A new EU directive will come into force on the 25th of May – an amendment to the existing “Privacy and Electronic Communications (EC Directive) Regulations 2003”. The intent of this law is good, but its strict implementation could mean the end of the web as we know it. No European government has, as yet, issued any guidance on how it will be regulated.
What is it trying to achieve?
One of the objectives that the EU are trying to achieve is to enhance people’s privacy on the web. Have you ever browsed a website for a certain product one day and then, possibly days later, gone to a completely unrelated website and suddenly noticed that you are being shown ads for the products you were looking at previously? That’s online marketing companies using data about your behaviour from one website to influence what is shown on another website. In my mind this is a step too far in online marketing and I applaud the EU for trying to curtail it through the update to this directive.
How is your privacy breached?
Your privacy is breached when one website records information about your behaviour in files called cookies, stored on your machine, and sends that information back to a central server. The server keeps a record of your behaviour and uses it to influence the content shown on other websites that are part of the same ‘network’.
Cookies are small files stored on your own machine that remember pieces of information
Cookies can either be ‘first party’ or ‘third party’. The former are written by a website for use exclusively by that website and they can’t be accessed by any other website. They are what make the web work a lot of the time, by remembering things like logins, shopping baskets etc. The latter, however, are created by a website specifically to be shared with other websites in a ‘network’.
Third party cookies are, therefore, generally seen as acting against your privacy, and most browsers have ways of stopping them from being stored on your machine (not that many members of the public even know about this issue, never mind how to prevent it).
How is this new law trying to protect privacy?
The EU directive appears to say that, before storing ANY information about you in cookies, a website must first ask for your consent. Clearly this would stop the web from working, as you would be bombarded with warning messages whenever you logged in, added an item to a shopping basket etc. on your favourite shopping website. The EU have therefore made a provision for this: cookies can be written without asking if they are essential to the operation of a website.
What is the problem?
A big problem lies in gathering data on user behaviour. The directive appears to apply to first party (‘friendly cookies’) and third party (‘evil cookies’) alike, and that would mean that practically ALL systems such as Google Analytics MUST ask for permission before storing a cookie on a visitor’s machine. There is currently no ‘out of the box’ mechanism for doing this so, in theory, on the 25th of May most websites must turn off Google Analytics, otherwise they will be breaking the law. Google Analytics is an important – and privacy safe – system for analysing website visitor trends for many businesses, and by this side effect of the updated directive, the EU stand to cripple EU businesses’ ability to apply a vital tool in their online marketing toolbox. (It isn’t clear to me whether this applies to websites hosted outside the EU, but operating within the EU – hence why it is seen by many as hugely anti-competitive for EU based companies).
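One way a site could hold back non-essential cookies such as an analytics identifier until the visitor agrees, while still writing essential ones straight away, shown as an added example that is not part of the original post. The class, the purpose names, the cookie names and the in-memory jar standing in for `document.cookie` are all hypothetical, and which purposes count as essential is an assumption made here.

```javascript
// Added example: a consent gate in front of cookie writes. All names are hypothetical.
// Assumption: these purposes are treated as essential to the site's operation.
const ESSENTIAL_PURPOSES = new Set(["login", "basket"]);

class ConsentGate {
  constructor(writeCookie) {
    this.writeCookie = writeCookie; // in a browser this would assign to document.cookie
    this.consented = new Set();     // purposes the visitor has agreed to
    this.pending = [];              // writes held back until the visitor answers
  }

  // Try to store a cookie for a declared purpose; returns "written" or "deferred".
  set(name, value, purpose) {
    if (ESSENTIAL_PURPOSES.has(purpose) || this.consented.has(purpose)) {
      this.writeCookie(name, value);
      return "written";
    }
    this.pending.push({ name, value, purpose });
    return "deferred";
  }

  // Record the visitor's answer for one purpose, then flush (granted) or
  // discard (refused) the writes held for it. Returns how many were held.
  answer(purpose, granted) {
    if (granted) this.consented.add(purpose);
    else this.consented.delete(purpose);
    const held = this.pending.filter((c) => c.purpose === purpose);
    this.pending = this.pending.filter((c) => c.purpose !== purpose);
    if (granted) held.forEach((c) => this.writeCookie(c.name, c.value));
    return held.length;
  }
}

// Constructed walk-through: a login cookie and an analytics cookie.
function demo(grantAnalytics) {
  const jar = new Map(); // stands in for the browser's cookie store
  const gate = new ConsentGate((name, value) => jar.set(name, value));
  const results = [
    gate.set("session_id", "abc123", "login"),
    gate.set("visitor_id", "v-42", "analytics"),
  ];
  const beforeAnswer = [...jar.keys()];
  gate.answer("analytics", grantAnalytics);
  return { results, beforeAnswer, afterAnswer: [...jar.keys()] };
}
```
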
The UK government has, as of writing, not put any guidelines in place on how the directive will be enforced. We will have to wait to see what they say on the matter (I’ve searched the web and can find no government information or recommendations about the impending legislation). Hopefully they will take a pragmatic view and balance people’s privacy needs with the ability of businesses to operate effectively… we wait with bated breath.