Data Protection for Ecommerce – Cookies

data protection

January 28 is Data Protection Day.  Hallmark doesn’t do cards to mark the day, nor have we heard of anyone throwing a Data Protection Party.  It’s an international ‘holiday’ started by The Council of Europe ten years ago.  Its purpose is to raise awareness of protecting personal information in the cyber world.  We thought we would mark the day with an overview of the legal aspects for small business and start-ups.

Much of the press coverage on the subject of data privacy/protection is all about how to stay safe online while surfing and shopping.  We want to look at the other side of the equation: what e-commerce websites must and should do to protect the data collected from website visitors and customers.

In this article we’ll look at cookies.  In part 2 we’ll cover the Data Protection Act and what it means to be a Data Collector.

Cookies and data protection

Data protection becomes relevant the moment your website starts collecting information about visitors.  If you use Google Analytics (many websites do), serve up ads, or include 3rd party widgets to do useful things, then you’re probably using cookies.  And if you’re using cookies you have legal obligations to meet.

N.B. We’re using the term ‘cookies’ to cover all types of data objects that websites can create on a visitor’s device.  Cookies are the most common but there are others such as Flash Local Shared Objects.

What’s the big deal with cookies?

Cookies are small bits of data that are created by a website and saved on a website visitor’s device.  Only the website that creates the cookie can read it.  Cookies are useful for web designers because get around the ‘statelessness’ problem of HTML pages i.e. the data is still there when a visitor moves to another page.  Typical uses for cookies include:

  • shopping cart contents
  • display preferences
  • website analytics (e.g. Google Analytics)
  • advertisements.

As a technology, cookies are fairly benign.  Every web browser has settings that allow you to change the settings of which cookies you allow to be stored on your computer.  You can even get plugins for most browsers that allow you to easily see which cookies you have and their contents.  (Cookies data is often encrypted so not very exciting to read.)

‘1st party’ cookies are those cookies that are created by the website you are visiting e.g. a shopping cart.  ‘3rd party’ cookies are those that are set by a site other than the one you are viewing.  Google Analytics cookies are very common 3rd party cookies.

Cookies expire after a certain amount of time.  Some are set to last only as long as you’re at the particular website (‘session’ cookies).  Others last for longer, sometimes much longer (‘persistent’ cookies).

The biggest privacy issue is the use of persistent 3rd party cookies that track a user across multiple websites.  This type of cookie is typically used to serve up ads by 3rd parties.  Such cookies can be used to build a profile of your browsing activity and serve up ads tailored to websites you have visited.  The resulting ads can be intrusive and unwelcome, especially if delivered frequently and as pop-ups.

The EU Cookie Law

The EU ‘Cookie Law’ or the ePrivacy Directive, to give it is proper name, is the legislation that deals with the issue of cookies.  It’s this bit of law that you have to thank for the ubiquitous ‘we use cookies …’ banner that appears on almost every website you visit (for the first time).

Broadly speaking, it says that any website that uses cookies has to:

  1. Tell visitors that they use cookies
  2. Provide details of what cookies are used and for what purpose
  3. Get consent to store cookies on the visitor’s device.

What you need to do

The legislation does not spell out exactly what you must do but guidance and good practices have developed since the directive was introduced.  Unless your website is collecting sensitive data and/or using 3rd party tracking cookies you probably will be able to meet your legal obligations by:

  • Providing clear and accurate information about what cookies you use and why in a Privacy Policy that is easy to find
  • Clearly tell visitors that you use cookies when you first set cookies and gain their consent.

What is consent?

What constitutes ‘consent’ can be a bit tricky and continues to … evolve.  The ICO guidance says that consent has to be a positive action i.e. the visitor has to do something to indicate they agree.  You can’t just document what cookies you set in an obscure link on your website.  The current guidance is this:

  • you don’t need consent for cookies that are essential to operation of your website (e.g. shopping basket cookies)
  • you can probably reply on ‘implied’ consent for benign cookies such as Google Analytics
  • ‘explicit’ consent is likely to be appropriate for collecting sensitive data and/or advertising cookies

‘Implied’ consent is the type of consent being given when you click on a website banner that says something along the lines of: “.. by continuing to browse our website we will assume that you agree to our use of cookies.”

You can find more information in the very-readable ICO cookies guide.

The Future of Cookie Consent

The number of situations where explicit consent is deemed appropriate seems to be reducing as web users become more familiar with cookies.  We quite like this tongue-in-cheek overview of the current role of explicit consent from Silktide (providers of the “cookie control” plugin that we use).

The EU recently announced proposals to remove the need for cookie banners altogether. New rules could come into play in 2018.   Fingers crossed.