In November of 2009, the European Parliament issued EU Directive 2009/136/EC, an amendment to several prior directives concerning data protection and electronic privacy rights. Of primary concern to this article were changes regarding the storing and accessing of personal data on a user’s device via cookies. The amendment changed such storage to require opt-in rather than opt-out permission from end users. EU member states were supposed to implement laws in accordance with the directive by May 2011.
Who Is Affected
So, who has to worry about the directive? The EU member countries (and Norway). If you own, operate or design websites for EU-based entities, you need to worry about the specific data privacy laws in that country, because all EU countries were supposed to enact legislation consistent with the directive. Not all of them have, and the existing laws vary from country to country. But if you are operating in the EU, it’s likely that the privacy directive will apply in some way, shape or form.
The Legal Basics
While the specific laws may vary, the EU E-Privacy Directive does provide us with a generic template for building websites that comply with EU privacy concerns.
Users must be informed
Users must grant prior consent
Before setting cookies, you must receive the informed consent of the user. Given the current state of web browsers, browser settings cannot be used to infer informed consent.
The directive does make an exception to this requirement, but only when it is strictly necessary and done to provide a service that the user has explicitly requested. The typical example would be a shopping cart where the user has taken direct action to add items to the cart.
Users should be able to revoke consent
At any time, a user should be able to revoke their consent and remove any existing cookies. While not explicitly stated in the E-Privacy directive, providing users with an easily accessible means of removing current site cookies and blocking future ones is a wise precaution.
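As an added example (not code from this article or from the ExpressionEngine module), a server-side consent gate in Python that applies the three rules above: non-essential cookies are held back until the user opts in, strictly necessary cookies are exempt, and revoking consent also expires the cookies already on the device. The consent cookie name, the strictly-necessary allowlist and the cookie names are assumptions made for the example.

```python
"""Server-side consent gate for the rules above: nothing beyond strictly
necessary cookies is sent until the user opts in, and revoking consent
expires the non-essential cookies already on the device. Cookie names
and the consent flag are assumptions made for this example."""
from http.cookies import SimpleCookie

CONSENT_COOKIE = "cookie_consent"  # assumed opt-in flag, value "yes" once granted
ESSENTIAL = {"session_id", "cart_id"}  # documented as strictly necessary (login, cart)
# Clearing attributes must match how the cookies were set (assumed: Path=/, host-only).
EXPIRE_NOW = "; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"


def request_cookies(cookie_header):
    """Parse the request's Cookie header (None when the browser sent none)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def has_consent(cookie_header):
    return request_cookies(cookie_header).get(CONSENT_COOKIE) == "yes"


def filter_set_cookies(cookie_header, set_cookies):
    """Apply the opt-in rule to the Set-Cookie headers a response wants to send.
    Returns (headers allowed through, names of cookies held back)."""
    consented = has_consent(cookie_header)
    kept, held = [], []
    for header in set_cookies:
        name = header.split("=", 1)[0].strip()
        # Strictly necessary cookies are the directive's only exception.
        if consented or name in ESSENTIAL or name == CONSENT_COOKIE:
            kept.append(header)
        else:
            held.append(name)
    return kept, held


def revoke_consent(cookie_header):
    """Set-Cookie headers that drop the consent flag and every non-essential
    cookie the browser currently holds, so revocation also removes old data."""
    names = request_cookies(cookie_header)
    return [name + "=" + EXPIRE_NOW for name in sorted(names) if name not in ESSENTIAL]


if __name__ == "__main__":
    # A first visit with no cookies: only the cart cookie gets through.
    print(filter_set_cookies(None, ["cart_id=77; Path=/", "visitor_stats=x1; Path=/"]))
```

The clearing headers only work if they match the Path and Domain the cookies were originally set with, so keep those attributes consistent across the site.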
How to address the EU Privacy laws
1. Know the law in the relevant country.
Laws differ among the EU member countries, with some having enacted no law derived from the directive at all. There is also variation in how the laws address prior/implied consent. Understanding what the law actually requires is key to compliance. Unfortunately, reading the relevant statutes doesn’t always provide a lot of clarification, and you will need to stay on top of the latest news regarding how the law is actually being interpreted and applied. For UK users, The Cookie Collective is a good resource for tracking the latest legal and technical news regarding cookie regulation. Just keep in mind, the details may vary on a per-country basis.
2. Know what cookies your site sets and what they do.
You need to know what data you are storing on visitors’ devices and why you need to store it. If you’re reading this, you’re probably using ExpressionEngine on your site, so be sure to check out the Cookie Consent Module’s documentation, which details the cookies set by the CMS and its native modules. It’s also likely you have cookies being set by other applications. Ad services, analytic tools, store/ordering code, video and social media applications may all be setting cookies on your site. Know the tools you are using and check with each to see what cookies they set.
Once you think you know what cookies are being set, doing a manual audit of the site is a good idea. There are a number of browser based tools you can use to help you do a ‘cookie audit’ of your site in action.
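An added Python helper (not part of this article or of ExpressionEngine) for the cookie audit: it parses Set-Cookie headers captured while walking the site and flags which cookies are third-party, persistent, and would need prior consent. Host names, cookie names and the strictly-necessary allowlist are constructed for the example.

```python
"""Cookie audit for step 2: parse captured Set-Cookie headers and flag the
cookies that need prior consent. Hosts, names and allowlist are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Assumed allowlist: cookies the site owner has documented as strictly
# necessary for a service the visitor explicitly asked for (login, cart).
STRICTLY_NECESSARY = {"session_id", "cart_id"}


def audit(captured, site_domain, now):
    """`captured`: list of (response host, Set-Cookie header) pairs."""
    report = []
    for host, set_cookie in captured:
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, m in jar.items():
            domain = m["domain"].lstrip(".") or host
            if m["max-age"]:
                ttl_days = int(m["max-age"]) / 86400
            elif m["expires"]:
                ttl_days = (parsedate_to_datetime(m["expires"]) - now).total_seconds() / 86400
            else:
                ttl_days = 0.0  # session cookie: discarded when the browser closes
            third_party = domain != site_domain and not domain.endswith("." + site_domain)
            report.append({
                "name": name, "domain": domain, "third_party": third_party,
                "persistent": ttl_days > 0, "ttl_days": round(ttl_days, 2),
                "secure": bool(m["secure"]), "httponly": bool(m["httponly"]),
                # Only first-party cookies on the allowlist may be set before
                # the visitor opts in; everything else must wait for consent.
                "needs_consent": third_party or name not in STRICTLY_NECESSARY,
            })
    return report


def consent_required(report):
    """Names of cookies that must not be set until the visitor has opted in."""
    return sorted(c["name"] for c in report if c["needs_consent"])


# Constructed capture from a manual walk-through of an example site.
CAPTURED = [
    ("www.example.com", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "cart_id=77; Path=/; Max-Age=3600"),
    ("www.example.com", "visitor_stats=x1; Path=/; Expires=Thu, 24 May 2012 00:00:00 GMT"),
    ("ads.tracker.example.net", "ad_uid=42; Domain=.tracker.example.net; Max-Age=31536000"),
]
NOW = datetime(2011, 5, 25, tzinfo=timezone.utc)
```

Feed it the host and Set-Cookie header of every response your browser tools record, then compare `consent_required(audit(...))` against what your consent mechanism actually holds back.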
4. Decide on a plan of action
The Cookie Consent Module and EU Cookie Compliance
ExpressionEngine sets a number of cookies on each page load for all site visitors. In order to prevent these cookies from being set without end user consent, a Cookie Consent Module is available for download in the Add-on Library.
Watch the new ‘How To’ video “The ExpressionEngine Cookie Consent Module & EU Cookie Legislation” for a guide to using the module.
And remember, we have a variety of “How-To” videos covering other aspects of ExpressionEngine on our Vimeo page.
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.
(EU Directive 2009/136/EC)
Recommended browser based tools for identifying cookies set on your site:
- Firefox Web Developer (https://addons.mozilla.org/en-US/firefox/addon/web-developer/)
- Firefox Firecookie (https://addons.mozilla.org/en-US/firefox/addon/firecookie/), extension for Firebug (https://addons.mozilla.org/en-US/firefox/addon/firebug/)