Tues, 12 June 2012 | Tristan Neagle, founder and director of Just Recruitment Websites
On 26 May 2012, the Information Commissioner’s Office (ICO) started to enforce the revised EU e-Privacy Directive (AKA 'The EU Cookie Law').
In a nutshell, this is what’s changed:
Before: The law simply stated that websites should be clear about how they use cookies (small pieces of data which help websites identify specific users). Most websites did this by including this information in a Privacy Policy.
After: The law now states that websites must specifically gain consent from users before using cookies that are not "strictly necessary". Websites also have the option of implementing an “Implied Consent” solution, whereby in using a website, users are in effect giving their consent for that site’s use of cookies.
The reason for the change is sound: it aims to tackle certain privacy concerns about the way cookies are used on websites, including their ability to enable targeted marketing.
Importantly, this means the new EU e-Privacy Directive is not limited to cookies alone, as it also includes “any similar technologies”. However, the new legislation has been incorrectly dubbed “The EU Cookie Law”, which is confusing and has led many to believe that the law applies to cookies only.
This is one of several reasons why compliance with the new law is not straightforward. On a technical level, there is no ‘catch-all’ solution – it depends on exactly how the website was developed, how it uses cookies (and other similar technologies) and which cookies are ‘strictly necessary’.
Furthermore, businesses that fully comply with the new law may lose visitors or severely limit the functionality of their website. Ironically, this will disadvantage them against companies that choose to ignore the law or those that take a more relaxed attitude towards compliance.
Due to the potential costs and business risks involved, response to the legislation has been mixed. In summary though, website owners are left with three main options:
• Option 1 is to do nothing, deliberately contravene the new law and to wait and see how the situation unfolds before investing the resources necessary to deal with the legislation.
• Option 2 is to take a moderate amount of action, which would put the business in a defensible position should any action or investigation take place. For some websites, this could take the form of so-called ‘implied consent’ – a solution which the ICO has recently confirmed as a possible route for compliance.
• Option 3 is to accept the risks and disadvantages of full compliance and to prevent the use of cookies and any similar technologies until specific opt-in permission has been gained from each visitor. According to the ICO’s latest guidance, this might remain the only option, which would result in ‘regulatory certainty’ for some websites.
The maximum penalty for breaking the new EU e-Privacy Directive stands at £500,000. However, many industry professionals have been sceptical about whether it will be practical or possible to enforce the law and the ICO itself has stated that financial penalties are a long way off.
Nevertheless, enforcement is well underway with the ICO initially choosing to write to 50 of the UK’s busiest websites to ask for information about what steps have been taken.
To date, it appears that the vast majority of websites (including most of the UK’s 20 largest recruitment websites) have yet to respond to the new law. Reed and Guardian Jobs are notable exceptions, both choosing to implement an ‘Implied Consent’ solution. However, many other websites appear to have taken little (or no) direct action.
Nevertheless, the situation is changing day by day as the ICO begins to enforce the new law and more companies unveil their solution on this difficult issue. As such, all recruitment website owners are urged to make an immediate and conscious decision relating to the new legislation.