EU Cookie Directive - research into compliance in the UK and Ireland - original document at http://www.espiongroup.com/content/resources/Espion_White_Paper_-_EU_Cookie_Directive_-_A_User-Driven_Assessment_of_Online_Compliance_in_the_UK_and_Ireland.pdf
White Paper: EU Cookie Directive - A User-Driven Assessment of Online Compliance in the UK and Ireland
Abstract
This paper discusses research by Espion Group into the current state of EU Cookie Directive compliance among
prominent UK and Irish websites. The findings clearly indicate that there is still great variation in treatment of the
directive. While some sites have taken a proactive and responsive approach to the legislation, the majority of
those assessed have yet to comply in a clear and explicit manner. It is also clearly evident that UK-based websites
are achieving higher standards of compliance with this directive than corresponding Irish websites at present.
EU Cookie Directive - Background and Context
Directive 2002/58/EC, the Privacy and Electronic Communications Directive (transposed in the UK by the Privacy
and Electronic Communications (EC Directive) Regulations 2003), covers the use of cookies and similar technologies
for storing and accessing information on computers, mobile devices and similar equipment. A follow-up directive,
2009/136/EC, amended it in 2009 to require website owners to obtain consent for storing cookies on a user’s or
subscriber’s device.
Member states were originally given until 25th May 2011 to transpose these changes into national law. The Irish
government introduced corresponding legislation, alongside several other EU member states, on 1st July 2011; this
is reflected in Section 6 of the Data Protection Commissioner’s guidance note. The UK government introduced
similar amendments, but website owners were given an additional 12-month period, to 25th May 2012, to comply
with guidance issued by the UK Information Commissioner’s Office (ICO).
Legislation Overview
Key phrasing from both the transposing UK and Irish legislation includes:
“A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user
unless the requirements of paragraph (2) are met.....
(2) The requirements are that the subscriber or user of that terminal equipment- (a) is provided with clear and
comprehensive information about the purposes of the storage of, or access to, that information; and... (b) has given
his or her consent”
The Irish Data Protection Commissioner’s guidance note adds that this “clear and comprehensive” information should be
“prominently displayed”, “clearly accessible”, and “as user friendly as possible”. It also requires “clear
communication to the user as to what s/he was being asked to consent to and a means of giving or refusing
consent to any information being stored or retrieved”.
While most of the discussion has focussed on the standard website context, the legislation also extends to cover
“other situations where information is placed on, or retrieved from, terminal equipment” - mobile applications being
another example.
Stakeholder Reaction to Legislation
Reaction to the legislation among EU-based website owners and technology commentators has shown considerable
uncertainty and confusion about handling it in practice. While the directive states its objectives, many feel that
little clarity or guidance is offered on how to comply, particularly at national level, and that there is no clear set
of standards and metrics for determining when a site is compliant.
EU Cookie Directive: A User-Driven Assessment of Online Compliance in the UK and Ireland Page | 1
There is also conflict around the perspective of website users: while privacy legislators are intent on increasing
user awareness around the use and storage of cookie-related information, site owners report few or no complaints
or issues from patrons, and hence question the necessity of such legislation.
There are also questions around jurisdiction - for example, do non-EU corporations need to comply for their within-EU
site sub-domains? Does consent have to be gained from site users based outside the EU? In particular, the
technical implications of what can be regarded as user consent to cookie use and storage are still a grey area.
For example, some argue that requiring upfront prior consent via pop-up dialogs would hurt site uptake and use,
and is technically awkward because some cookies (e.g. analytics cookies) are set as the landing page loads,
before the user has had the chance to accept or reject the consent message.
Despite these and other uncertainties, fines for non-compliance are severe - for example, UK regulators can
impose fines of up to GBP£500,000 for failing to comply.
Phased Enforcement and Implementation
While a stated legal yardstick exists, policy developers at EU and national levels have stressed that cookie-related
compliance is a moving process, and hence should also involve a continued, phased campaign of improvements in
cookie-related policy enforcement over time, driving corresponding refinements and improvements in websites and
applications by technology stakeholders.
As mentioned, an important overarching objective of the legislation is to increase consumer understanding about
cookies and online privacy in general. More specifically, this includes alerting users to cookie use, explaining to
them how they work, and ensuring that even the most non-technical users can access clear information on how
they are applied on an individual case basis for the websites and applications that they use. Issues around cookie
use (and similar technologies) are viewed by policy developers as a core element in allowing users to feel in control
and comfortable about their overall privacy online.
In response, website and application guardians will need to provide ever-increasing transparency over their data
collection and usage in relation to cookies and similar technology use going forward. While the present compliance
bar is levelled at providing consumer access to clear information, future pipelined legislation amendments could
attempt to address more challenging aspects of cookie compliance such as:
Greater emphasis around issues such as how individual cookie types will be audited.
Ensuring that cookies are used appropriately in applications in a way that is minimally invasive and
respects user rights and online privacy.
Achieving more explicit and effective approaches to user consent.
Leveraging more enhanced support for cookie compliance at the browser level. For example, despite
industry resistance, Microsoft has moved to curb user tracking by default, shipping Internet Explorer 10 with
the Do Not Track header enabled being one example.
Assessing Existing Website Treatment of Cookie Compliance
Following the recent expiry of the 12-month grace period for cookie compliance in the UK, Espion carried out a
high-level analysis of the current state of compliance among influential, high-traffic websites in the UK, and
across a similar sample of key Irish-based websites for comparison. In keeping with the core policy thrust of
increased consumer privacy awareness and understanding, this analysis focussed on assessing cookie-related
content and its availability to site patrons, both technical and non-technical users. Hence, while Espion has
carried out detailed cookie audits on a per-site basis for individual clients, such analysis represents other
advanced, “back-end” compliance considerations that were not the core focus of this study.
Key assessment goals included:
To understand the current overall status of cookie compliance among influential websites.
To assess the accessibility of cookie-related info, i.e. is it “readily available”, “prominently displayed”, and
“easily accessible” in line with legislation wording.
To understand and rate the quality of the cookie-related information provided - i.e. is it “clear and
comprehensive”, and “as user friendly as possible”. Also, understanding if it is clearly categorised for
technical and non-technical user audiences.
To understand if and how websites are achieving user consent - either via prior (explicit) consent or implied
consent methods.
To get an overall understanding of cookie types and categorisations being reported in cookie statements.
Other key study methodology details include:
100 websites were assessed as part of the study.
o 50 of these were domestic UK-based sites, 50 were domestic Irish-based.
o By “domestic” this means that the study excluded UK or Irish domain subsidiaries of foreign sites (e.g.
google.co.uk, or ebay.ie). Similarly, it excluded Irish subsidiaries of UK parents and vice versa (e.g.
ulsterbank.ie whose parent is UK-based RBS).
o All the 100 sites were chosen on the basis of having to comply with the directive. While almost all
prominent commercial sites use cookies to the extent that they would need to comply, a small number
of exception sites claimed to not use cookies, or at least “strictly necessary” cookie types only, hence
they were excluded.
o Websites were chosen using the UK and Irish “Top Sites” rankings provided by Alexa
(www.alexa.com).
o Assessment was carried out on 28th/29th May 2012 using Google Chrome web browser (Version 19).
Cookie Information Quality Grading: To assess the quality of the cookie-related information provided, each
website was given an A, B or C grade (Espion’s own scale, aligned to the legislation wording) based on
inclusion of the following details in its cookie-related information:
o Explicit mention that the site uses cookies.
o Clear, non-technical explanation of what cookies are.
o Clear and categorised explanation of the cookie types used on the site, including:
High-level, non-technical categorisations such as those suggested in ICO guidance
documentation (e.g. “strictly necessary”, “functionality”, “performance”, “browser experience”-
related, “analytics”, “advertising/targeting”, “session vs. persistent” and so on).
Detailed categorisations focussing on individual cookie identifiers and related explanatory info.
o Clear instructions on how to opt in to or opt out of cookie tracking.
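The itemised, per-cookie listing that the grading criteria above ask for (and that Figure 5 later measures) is usually built from the Set-Cookie headers a site actually returns. The following JavaScript is an added example, not code from the Espion paper or from any assessed site: it parses each header, works out lifetime (session vs. persistent) and first- vs. third-party status relative to the site host, and tags each cookie as strictly necessary or requiring consent. The headers, host names and the strictly-necessary allow-list are constructed sample data, and the first-party test is a plain domain-suffix match rather than a public-suffix-list lookup.

```javascript
// Added example (not from the Espion paper): build a per-cookie inventory of
// the kind a Grade A cookie statement itemises, from Set-Cookie headers.

// Hypothetical allow-list: names the site owner has classified as "strictly
// necessary" after a manual audit. Everything else is assumed to need consent.
const STRICTLY_NECESSARY = new Set(["sessionid", "csrftoken"]);

// Constructed sample responses, as {host that sent the header, header value}.
const SAMPLE_RESPONSE_COOKIES = [
  { host: "www.example.ie", header: "sessionid=abc123; Path=/; Secure; HttpOnly" },
  { host: "www.example.ie", header: "_ga=GA1.2.1; Domain=.example.ie; Path=/; Max-Age=63072000" },
  { host: "ads.tracker.example", header: "uid=42; Expires=Tue, 28 May 2013 00:00:00 GMT; Path=/" },
];

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
// Flag attributes (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0],
    value: eq >= 0 ? parts[0].slice(eq + 1) : "",
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    cookie.attrs[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return cookie;
}

// Lifetime in days from Max-Age (takes precedence) or Expires; null means a
// session cookie that is discarded when the browser closes.
function lifetimeDays(attrs, now) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]) / 86400;
  if (attrs.expires !== undefined) {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return (t - now.getTime()) / 86400000;
  }
  return null;
}

// Classify every header relative to the site's own host. `now` is injectable
// so that Expires-based lifetimes are reproducible.
function buildInventory(siteHost, responseCookies, now = new Date()) {
  return responseCookies.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const days = lifetimeDays(c.attrs, now);
    // Effective domain: the Domain attribute if present, else the sending host.
    const domain = (typeof c.attrs.domain === "string" ? c.attrs.domain : host)
      .replace(/^\./, "").toLowerCase();
    // Assumption: a suffix match is "first-party"; a real audit would use the public suffix list.
    const firstParty = siteHost === domain || siteHost.endsWith("." + domain) || domain.endsWith("." + siteHost);
    return {
      name: c.name,
      domain,
      party: firstParty ? "first-party" : "third-party",
      lifetime: days === null ? "session" : `persistent (${Math.round(days)} days)`,
      secure: c.attrs.secure === true,
      httpOnly: c.attrs.httponly === true,
      category: STRICTLY_NECESSARY.has(c.name) ? "strictly necessary" : "requires consent",
    };
  });
}

// Tab-separated rows, one per cookie, ready to paste into a cookie statement.
function formatInventory(rows) {
  return rows
    .map((r) => [r.name, r.domain, r.party, r.lifetime, r.category].join("\t"))
    .join("\n");
}

// Run against the constructed sample, dated to the study's assessment day.
console.log(formatInventory(
  buildInventory("www.example.ie", SAMPLE_RESPONSE_COOKIES, new Date("2012-05-28T00:00:00Z"))
));
```

In a real audit the headers would be captured from a crawl of the site (including the cookies set by embedded third-party scripts, which is where most "advertising/targeting" entries come from), and the allow-list would be the outcome of the manual classification, not an input to it.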
Findings
Overall, the results clearly indicate that prominent UK-based websites are achieving higher standards of
compliance with the Cookie Directive than corresponding Irish websites at present, with much diversity in
implementation of the directive.
Provision of Cookie information
As mentioned, all the sites chosen for testing were required to comply with the directive. While all UK-based sites
tested provided at least some form of cookie information, four Irish sites failed to provide any
cookie-related information at any level (Figure 1).
Irish Sites UK Sites Ireland (%) UK (%) Overall (%)
Required to comply? 50 50 100% 100% 100%
Cookie information provided? 46 50 92% 100% 96%
Figure 1 - Provision of Cookie Info (Irish and UK Sites), Summary
Cookie information “clearly accessible, prominently displayed”?
In line with key legislation wording and guidance, Figures 2 and 3 summarise the degree to which provided cookie
information was “clearly accessible” and “prominently displayed” throughout the sites tested. Figure 2 summarises
the site location of such information, with only one-third of websites providing an explicit Cookie Policy Statement.
Another 58% provided cookie information nested as part of the site’s Privacy Statement. A small minority (4%)
included cookie info as part of the Terms and Conditions section. However there was a significant difference on a
regional basis - only two of the Irish sites (4%) provided explicit cookie statements, compared to 31 of the UK sites
(62%).
Irish Sites UK Sites Ireland (%) UK (%) Overall (%)
Explicit Cookie Statement 2 31 4% 62% 33%
Nested in Privacy Policy 40 18 80% 36% 58%
Nested in Terms & Conditions 3 1 6% 2% 4%
None Provided/Not Applicable 5 0 10% 0% 5%
Totals 50 50 100% 100% 100%
Figure 2 - Location of Cookie Info, Summary
The findings in Figure 3 involved counting the user actions needed to find cookie information from
each site’s landing page (each necessary click or scroll counting as one user action). Only a
quarter of sites overall provided access within one action (Figure 3), with the majority requiring two or three
user actions. Most Irish sites (78%) provided access via privacy statements located at the bottom of landing pages,
requiring three separate scroll-click-scroll actions to locate cookie information. UK sites fared better, with 46% (23
of the sites tested) providing access within a single action.
Irish Sites UK Sites Ireland (%) UK (%) Overall (%)
Accessible within one user action 2 23 4% 46% 25%
Accessible within two user actions 5 16 10% 32% 21%
Accessible within three user actions 34 8 68% 16% 42%
Four or more user actions 4 3 8% 6% 7%
Not Applicable 5 0 10% 0% 5%
Totals 50 50 100% 100% 100%
Figure 3 - Accessibility of Cookie Information from Landing Page, Summary
Quality of information provided - “user friendly, clear and comprehensive”?
This assessment involved grading the clarity and comprehensiveness of the cookie-related information provided, based
on the information categories mentioned earlier (Figure 4). Sites achieving a Grade A rating provided all of the
following (based on Espion’s own criteria, aligned to the legislation wording):
Explicit mention that site uses cookies.
A non-technical explanation of what they are.
Clear non-technical categorisations of cookie types used.
Detailed itemised technical explanation of individual cookie IDs provided.
Clear opt-in/out information provided.
Irish Sites UK Sites Ireland (%) UK (%) Overall (%)
Grade A 1 14 2% 28% 15%
Grade B 6 28 12% 56% 34%
Grade C 38 8 76% 16% 46%
Not Applicable 5 0 10% 0% 5%
Totals 50 50 100% 100% 100%
Figure 4 - Cookie Information Quality Ratings, Summary
Most of the sites with Grade B ratings were rated lower on the basis of providing less clear categorisations - either
providing high-level categories without detailed information of individual IDs, or vice versa where detailed ID-level
technical information was provided without more intuitive, non-technical, categorisations. Most Grade C sites failed
to provide any attempt at comprehensively detailing the cookies used and providing any form of clear
categorisation.
Overall, 25% of the sample provided at least some information on individual cookie IDs (Figure 5). 15% achieved
Grade A ratings (Figure 4), comprising 14 UK sites and just one Irish site. A further one-third of
the sample were Grade B, with the remaining half either Grade C or providing no cookie information at all.
Irish Sites UK Sites Ireland (%) UK (%) Overall (%)
Yes 4 21 8% 42% 25%
No 46 29 92% 58% 75%
Totals 50 50 100% 100% 100%
Figure 5 - Provision of Info at Cookie ID Level, Summary
Approaches to Acquiring Consent
The majority of sites assessed relied on implied consent via URL links (with the word “consent” used
liberally in such cases) (Figure 6). 12 UK-based sites were more explicit, presenting a clearly visible banner or pop-up
notification of cookie usage, typically on the first visit and suppressed on later visits. None of the
assessed sites required prior consent before setting cookies.
Irish Sites UK Sites Ireland (%) UK (%) Overall (%)
Implied consent via banner or pop-up 0 12 0% 24% 12%
Implied consent via URL link 42 38 84% 76% 80%
Prior consent (pop-up) 0 0 0% 0% 0%
None/Not Applicable 8 0 16% 0% 8%
Totals 50 50 100% 100% 100%
Figure 6 - Approaches to Achieving Consent, Summary
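The difference between the implied-consent banners seen on the UK sites and the prior consent that none of the sample adopted, together with the earlier objection that analytics cookies are already set before the user can respond, can be made concrete in page script. The following JavaScript is an added example, not code from the paper or from any of the assessed sites. The cookie names (cookie_consent, _ga), their lifetimes and the in-memory jar are assumptions so that the logic runs offline in Node; documentCookieJar() exposes the same interface over document.cookie for use in a page.

```javascript
// Added example (not from the Espion paper): gate non-essential cookies on
// consent, with the "prior" and "implied" approaches side by side.

const CONSENT_COOKIE = "cookie_consent"; // hypothetical name, one-year lifetime
const CONSENT_MAX_AGE = 365 * 86400;

// In-memory jar so the example runs without a browser; cookies persist across
// simulated page loads just as they would across real visits.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
  };
}

// Same interface over document.cookie. Path=/ and SameSite=Lax are assumed defaults.
function documentCookieJar(doc) {
  const write = (name, value, maxAge) => {
    doc.cookie = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Max-Age=${maxAge}`;
  };
  return {
    get: (name) => {
      const hit = doc.cookie.split("; ").find((p) => p.startsWith(name + "="));
      return hit ? decodeURIComponent(hit.slice(name.length + 1)) : null;
    },
    set: (name, value, opts = {}) => write(name, value, opts.maxAge ?? CONSENT_MAX_AGE),
    remove: (name) => write(name, "", 0), // Max-Age=0 deletes the cookie
  };
}

// mode "prior":   non-essential loaders wait for an explicit accept.
// mode "implied": the banner is shown, but loaders run immediately, which is
//                 why analytics cookies can already be set before any choice.
function createConsentManager({ jar, mode, loaders, nonEssential, banner }) {
  let loaded = false;
  const runLoaders = () => {
    if (loaded) return;
    loaded = true;
    loaders.forEach((load) => load(jar));
  };
  return {
    onPageLoad() {
      const decision = jar.get(CONSENT_COOKIE);
      if (decision === "accepted") { runLoaders(); return "accepted"; }
      if (decision === "rejected") return "rejected";
      banner.show();
      if (mode === "implied") runLoaders();
      return "pending";
    },
    accept() {
      jar.set(CONSENT_COOKIE, "accepted", { maxAge: CONSENT_MAX_AGE });
      banner.hide();
      runLoaders();
    },
    reject() {
      jar.set(CONSENT_COOKIE, "rejected", { maxAge: CONSENT_MAX_AGE });
      banner.hide();
      nonEssential.forEach((name) => jar.remove(name)); // undo anything set before the choice
    },
  };
}

// Two page loads against one jar, with the user choosing on the first. The
// analytics loader stands in for a real tag that drops a persistent cookie.
function simulateVisits(mode, choice) {
  const jar = memoryJar();
  let bannerShown = 0;
  const banner = { show: () => { bannerShown += 1; }, hide: () => {} };
  const config = {
    jar, mode, banner, nonEssential: ["_ga"],
    loaders: [(j) => j.set("_ga", "GA1.2.1", { maxAge: 63072000 })],
  };
  const first = createConsentManager(config);
  const firstState = first.onPageLoad();
  const trackedBeforeChoice = jar.get("_ga") !== null;
  if (choice === "accept") first.accept(); else first.reject();
  const secondState = createConsentManager(config).onPageLoad();
  return { firstState, trackedBeforeChoice, secondState, bannerShown, trackedAfter: jar.get("_ga") !== null };
}

console.log("prior/accept  ", simulateVisits("prior", "accept"));
console.log("implied/reject", simulateVisits("implied", "reject"));
```

In prior mode trackedBeforeChoice stays false on the first visit; in implied mode it is already true before the user can accept or reject, which is exactly the objection raised in the stakeholder reaction section. Note that reject() can only clear first-party cookies: a cookie that a third-party script has set on its own domain is outside the page's reach, so the only reliable control is not to load that script until consent has been recorded.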
Compliant or Not?
While definitively determining some aspects of compliance to the directive is still a grey area to an extent, Espion
combined some of the discussed metrics to define a simple arbitrary metric to determine levels of compliance
among the sample, at least from the user perspective. In order to be rated as compliant, sites had to meet both of
the criteria below:
Provided cookie information (either via Privacy Policy or explicit Cookie Policy statement) is accessible
within two user actions or better from site landing page
Quality and comprehensiveness of cookie-related information is rated to be of Grade A or Grade B
standard
Irish Sites UK Sites Ireland (%) UK (%) Overall (%)
Compliant* 1 33 2% 66% 34%
Not Compliant 49 17 98% 34% 66%
Figure 7 - Rate of Compliance to Directive*
* Based on subjective Espion metric calculation. Also assumes that Cookie statement information provided on each site has been audited and
corresponds accurately with underlying web application
It is clearly evident that compliance rates among UK sites are much higher on this calculation (Figure 7): two-thirds
of that set achieve compliance on these criteria, whereas only a single Irish site (2% of the sample) does,
equating to 34% compliance across the entire sample.
Conclusion
Clear distinctions exist at present between prominent UK and Irish websites in relation to compliance with the Cookie
Directive. Despite the Irish legislation’s wording, and its intent that it is not sufficient solely to provide the required
information in a statement of terms and conditions or a privacy policy, the overwhelming majority of Irish-based
sites assessed have yet to go beyond this. On the other hand, corresponding UK-based sites have paid greater
attention to the legislation’s wording and requirements, and many have reflected these more clearly in their
implementation of the directive. Greater attention to the directive in UK media, the allowance of an explicit grace
period, and the availability of assistive compliance guidelines appear to have contributed to compliance efforts there.
More Info
For more information on this research, contact Seamus Galvin, Espion Research at +353 (1) 210 1711, or
seamus.galvin@espiongroup.com
For more information on Espion’s cookie compliance and Information Security services, contact us at +353 (1) 210
1711, or info@espiongroup.com
About Espion
Espion are Corporate Information
specialists. We work with
organisations across all industries
and business functions to provide
advice and assistance relating to
the holistic compliance, protection
and management requirements of
their most valuable asset –
information. This allows our clients
to focus on their core business and
ultimately achieve greater success.
Espion Headquarters
The Penthouse, Block 2
Deansgrange Business Park
Deansgrange, Co. Dublin
Ireland
+353 (01) 2101711
www.espiongroup.com