Article 5(3) of the ePrivacy Directive requires that users be informed before a website stores cookies on their device, and that consent be obtained before any cookie is placed that is not strictly necessary to provide a service the user has asked for.
The Article 29 Working Party was formed in 1996 to address issues related to data protection and privacy in Europe. This independent advisory body includes a data protection authority from each EU Member State, as well as the European Commission and the European Data Protection Supervisor.
This working party gives expert opinions and advice to EU states and the Commission and attempts to promote uniformity in the way the Data Protection Directive is applied throughout all EU states, plus Norway, Liechtenstein, and Iceland.
Cookies are commonly used by websites, and increasingly by mobile apps, and play an important role: a cookie is a small piece of data that the site stores in the browser and that the browser sends back on later requests, which tells the site how to treat that browser (and the user behind it) on future visits.
Cookies can enhance the user's experience on a website by remembering logins (through a session identifier, never the password itself), personal preferences, and other data, so that the same information doesn't have to be re-entered each time the user visits the same site.
Whenever you go to a website that you can log in to and your username is already filled in when you arrive at the login page, this is usually because of a cookie.
Most cookies don't store personal information about a user directly; they usually hold an opaque identifier that the site maps to data held on its own servers. Where they do carry information the user provided, such as a username or email address, that data is readable by anything that can read the cookie. Note also that under EU data protection law a unique identifier that can be tied to an individual is itself treated as personal data.
Findings from Cookie Sweep
The Article 29 Working Party Cookie Sweep examined 250 of the most frequently visited websites in the media, e-commerce, and public sectors of the member states involved in the sweep. These sectors were chosen because they carry the greatest privacy and data protection risks for EU citizens.
Some of the main highlights from the Cookie Sweep include:
Websites seem to use a very large number of cookies.
On average, media websites were found to set about 50 cookies in a visitor's browser during that visitor's first visit to the website.
Expiration dates of cookie files are often placed excessively far into the future.
While the average expiration date on the assessed cookies was about one to two years from the date the cookie is set, a few were found to have expiration dates set about 8,000 years into the future.
In practice such a cookie remains in place until the user deletes it manually; and even at the average, a single visit to a website can leave a cookie that is still there two years later.
A quarter of the websites assessed did not inform visitors that cookies are in use. Half of the websites that did inform users that cookies are in use did not seek to obtain any sort of consent from the user on storing cookies.
Limited options for control. Only about 16% of websites allowed for any level of control for opting out of cookies being placed on a visitor's browser.
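The checks behind these findings (how many cookies a first visit sets, how long they live, and how many come from third parties) can be automated against your own site. The following JavaScript is an added example written for this page, not code from the Working Party or the article: it parses the Set-Cookie headers returned while loading a page, computes each cookie's lifetime the way a browser does (Max-Age takes precedence over Expires; neither means a session cookie), and flags cookies that live longer than a year, are set by a host outside the site, or lack the Secure attribute. The one-year threshold, the `.example` hostnames, the fixed clock and the sample headers are constructed for the example; the third-party test is a plain suffix match with no public-suffix handling.

```javascript
// Added example: audit the Set-Cookie headers seen during a first visit.
// The hostnames, sample headers and the one-year threshold below are
// constructed for this example, not taken from the sweep or the article.

const SECONDS_PER_DAY = 24 * 60 * 60;
const MAX_ACCEPTABLE_LIFETIME = 365 * SECONDS_PER_DAY; // assumed policy threshold

// Split one Set-Cookie header value into the cookie name and its attributes,
// with attribute names lower-cased so "Max-Age" and "max-age" compare equal.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Lifetime in seconds counted from `now` (epoch milliseconds). As in RFC 6265,
// Max-Age wins over Expires; a cookie with neither lasts only for the session
// and is reported as 0.
function cookieLifetimeSeconds(attrs, now) {
  if (attrs['max-age'] !== undefined) {
    const n = Number(attrs['max-age']);
    return Number.isFinite(n) ? Math.max(n, 0) : 0;
  }
  if (attrs.expires !== undefined) {
    const t = Date.parse(attrs.expires);
    return Number.isNaN(t) ? 0 : Math.max((t - now) / 1000, 0);
  }
  return 0;
}

// `site` is the registrable domain of the page being audited; a response from
// any host outside it is treated as third-party (no public-suffix handling).
function auditFirstVisit(site, responses, now) {
  const findings = responses.map(({ host, header }) => {
    const { name, attrs } = parseSetCookie(header);
    const lifetime = cookieLifetimeSeconds(attrs, now);
    const thirdParty = !(host === site || host.endsWith('.' + site));
    const issues = [];
    if (lifetime > MAX_ACCEPTABLE_LIFETIME) issues.push('lifetime exceeds one year');
    if (thirdParty) issues.push('set by third-party host');
    if (attrs.secure !== true) issues.push('missing Secure');
    return { name, host, lifetimeDays: Math.round(lifetime / SECONDS_PER_DAY), thirdParty, issues };
  });
  return {
    total: findings.length,
    thirdParty: findings.filter((f) => f.thirdParty).length,
    longLived: findings.filter((f) => f.issues.includes('lifetime exceeds one year')).length,
    findings,
  };
}

// Constructed sample: four Set-Cookie headers collected while loading one page
// on 1 March 2015, three from the site itself and one from an ad host.
const AUDIT_CLOCK = Date.parse('2015-03-01T00:00:00Z');
const SAMPLE_RESPONSES = [
  { host: 'www.news.example', header: 'sessionid=8f3a9c; Path=/; Secure; HttpOnly' },
  { host: 'www.news.example', header: 'prefs=lang%3Den; Max-Age=31536000; Path=/; Secure' },
  { host: 'www.news.example', header: 'uid=c0ffee; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/' },
  { host: 'ads.tracker.example', header: 'tid=41c3; Max-Age=63072000; Domain=.tracker.example; Path=/' },
];

function printReport(report) {
  for (const f of report.findings) {
    console.log(`${f.name.padEnd(10)} ${f.host.padEnd(22)} ${String(f.lifetimeDays).padStart(8)} days  ${f.issues.join('; ') || 'ok'}`);
  }
  console.log(`${report.total} cookies, ${report.thirdParty} third-party, ${report.longLived} longer than a year`);
}

printReport(auditFirstVisit('news.example', SAMPLE_RESPONSES, AUDIT_CLOCK));
```

Run it with Node to see the report; to audit a real site, replace SAMPLE_RESPONSES with the host and Set-Cookie header of every response captured by a proxy or browser developer tools during a fresh first visit. The year-9999 cookie in the sample reproduces the sweep's "thousands of years" finding: its lifetime comes out at several million days.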
How to improve your privacy practices
There are a number of easy steps you can take on your website to ensure that you stay compliant with the ePrivacy Directive:
Step 1 - Inform
Immediately inform your visitors about cookies being in use on your site.
When someone first visits your website, and before placing any cookies in the visitor's browser, you should provide all of the information about the cookies your website uses in one single page or location.
Tell your visitors:
What types of cookies you use
What types of cookies you allow third parties to use
Any technical specifics about these cookies
This information can be displayed in a pop-up window or a top notification header that either contains all of the cookie information or links to it on a separate page (if the information is in-depth and lengthy).
Take a look at the way Facebook informs users of the ways cookies are used on the website on their "Cookies, Pixels & Similar Technologies" page:
Facebook describes how cookies enhance a user's experience and which third parties are authorized to place cookies on the Facebook website.
Creating a webpage similar to Facebook's example above, one that describes your own usage of cookies, and linking users to it on their first visit to your site and before any cookies are placed, can help keep you compliant with the ePrivacy Directive.
The image below is a good example of how Facebook uses a chart to show what types of cookies are placed on a user's PC and what exactly that type of cookie is used for:
You can place this kind of information about your usage of cookies in your existing legal agreements, or in a separate "Cookies Policy" agreement or "Cookies" page.
Step 2 - Obtain consent
Obtain consent before placing any cookies.
There are a few ways in which you can obtain consent from users to place cookies, in order to comply with the EU cookie law.
One way is by requiring the user to click on something that clearly shows an acceptance of cookies being used, such as in the example below from the BBC website:
By alerting the user that you will set cookies if the user clicks Continue, you obtain consent from the user at the moment of that click.
Link to further information about your cookies if you don't provide it right there, and allow a way for cookie settings to be accessed.
This notice can sit in a footer or an inline header that does not interrupt the flow of your site and does not require an active click to signal consent, as the previous example did. Note that this passive approach is the weaker of the two: regulators have increasingly required an active indication of consent, so a notice the user can simply scroll past gives you little evidence that consent was ever given.
Step 3 - Give control
Allow users the ability to pick and choose which cookies they wish to accept.
Provide your users with information about which cookies you place and what each cookie is used for.
You can also go one step further and provide an option for opting out of all cookie usage as well as individual cookies.
In the image shown above, note the "Change your cookie settings" link. A link like this should lead to the corresponding "Cookies" section of your legal agreement, which details what kind of cookies are being stored, what each cookie's purpose is, and how to decline each cookie.
Linking to this information in a visually prominent place like a top header or floating window makes it easy for the user to learn more about the cookies on your website:
What cookies you use
How you use these cookies
You must obtain consent to place cookies on a user's device. This can be done in one of two ways:
Actively: before a user can browse your website, require the user to click on something that shows he/she acknowledges your cookie usage and accepts it. This means that any visitor will have given actual consent before a cookie is ever placed on their computer.
Passively: show a prominent notice that cookies are in use, with a link to more information and to cookie settings, and treat continued use of the site as consent. This at least gives visitors the knowledge that cookies are in use and lets them take steps to avoid them if they so wish, although it gives you less evidence that consent was actually given than an explicit click does.
An example can be seen below of a floating window that alerts visitors and passively obtains consent:
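The three steps above amount to one mechanism: a register of every cookie the site sets, with its purpose (Step 1); a gate that refuses to write any non-essential cookie until the visitor has opted in (Step 2); and a way to withdraw consent that also deletes what was already placed (Step 3). The following JavaScript is an added example written for this page, not code from the article or from any site it mentions. The cookie register, the category names, the six-month consent lifetime and the in-memory cookie store are assumptions; in a real page the store would be a thin adapter over document.cookie with the same get/set/remove/names methods, and every script that sets a cookie would go through the gate instead of touching document.cookie directly.

```javascript
// Added example: consent gate for the inform / consent / control steps.
// Categories, cookie names, the six-month consent lifetime and the in-memory
// store are assumptions made for this example.

const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // assumed: ask again after six months

// Step 1: every cookie the site sets, with its category and purpose. This
// register is also the source for the "Cookies" page and the settings panel.
const COOKIE_REGISTER = {
  sessionid: { category: 'necessary',   purpose: 'keeps you logged in during a visit' },
  lang:      { category: 'preferences', purpose: 'remembers your language' },
  _ga:       { category: 'analytics',   purpose: 'third-party usage statistics' },
  ad_id:     { category: 'advertising', purpose: 'third-party ad targeting' },
};

// Minimal store so the example runs outside a browser. In a page, use an
// adapter over document.cookie that offers the same get/set/remove/names.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  get(name) { return this.jar.has(name) ? this.jar.get(name).value : null; }
  set(name, value, attrs = {}) { this.jar.set(name, { value, attrs }); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}

class ConsentGate {
  constructor(store, register = COOKIE_REGISTER) {
    this.store = store;
    this.register = register;
  }

  // The visitor's choice lives in a first-party cookie. That cookie is itself
  // strictly necessary: it is what records (and limits) everything else.
  consentedCategories() {
    const raw = this.store.get(CONSENT_COOKIE);
    if (!raw) return new Set(); // nothing recorded yet: only necessary cookies allowed
    try {
      return new Set(JSON.parse(decodeURIComponent(raw)).categories);
    } catch (e) {
      return new Set(); // a tampered or stale value is treated as no consent
    }
  }

  // Step 2: record an explicit opt-in. Only categories the visitor actively
  // chose are stored; dismissing the banner without choosing records nothing.
  recordConsent(categories) {
    const chosen = [...new Set(categories)].filter((c) => c !== 'necessary');
    const payload = encodeURIComponent(
      JSON.stringify({ categories: chosen, at: new Date().toISOString() })
    );
    this.store.set(CONSENT_COOKIE, payload,
      { 'max-age': CONSENT_MAX_AGE, path: '/', secure: true, samesite: 'Lax' });
    this.enforce();
  }

  // May this cookie be written right now? Unregistered cookies never may:
  // a cookie the site cannot disclose is a cookie it must not set.
  canSet(name) {
    const entry = this.register[name];
    if (!entry) return false;
    return entry.category === 'necessary' || this.consentedCategories().has(entry.category);
  }

  // All cookie writes go through here rather than straight to document.cookie.
  setCookie(name, value, attrs = {}) {
    if (!this.canSet(name)) return false;
    this.store.set(name, value, attrs);
    return true;
  }

  // Step 3: after any change of choice, delete cookies that are no longer allowed.
  enforce() {
    for (const name of this.store.names()) {
      if (name !== CONSENT_COOKIE && !this.canSet(name)) this.store.remove(name);
    }
  }

  // Rows for the cookies page / settings panel, generated from the register.
  disclosure() {
    return Object.entries(this.register).map(([name, { category, purpose }]) =>
      ({ name, category, purpose, allowed: this.canSet(name) }));
  }
}

// Walk-through with a constructed visitor: first visit, opt-in, then withdrawal.
function walkthrough() {
  const gate = new ConsentGate(new MemoryCookieStore());
  const analyticsBeforeConsent = gate.setCookie('_ga', 'GA1.2.1', {}); // false
  gate.setCookie('sessionid', '8f3a9c', { httponly: true, secure: true }); // allowed: necessary
  gate.recordConsent(['preferences', 'analytics']);
  const analyticsAfterConsent = gate.setCookie('_ga', 'GA1.2.1', {}); // true
  const adsWithoutConsent = gate.setCookie('ad_id', 'x1', {});          // false
  gate.recordConsent(['preferences']);                                  // analytics withdrawn
  return {
    analyticsBeforeConsent,
    analyticsAfterConsent,
    adsWithoutConsent,
    remaining: gate.store.names(), // ['sessionid', 'cookie_consent']: _ga was deleted
  };
}

console.log(walkthrough());
```

Because the register drives both the gate and the disclosure table, the cookies page can never list a cookie the site does not set or omit one it does: an unregistered cookie simply cannot be written. Third-party scripts such as analytics or ad tags should be loaded only after `canSet` returns true for the cookie they will place, since once a third-party script runs you no longer control what it stores.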