EU Privacy Directives

4 Ways to Stay Ahead (and Out of Trouble)

In May of 2011, the European Union (EU) adopted a set of privacy rules that many are referring to as the "EU Cookie Law."

The most prominent (and important) aspect of this legislation is that it makes setting website cookies or other tracking technologies without a visitor's consent illegal in all 27 EU member countries.

Ramifications for Merchants
Many Internet insiders are fervently opposed to this initiative, with some going as far as claiming it will be the death of the ecommerce industry, if not digital marketing and the Web in general. And although some of these reactions may be a bit hyperbolic, the rules do raise a number of concerns, particularly for European retailers.

Simply stated, the new law forces websites to ask visitors for permission before they can install (most types of) cookies. This is contrary to the popular misconception that it is an outright cookie ban, as well as the idea that all cookies are subject to the law. For example, cookies necessary for a website to function (i.e. session cookies used to track a user's shopping cart through checkout) do not require user consent. The tracking cookies that are affected include those being used for advertising, recommendations and even analytics (see sidebar below).

Do Not Track (Without Consent)
While the new EU regulations have been colloquially referred to as a "Cookie Law," it is crucial to note that these new laws are actually much broader and cover many tracking technologies (whether a cookie is involved or not) including analytics. Fortunately, many technology vendors have taken steps to support the digital business and internet retail community. A good example is in analytics solution Piwik whose recent platform release (version 1.8) now supports DoNotTrack (DNT) by default. Learn more at https://wsm.co/M6P2yq.



Who is Affected?
Any enterprise with a Web presence operating in Europe is subject to this new rule, as well as any company with headquarters or offices within the EU. And, it does not matter where a business's servers are located, but rather where the business is directed. Thus, even US-based companies with a Web presence in the EU are subject to these rules. However, only dedicated pages for EU member countries are affected, not US or other non-EU sites.

Following the Law

For merchants who don't want to risk drawing the ire of EU regulators, here are a few common sense steps to make sure you fall in line with the Cookie Law:

Know what's up
The obvious first step is to familiarize yourself with the directives. In other words, do your research (and this article is a good first step) and be aware of features of a website may be directly affected by the law.

Check your cookies
If it seems like there may be parts of your site could be problematic with regards to these new regulations (and maybe even just to be safe), the next step is to identify the cookies associated with your website, and find out what they do and from where they're being served.

You can perform an audit on the types of cookies and similar tracking technologies employed on your site. Many privacy and security companies offer cookie audits, including TRUSTe and PrivacyTrust, but make sure they go beyond just cookies and also look at the other tracking technologies on your site.

Boldly display your privacy policy
Since the whole purpose of this new directive is to give users more control and awareness over what certain websites know about them, site owners should be as transparent as possible. Thus, you should offer a prominent link to your privacy policy - you can include the word "cookies" to be even clearer.

On the corresponding page, list the cookies you use on your site. For the first-party cookies served from your site, list their name and purpose, and for third-party cook ies, include the source, as well. Also, provide information about social sharing buttons you may use, particularly when scripts from outside sites are used and may be gathering data.

Figure out how to deal
The final, but most significant, step in the process is to decide how you will go about gaining the consent of your visitors. Perhaps the most popular option has been to use pop-ups (or something similar) that let visitors click on to accept and enable tracking. Or, you could simply include information about your cookies and the tracking technologies in place within your site's terms and conditions. The problem with this is that you are required to ensure that all users are aware of the changes - specifically that they deal with data tracking - and you have to get a positive indication that they read and understood the updated terms.

Other possible routes to take are settings- or feature-led consent, where users can define when and which technologies are deployed by either letting them decide how they want the site to work for their experience (confirming consent for some or all cookies in the process), or by offering their consent to perform certain actions (e.g. watch a video).

Most merchants should have little trouble complying with the new EU Privacy Directives. The key is to be educated on exactly what defines compliance, go through the steps necessary to abide and be transparent with consumers about the cookies and other tracking technologies you use and why.