Cookie Toolkit

Introduction


This toolkit provides resources for checking and ensuring website compliance with European Union (EU) data protection laws on cookies. It contains:

  • Legal Background - a description of the applicable EU laws;
  • Consent Strategy - recommended strategy for which consent model to apply and when;
  • Consent Mechanisms - guidance on implementing a mechanism for collecting user consent and allowing users to manage cookies, i.e. exercise their choice over whether to continue accepting cookies or disable them at any time. This section includes a template cookie notification banner.

Legal Background


Consent Requirement


The EU e-Privacy Directive requires website operators to obtain the user's consent to the use of cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them. For consent to be valid, it must be informed, specific, freely given and must constitute a real indication of the user's wishes. There is a limited exception for 'strictly necessary' cookies, which applies to cookies used for purposes that are required to fulfil a direct user request. Cookies that fall within this exemption include:

  • user-input cookies (session-id) such as first-party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases;
  • authentication cookies, to identify the user once he has logged in, for the duration of a session;
  • user-centric security cookies, used to detect authentication abuses, for a limited persistent duration;
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session;
  • load-balancing cookies, for the duration of a session;
  • user-interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer); and
  • third-party social plug-in content-sharing cookies, for logged-in members of a social network.

Nature of Required Consent


As this EU law is a directive, as opposed to a regulation, it needed to be incorporated into national law by the legislature of each EU country in order to take effect. Unfortunately, the laws that were passed are inconsistent with one another. The EU countries adopted one of two different approaches to consent:
  • Implied consent model: an information notice, with the ability to opt-out.
  • Explicit consent model: an information notice, with the ability to withhold consent (i.e. a 'strict' opt-in).

Below is a breakdown of which countries require implied consent and which require explicit consent.

Implied Consent:
  • Belgium
  • Bulgaria
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Luxembourg
  • Malta
  • Netherlands
  • Norway
  • Poland
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • UK

Explicit Consent:
  • Croatia
  • Cyprus
  • Germany (unless the data is pseudonymised)
  • Latvia
  • Lithuania
  • Portugal

Unknown/Unclear:
  • Austria
  • Liechtenstein

The Directive provides that businesses only need to comply with the implementing laws of the EU country where they are based. However, non-EU businesses will be required to comply with the laws set by each of the countries whose subjects they are targeting with their websites. (Examples of a website targeting French subjects would be: (a) a .fr website; or (b) a .com website that is in French or has a French language option.)

New Regulation


The EU Commission and Parliament have already passed the General Data Protection Regulation (GDPR) to replace the Data Protection Directive. To accompany GDPR, they also intend to pass an e-Privacy Regulation in May 2018 to replace the e-Privacy Directive.

The e-Privacy Regulation, which has been published in draft form, appears to remove the need for consent to permit the setting of cookies which are not "privacy intrusive". Also, it suggests that consent for privacy intrusive cookies may be inferred from browser settings and, therefore, it may remove the need for a cookie notification banner. However, the timing of the law being passed is likely to be delayed and the law could be subject to revision as it progresses through the legislative process. Until the final version is published, we need to maintain compliance with the current e-Privacy Directive. This guidance will be reviewed after the Regulation is published.

Consent Strategy


Until the e-Privacy Regulation is passed, where the Informa business operating a website is based in the EU, it should apply the consent model, either implied or explicit, that is required by the laws of the EU country where it is based. Where the relevant country requires explicit consent, then that is the standard to be met. Where the relevant country accepts implied consent, it would be open to Informa to apply the higher standard of an explicit model. However, we do not recommend that strategy.

Where the Informa business is based outside the EU, it has two options for a consent strategy. It could operate:

  • one EU-wide compliance model, set at the level of the most restrictive of the countries' laws, i.e. apply an explicit consent model across the board; or
  • two compliance models, i.e. operate an implied consent model in respect of the countries that permit it and operate an explicit consent model for countries that require that higher standard.

We recommend that each Informa division adopts the second strategy in order to take advantage of the less restrictive implied consent model wherever possible.

Consent Mechanisms


Every Informa website that uses cookies must include a suitable cookie consent mechanism. Each website should display a cookie notification banner to achieve either implied consent or explicit consent, depending on the legal requirements and chosen consent strategy. See the above sections on 'Legal Background' and 'Consent Strategy'.

Cookie Notification Banner - Elements


The cookie notification banner should include the following elements:

  • a simple reference to the fact that the website uses cookies, to notify users of this;
  • a link to the cookie policy, which should provide comprehensive information about the use of cookies;
  • if provided by the website operator, a link to a cookie consent tool for the user to manage cookies, i.e. enabling users to exercise their choice over whether to continue accepting cookies or disable them at any time; and
  • a succinct explanation of what specific action or conduct will amount to consent.

Below are templates for simple, succinct cookie notification banners - one implied consent version and one explicit consent version.

Template Cookie Notification Banner - Implied Consent


"We use cookies to improve your website experience. To learn about our use of cookies and how you can manage your cookie settings, please see our Cookie Policy. By continuing to use the website, you consent to our use of cookies."

Template Cookie Notification Banner - Explicit Consent


"We use cookies to improve your website experience. To learn about our use of cookies and how you can manage your cookie settings, please see our Cookie Policy. By closing this message, you are consenting to our use of cookies."

In order to capture explicit consent, this banner would need to remain visible on the page until the user clicks to close it and no cookies should be set until the user takes that action, with the exception of strictly necessary cookies.

Cookie Notification Banner - Guidance


The notification banner should be displayed clearly the first time that a user visits the website, on whatever page he/she visits first.

The notification banner can be at the top or bottom of the page, provided it is clearly visible above the fold, i.e. the user does not have to scroll down to see it.

You can exercise your discretion over the size, font and colour of the banner wording and the background colour of the banner, provided the notification is clear and prominent enough to be seen and read easily.

The words 'Cookie Policy' should hyperlink to the cookie policy of the specific website.

It is best practice for the banner to remain on the screen for as long as the user stays on that page, remaining visible as the user scrolls up and down. It would only be removed when the user takes the specified action or conduct to indicate consent (e.g. clicking to visit another page or closing the banner). It would be possible for the banner to fade away after a set period of time, provided the time period is long enough for Informa to argue convincingly that the user would have seen and had the opportunity to read and interact with the banner.

Cookie Consent Tools


It is best practice to provide users with a cookie consent tool enabling them to see the specific cookies used on the site and, unless they qualify as strictly necessary, exercise their choice over whether to continue accepting cookies or disable individual cookies. There are third party providers who can supply a complete consent solution, including site audits and a cookie consent tool, for example Evidon (https://www.evidon.com/solutions/universal-consent/).

Currently Informa does not provide users with such a tool. Given the uncertainty over the new e-Privacy Regulation, it may not make sense to consider implementing one. However, this should be reassessed when the final Regulation is published.

Audit and Analysis


Each division should set up a system to regularly audit and analyse all cookies (and similar technologies) used on its websites. Such a system should:

  • identify all cookies;
  • evaluate how each cookie operates;
  • assess the intrusiveness of each cookie and categorise it as one of the following four types of cookies - 'Strictly Necessary' Cookies, 'Performance' Cookies, 'Functionality' Cookies and 'Targeting' or 'Advertising' Cookies (see the template Cookie Policy for further description of these types) in order to determine whether consent is required;
  • identify where each of the websites is operating/targeting to determine whether to apply an implied or explicit consent model on the website;
  • implement or update each website's consent mechanism;
  • ensure each website has a cookie policy based on the template provided below.

Audits should be conducted every 6 months, as a minimum.
