More than ever, businesses need to comply with online privacy rules regarding the use of cookies on their websites. Cookies are used by many sites to track user preferences and behavior. A new European regulation is changing the rules -- and businesses can risk fines of up to €2 million for non-compliance.
If your website serves European citizens, it falls under the current European/national privacy directives, as well as the upcoming regulations. Learn about what your company and chief compliance officer should do to avoid potential fines and penalties.
Why Companies Use Website Cookies
Cookies allow a website you visit to recognize you and keep track of your preferences, which is very useful for both the website owners and its users. Many companies use cookies for online marketing: creating customized advertisements. Others use cookies for basic functionality, such as tracking a user’s country or language settings. Such cookies help ensure that the user will see their personal preferences the next time they visit the site.
When you visit a website, the site creates small text files which are stored in your computer or mobile device. These may be stored temporarily (for one browsing session only) or permanently on the hard disk (until you delete them).
Understanding European ePrivacy Standards
The European Union has quite stringent regulations intended to protect online privacy. The EU’s so-called “ePrivacy directive” was enacted in 2002 and amended in 2009. Since 2009, directive 2009/136 has required all website operators who use cookies for other than technical required purposes to obtain consent by the user before the cookies start tracking.
The concept of “obtaining consent” is unclear, however. Member states implemented the directive in their own national laws, with variations in interpretation. For instance, it is unclear whether the user has to give explicit consent to be tracked with cookies, or whether implied consent is sufficient.
Now, an upcoming regulation for ePrivacy is set to replace the ePrivacy directive, and it’s likely to raise the stakes for compliance. The first draft of the new ePrivacy regulation was published by the European Commission in January 2017, and it introduces three potential changes:
- The regulation will apply in all member states. Use of cookies will no longer be regulated by different national laws.
- Only a “clear affirmative act” is considered consent. Implied consent is no longer sufficient in any member state, as stipulated by the current draft.
- Violations carry higher fines and sanctions. Non-compliance website operators face fines of up to €2 million.
The draft is currently being examined by the European Parliament and the Council and is still subject to change. These institutions, however, are very likely to support the requirement for explicit consent.
What This Means For Your Company’s Website
To make your website compliant with the upcoming EU regulations, your site needs to use a cookie banner on the main landing page, and on other subpages that users could be directed to by search engines. These banners should ask users to opt-in to cookies in a “clear affirmative act” as outlined in the current draft.
Here are three tips for an effective cookies banner:
- Don’t use phrases like “You agree to the usage of cookies when you continue using this site.” Such phrases are merely obtaining implied consent.
- Don’t use pre-ticked checkmarks, as these also only imply consent. Instead, let the user actively tick the checkmark before continuing to browse the website.
- Include short information about the purpose and use of the cookies, as well as the option to withdraw. This text should be in easily understood, user-friendly language.
While the EU’s new ePrivacy regulations have not yet been enacted, many large companies are already using these cookie banners. In addition to maintaining compliance, these banners promote a positive corporate image: They demonstrate transparency and care in handling customer data.