The cookie law
A resource for website owners on the Privacy and Electronic Communications Regulations 2011
On 25 May 2012, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 come into force. The amended regulations implement the European Directive concerned with the protection of privacy on the web, in particular something called 'cookies' (which is why it is nicknamed the 'cookie law'). If you own or manage a website, it is almost certain that you will need to do something to ensure your site is compliant. With a maximum penalty of £500,000, it is definitely worth at least reading up on the issue so you can make an informed decision on what action to take.
What are cookies?
Cookies are small files stored on your computer containing a small amount of text specific to you which are created by websites. Cookies are used to remember things about you as you browse a website, for example whether you are logged in, the contents of your shopping cart and your preferences. They are also used to help website owners improve their website, for example by tracking your visit or for showing different versions of a page to different users to determine which is best (A/B testing).
Sounds harmless? It mostly is. However, cookies can also track the pages you visit across sites, usually so that advertisers can work out what you are interested in and show you more relevant adverts ('behavioural advertising'). The same mechanism can also be used by spyware to store and access information or trace your activities for criminal purposes, or by organisations like Facebook and Google. The new law tries to address the privacy concern that this tracking (whether for legitimate business or for criminal activities) is done without any consent.
In broad terms, the law means that, with the exception of strictly necessary cookies required to provide functionality the user has requested (e.g. shopping carts), you must get consent from a user before using cookies, and you must provide clear and comprehensive information about the purposes of the cookies. (The law is not just about cookies, but this is the part that will affect most websites.)
Consent? Yes - think pop-up boxes or nagging messages (accordions) at the top or bottom of the screen. For a light-hearted, extreme example of what this could mean for the internet, take a look at this example. To quote this entertaining video, 'the stupid EU cookie law in (and why it should die)', the law is a bit like banning music to stop Justin Bieber from releasing a new album. But still, it is law (although there is a campaign to get it changed).
Unfortunately the ICO (Information Commissioner's Office) has confirmed that analytics tools (including Google Analytics, which is used by the majority of websites) are not 'strictly necessary' and therefore consent is required. If your site uses web analytics, social media share buttons, embedded content (for example from YouTube), affiliate links, A/B testing or third-party advertising, you will almost certainly be in breach of this law.
Although this is an extreme view, QuBit (who sell a cookie consent solution) have estimated that the new law could cost UK business over £10 billion if it is fully implemented. This includes the loss of new visitors put off by cookie consent, reduced visitor numbers, lost recommendation and cross-selling opportunities, business migrating outside the EU, lost affiliate marketing and lost web analytics data.
In an ideal world
In an ideal world, you could rely on 'informed consent'. In other words users would know what cookies are, what they are used for and how to turn them off, and browsers would have the capabilities for users to manage global settings for different types of cookies. Informed consent would mean that a user consents to your cookies according to their browser settings.
Unfortunately the ICO do not feel that most browsers offer the control over cookie settings required for informed consent and, whilst they are working with browser vendors, it will be a while before this functionality is available across the board. There is also a lack of user knowledge: in an online survey (so the respondents were web users) of 1000 individuals in February 2011, 41% were unaware of the different types of cookies and, whilst 13% fully understood how cookies work, 37% had heard of cookies but did not understand how they work.
In the future you may be able to rely on the user's browser settings for satisfying consent to set cookies, but for now browser settings alone will not be sufficient.
Whilst there is a maximum fine of £500,000, this would only be used in the most serious cases, where contravening the Regulations is likely to cause substantial damage or distress. The other options the ICO has are to request information (an 'information notice'), to commit an organisation to a particular course of action (an 'undertaking') or to compel an organisation to comply (an 'enforcement notice').
At the very least, you should:
- identify what cookies are used on your site and what they are used for (there is a useful free Google Chrome plugin to help)
Beyond that, what you should do to comply depends on how risk averse you are, your operational requirements and other factors.
Please note the following disclaimer - I am not a lawyer and the following should not in any way be seen as formal advice. The aim is to give you a start at gathering information to enable you to make your own informed choice and, if necessary, obtain legal advice. This information is tailored to my customer base, who are limited users of advertising and affiliate networks.
In general terms, asking for consent is likely to be a bad idea for your website. No one likes pop-ups and notifications, and, unless you are very sly with your wording (which the ICO will be unimpressed with), many (if not most) people will not opt in anyway. There is also a cost implication in adding the functionality to ask for consent. Before asking for consent, work through the cookies used on your site and see whether they are actually needed and whether you need consent for them. Here is a bit more on the two areas that will cause most websites not to comply with the new law: Google Analytics and social media.
Whilst the ICO have specifically stated that Google Analytics is not classed as 'strictly necessary' and requires consent, they have also stated:
Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals, if an organisation can demonstrate they have done everything they can clearly to inform users about the cookies in question and to provide them clear details of how to make choices. Whilst he does not consider they are exempt from the rules the Commissioner is therefore unlikely to prioritise, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services, in any consideration of regulatory action.
The Government Digital Service however, in 'Implementer Guide to Privacy & Electronic Communications Regulations' for public sector websites takes the view that web analytics are "essential to the effective operation of government websites" and that "at present the setting of cookies is the most effective way of doing this" (source: econsultancy.com).
It is worth noting that Google Analytics uses several cookies. Most of them are first-party (they can only be accessed by your website); however, a third-party cookie (accessible by Google) is added if you have chosen to allow Google to anonymously track website metrics to 'benchmark' your site against related sites. If you choose not to gain consent for Google Analytics, you probably want to consider turning this setting off.
For media services, like YouTube, that offer a 'privacy enhanced mode', you can easily switch over the code, but otherwise, to be compliant without consent, you will need to change services. It is quite likely however that other providers will follow YouTube's example and allow cookie-free versions, so it is worth checking with your provider on their plans.
For social media share plug-ins, one alternative is simply to replace them with static share links: the main services offer URL-based (link) solutions which do not need cookies (at a slight cost to the user experience). It is possible that, in the future, updated widgets will become available that do not include tracking cookies.
Here is an example of a site that has taken the view not to ask for consent for social media plug-ins:
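The two substitutions described above (YouTube's privacy-enhanced embed and static share links in place of script-based widgets), as an added example that is not code from the original post or from any of the services named: the embed rewrite moves an iframe to the www.youtube-nocookie.com host that YouTube's privacy-enhanced mode uses, and the share links are plain URLs that set nothing on your page until the visitor actually clicks them. The share endpoint URLs are assumptions for illustration; check each service's own documented link format before using them.

```javascript
// Added example (not from the original post): cookie-free replacements for
// two kinds of third-party content.

// Rewrite the src of any <iframe> that embeds from the ordinary YouTube host
// so that it uses the privacy-enhanced host instead. Other markup is untouched.
function toPrivacyEnhancedEmbed(html) {
  return html.replace(
    /(<iframe\b[^>]*\bsrc=["'])(https?:)?\/\/(www\.)?youtube\.com\/embed\//gi,
    (match, prefix, scheme) => `${prefix}${scheme || ''}//www.youtube-nocookie.com/embed/`
  );
}

// Build static share links for a page. These are plain anchors: no script runs
// on your page and no cookie is set until the visitor follows the link.
// Endpoint paths are assumptions for this example.
function staticShareLinks(pageUrl, title) {
  const u = encodeURIComponent(pageUrl);
  const t = encodeURIComponent(title);
  return {
    twitter: `https://twitter.com/intent/tweet?url=${u}&text=${t}`,
    facebook: `https://www.facebook.com/sharer/sharer.php?u=${u}`,
    linkedin: `https://www.linkedin.com/shareArticle?mini=true&url=${u}&title=${t}`,
    email: `mailto:?subject=${t}&body=${u}`,
  };
}

// Constructed sample page fragment: one YouTube embed and one unrelated iframe.
const SAMPLE_HTML =
  '<p>Watch:</p>' +
  '<iframe width="560" height="315" src="http://www.youtube.com/embed/VIDEO_ID?rel=0" frameborder="0"></iframe>' +
  '<iframe src="https://maps.example.invalid/embed?q=office"></iframe>';

console.log(toPrivacyEnhancedEmbed(SAMPLE_HTML));
console.log(staticShareLinks('http://www.example.co.uk/post?id=1', 'Cookie law & you'));
```

Rewriting the embed only changes where the player is loaded from; whether the privacy-enhanced host sets cookies on playback is YouTube's policy to confirm, so re-run your cookie audit after the change rather than assuming.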
This does not comply with the law, so the only current compliant alternative if you wish to have social media widgets is to ask for consent.
International Chamber of Commerce (UK)
The guide breaks down cookies into four types:
- Category 1: strictly necessary cookies - including shopping carts and logins
- Category 2: performance cookies - including web analytics, affiliate tracking and testing designs
- Category 3: functional cookies - remembering settings
- Category 4: targeting or advertising cookies - including cookies placed by advertising networks to collect browsing habits
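The first step listed earlier, identifying what cookies your site sets and what they are for, and the four ICC UK categories just listed come together in a cookie audit. The script below is an added example, not code from the original post, the ICC or the Chrome extension mentioned: it takes the Set-Cookie headers a browser receives while loading a page, marks each cookie as first- or third-party relative to your own host and as session or persistent, and looks up the category and purpose from an inventory you maintain. The cookie names, the inventory entries and the sample responses are all constructed for illustration.

```javascript
// Added example (not from the original post): a small cookie audit helper.

// The four ICC UK categories from the guide.
const ICC_CATEGORY = {
  1: 'strictly necessary',
  2: 'performance',
  3: 'functional',
  4: 'targeting/advertising',
};

// Owner-maintained inventory: cookie name -> category and purpose.
// These entries are assumptions for this example, not a published list.
const INVENTORY = {
  sessionid: { category: 1, purpose: 'login session' },
  cart: { category: 1, purpose: 'shopping cart contents' },
  __utma: { category: 2, purpose: 'web analytics visitor id' },
  lang: { category: 3, purpose: 'remembered language setting' },
  adtrack: { category: 4, purpose: 'advertising network tracking' },
};

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs: {} };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// A cookie is first-party when its Domain attribute (or, if absent, the host
// that sent it) is your site's host or a parent domain of it.
function isFirstParty(cookie, responseHost, siteHost) {
  const domain = (cookie.attrs.domain || responseHost).toLowerCase().replace(/^\./, '');
  const site = siteHost.toLowerCase();
  return site === domain || site.endsWith('.' + domain);
}

// responses: [{ host, setCookie: [headerValue, ...] }, ...] as captured while
// loading the page. Returns one report row per cookie.
function auditCookies(responses, siteHost) {
  const report = [];
  for (const { host, setCookie } of responses) {
    for (const header of setCookie) {
      const cookie = parseSetCookie(header);
      const entry = INVENTORY[cookie.name];
      report.push({
        name: cookie.name,
        setBy: host,
        firstParty: isFirstParty(cookie, host, siteHost),
        persistent: 'expires' in cookie.attrs || 'max-age' in cookie.attrs,
        category: entry ? ICC_CATEGORY[entry.category] : 'UNKNOWN - investigate',
        purpose: entry ? entry.purpose : null,
        // Only category 1 is exempt; anything unknown is treated as needing consent.
        needsConsent: !entry || entry.category !== 1,
      });
    }
  }
  return report;
}

// Constructed sample: the site's own page plus two third-party resources.
const SAMPLE_RESPONSES = [
  { host: 'www.example.co.uk', setCookie: [
    'sessionid=abc123; Path=/; HttpOnly',
    'cart=3items; Path=/; Expires=Wed, 30 May 2012 10:00:00 GMT',
    '__utma=1.2.3.4; Domain=.example.co.uk; Path=/; Expires=Thu, 29 May 2014 10:00:00 GMT',
    'lang=en-GB; Path=/; Max-Age=31536000',
  ] },
  { host: 'ads.example-network.invalid', setCookie: [
    'adtrack=xyz; Domain=.example-network.invalid; Path=/; Max-Age=2592000',
  ] },
  { host: 'widget.example-social.invalid', setCookie: [
    'mystery=1; Path=/',
  ] },
];

console.log(auditCookies(SAMPLE_RESPONSES, 'www.example.co.uk'));
```

Rows that come back as UNKNOWN are the ones to chase first: a cookie you cannot name the purpose of is one you cannot describe to users in the 'clear and comprehensive information' the Regulations ask for.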
PC Pro see this as the most practical guide to the cookie regulations; it is the result of a lot of research, and the ICO publicly stated: "Today's ICC UK guidance provides organisations with a good starting point from which they can work towards full compliance", which could be seen as an endorsement.
- Add an unobtrusive 'cookie' button that appears in the corner of your website (a free one is available at attacat)
Another solution to the problem, used by BT, is to assume implied consent, but to then prompt the user (once) to confirm the settings. A slider allows the user to select what level of settings to have and what features will be unavailable. At any time this can be modified using a link at the bottom of the page.
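One way to implement the approach just described (implied consent by default, a one-off prompt, and a level the user can adjust at any time), as an added example that is not code from the original post and not BT's own implementation: the chosen level is a number from 1 to 4 matching the ICC UK categories, stored in a consent cookie, and a script is only loaded when its category is within the user's level. The cookie name, the default level, the function names and the script list are all assumptions for this example.

```javascript
// Added example (not from the original post, not BT's code): consent gating
// with implied consent until the user confirms a level on the slider.

const CONSENT_COOKIE = 'cookie_consent';        // assumed cookie name
const IMPLIED_CONSENT_LEVEL = 4;                // applies before the user confirms; lower it for a stricter default
const STRICTLY_NECESSARY = 1;                   // ICC category 1 never needs consent

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Current consent state from the cookies the browser holds. A missing or
// malformed consent cookie means the user has not confirmed anything yet.
function readConsent(cookieString) {
  const level = parseInt(parseCookieString(cookieString)[CONSENT_COOKIE], 10);
  if (Number.isInteger(level) && level >= 1 && level <= 4) {
    return { level, confirmed: true };
  }
  return { level: IMPLIED_CONSENT_LEVEL, confirmed: false };
}

// The prompt is shown once: only while no level has been confirmed.
function shouldPrompt(state) {
  return !state.confirmed;
}

// Category 1 is always allowed; any other category needs the user's level
// to be at least as high as the category number.
function canSetCookie(category, state) {
  return category === STRICTLY_NECESSARY || category <= state.level;
}

// Value to assign to document.cookie when the user confirms the slider.
// The consent cookie is itself strictly necessary: it records the choice.
function consentCookieValue(level) {
  if (!Number.isInteger(level) || level < 1 || level > 4) {
    throw new RangeError('level must be between 1 and 4');
  }
  return `${CONSENT_COOKIE}=${level}; path=/; max-age=${365 * 24 * 60 * 60}`;
}

// The surest way to keep a third-party cookie from being set is not to run
// the script that sets it, so gate script loading on the consent state.
function scriptsToLoad(state, scripts) {
  return scripts.filter((s) => canSetCookie(s.category, state)).map((s) => s.src);
}

// Constructed script list with the category each one belongs to.
const SAMPLE_SCRIPTS = [
  { src: '/js/login.js', category: 1 },
  { src: 'https://analytics.example.invalid/ga.js', category: 2 },
  { src: 'https://prefs.example.invalid/settings.js', category: 3 },
  { src: 'https://ads.example.invalid/track.js', category: 4 },
];

// Stand-alone demonstration: a first visit, then a visit after choosing level 2.
console.log(shouldPrompt(readConsent('')), scriptsToLoad(readConsent(''), SAMPLE_SCRIPTS));
console.log(scriptsToLoad(readConsent('sessionid=abc; cookie_consent=2'), SAMPLE_SCRIPTS));
```

In a page, `readConsent(document.cookie)` gives the state, `shouldPrompt` decides whether to show the slider, and the confirm handler assigns `consentCookieValue(level)` to `document.cookie` before reloading the gated scripts. Keep the "change my settings" link at the foot of the page pointing at the same slider, so the level can be lowered later as well as raised.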
- Sitebeam - EU Cookie Law eBook (a definitive guide to EU Cookie Law, although last updated on 9th June 2011)
- International Chamber of Commerce (UK) Cookie Guide
- Information Commissioner's Office - Cookies
- Information Commissioner's Office - Guidance on the new cookies Regulations
- The Cookie Collective
- Google's tool for opting out of Google Analytics globally
- Campaign against the Cookie Law
- Google Chrome extension for auditing cookies
The information in this post should hopefully help you decide how you want to comply with this law and give you the tools you require. If you need any further help or technical assistance, I can help, so please get in touch.