The EU cookie law: taking the biscuit?

You may have heard a lot of hoo-ha recently about the ‘cookie law’ – the latest round of changes to the EU’s Directive on Privacy and Electronic Communications. The changes introduce a legal requirement for website owners to obtain users’ consent before storing cookies on their machine. This has big implications for every website that uses cookies – in practice, just about all of them.

What are cookies?

Cookies are small pieces of data that a website asks your browser to store, and that the browser then sends back with every later request to that site. That is how a site knows you’ve visited before: it recognises the cookie it set last time.

Have you ever been looking at a product you wanted to buy, and then been surprised to see banner ads for that product on other sites? This is because a cookie set by the ad network (rather than by the shop itself) has recorded the fact that you viewed the product. Because the same ad network serves banners on many sites, your browser sends that cookie back wherever its adverts appear, and the network can use it to display ads targeted to you.

Cookies are also used to store analytics data. Analytics tools allow website owners to see how their websites are performing and make improvements.

The EU directive covers any information that is stored on, or read from, a user’s device, so it’s about more than just cookies. If your site uses HTML5 local storage, Flash local shared objects, or any other method where data is written to the user’s machine, then the law applies to your site.

What the law says

What the law says is actually fairly straightforward:

  • Visitors should be asked to confirm that they want to receive cookies – not just given the opportunity to opt out.
  • Cookies are treated differently depending on what they are for – if they’re needed for the site to work, site owners don’t need to gain users’ consent (see Types of cookies below).

The tricky part is knowing exactly what you have to do to comply with the law. The Information Commissioner’s Office (ICO), which is responsible for enforcing these rules in the UK, is hedging its bets:

“We don’t know what compliance will look like in a year’s time. There are lots of gaps here and we want people to fill them with good practice, then we can point to examples of this and everyone will have a greater understanding of what is required.”
Dave Evans, ICO (interview with Econsultancy)

Types of cookies

Most sites rely on cookies to work properly – it’s not just about tracking what users do. Cookies are used, for example, to keep track of what’s in a user’s shopping basket as they go through the checkout process. The good news is that cookies identified as ‘necessary’ to make the site work are exempt – you don’t have to ask users to opt in. The bad news is that pretty much all other types of cookies are covered by the directive.

If you use analytics on your site, it will use cookies to count visitors and track the paths they take through your site. If you carry third-party ads, they will use cookies to measure how effective those adverts are. Taking these features away – except where users have explicitly given their permission – means your website begins to look a bit puny. If your advertisers don’t know it was your site that triggered a sale, you won’t get paid for it. If your analytics data is missing the majority of visitors, it won’t be much use.

Opt-ins and opt-outs

Some sites have already chosen the route of implied consent, which basically means the user gets the chance to opt out and if they do nothing, the site takes that as permission to deploy all its cookies. Despite not complying with the letter of the law, this may be enough to satisfy the ICO – as long as the site also provides clear information about what the visitor is agreeing to.

The ICO itself places a consent form at the top of its homepage, asking you to confirm that you will accept cookies. You can’t decline: if you continue to browse the site, the message persists on each page that you visit (presumably without setting any cookies). It seems this will be a common tactic: asking new visitors for blanket permission to set cookies.

BT has gone for a more sophisticated solution, implementing a ‘cookie settings panel’ that uses a slider to allow the user to select the level of cookies they will allow:

  • Strictly necessary and performance
  • Functional (adding features such as automatic login and chat support)
  • Targeting (adding features such as social sharing and targeted ads)

Don’t panic!

With conflicting information about what compliance looks like, and the ICO saying it will start to consider complaints from the end of May 2012, you could be forgiven for wishing you had looked into this a bit sooner. But even if you haven’t yet acted, a few things are in your favour:

  • The ICO is interested in what efforts site owners are making towards compliance, rather than just whether their sites are complying. And even after a complaint, you are likely to be given time to make changes. So you probably have a bit more time than you think.
  • You are unlikely to end up with a fine unless you’re openly abusing users’ privacy. Until best practice emerges or the ICO brings some test cases, website owners probably just need to be seen to be making an effort, rather than worrying about what full compliance actually means.
  • ICO investigations are triggered by complaints. The ICO will respond by checking two things: what the cookie is doing, and what the user could have done to stop it being used (eg changing their browser settings). This suggests that site owners will only get into trouble if they refuse to make any effort towards compliance, or mislead visitors about what their cookies are doing.
  • In time, browser functionality should catch up with these developments, giving users easier ways to control what sites are allowed to do with cookies, and removing some of the difficulties for site owners.

So, things aren’t as bad as they might initially seem. But every site owner does need to take action.

Audit your cookies

This is an important starting point. You need to know exactly what cookies your site is using before deciding what changes (if any) you need to make.

You will need to walk through your whole site, including the full sales process, to be certain you have triggered every cookie the site can set. Don’t forget that cookies used on your site can be set by third parties, so be sure to include cookies from social networks, analytics tools and advertising networks.

Once you have a list of all your cookies, you will need to evaluate the impact of each one on the user’s privacy. Where a cookie contributes to creating a detailed profile of an individual’s browsing activity, it obviously impacts on their privacy, so you will need to think about gaining their consent.

The ICO suggests thinking in terms of a ‘sliding scale’ – with essential, ‘privacy neutral’ cookies at one end and more ‘intrusive’ uses at the other. You would then focus your efforts, in terms of offering information and detailed choices, at the more intrusive end of the scale.

The ICO advises that any cookies considered ‘strictly necessary’ for the operation of your website do not require the user’s consent. Bear in mind, however, that ‘strictly necessary’ refers to the site working functionally and technically – ads may be ‘necessary’ to pay for your site, but that won’t meet the ICO’s definition.

Once you have full details of your site’s cookies, you can list them on your site in the interests of transparency, as we have done here. You’ll see that we have separated out ‘first party’ cookies (those set on our own domain, which the browser only ever sends back to our servers – this includes those set by Google Analytics, although the Analytics script itself reads them and reports the data to Google) and ‘third party’ cookies (those set from other domains – as used by social media plug-ins and for ad-targeting purposes).
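To show what the first-party/third-party split looks like in practice, here is a small cookie-inventory helper. It is an added example, not code from the original article or from any tool it mentions. It assumes you have already walked the site with a proxy or the browser’s developer tools and captured the `Set-Cookie` headers of each response; the hostname `www.example.com`, the ad-network hostname `ads.adnetwork.example` and the captured headers below are constructed for illustration. Each cookie is classified by the domain the browser will send it back to (first or third party relative to the site being audited) and by whether it outlives the browser session (a `Max-Age` or `Expires` attribute), which is the first thing you need to know before placing it on the ICO’s ‘sliding scale’.

```python
"""Cookie inventory helper (added example; not the original article's code).

Input: the hostname of the site under audit plus (request URL, Set-Cookie
headers) pairs captured while walking the site.  Output: one record per
cookie, tagged first/third party and session/persistent.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlparse


@dataclass
class CookieRecord:
    name: str
    domain: str        # domain the browser will send the cookie back to
    party: str         # "first" or "third", relative to the audited site
    persistence: str   # "session" or "persistent"
    secure: bool       # only sent over HTTPS
    httponly: bool     # not readable from page JavaScript


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the host.

    Assumption: fine for .com/.net/.org style hosts.  A real audit should use
    the Public Suffix List so that e.g. 'shop.co.uk' is not cut to 'co.uk'.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(site_host, responses):
    """Parse every Set-Cookie header and classify each cookie it sets."""
    site_base = registrable_domain(site_host)
    records = []
    for url, headers in responses:
        request_host = urlparse(url).hostname or ""
        for header in headers:
            jar = SimpleCookie()
            jar.load(header)          # one Set-Cookie header -> one Morsel
            for name, morsel in jar.items():
                # With no Domain attribute the cookie is host-only, so the
                # browser only returns it to the host that set it.
                domain = morsel["domain"] or request_host
                party = ("first" if registrable_domain(domain) == site_base
                         else "third")
                persistent = bool(morsel["expires"] or morsel["max-age"])
                records.append(CookieRecord(
                    name=name,
                    domain=domain.lstrip("."),
                    party=party,
                    persistence="persistent" if persistent else "session",
                    secure=bool(morsel["secure"]),
                    httponly=bool(morsel["httponly"]),
                ))
    return records


# Constructed sample capture: a checkout page on the audited site and a
# tracking pixel fetched from a (fictional) ad network during the same walk.
SITE = "www.example.com"
CAPTURED = [
    ("https://www.example.com/checkout", [
        "session_id=abc123; Path=/; Secure; HttpOnly",
        "__utma=1.2.3; Domain=.example.com; Path=/; "
        "Expires=Wed, 21 Oct 2015 07:28:00 GMT",
    ]),
    ("https://ads.adnetwork.example/pixel.gif", [
        "uid=xyz; Domain=.adnetwork.example; Path=/; Max-Age=31536000",
    ]),
]


def inventory(site_host=SITE, responses=CAPTURED):
    """Group the classified cookies by party, ready to publish or review."""
    grouped = {"first": [], "third": []}
    for rec in classify(site_host, responses):
        grouped[rec.party].append(rec)
    return grouped


if __name__ == "__main__":
    for party, recs in inventory().items():
        print(f"{party}-party cookies:")
        for r in recs:
            print(f"  {r.name:<12} {r.domain:<22} {r.persistence:<10} "
                  f"secure={r.secure} httponly={r.httponly}")
```

Two caveats when using this on a real site. First, it only sees cookies set by HTTP headers; cookies written from page JavaScript (Google Analytics’ `__utm*` cookies are the common case) never appear in a `Set-Cookie` header, so cross-check the inventory against the browser’s own cookie store after the walk. Second, the two-label domain rule is a placeholder: anything under a multi-label public suffix such as `.co.uk` needs the Public Suffix List to be classified correctly.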

As well as being generally a worthwhile exercise, a cookie audit will show the ICO that you are making an effort to get to grips with the law, should the need arise.

Need help?

If the cookie law has caught you off guard, we can help by:

  • Auditing your cookies: We can identify what cookies your site is using, and what they’re doing. We’ll then advise on the best strategy to make your site compliant.
  • Assessing the business risk: We’ll weigh the changes needed to comply with the updated legislation against the likely business impact – full compliance may lead to an increase in bounce rate or drop in sales.
  • Helping you with content updates: The ICO advises that sites should explain what cookies they are using and why. They should also provide general information about what cookies are and why they are used. This information should be findable – not tucked away behind a link users would never think to click. You should also think about context – providing information at the appropriate time to allow users to make an informed decision without compromising their experience.

We’ll also document exactly what we’ve done – giving you the evidence that shows the efforts you have made towards compliance.

What next?

If you’d like to read more, this topic has been covered in detail over at Econsultancy. There’s also information and guidance available from the ICO site.

If you’d like help and advice from our technical and usability experts on cookies, and the implications of these changes, please get in touch.