Wheredidthetigergo - Web Design & Web Development

The cookie law


A resource for website owners on the Privacy and Electronic Communications Regulations 2011

On 25 May 2012, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 come into force. The amended regulations include the European Directive concerned with the protection of privacy on the web, especially something called 'cookies' (which is why it is nicknamed the 'cookie law'). If you own or manage a website, it is almost certain that you will need to do something to ensure your site is compliant. With a maximum penalty of £500,000, it is definitely worth at least reading up on the issue so you can make an informed decision on what action to take.

What are cookies?

Cookies are small files stored on your computer containing a small amount of text specific to you which are created by websites. Cookies are used to remember things about you as you browse a website, for example whether you are logged in, the contents of your shopping cart and your preferences.  They are also used to help website owners improve their website, for example by tracking your visit or for showing different versions of a page to different users to determine which is best (A/B testing).

Sounds harmless? It mostly is. However, cookies can also track the pages you visit between sites, usually to allow advertisers to work out what you are interested in so they can show you more relevant adverts ('behavioural advertising'). The same mechanism can, however, also be used by spyware to store and access information or trace your activities for criminal purposes, or by organisations like Facebook and Google. The new law tries to address the privacy concern that this tracking (for legitimate business or criminal activities) is done without any consent.

The law

The law basically means that, with the exception of strictly necessary cookies required to provide functionality requested by the user (i.e. shopping carts etc.), you must get consent from a user before using cookies and you must provide clear and comprehensive information about the purposes of the cookies (the law is not just about cookies, but this is the part that will affect most websites).

Consent? Yes - think pop-up boxes or nagging messages (accordions) at the top or bottom of the screen. For a light-hearted extreme example of what this could mean for the internet take a look at this example. To quote this entertaining video, 'the stupid EU cookie law in (and why it should die)' - the law is a bit like banning music to stop Justin Bieber from releasing a new album. But still, it is law (although there is a campaign to get it changed).

Unfortunately the ICO (Information Commissioner's Office) has confirmed that analytics tools (including Google Analytics, which is used by the majority of websites) are not 'strictly necessary' and therefore consent is required. If your site uses web analytics, social media share buttons, embedded content (for example from YouTube), affiliate links, A/B testing, or advertising from a third party, you almost certainly will be in breach of this law.

Although an extreme view, QuBit (who sell a cookie consent solution) has estimated that the new law could cost UK business over £10 billion if the law is fully implemented. This includes loss of new visitors put off by cookie consent, reduction in visitor numbers, loss from recommendations and cross-selling opportunities, loss from business migration outside the EU, loss from affiliate marketing and loss of data from web analytics.

In an ideal world

In an ideal world, you could rely on 'informed consent'. In other words users would know what cookies are, what they are used for and how to turn them off, and browsers would have the capabilities for users to manage global settings for different types of cookies. Informed consent would mean that a user consents to your cookies according to their browser settings.

Amazon's current cookie policy appears to use this approach (N.B. I do not know whether this will be their policy when the law actually comes into effect):

Visiting Amazon's websites with your browser settings adjusted to accept cookies tells us that you want to use Amazon's products and services and that you consent to our use of cookies and other technologies to provide them to you as described in this notice and in our Privacy Notice. See below for information on how to modify the settings in your browser to notify you when you receive a new cookie and disable cookies altogether. amazon.co.uk: Cookies & Internet Advertising

Unfortunately the ICO do not feel that most browsers offer the control on cookie settings required for informed consent and, whilst they are working with browser vendors, it will be a while before this functionality will be available across the board. There is also a lack of user knowledge - in an online (so web users) survey of 1000 individuals in February 2011, 41% were unaware of the different types of cookies and whilst 13% fully understood how cookies work, 37% had heard of cookies but did not understand how they work.

In the future you may be able to rely on the user's browser settings for satisfying consent to set cookies, but for now browser settings alone will not be sufficient.

UPDATE: The ICO has updated its position regarding implied consent. "Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies." This suggests that you may just need to make it clear (and obvious) to visitors that your site uses cookies and what their purpose is, and provide information on how to turn off cookies in browser settings.

In reality

Whilst there is a maximum fine of £500,000, this would only be used for the most serious cases where contravening the Regulations is likely to cause substantial damage or distress. The other options the ICO has are to request information ('information notice'), commit an organisation to a particular course of action ('undertaking') or compel an organisation to comply ('enforcement notice').

At the very least, you should:

  • identify what cookies are used on your site and what they are used for (there is a useful free Google Chrome plugin to help)
  • ensure your website has a privacy and cookie policy that details the cookies used and what they are used for
  • ensure the link to your privacy and cookie policy is prominent (this is covered in a bit more detail shortly)
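The first step, identifying the cookies your site sets and who can read them, can be done by hand in the browser's developer tools or with the Chrome plugin mentioned above. The following is an added example, not code from the original post: a small audit of captured Set-Cookie headers that groups each cookie by the domain it is scoped to, so first-party and third-party cookies can be told apart and each gets a purpose for the cookie policy. The `SITE_HOST` value, the purpose table and the sample headers are constructed for illustration.

```javascript
// Added example, not code from the original post: audit Set-Cookie headers
// captured from a page load and build a cookie inventory. SITE_HOST, the
// purpose table and SAMPLE_RECORDS are constructed for illustration.

const SITE_HOST = 'www.example.co.uk'; // assumed: the site being audited

// Purpose lookup for names the auditor recognises. The __utm* names are the
// classic Google Analytics (ga.js) cookies; anything not matched is reported
// as 'unclassified' so a human reviews it before writing the cookie policy.
const PURPOSES = [
  { match: (n) => /^__utm[abcvz]$/.test(n), purpose: 'analytics (Google Analytics)' },
  { match: (n) => n === 'PHPSESSID' || n === 'JSESSIONID', purpose: 'session (strictly necessary)' },
];

// Parse one Set-Cookie header into name, value, Domain attribute and whether
// it outlives the browser session (Expires or Max-Age present).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null, persistent: false };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    if (key === 'expires' || key === 'max-age') cookie.persistent = true;
  }
  return cookie;
}

// A cookie scoped to `domain` is first-party if the audited host is that
// domain or sits underneath it (Domain=.example.co.uk covers www.example.co.uk).
function isFirstParty(domain) {
  return SITE_HOST === domain || SITE_HOST.endsWith('.' + domain);
}

// records: [{ host, setCookie }] taken from every response a page load
// triggers, including embedded third-party resources. One inventory row each.
function auditCookies(records) {
  return records.map(({ host, setCookie }) => {
    const c = parseSetCookie(setCookie);
    const domain = c.domain || host.toLowerCase(); // no Domain attribute: host-only cookie
    const known = PURPOSES.find((p) => p.match(c.name));
    return {
      name: c.name,
      domain,
      party: isFirstParty(domain) ? 'first' : 'third',
      persistent: c.persistent,
      purpose: known ? known.purpose : 'unclassified',
    };
  });
}

// Constructed sample: three headers from the site itself and one from an
// embedded social widget on another domain.
const SAMPLE_RECORDS = [
  { host: 'www.example.co.uk', setCookie: 'PHPSESSID=abc123; Path=/; HttpOnly' },
  { host: 'www.example.co.uk', setCookie: '__utma=1.2.3.4; Domain=.example.co.uk; Path=/; Expires=Thu, 01 Jan 2015 00:00:00 GMT' },
  { host: 'www.example.co.uk', setCookie: 'prefs=dark; Path=/; Max-Age=31536000' },
  { host: 'widgets.social.example', setCookie: 'uid=xyz; Domain=.social.example; Path=/; Max-Age=63072000' },
];

console.table(auditCookies(SAMPLE_RECORDS));
```

Anything the audit reports as third-party or unclassified is the material for the cookie policy: a third-party persistent cookie is exactly the kind the law is most concerned with, and an unclassified first-party cookie still needs a stated purpose.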

Beyond that, it is down to how risk averse you are, your operational requirements and other factors as to what you should do to comply.

Please note the following disclaimer - I am not a lawyer and the following should not in any way be seen as formal advice. The aim is to give you a start at gathering information to enable you to make your own informed choice and, if necessary, obtain legal advice. This information is tailored to my customer base, who are limited users of advertising and affiliate networks.

In general terms, gaining consent is likely to be a bad idea for your website. No one likes pop-ups and notifications, and, unless you are very sly with your wording (which the ICO will be unimpressed with), many (if not most) people will not opt-in anyway. There is also a cost implication to add the functionality to ask for consent. Before asking for consent, work through the cookies used on your site and see if they are actually needed and whether you need consent. Here is a bit more on the two areas that will cause most websites to not comply with the new law: Google Analytics and Social Media.

Google Analytics

If you use Google Analytics (the most popular analytics tool, but this applies to any other tool which uses cookies), the first thing to ask yourself is "do I actually need analytics". If you do not currently, or plan to in the future, actively use the data, then why have it there in the first place?

Whilst the ICO have specifically stated that Google Analytics is not classed as 'strictly necessary' and requires consent, they have also stated:

Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals, if an organisation can demonstrate they have done everything they can clearly to inform users about the cookies in question and to provide them clear details of how to make choices. Whilst he does not consider they are exempt from the rules the Commissioner is therefore unlikely to prioritise, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services, in any consideration of regulatory action.

The Government Digital Service however, in 'Implementer Guide to Privacy & Electronic Communications Regulations' for public sector websites takes the view that web analytics are "essential to the effective operation of government websites" and that "at present the setting of cookies is the most effective way of doing this" (source: econsultancy.com).

A common implementation seems to be to avoid asking for consent for Google Analytics, but ensuring there is sufficient information available in the site's cookie policy, as well as a link to a tool provided by Google for users to opt-out of Google Analytics across all websites. This policy also fits with the recommendations from the International Chamber of Commerce (see below).

It is worth noting that Google Analytics uses several cookies - most of these cookies are first-party (they can only be accessed by your website), however a third-party cookie (accessible by Google) is added if you have chosen to allow Google to anonymously track website metrics to 'benchmark' your site against related sites. If you choose to not gain consent for Google Analytics, then you probably want to consider turning this setting off.

There are alternatives to Google Analytics which do not use cookies - these will provide less information but may be viable alternatives if you wish to comply with the regulations without prompting for consent.

Social Media

Social media share plug-ins and embedded media usually use cookies; the default YouTube player, for example, uses a third-party cookie (although there is a new setting to enable you to embed a video without cookies). Facebook, Twitter and Google+ widgets all use third-party cookies, primarily to see if the user is logged into that service, but they are also used to track your movements across other websites that also contain the widgets (which is what the law especially wants consent for).

For media services, like YouTube, that offer a 'privacy enhanced mode', you can easily switch over the code, but otherwise, to be compliant without consent, you will need to change services. It is quite likely however that other providers will follow YouTube's example and allow cookie-free versions, so it is worth checking with your provider on their plans.

For social media share plug-ins, one alternative is to just replace them with static share links - the main services offer URL (link) based solutions which do not need cookies (although to a slight detriment to the user experience). It is possible that, in the future, updated widgets will become available that do not include tracking cookies.
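The two substitutions just described, the YouTube privacy-enhanced embed and URL-based share links, are both plain string changes to your markup. The following is an added example, not code from the original post: it rewrites standard YouTube embed URLs to the `youtube-nocookie.com` host and generates static share anchors that only contact Twitter or Facebook when the visitor clicks. The `youtube-nocookie.com` host and the Twitter `intent/tweet` and Facebook `sharer.php` endpoints are the services' public URL formats; the sample HTML fragment is constructed.

```javascript
// Added example, not code from the original post: cookie-free substitutions
// for embedded video and share widgets, written as string functions so they
// can run in a template, a build step or the browser. SAMPLE_HTML is constructed.

// Standard YouTube embed URL: optional scheme, optional www, 11-character
// video id, optional query string (e.g. ?rel=0).
const YT_EMBED = /^(https?:)?\/\/(www\.)?youtube\.com\/embed\/([A-Za-z0-9_-]{11})(\?[^"']*)?$/;

// Rewrite a standard YouTube embed URL to YouTube's privacy-enhanced host,
// which does not set cookies until the visitor plays the video. Any other
// URL (a different service, or already privacy-enhanced) is returned unchanged.
function toPrivacyEnhancedEmbed(src) {
  const m = YT_EMBED.exec(src);
  if (!m) return src;
  return `https://www.youtube-nocookie.com/embed/${m[3]}${m[4] || ''}`;
}

// Apply the rewrite to every src="..." attribute in a fragment of HTML.
function rewriteEmbeds(html) {
  return html.replace(/src="([^"]*)"/g, (_, src) => `src="${toPrivacyEnhancedEmbed(src)}"`);
}

// Static share links: ordinary anchors that only contact the service when
// clicked, so no third-party cookie is set merely by viewing the page.
function staticShareLinks(pageUrl, title) {
  const u = encodeURIComponent(pageUrl);
  const t = encodeURIComponent(title);
  return {
    twitter: `https://twitter.com/intent/tweet?url=${u}&text=${t}`,
    facebook: `https://www.facebook.com/sharer/sharer.php?u=${u}`,
  };
}

// Render the links as markup with no script and no iframe involved.
function shareLinksHtml(pageUrl, title) {
  return Object.entries(staticShareLinks(pageUrl, title))
    .map(([name, href]) => `<a href="${href}" rel="noopener" target="_blank">Share on ${name}</a>`)
    .join('\n');
}

// Constructed sample: a standard embed as YouTube's share dialog produces it.
const SAMPLE_HTML =
  '<iframe width="560" height="315" src="https://www.youtube.com/embed/abcdefghijk?rel=0" frameborder="0"></iframe>';

console.log(rewriteEmbeds(SAMPLE_HTML));
console.log(shareLinksHtml('https://www.example.co.uk/post?id=1', 'The cookie law'));
```

Running `rewriteEmbeds` over your templates (or the stored content of a CMS) is a one-off job; the static share links replace the widget script entirely, which is what removes the cookie rather than merely hiding it.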

Here is an example of a site that has taken the view to not ask consent for social media plug-ins:

There’s so many great free toys you can add to websites these days and rarely can we resist – anything from Twitter buttons to software that powers blog comments. Collectively they make our website more interesting to you as a site visitor (and hopefully beloved customer). Sadly most of these come with cookies – that’s the “price of free”. We are working hard to work out what they all do but we are pretty confident that they all collect data anonymously unless you are already logged into their service. They probably just collect details of pages visited, anonymise it, aggregate it with several thousand or million other people’s anonymous data and then look at pretty graphs. attacat.co.uk's cookie policy (via @clivewalker)

This does not comply with the law, so the only current compliant alternative if you wish to have social media widgets is to ask for consent.

International Chamber of Commerce (UK)

The ICC UK have produced a cookie guide to help website operators obtain informed consent from their visitors and comply with the new rules governing the use of cookies.

The guide breaks down cookies into four types:

  • Category 1: strictly necessary cookies - including shopping carts and logins
  • Category 2: performance cookies - including web analytics, affiliate tracking and testing designs
  • Category 3: functional cookies - remembering settings
  • Category 4: targeting or advertising cookies - including cookies placed by advertising networks to collect browsing habits

The guide implies (with a disclaimer that this is for guidance only) that category 1 does not need consent, category 2 consent comes from functional use (with a line in your cookie policy), category 3 consent comes from either functional use (with a line in your cookie policy) or consent when a user chooses a function, and only category 4 should have clear, informed, opt-in consent.

PC Pro see this as the most practical guide to the cookie regulations; it is the result of a lot of research, and the ICO publicly stated: "Today’s ICC UK guidance provides organisations with a good starting point from which they can work towards full compliance", which could be seen as an endorsement.

Implementation

If you have cookies, but are not asking for explicit consent, it is clear that you need to ensure your cookie policy is prominent. Here are a few possible ideas:

  • Include a link or button in your website template (towards the top) to your cookie policy
  • Add an unobtrusive 'cookie' button that appears in the corner of your website (a free one is available at attacat)
  • Add a more obtrusive (but potentially more compliant) one-time message alerting users that your website uses cookies with a link to your cookie policy

Another solution to the problem, used by BT, is to assume implied consent, but to then prompt the user (once) to confirm the settings. A slider allows the user to select what level of settings to have and what features will be unavailable. At any time this can be modified using a link at the bottom of the page.
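The ICC UK categories above and the BT-style settings level described here fit together naturally: a single consent level decides which categories may load, implied consent covers categories 1 to 3 until the visitor chooses, and category 4 is never loaded without an explicit choice. The following is an added example, not code from the original post or from BT: the consent model as plain functions (no DOM needed), plus the first-party cookie that remembers the visitor's choice. The category numbers are the ICC guide's; the level names, the script list and the `cookie_consent` cookie name are assumptions made for the example.

```javascript
// Added example, not code from the original post: map the ICC UK cookie
// categories onto one consent level, gate scripts on it, and remember the
// choice in a first-party cookie. Level names, SCRIPTS and CONSENT_COOKIE
// are assumptions made for the example.

const CATEGORY = { STRICTLY_NECESSARY: 1, PERFORMANCE: 2, FUNCTIONAL: 3, TARGETING: 4 };

// Each level permits every category up to and including its number.
const LEVELS = { necessary: 1, performance: 2, functional: 3, all: 4 };
const isLevel = (l) => Object.prototype.hasOwnProperty.call(LEVELS, l);

// Until the visitor chooses, consent is implied for categories 1-3 (covered
// by a line in the cookie policy) and never for category 4, which needs opt-in.
const IMPLIED_MAX = CATEGORY.FUNCTIONAL;

// Scripts a page might load, each tagged with its ICC category and the
// feature that stops working without it (assumed list).
const SCRIPTS = [
  { id: 'session', category: CATEGORY.STRICTLY_NECESSARY, feature: 'login and shopping basket' },
  { id: 'google-analytics', category: CATEGORY.PERFORMANCE, feature: 'site improvement statistics' },
  { id: 'remember-font-size', category: CATEGORY.FUNCTIONAL, feature: 'remembered display settings' },
  { id: 'twitter-widget', category: CATEGORY.TARGETING, feature: 'live tweet button' },
  { id: 'ad-network', category: CATEGORY.TARGETING, feature: 'personalised adverts' },
];

// state: { level: null } before any choice, otherwise { level: <LEVELS key> }
function maxPermittedCategory(state) {
  if (state.level === null || state.level === undefined) return IMPLIED_MAX;
  if (!isLevel(state.level)) throw new Error(`unknown consent level: ${state.level}`);
  return LEVELS[state.level];
}

function isPermitted(state, category) {
  return category <= maxPermittedCategory(state);
}

// Which script ids the page may load at this consent state.
function scriptsToLoad(state, scripts = SCRIPTS) {
  return scripts.filter((s) => isPermitted(state, s.category)).map((s) => s.id);
}

// What to tell the visitor is unavailable at the chosen level (the text next
// to the slider).
function unavailableFeatures(state, scripts = SCRIPTS) {
  return scripts.filter((s) => !isPermitted(state, s.category)).map((s) => s.feature);
}

// The choice is remembered in a first-party cookie whose only purpose is to
// honour the visitor's decision, so it is strictly necessary itself.
const CONSENT_COOKIE = 'cookie_consent';

function consentSetCookie(level, maxAgeDays = 365) {
  if (!isLevel(level)) throw new Error(`unknown consent level: ${level}`);
  return `${CONSENT_COOKIE}=${level}; Path=/; Max-Age=${maxAgeDays * 86400}`;
}

// Read the remembered choice back from a request's Cookie header; anything
// missing or unrecognised falls back to implied consent.
function stateFromCookieHeader(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const [name, value] = part.trim().split('=');
    if (name === CONSENT_COOKIE && isLevel(value)) return { level: value };
  }
  return { level: null };
}

const visitor = stateFromCookieHeader('PHPSESSID=abc123; cookie_consent=performance');
console.log('load:', scriptsToLoad(visitor));
console.log('unavailable:', unavailableFeatures(visitor));
```

The gate has to run before any tagged script is referenced in the page, whether server-side when rendering or client-side before inserting script tags; a widget that has already loaded has already set its cookie, whatever the slider says afterwards.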

If you wish to gain consent, there are various off-the-shelf solutions, including one from CookieQ for an annual fee based on traffic. CookieQ also offer a free self-hosted version for small sites.

Certain software packages, for example WordPress or Magento, have modules or updates available which either include the functionality to ask for consent to use cookies, or notify users that you are using cookies.


Sales Pitch

The information in this post should hopefully help you in deciding how you want to comply with this law and give you the tools you require. If you need any further help or technical assistance, I can help, so please get in touch.
