The Privacy and Electronic Communications Regulations

On the 25th May 2011 amendments to the Privacy and Electronic Communications Regulations made it illegal for any website operator in the UK to “drop” or “set” a cookie on a user’s browser without their ‘informed’ consent.

So what exactly does this mean for users and website operators in particular?

The focus of this article is to discuss the implications; to provide links to official publications and guidelines so that interested parties can gain a broader understanding of the issues involved; and to present a case study of how this might apply to a website running on a WordPress installation.


Background

The UK Regulations are a direct response to an amendment to article 5.3 of the European E-Privacy Directive (2009/136/EC). With the intention of protecting the privacy of internet users, the Directive targets ‘all technologies’ which store information on the user’s terminal equipment; however, as this greatly impacts the use of cookies, it has become widely known as the “Cookie Law”.

ICO Guidance on the rules on use of cookies and similar technologies

As an EC Directive the law is implemented in the UK by The Department for Culture, Media & Sport (DCMS) and regulated by the Information Commissioner’s Office (ICO).

To assist website operators with compliance the ICO has produced guidelines detailing the background to the regulations and some useful information on how they expect operators to respond. You can download the guidelines here (or by clicking on the image).

Another useful source of information is EU Cookie Law – The Definitive Guide by Oliver Emberton. Although this may appear a lengthy document, it is an easy read and takes a light-hearted and occasionally, deservedly, scathing look at some of the pot-holes and pitfalls of the current Directive as it stands.

After a thorough examination of the new “Cookie Law” Emberton protests that it seems clear the Directive “hasn’t been written by anyone who understands the internet”. By lumping cookies into the same description as spyware and viruses the law has managed to criminalize over 90% of the websites in Europe and as such the approach is akin to ‘outlawing all music just to prevent another Justin Bieber album!’ (Emberton 2012 p.40).

Undoubtedly the main obstacle that many will encounter when trying to implement the Directive is the level of ambiguity and the apparent contradictory nature of its writing. And this is clearly not a moot point when it bears potential legal ramifications.

For example, under a strict interpretation of the EU directive (and at its most basic level) if a website cannot set a cookie to remember if a user had chosen not to set cookies then it would have to repeatedly ask the question on every page and on every visit.

Taking the argument a little further, as no website has any means of distinguishing whether it is the same user using the terminal equipment from one page to the next, this again would require websites to ask the question on every page and on every visit (ironically, this would render the pop-up message bar solution that the ICO has implemented on their own site illegal).

On this point, the ICO’s published guidelines seem to recognise that in practice it may not be possible to distinguish between a ‘subscriber’ (the person who pays the bill for the service) and the ‘user’ (the person using the computer); however, their assertion that “the key..(in this situation).. is that valid consent has been provided by one of the parties” seems a little woolly.

And even though the ICO’s guidelines acknowledge that there may be several users in a domestic context, they fail to consider whether the user viewing the site (be it a child) has sufficient legal standing to make the decision. This point alone perhaps serves to highlight that elements of the original directive are ill-conceived.

Notwithstanding, within the ICO’s guidelines it is possible to detect what might be considered, albeit unstated, an acknowledgement of the practical difficulties in implementing the directive.

With this in mind the ICO appear to be adopting a supportive stance, explicitly stating that “monetary penalties will be reserved for the most serious of breaches of the regulations”.

That being said they do also provide the following caveat: “the concept of implied consent..(must not be).. interpreted as a euphemism for “doing nothing…this isn’t going away. It’s the law”.

It is therefore crucial that website operators are able to demonstrate that they have taken sensible, measured action to move to compliance (p.27) by giving careful consideration to the purposes for which cookies are being used on their site and adopting defensible strategies for gaining or making reasonable assumptions of user consent.


So what are cookies and what are they used for?

A cookie is a small text file sent to your browser by a website that you visit. The information in the cookie file travels back and forth between the browser it’s stored on and the website(s) the browser visits allowing websites to recognise a user’s device. Cookies help the website to remember information about your visit (such as your preferred language and other settings), that can make your next visit easier and the site more useful to you.

Figure 1.1 Example Cookie File

A cookie is typically made of letters and numbers but cannot contain computer code of any kind so it cannot carry viruses or install malware on the host computer. However it is the ability of some third party cookies to track users across different websites and in such a way construct a record of that user’s online behaviour that has given rise to privacy concerns.

That being said, cookies play an important role and without them, using the web would be a much more frustrating experience. It is worth noting that the regulations do not prohibit the use of cookies but that website operators should have a user’s informed consent to use them in certain situations. How this consent is gained depends upon the type of cookie and the extent to which it may be perceived to be intrusive.

According to the ICO’s guidelines the overarching principle should be whether the cookie is essential to the operation of the website. In circumstances where the action taken by the user would imply an expectation that the website would track the user’s action the website operator is covered by the concept of implied consent. An example of this would be the adding of an item to a website’s shopping cart.


Session and Persistent Cookies

As web pages have no memory session cookies are often used to enable websites to keep track of a user’s movement or actions as they move from page to page within a web site.

Perhaps the most common use of this functionality is to remember if a user has logged into a website. A user’s session cookies exist in temporary memory only while the user is reading and navigating the website and generally expire at the end of a browser session (when a user exits the browser) although they can be stored for longer, for example, on a mobile device where the concept of closing a browser is less appropriate. Thus when a user closes their browser they are automatically logged out.

A persistent cookie on the other hand is stored on the user’s terminal between browser sessions. As shown in Figure 1.1, a cookie file contains an expiry date which is set by the cookie on creation (if an expiry date or validity interval is not set then a session cookie is created). Persistent cookies are generally used to remember user preferences when using a website but are also utilised by ‘third party’ websites to track users across multiple websites and to target advertising.


First and Third Party Cookies

The distinction between a first and third party cookie relates in part to the domain setting the cookie but more so to the way they are used. A first party cookie is set by, and more importantly, only readable by pages on the website the user is visiting. Third party cookies are set by companies external to the website the user is visiting and can also be read by external websites. In such a way third party cookies allow a user’s browsing activity to be tracked between websites in a way that they may not expect. This is commonplace where websites include content from third party sources such as YouTube videos, Facebook like buttons, Twitter streams or Google Analytics to name but a few.


What does it mean in practice?

While all major browsers provide users with controls to select which cookies they will allow, the ICO’s guidelines make it clear that at present “browser settings are not sophisticated enough for websites to assume that consent has been given” (p.15) [see Emberton 2012 p.49 for a detailed explanation of why this will likely never be a reliable option].

This means that the onus is on website operators to ensure that informed consent is obtained from users for the cookies that they use on their website.

In order to comply with the regulations the ICO suggest that website operators conduct a “cookie audit” comprising 3 main steps:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Determine how intrusive the use of each cookie is.
    • Identify what data the cookie holds and whether it links to other information held about users such as usernames;
    • confirm the type of cookie (session or persistent) and its lifespan;
    • Is the cookie first or third party? If third party who is setting it?
    • Check that your privacy policy provides accurate and clear information about each cookie.
  3. Where consent is required – decide what solution to obtain consent will be best in your circumstances.

Due to the nature of cookies and their infinitely varied uses it is not possible to provide a definitive list of scenarios or solutions. This is a task for each website operator based on the process outlined above.

The two elements that are likely to appear in any solution where it is deemed that consent must be obtained are the provision of information via a clear cookie policy and some form of technical element whereby users can indicate that consent has been given.

For the purposes of this discussion the following section considers how such a process may apply to a website running on a standard WordPress installation.


WordPress’ use of Cookies

To find out which cookies your website sets open your site in a browser window.

Most mainstream browsers provide options to manage and view the cookies that have been set, although some are more user friendly than others.

Internet Explorer

Arguably the least user friendly browser for viewing cookie files is Internet Explorer. You can view a list of cookies in the Temporary Internet Files (TIF) folder which can be accessed via the Tools menu (Tools > Internet options > Browsing History > Settings > View Files). However, since Windows Vista there are several integrity levels and those cookies that belong to the “low” category level will not be displayed in the TIF folder at all.

Apple Safari

Since version 5.1 Apple has streamlined the display of cookies. For example, if you select Preferences > Privacy > (Cookies and other website data) > Details, you’ll be presented with a list of domains that have placed cookies in your browser, but you will be unable to view any individual cookies or their specific details.

While it is possible to access cookie data in Safari the process is a little more convoluted.

  1. Go to Safari Preferences > Advanced.
  2. At the bottom, check “Show Developer Menu in Menu bar.”
  3. If necessary, visit the site for which you want to view the cookies.
  4. In Safari’s Developer menu, select “Show Web Inspector.”
  5. Select the “Resources” tab at the top and expand the “Cookies” disclosure triangle. Then select the site of interest to see the cookie details.

Safari Cookies Window

Google Chrome

To view cookie files in the Google Chrome browser:

  1. Click the Chrome menu on the browser toolbar.
  2. Select Settings.
  3. Click Show advanced settings.
  4. In the “Privacy” section, click the Content settings button.
  5. Click on the All cookies and site data button.

Chrome cookie window

This will display a list of all the cookies in your browser and clicking on any individual cookie name will reveal its data.

Firefox

One very useful feature of the Firefox browser is that it displays a list of its cookie files in a new window. This allows you to view your site in a separate window and move back and forth between the two. As it also doesn’t suffer from some of the drawbacks associated with some of the other browsers (as discussed above) the following example will be based on the use of Firefox.

First, while cookies are enabled by default in Firefox, it is important to ensure that the browser settings are configured to allow all cookies.

How to change Cookie settings in Firefox.

To change your cookie settings:

  1. At the top of the Firefox window, click on the Firefox button and then select Options
  2. Select the Privacy panel.
  3. Set Firefox will: to Use custom settings for history.

Firefox use custom settings

Check mark Accept cookies from sites and Accept third-party cookies to enable all cookies.

Firefox - Accept cookies

Next, click on the tools menu (or the Firefox drop-down menu in the top left-hand corner of the browser window) and select options. In the pop-up window that appears click on the remove individual cookies link to open the cookies window.

Firefox - cookies window

Click on the small “+” sign beside the cookie folder for your site and the window will expand to reveal a list of all the cookies. Make sure to perform any actions on your site that might cause the system to set a cookie. For example if you require users to log-in to place comments on your blog.

Clicking on any individual cookie will display its data at the bottom of the window.

From this information you can determine the expiry date (whether the cookie is session or persistent) and the host setting the cookie (whether it is first or third party).

Create a table with a description of each cookie and what it does (see example below).
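The classification step described above (session or persistent, first or third party) can also be scripted. The following is an added example, not part of the original article: it builds audit rows from Set-Cookie style strings, and the hosts, cookie values and the `embed_pref` cookie are constructed placeholders.

```javascript
// Added example: build cookie-audit rows from Set-Cookie style strings.
const DAY_MS = 24 * 60 * 60 * 1000;

// Split "name=value; Attr=val; Flag" into a name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const pair = parts.shift() || '';
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no usable cookie name
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of parts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Session vs persistent: Max-Age wins over Expires; neither means a session cookie.
function lifetime(attrs, nowMs) {
  let remainingMs = null;
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    remainingMs = Number(attrs['max-age']) * 1000;
  } else if (typeof attrs.expires === 'string' && !Number.isNaN(Date.parse(attrs.expires))) {
    remainingMs = Date.parse(attrs.expires) - nowMs;
  }
  if (remainingMs === null) return { type: 'session', lifespanDays: null };
  if (remainingMs <= 0) return { type: 'expired', lifespanDays: 0 };
  return { type: 'persistent', lifespanDays: Math.round(remainingMs / DAY_MS) };
}

// First vs third party by naive host comparison (same host or parent/child domain).
// A real audit should compare registrable domains using the public suffix list.
function party(pageHost, cookieDomain) {
  const page = pageHost.toLowerCase();
  const dom = cookieDomain.replace(/^\./, '').toLowerCase();
  const related = page === dom || page.endsWith('.' + dom) || dom.endsWith('.' + page);
  return related ? 'first' : 'third';
}

// observed: [{ host, header }] where host is the site that set the cookie.
function auditCookies(pageHost, observed, nowMs) {
  const rows = [];
  for (const { host, header } of observed) {
    const c = parseSetCookie(header);
    if (!c) continue;
    const domain = typeof c.attrs.domain === 'string' ? c.attrs.domain : host;
    rows.push({ name: c.name, setBy: host, party: party(pageHost, domain),
                ...lifetime(c.attrs, nowMs) });
  }
  return rows;
}

// Constructed sample input; the audit date is fixed so the lifespans are reproducible.
const SAMPLE_NOW = Date.UTC(2013, 3, 15, 12, 0, 0);
const SAMPLE = [
  { host: 'www.yourdomain.com', header: 'wordpress_test_cookie=WP+Cookie+check; path=/' },
  { host: 'www.yourdomain.com', header: 'PHPSESSID=constructed123; path=/' },
  { host: 'www.yourdomain.com',
    header: 'wp-settings-time-1=1366027200; expires=Tue, 15 Apr 2014 12:00:00 GMT; path=/' },
  { host: 'www.yourdomain.com',
    header: '__utma=constructed; Max-Age=63072000; Domain=.yourdomain.com; Path=/' },
  { host: 'www.youtube.com',
    header: 'embed_pref=constructed; Max-Age=15552000; Domain=.youtube.com; Path=/' },
];

console.table(auditCookies('www.yourdomain.com', SAMPLE, SAMPLE_NOW));
```

The description column of the audit table still has to be written by hand, since the purpose of a cookie cannot be read from its attributes.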


WordPress Cookies

As can be seen in the table above, a standard WordPress install will set a number of cookies.

wordpress_test_cookie – As its name suggests this is merely testing to see if the browser settings are allowing cookies to be set.

PHPSESSID – PHP is the coding language in which WordPress is written. If your browser allows cookies PHP will set a cookie to store the session ID which may be required by certain scripts to set session variables. These expire at the end of the browsing session and are not considered to be a threat to users’ privacy.

wordpress_ / wordpress_logged_in_ – These cookies are set when a user logs into your site. Although they are only valid for the current browsing session these cookies do contain usernames and so might be considered to represent slightly more of a privacy concern. For this reason it is advisable to provide a warning to users on the log-in screen or within the terms and conditions supplied when they register for an account.

wp-settings-1 / wp-settings-time-1 – One or both of these cookies may be set to keep track of user settings between browsing sessions. As they are persistent cookies and are not essential to the operation of the site they require user consent and should be removed if permission to set cookies is denied. Technically, this is difficult to achieve as WordPress will keep resetting them each time the user logs in; however, as they hold no personally identifiable information they represent a negligible privacy concern. As with the previous log-in cookies the best option is to provide a warning to users on the log-in screen or within the terms and conditions supplied when they register for an account.

__utma / __utmb / __utmc / __utmz – If you are using Google Analytics to collect information about how visitors use your site then these cookies are set as soon as a visitor lands on a page within your site (an optional 5th cookie __utmv may also be set if you are using any of the custom reports within Google Analytics). This is perhaps one of the biggest issues with the new regulations. As these are non-essential to the operation of the site, under a strict interpretation of the EU directive, consent is required before these can be set. However, the ICO recognise the difficulty in obtaining ‘explicit opt-in’ consent for analytics cookies and appear to be taking a softer approach:

“Provided clear information is given about their activities we are unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action”.

With this in mind we will adopt the same approach that the ICO have implemented on their own website. That is to say, Google Analytics will be allowed to set cookies before obtaining user consent but users will be provided with information regarding their use (within the cookie policy) and given the option to remove them.

Third Party Cookies

Because third party cookies are used to track users across multiple websites these represent the highest risk category. As clearly noted by the ICO:

“where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent “(p13).

If you are using any software plugins that drop third party cookies you need to consult their own documentation and ensure users are able to opt in to these services.

It’s worth noting that YouTube has a ‘privacy enhanced’ mode which prevents the site from setting a cookie. Simply select the “Enable privacy-enhanced mode” (see figure x) option when generating the embed code or just change all embed links from youtube.com to youtube-nocookie.com.

Youtube privacy mode

Technical Solutions

As noted by the ICO user consent must involve some form of action (such as clicking on an icon) by which a user can communicate their acceptance.

Many website operators (the ICO included) have implemented a pop-up message bar informing users of their use of cookies and giving them the opportunity to manage their settings.

In spite of their own guidance notes stating that:

‘It is difficult to see that a good argument could be made that agreement to an action could be obtained after the activity the agreement is needed for has already occurred’

the ICO’s chosen solution permits the setting of Google Analytics cookies and asks for user consent retrospectively.

With this in mind, we will assume that this is an acceptable interpretation of the regulations and adopt a similar approach.

The software development company silktide.com has produced a simple pop-up message bar application ‘Cookie Consent’ that can be downloaded here.

The plugin is well designed, well documented, and easy to configure. While it can accommodate various types of cookie, our discussion here will be limited to ‘essential’ and analytics cookies.

One slight drawback with Cookie Consent is that it doesn’t actually stop, block or delete cookies but stops the scripts which set and use cookies. In practice this means that if you adopt an implied consent approach where users are required to opt out of cookies, the analytics cookies will have already been set. Although the plugin will prevent the script which uses them to track visitors from running, the cookies will lie dormant on the user’s terminal until they expire.

As we are trying to replicate the ICO’s solution, we would like to provide users with a button to delete these cookies. This can be accomplished with a little JavaScript gymnastics.

<script>

// Expire the named cookie. The domain and path must match those it was set with.
function clearCookie(name, domain, path) {
  try {
    // Return the value of the named cookie, or null if it is not set.
    function Get_Cookie(check_name) {
      var a_all_cookies = document.cookie.split(';'),
          a_temp_cookie = '',
          cookie_name = '',
          cookie_value = '';
      for (var i = 0; i < a_all_cookies.length; i++) {
        a_temp_cookie = a_all_cookies[i].split('=');
        cookie_name = a_temp_cookie[0].replace(/^\s+|\s+$/g, '');
        if (cookie_name == check_name) {
          if (a_temp_cookie.length > 1) {
            cookie_value = unescape(a_temp_cookie[1].replace(/^\s+|\s+$/g, ''));
          }
          return cookie_value;
        }
      }
      return null;
    }

    if (Get_Cookie(name) !== null) {
      domain = domain || document.domain;
      path = path || "/";
      // An expiry date in the past tells the browser to remove the cookie.
      document.cookie = name + "=; expires=" + new Date(0).toUTCString() + "; domain=" + domain + "; path=" + path;
    }
  }
  catch (err) {}
}

// Return the value of the named cookie, or null if it is not set.
function readCookie(name) {
  var nameEQ = name + "=";
  var ca = document.cookie.split(';');
  for (var i = 0; i < ca.length; i++) {
    var c = ca[i];
    while (c.charAt(0) == ' ') c = c.substring(1, c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
  }
  return null;
}

// Set a cookie for the whole site; with no "days" value it is a session cookie.
function createCookie(name, value, days) {
  var expires = "";
  if (days) {
    var date = new Date();
    date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
    expires = "; expires=" + date.toUTCString();
  }
  document.cookie = name + "=" + value + expires + "; path=/";
}

// Delete the analytics cookies, record the opt-out and show the "allow" button.
// Replace .yourdomain.com with the domain your analytics cookies are set on.
function deleteCookies() {
  clearCookie('__utma', '.yourdomain.com', '/');
  clearCookie('__utmb', '.yourdomain.com', '/');
  clearCookie('__utmc', '.yourdomain.com', '/');
  clearCookie('__utmz', '.yourdomain.com', '/');
  createCookie('cc_analytics', 'no', 365);
  var cookiecontrol = document.getElementById("cookiecontrol");
  var htmlTagString = "<a id='allowCookie' onclick='allowCookies()'>"
    + "<img alt='Allow cookies set by this website'"
    + " src='http://www.yourdomain.com/wp-content/uploads/2013/04/coallow.jpg'>"
    + "</a>";
  cookiecontrol.innerHTML = htmlTagString;
}

// Record the opt-in and show the "delete" button again.
function allowCookies() {
  createCookie('cc_analytics', 'yes', 365);
  var cookiecontrol = document.getElementById("cookiecontrol");
  var htmlTagString = "<a id='deleteCookie' onclick='deleteCookies()'>"
    + "<img alt='Delete cookies set by this website'"
    + " src='http://www.yourdomain.com/wp-content/uploads/2013/04/codelete.jpg'>"
    + "</a>";
  cookiecontrol.innerHTML = htmlTagString;
}

// On page load, show the button that matches the stored cc_analytics choice.
function cookieInit() {
  var cookieis = readCookie('cc_analytics');
  if (cookieis === 'no') {
    var cookiecontrol = document.getElementById("cookiecontrol");
    var htmlTagString = "<a id='allowCookie' onclick='allowCookies()'>"
      + "<img alt='Allow cookies set by this website'"
      + " src='http://www.yourdomain.com/wp-content/uploads/2013/04/coallow.jpg'>"
      + "</a>";
    cookiecontrol.innerHTML = htmlTagString;
  }

  // Attach the handlers by reference; only one of the two buttons exists at a time.
  var deleteButton = document.getElementById("deleteCookie");
  if (deleteButton) { deleteButton.onclick = deleteCookies; }
  var allowButton = document.getElementById("allowCookie");
  if (allowButton) { allowButton.onclick = allowCookies; }
}

if (window.attachEvent) {window.attachEvent('onload', cookieInit);}
else if (window.addEventListener) {window.addEventListener('load', cookieInit, false);}
else {document.addEventListener('load', cookieInit, false);}

</script>

Functions

Deleting a cookie simply involves setting its expiry date to a date in the past. The system will then automatically remove the cookie. The clearCookie function allows us to search for a cookie by specifying its name, the domain it belongs to, and its path (i.e. whether it applies throughout the domain or only to a sub-directory). The clearCookie function is called by the deleteCookies function.

The deleteCookies function is called by the onclick event attached to the delete cookies button. The deleteCookies function essentially performs three tasks. First it deletes the Analytics cookies (note if you are using custom reports you will need to also delete the optional fifth cookie __utmx). Next it calls the createCookie function to reset the value of the cc_analytics cookie to no. This prevents the analytics script from running and resetting the cookies. Lastly it replaces the delete cookies button with a button to allow cookies.

The allowCookies function is called by the onclick event attached to the allow cookies button. This calls the createCookie function to set the value of the cc_analytics cookie back to ‘yes’ (allowing the analytics script to generate cookies) and then replaces the allow cookies button with the delete cookies button, enabling a toggle between the two buttons.

The readCookie function simply searches for the cookie name specified as its argument and returns its value. This is used by the init function to check the value of the cc_analytics cookie and determine whether it is turned on or off. If analytics cookies are turned off the default delete cookies button will be replaced by the allow cookies button.

Because the two buttons are created by assignment to the innerHTML property, the previous child elements are destroyed, which disables their onclick handlers. The two onclick assignments at the end of the init function (for the deleteCookie and allowCookie elements) are required to circumvent this behaviour.
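Why clearCookie needs the domain and path as well as the name can be shown with a small model of a cookie store. This is an added example, not the article's own code: the store is a simplified stand-in for a browser (cookies keyed by name, domain and path, default path assumed to be "/"), and the host and cookie value are constructed.

```javascript
// Added example: simplified cookie store showing when an "expire" write removes a cookie.
const DAY = 24 * 60 * 60 * 1000;

// Read one attribute (domain, path, expires) from a document.cookie assignment string.
function attr(cookieString, key, fallback) {
  const m = new RegExp(';\\s*' + key + '=([^;]*)', 'i').exec(cookieString);
  return m ? m[1].trim() : fallback;
}

// Apply one document.cookie assignment to the jar, a Map keyed by name|domain|path.
// Assumption: a missing domain defaults to the document host and a missing path to "/".
function applyCookie(jar, cookieString, docHost, nowMs) {
  const pair = cookieString.split(';')[0];
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const domain = attr(cookieString, 'domain', docHost).replace(/^\./, '').toLowerCase();
  const path = attr(cookieString, 'path', '/');
  const expires = attr(cookieString, 'expires', null);
  const key = name + '|' + domain + '|' + path;
  if (expires !== null && Date.parse(expires) <= nowMs) {
    jar.delete(key); // expiry in the past: remove, but only the entry with this exact key
  } else {
    jar.set(key, value);
  }
  return jar;
}

// The string the article's clearCookie() writes to document.cookie.
function clearCookieString(name, domain, path) {
  return name + '=; expires=' + new Date(0).toUTCString() + '; domain=' + domain + '; path=' + path;
}

// Set an analytics cookie, then try to clear it with wrong and right attributes.
function deletionDemo() {
  const now = Date.UTC(2013, 3, 15);
  const host = 'www.yourdomain.com';
  const jar = new Map();
  const twoYears = new Date(now + 730 * DAY).toUTCString();
  applyCookie(jar, '__utma=constructed; expires=' + twoYears +
    '; domain=.yourdomain.com; path=/', host, now);

  const results = {};
  applyCookie(jar, clearCookieString('__utma', 'www.yourdomain.com', '/'), host, now);
  results.afterWrongDomain = jar.size; // cookie still present
  applyCookie(jar, clearCookieString('__utma', '.yourdomain.com', '/blog'), host, now);
  results.afterWrongPath = jar.size;   // cookie still present
  applyCookie(jar, clearCookieString('__utma', '.yourdomain.com', '/'), host, now);
  results.afterExactMatch = jar.size;  // cookie removed
  return results;
}

console.log(deletionDemo());
```

After wiring up the delete button on a real site, confirm in the browser's cookie window that the analytics cookies are actually gone, since a mismatched domain or path fails silently.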


Wrapping it up

Having completed a cookie audit and put in place the necessary controls to enable users to confirm consent the remaining task is to provide users with clear and accurate information about cookies so that they may give ‘informed’ consent.

This could include the table constructed during the cookie audit of your site together with any other relevant information. The ICO includes a couple of links to other sites where users can find out more about cookies if they so desire, and so we have also included those for good measure.

As suggested in the ICO’s guidelines we have also sought to raise the profile of the cookie policy by highlighting the link and giving it its own page rather than making it an element within the Privacy Policy.
