One of the main issues that have been raised is to do with the way the privacy policy has been worded; CNIL is worried that it is too general in the way it talks about Google services and the personal data involved. They are worried that this means normal web users will find it difficult to determine the details of the policy in relation to particular Google services.

Google has already tried to defend itself against the EU’s concerns, saying that they have already carried out an extensive awareness campaign to try and educate service users about the changes that are being implemented. They also argue that if you do not want your data to be shared across the different Google platforms, you don’t need to be logged into all of the services in order to use them. 

For example, you can use platforms such as YouTube, search and Google Maps without being logged in. There is also an option to go ‘incognito’ if you choose to browse the web using Google Chrome. Google also makes the point that you don’t necessarily have to operate all of your services from one single account – you can have different accounts for different services if you wish.

However, a counter-argument could run that this all serves to make privacy more complicated than it was before despite the fact it is supposed to simplify things; the new privacy policy automatically applies to everyone who uses Google’s services while logged in and there is no option to properly opt out of it. The only way to avoid the policy is to stop using Google’s services altogether. 

There are, though, some other things that concerned users can do to limit the amount of data that is linked across services. For example, they have the option to delete search histories and can view their Google Dashboard to see what data is held on them and where.

Despite this, there are still concerns. Even though Google carried out an awareness campaign, a poll carried out by YouGov found that 47% of UK Google users were still unaware of the changes. The EU action continues and there is worry from some campaign groups.

One thing we find ourselves wondering, though, is that even if people are concerned or don’t understand the privacy policy, is it going to stop people using Google services? We suspect probably not.

By Chelsey Evans


The Stop Online Piracy Act (SOPA): How it Affects the Internet

Published on December 2, 2011
Tags: Web Site Law

In recent weeks, you may have read about something called the Stop Online Piracy Act. Or, to give it the acronym such things seem to require these days, SOPA. This is a bill that has been introduced by a member of the US House of Representatives with the aim of… you guessed it, stopping online piracy.

This bill has caused something of an outcry among various groups – but what is it actually all about? There’s been a lot of controversy over this piece of legislation and it’s something that people have been getting heated about on both sides of the debate, so we thought we’d try and cut through the hyperbole to see what is actually going on.

Essentially, at the heart of this bill is an issue of copyright. The purpose of SOPA is meant to be to try and stop copyright infringement – specifically, the infringement of the copyright of American creative products that are illegally ‘shared’ on the internet by sites based in other countries. Currently, trying to bring these sites to justice in the US is relatively useless because they’re all based offshore.

So on the one hand, it’s possible to see the logic behind introducing SOPA as a bill: people who create a product, whether it’s music, a film or something else, have a legal right to copyright. And, unlike patents which are issued by nation states following an application process, copyright is automatic and universal. If anyone tries to infringe it, the holder of the copyright has a right to challenge them.

High profile supporters of the bill include the kind of groups you might expect to support copyright enforcement, including the Motion Picture Association of America and the Recording Industry Association of America. Another interesting supporter is the US Chamber of Commerce – this is an organisation that usually fights for ‘free enterprise’ but is supporting SOPA on the grounds that rogue websites threaten ’19 million American jobs’.

However, on the other side of the debate we have many of the US’ internet giants. Organisations such as Google, eBay, Twitter, Facebook, LinkedIn and AOL are all opposed to SOPA because they fear that if it were to become law, it would make it harder for the web to innovate – largely because it would invite a lot of lawsuits, which are hardly ideal for creating an innovative atmosphere.

In a way, SOPA is similar to a bill that was introduced in the US Senate, the Protect IP Bill. However, SOPA goes one step further: where Protect IP was focused on groups such as domain name providers, SOPA targets internet providers themselves – in order to deal with targeted ‘rogue websites’, the idea is that the US Attorney General would get a court order that effectively compels internet providers to withdraw support from those sites.

Arguably, it is this that has helped to make the current bill so controversial. But what are the implications for web users if this Act is passed and eventually becomes law? It’s hard to make accurate predictions when the legislation is still being debated and it’s not guaranteed to pass, but it seems as though certain popular websites would no longer be available (at least not in the US, but seeing as the European Parliament recently approved a motion that stresses the need to refrain from ‘unilateral measures to revoke IP addresses or domain names’, it seems as though it could create international issues as well).

Another reason it is controversial is that it has potential security implications. This is because internet providers would be required to redirect certain domain names (such as those of sites containing pirated information) to US security organisations. This matters because it conflicts with something called DNSSEC, which is designed to make things more secure for web users. There’s also a worry that innocent sites could be unfairly damaged – and even that cybersecurity could be compromised.

For now, though, we need to wait and see what happens. There’s big, well-funded support on both sides of the SOPA debate. However, it’s worth pointing out that despite all the noise about SOPA, it still hasn’t come to a vote on the House floor and could be subject to further hearings about its security implications before that’s allowed to happen – and even then there’s no guarantee it will get onto the schedule. But should it make it through it could affect us all, whether we're in the US or not.

One thing, though, stands out: whichever side of the debate you may stand on, it seems fair to say that absolutely everyone is passionate about creating and promoting good content – the main dispute is over how to go about it.

By Chelsey Evans


Disclaimer: The contents of these articles are provided for information only and do not constitute advice. We are not liable for any actions that you might take as a result of reading this information, and always recommend that you speak to a qualified professional if in doubt.

Reproduction: These articles are © Copyright Ampheon. All rights are reserved by the copyright owners. Permission is granted to freely reproduce the articles provided that a hyperlink with a do follow is included linking back to this article page.