Protecting your visitors’ privacy according to EU directive on cookies

In order to protect visitors’ privacy when visiting websites, EU countries have had reason to review their legislation regarding the usage of cookies. An EU directive states that site owners are responsible for informing visitors about which cookies are used and what they are used for. The website visitors must also approve the cookies to be used.

This means that website owners must inform and explicitly ask each first-time visitor if a cookie may be placed on the computer, mobile phone or other terminal equipment. It is not acceptable to solely rely on the visitors’ web browser cookie settings.

A worst-case scenario is that the website must seek the visitors’ approval for every cookie. Large websites with many cookies may have more than 30 pop-ups for the visitor to click in order to read the content on the site. Lack of awareness regarding the EU directive may lead to website visitors saying no, which will in turn affect the website negatively.

The directive is also unclear as to how visitors should be informed about cookies and approve them. Instead, this has been left up to the market to develop a solution to handle approval, as long as the requirement that visitors can approve cookies is met.

Exceptions from the approval requirements can be granted if a service is offered that technically cannot function without cookies. For example, if you have an online store with a shopping cart to keep track of what the customer wants to buy. If the customer upon registration approves the rules, there is no need for a new approval.

Intended to protect privacy

Cookies are not harmful to your computer and are used on many websites to facilitate visitors’ access to various functions such as “remembering” the choices made ​​by visitors on the site. For example, a nationwide site that “remembers” which county the visitor chose on the last visit.

The information in the cookies can be used to compile and analyze the information that a visitor leaves when surfing the web. Ad networks use such cookies to “track” how visitors browse, which websites and pages they visit  and how long they stay on the sites. Hackers may use cookies as a component of an attack, for example, phishing.

Today’s technology makes the law difficult to follow

It is common for websites to have information on the usage of cookies on the site, yet cookies will be sent to a visitor’s computer without notification. Very few of today’s browsers are designed for the so-called opt-in model, that is, the visitor must expressly give consent to sharing personal information. This is, however, now a requirement under the directive. The browsers are not sophisticated enough to distinguish between different types of cookies and visits no longer take place via conventional web browsers only, but perhaps via an app on a mobile device.

For website owners and managers, what is relevant is where their organization is active, not where the server is located. In some cases, there may be a question of limitations which can be determined from case to case. Check this with the Office of Data Protection in your country.

Solution for EPiServer websites

As a first step, the information texts below should be downloaded for usage when implementing a solution. You can put a statement like this on all pages (or pages with dynamic content and a form) for “new visitors” by using the personalization feature in EPiServer CMS. Refer to Creating Personalized Content section in the user documentation (web help), by using visitor groups based on the Number of Visits (less than 1) and Geographic Location (country) criteria. However, to use personalization for collecting the visitor's approval will require development.

You can also develop an ASP.NET solution to handle session states without cookies. Refer to the blog posts Cookieless Session State in ASP.NET without Nasty URLs and Going Cookieless with EPiServer CMS by Allan Træn.

Cookies used by EPiServer products

EPiServer CMS

EPiServer CMS uses the following cookies:

 
EPiServer Commerce

EPiServer Commerce uses the following cookies:

 
Information texts and statements for download

The information to visitors should contain the following:

• Information about the cookie. List the cookie names, domain/service where they are used, and how long they are stored on the computer. Also list cookies from third-party analytics tools used.
• Purpose. What are the cookies used for, for example, storing web browser settings, statistics on banner clicks etc.
• How the information is used. If IP addresses are stored for security reasons, for example, when the visitor signs up as a member, or buys anything in a web shop.
• Alternative. If the visitor can use the services on the website without cookies being used. Specify what services that technically need to have cookies.

You can download the following samples of information texts and statements for usage on your website:

• In English
• In Swedish

References

• Offices of Data Protection in all European countries: European Commission
• EU Data Protection Directive and Directive on Privacy and Electronic Communications: Europe’s Information Society
• Service to find out which cookies are used on the website: PTS.se ”Hitta kakor” (In Swedish)
• Session ID for ASP.NET: Microsoft.com
• Google Analytics Privacy Policy: Google.com

United Kingdom (In English)

• Information about the law: Guide to the Privacy and Electronic Communications Regulations
• Example of website with approval of cookies: Information Commissioner’s Office in UK

Sweden (In Swedish)

• Information by Post- and Telestyrelsen about cookies for site owners: PTS.se
• Information by Post- and Telestyrelsen about cookies for visitors: PTS.se 
• Example of website with approval of cookies: Svenska Regeringskansliet

Comments