Slowly but surely we’re getting a picture of what is expected of website owners (and indeed application providers) in respect of the Swedish response to the EU directive on online privacy.
The Cookie Law
Most of us are calling it The Cookie Law, but it’s broader than that. The Swedish Electronic Communications Act covers (amongst other things) the storage and reading of information on a terminal device and how you must obtain consent from the user prior to reading or writing such information.
A terminal device isn’t just a desktop or a laptop computer – it could also be, for example, a mobile phone, tablet, internet TV, or even a game console.
For the majority of websites, the data the law refers to is in the form of HTTP cookies, but it also includes Flash cookies, Silverlight cookies, HTML5 web storage, and other similar types of data transferred back and forth across the internet.
Some cookies are excluded from the law. These are cookies (or other such information) that are essential for the provision of the service you are accessing.
The most straightforward example is that of a shopping cart on an e-commerce site. You’ll have to come to your own conclusion about what is essential and what isn’t on your website.
What’s the response so far?
At the time of writing, most websites are either saying nothing or following the previous law from 2003, SFS 2003:389, which required website owners to declare that they used cookies.
A relatively small number of sites have taken steps to comply with the new law. The ways in which they have tried to comply vary from token gestures through to large consent banners covering the prime real estate of the website.
Screenshot of polisen.se featuring an opt-in banner
An onslaught from PTS?
PTS has a fair bit of information on its website to assist website owners. There’s no need to panic: PTS isn’t going to jump on websites and close them down. Its normal routine, if it receives a complaint, would be to write to the website owner with some advice and the chance to correct the situation.
During the 8-year lifetime of the previous Cookie law, only a handful of websites were warned, and no website was prosecuted. I expect it will be a similar situation this time round too.
The Swedish trade organisation, IAB Sweden, has produced guidelines on how to comply with the law. It was stated during the preparation of the new law that best practice should be developed by website owners; the IAB’s recommendation is an expression of such best practice.
The IAB recommendation
All cookies, including third party cookies, should be explained. Information should also be given explaining how the user can withdraw the consent (by disabling cookies in their browser).
Audit, be transparent, explain
So, if you are a Swedish company or organisation, targeting a Swedish audience, then you pretty much know what to do – audit your cookies, be transparent, and explain the choices.
You should also do your best to tidy up and remove any scripts and features that you don’t need. (This is not only good housekeeping, but it also helps improve performance and speed of your website.)
It’s even a good chance to check the effectiveness of certain website features. Put measurements in place and assess them (if you don’t already). That Facebook like-box might not actually be worthwhile after all…
Targeting countries outside of Sweden
Sounds simple so far? Well, what complicates matters is that each EU country is putting in place its own interpretation of the EU directive. Some countries are going to have much stricter interpretations of it than Sweden.
European law firm Field Fisher Waterhouse has produced a really useful table giving a country by country implementation status and a synopsis of the legal requirements.
If you are actively targeting people in other EU countries, then you will almost certainly need to comply with the relevant cookie laws in those countries.
Visits from non-targeted countries?
Visits from people in countries that you are not actively targeting are, in my opinion, a bit of a grey zone.
Technically, you are transmitting and storing data on the user’s computer if you are using cookies – but having a website that specifically complies with all the laws in all other EU countries is going to be awkward at best, impossible at worst.
Nordic and Baltic countries
For Swedish companies, one positive thing to note is that most of the countries neighbouring Sweden – namely Denmark, Finland and Estonia – have implemented the law in a way that is no more strict than the Swedish law. The exceptions to this are Latvia and Lithuania, where a strict prior opt-in (not implied by browser settings) appears to be required.
Map: red countries require strict opt-in; green countries accept consent via browser settings.
Norway is not an EU country and is therefore not required to implement the EU directive. That said, Norway often implements them anyway – but at the moment, no formal proposal has been made, and no change of law has been implemented.
Business with integrity
Suffice it to say, the Swedish cookie law isn’t out to get normal, honest websites. It’s there to catch the abusers; the less honest. So those of us running businesses with a fair dose of integrity have nothing to worry about.
Of course, the content of this blog post is just my opinion; you should obtain specific legal advice for your own company.
It would be great to hear in the comments section below what your company has decided to do to be compliant…