A beginner's guide to the new cookie law
The law on cookies changes on Saturday within the EU, and designers and website owners are fretting about compliance. Richard Beaumont of The Cookie Collective explains how to keep your site legal
This article appears in the current July 2012 issue (#229) of .net magazine – the world's best-selling magazine for web designers and developers.
EU legislation on the use of cookies changes this Saturday. As a designer or developer, you probably became aware of this issue a while ago, as we did some 18 months back. Our first responses were along the lines of:
- “WTF? Who passed this law?”
- “What do we tell our clients?”
- “What on earth are we going to do?”
Sections of the web community have reacted in various ways. Some are in denial, a lot are angry and confused – and some ‘privacy warriors’ are happy. What is certain is that most of your clients have been blissfully ignorant about cookies, the legislation and how it affects their business on the web.
But as 26 May dawns and the media seizes on the spectre of a ‘cookie time bomb’, ‘cookie crunch’ and ‘the end of the web as we know it’, that will change – fast. Your clients will be panicky. They’ll expect that you’ll understand the change and how it affects their business – and have a plan to get them out of this hole.
We at The Cookie Collective have studied the ins and out of the law, so here I'll help you grasp the implications and set out some steps to getting legal.
What is the ‘cookie law’?
What people refer to as the ‘cookie law’ is a new piece of privacy legislation that requires websites to obtain consent from visitors to store or retrieve any information on a computer or other web-connected device, like a smartphone or tablet. It has been designed to protect online privacy by making consumers aware of how information about them is collected by websites, and enabling them to choose whether or not they want it to happen.
It started as an EU directive (an amendment to the ePrivacy Directive) that member states were required to bring into their own national law by May 2011. On 26 May 2011 the UK did exactly that by updating its Privacy and Electronic Communications Regulations (PECR).
The UK is effectively leading the way, but every EU member state has done or is doing the same thing. Each has its own approach and interpretation, yet the basic requirements of the directive remain.
Requirements and responsibilities
Many people will be unaware that the law is already in effect in the UK. However, the UK’s regulator, The Information Commissioner’s Office (ICO), gave everybody a one year ‘grace period’ before enforcing it. That grace period will expire on 26 May 2012.
This sounds scary, but nobody will be serving legal papers at 12.01am on 26 May over cookie compliance. In many ways the cookie law is a natural extension of privacy practices websites already use.
Some agencies and developers have taken the stance that as they don’t own a site they build or support, they aren’t responsible for compliance. But buried in the ICO guidance is the following text:
“Companies who design and develop websites or other technologies for other people, must also carefully consider the requirements of these Regulations and make sure the systems they design allow their clients to comply with the law. The Information Commissioner would expect that any development of new software, or upgrades to existing software, would take into account the need to ensure products are compliant with these rules and broader data protection requirements.”
This implies that agencies share responsibility, insofar as the site owner is expected to use a developer who understands the rules and can help them comply effectively. The first step on this shared road to compliance is an audit.
The good, the bad and the undead
Cookies are ubiquitous and come in many guises, often shrouded by impenetrable names, which is why you need an audit to identify them and understand what activities they perform. Some of these are vital to making a website work, but others track what users do online and pass that data to third-parties. It’s mainly this latter cookie type that has caused the shift in cookie compliance. There are two key factors to consider:
First, is a cookie first-party (set for the domain the visitor is actually viewing) or third-party (set for another domain by an embedded service, such as an ad network or a social widget, that you may not even be aware of)? First-party cookies are generally ‘good’: helpful and fairly low risk. It’s third-party cookies that pose most of the compliance issues. Examples of ‘bad’ cookies are those used in behavioural advertising, which record what you click on so that advertising networks can show you that type of product or service wherever you go afterwards. From 26 May, website owners must disclose or seek permission to use this type of cookie.
Second, there is persistence. A cookie carries an expiry (an Expires or Max-Age attribute) that says how long it remains on your machine, and an audit should read it. Cookies without one are ‘session’ cookies, discarded when the browser is closed (not merely when you leave the website); others may persist for months or even years. Moreover, some cookies are designed so that even if you use your browser to delete them, they resurrect themselves the next time you connect to the web, typically because a copy was stashed somewhere the browser’s cookie controls don’t reach, such as Flash storage.
These so-called ‘zombie’ cookies were considered to be legally questionable before the law came into force and are certainly now seen to be outside the acceptable framework of cookie types.
Here’s a simple breakdown of how to go about categorising cookies:
- Zero compliance risk or ‘strictly necessary’ cookies Always first-party and not persistent. These include functional navigation and user session cookies for shopping baskets.
- Low compliance risk Always first-party and may be persistent. These cookies include accessibility options for visually impaired users and, arguably, analytics cookies.
- Medium compliance risk Usually first-party and persistent. These might be used to store personally identifiable information, or limited cross-site tracking, in order to present content based on previous visits. Another good example is the Facebook Like button.
- High compliance risk Third-party and persistent. These are mainly used to track and record visitor interests without prior consent, and aggregate this data for use by third-parties, normally advertisers. This also includes cookies set through the provision of embedded content which is not ad-related, such as Google Maps and YouTube videos.
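The party and persistence checks above can be automated for a first pass; only the purpose of each cookie (and therefore the low-versus-medium call) still needs a human. The following is an added example written for this page, not code from the article or from The Cookie Collective: it takes the host the visitor requested plus the Set-Cookie headers each response carried (a constructed sample is embedded), decides whether each cookie is first- or third-party the way a browser would, whether it outlives the session, and assigns the risk band the list above gives where the attributes alone decide it. Cookies written from JavaScript (document.cookie) or other storage are out of scope here and must be captured separately.

```javascript
// Added example, not code from the article or from The Cookie Collective.
// First-pass cookie audit over Set-Cookie headers captured during one page load.
// Sample hosts and headers below are constructed for illustration.

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// A cookie with Max-Age or Expires survives the browser session; without either it
// is discarded when the browser closes, not when the visitor leaves the site.
function isPersistent(cookie) {
  return 'max-age' in cookie.attrs || 'expires' in cookie.attrs;
}

// Domain matching as browsers do it: the cookie belongs to the page's site when its
// domain equals the page host or is a parent of it (".example.co.uk" covers "www.example.co.uk").
function domainMatches(pageHost, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = pageHost.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Classify one cookie. responseHost is the host that sent the header; an explicit
// Domain attribute takes precedence, as it does in the browser.
function classifyCookie(pageHost, responseHost, header) {
  const c = parseSetCookie(header);
  const domain = c.attrs.domain || responseHost;
  const firstParty = domainMatches(pageHost, domain);
  const persistent = isPersistent(c);
  let band;
  if (firstParty && !persistent) band = 'zero';
  else if (firstParty) band = 'low-or-medium'; // purpose decides: needs manual review
  else if (persistent) band = 'high';
  else band = 'third-party-session'; // not in the article's list; review the embed
  return {
    name: c.name, domain, firstParty, persistent, band,
    httpOnly: c.attrs.httponly === true, secure: c.attrs.secure === true,
  };
}

// Audit every Set-Cookie seen while loading one page.
function auditPage(pageHost, responses) {
  const results = [];
  for (const { host, setCookie } of responses) {
    for (const header of setCookie) results.push(classifyCookie(pageHost, host, header));
  }
  return results;
}

// Constructed sample: one page load that pulls in an ad network and an embedded map.
const SAMPLE_RESPONSES = [
  { host: 'www.example.co.uk', setCookie: [
    'PHPSESSID=4f9a1c; Path=/; HttpOnly',
    'a11y_contrast=high; Max-Age=31536000; Path=/',
    'visitor_id=7b2e; Domain=.example.co.uk; Expires=Thu, 01 Jan 2015 00:00:00 GMT',
  ] },
  { host: 'ads.tracker-example.net', setCookie: [
    'uid=x9p; Domain=.tracker-example.net; Expires=Fri, 26 May 2017 00:00:00 GMT; Path=/',
  ] },
  { host: 'maps.embed-example.com', setCookie: ['PREF=lang=en; Path=/'] },
];

for (const row of auditPage('www.example.co.uk', SAMPLE_RESPONSES)) console.log(row);
```

Run it with Node to see one row per cookie. Feed it headers captured from a real page load (a proxy or the browser's network panel will give you them) and the ‘high’ rows are the third-party persistent cookies you must disclose or gate behind consent; the ‘low-or-medium’ rows are the ones whose purpose you still have to establish by hand.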
Routes to compliance
So, your responsibility is to help your client take a view on what is the most appropriate action for their website. Lots of people are offering audits as people wake up to the cookie issue, but don’t forget that an audit is the first step to compliance, not the last. You still need a solution to whatever the audit throws up.
Once you have audited, analysed and categorised, there are two routes to take:
- Explicit opt-in/opt-out If your site is heavy with third-party advertising and social media connectors, the safest bet is to seek explicit opt-in from visitors via some kind of intervention, such as a ‘This site uses cookies: allow’ notice on your homepage. Bear in mind that if your adverts come from a variety of ad serving networks and regularly change, you’ll need to update your disclosure statement to reflect any new cookies. You might find analytics numbers dropping. This doesn’t mean people aren’t visiting your site, but if they opt out they won’t be included in your Google Analytics.
- Implied consent via notice If your site doesn’t feature advertising and uses cookies for functional purposes (accessibility, Facebook Like buttons and Google Analytics), then you may be fully compliant if you have a cookie notice displayed clearly on your website referencing details on your privacy page. You will need to make sure this notice remains up to date when new features are added.
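For the explicit opt-in route, the practical question is how to keep the non-essential cookies from being set before the visitor has said yes. The following is an added example written for this page, not code from the article or from any of the consent products mentioned in the comments. It records the decision in a single first-party cookie (the name cookie_consent and the analytics URL are assumptions), which is itself strictly necessary and so can be written without consent, and runs third-party loaders such as an analytics tag only once consent has been granted. The decision logic is plain functions so it can be exercised under Node; the banner wiring runs only when a DOM is present.

```javascript
// Added example, not code from the article or from any consent product.
// Explicit opt-in: nothing non-essential loads until the visitor has agreed.

const CONSENT_COOKIE = 'cookie_consent'; // assumed name for the consent record

// Read the visitor's decision from a Cookie header string (document.cookie in a browser).
function readConsent(cookieString) {
  for (const pair of (cookieString || '').split(';')) {
    const i = pair.indexOf('=');
    if (i === -1) continue;
    if (pair.slice(0, i).trim() === CONSENT_COOKIE) {
      return pair.slice(i + 1).trim() === 'yes' ? 'granted' : 'refused';
    }
  }
  return 'unknown'; // no decision yet: show the notice, load nothing non-essential
}

// The Set-Cookie value that records a decision. Persistent, so the notice is not shown
// on every visit; Secure and SameSite=Lax stop it travelling over plain HTTP or on
// cross-site requests. Secure means this only works on an https page.
function consentCookie(granted, maxAgeSeconds = 365 * 24 * 60 * 60) {
  const value = granted ? 'yes' : 'no';
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Run each non-essential loader at most once, and only with consent. Returns the
// names that ran, so the decision can be logged for an audit trail.
function applyConsent(cookieString, loaders, loaded = new Set()) {
  const ran = [];
  if (readConsent(cookieString) !== 'granted') return ran;
  for (const [name, load] of Object.entries(loaders)) {
    if (loaded.has(name)) continue;
    load();
    loaded.add(name);
    ran.push(name);
  }
  return ran;
}

// Example loader: inject an analytics <script> only when a DOM exists (no-op under Node).
function loadAnalytics() {
  if (typeof document === 'undefined') return;
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://analytics.example/tracker.js'; // assumed URL
  document.head.appendChild(s);
}

// Browser wiring: show the notice until a decision exists, record the click, then
// apply it. Under Node (no document) this returns immediately.
function initConsentBanner(loaders) {
  if (typeof document === 'undefined') return;
  const loaded = new Set();
  if (readConsent(document.cookie) === 'unknown') {
    const notice = document.createElement('div');
    notice.id = 'cookie-notice'; // assumed id; style it in your own CSS
    notice.textContent = 'This site uses cookies. ';
    for (const [label, granted] of [['Allow', true], ['Refuse', false]]) {
      const button = document.createElement('button');
      button.textContent = label;
      button.onclick = () => {
        document.cookie = consentCookie(granted);
        notice.remove();
        applyConsent(document.cookie, loaders, loaded);
      };
      notice.appendChild(button);
    }
    document.body.appendChild(notice);
  }
  applyConsent(document.cookie, loaders, loaded);
}

initConsentBanner({ analytics: loadAnalytics });
```

The point of routing every third-party tag through applyConsent is that the analytics, ad and social scripts never reach the page at all for a visitor who has refused or not yet decided, which is the only state in which a ‘This site uses cookies: allow’ notice is honest. Expect the analytics numbers to drop accordingly, as noted above; the refusals are real visitors the tag simply never saw.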
Conclusion
It’s vital to comply with regulations, but there’s flexibility built into the UK cookie law enabling various responses to a range of compliance risks. Take practical steps to comply and the chances are you’ll be compliant; it’s that simple. Doing nothing is the worst thing you can do right now.
13 comments
Comment: 1
However the ICO have recently announced that they aren't going to come down on everyone as of Saturday. If you take a look at the BBC and PCPro (see links below), they both state that as long as you are starting to implement something towards compliance, you will be fine.
The law is aiming at people that use tracking / malicious cookies, not the cookies for general use (which most websites have)
Although as you said "Doing nothing is the worst thing you can do right now" - I agree!
References:
BBC - http://www.bbc.co.uk/news/technology-18090118
PCPro - http://www.pcpro.co.uk/news/enterprise/374734/ico-no-fines-for-breaking-...
Comment: 4
We are now starting to see many high profile sites asking for permission to store cookies. However, this often has the negative effect of resulting in a significant reduction in website analytics data. This is simply because the majority of website visitors will simply not consent to being tracked by cookies.
Many UK sites are now gathering website analytics in a completely new way.
eVisit Analyst offer a cookie-less analytics system which does not collect any personal information. This helps retain accurate analytics data as it is not reliant upon people opting in to cookies. www.evisitanalyst.com
Other solutions such as Piwik are available, but are open source.
It looks like organisations will have to evaluate a full range of solutions to meet their compliance needs. Trying out cookie-less analytics and opt ins are at least a step towards compliance which is what the ICO are looking for post 26 May.
I've tried a lot of plugins over the last few weeks on various sites, the best one I've found so far is probably http://cookiecuttr.com there is a free version and a WordPress version and my clients seem happy with the functionality.
It's just a shame we're having to do this really, hopefully the ICO will provide more clarity over the coming weeks!
Comment: 7
Drawback is that it sets an overlay so silly visitors NEED to accept some god damn cookies before being able to access the site.
Philosophy of this is simple: if a person needs to access your site, they need to accept the fact that the guys in the golden crib 'would like to' track who and what is accessing the website and pages.
Believe it or not folks, some people do actually spank that monkey for some stats.
Currently rebranding our tool for launch. WATCH THIS SPACE, y'all! Or check out my Twitter for updates.
Comment: 8
If "implied consent" is a banner that pops up and goes away after one click, as per the BBC/Guardian (who must be in the top 50 sites the ICO contacted), then we'll all start consenting to all sorts of things.
If it's an irritating banner that needs a click - people will just click it to make it go away - again, not working.
The implementation of the law sets a very dangerous precedent for website visitors giving consent - the absolute opposite of the intent of the law.
Comment: 9
Delight aside, as the (mature and serious) manager of a small suite of public sector websites, I must defend the ICO a bit as we deal with them a lot regarding Freedom of Information requests and I've found them to be a really nice and professional bunch of people, who in general give extremely good and succinct advice.
Unfortunately, they're stuck between a rock and a hard place, namely the aforementioned stupidity which is so badly worded it's the equivalent of a law designed to reduce knife crime which in practice outlaws the use of scissors and knitting needles, and the reality of web development in 2012 which is superficially all a-flutter with mobile-first, content-first, responsive-design coolness, but cannot escape the fact that cashflow is unfortunately still king, and revenues from advertising and hard visitor metrics are absolutely crucial to justify continued capital outlay from clients which keep agencies with web talents far above my own afloat.
Again, being fair on the ICO, they have hinted at the soft touch approach for several months (see Boag World, 4 Jan 2012) and have said they won't pursue or prosecute sites which only use nice cookies like Google Analytics or those set by the site's CMS, which means my sites are effectively clear. OK, they're not legal in the strict sense, but they are in the practical sense and that's good enough for me.
To reiterate, the ICO are nice human beings (not the Borg) and they will warn you and help you way before they threaten to prosecute, which would happen way before they actually prosecute. So don't worry. Unless you're bad.
If you're still worried (and are good) 1) don't worry too much 2) update your Ts and Cs and 3) watch what's happening to other sites in your sector, 4) if you MUST comply, find a good supported third party solution and 5) (the really hard one) figure out how to explain to your clients why their stats have dropped off a cliff, but they still need to pay the monthly invoice.
NB http://silktide.com/cookielaw has a nice cross-browser solution if you click the get compliant link in the left menu.
Comment: 10
The ICO changed their guidance at the 11th hour which made 'Implied Consent' a much more clearly acceptable solution. However there are clearly many different interpretations of the idea.
Many big media websites went for an approach of saying 'this is what we do with cookies, like it or go away'. Whether or not this is sufficient for compliance is one issue with this approach, but the bigger question here is what it says about these websites' attitude to their visitors' privacy.
The ICO also wrote to a lot of big websites to push them to become compliant. This was actually a good tactic: big websites reach a big consumer audience, and make people more aware of their rights. What those people now ought to do is exercise those rights.
My prediction is that this issue will shift away from compliance to an agenda of respecting privacy, and brand trust. Those companies that embrace that, and offer visitors choice to not have cookies as they wish - are more likely to win consumer trust in the coming months as awareness continues to grow.
@stopsatgreen - Do Not Track in browsers is one piece of the privacy solution - but it is not compatible with the cookie law as it is currently written, so websites cannot rely on it.
@Ipople - I think we don't yet know what the long term consumer reaction will be, as we are still in the first wave. There is a danger - but it comes from the enforcement rather than the regulations themselves. At some point the ICO will need to make a stand against a site that claims to be complying, but is not really giving either enough information for consent to be informed, or is not giving visitors a choice.
The job of the regulator here is to ensure that consumers are given a chance to choose - then it is up to them to exercise that choice.
@KimS - actually it is incredibly easy to enforce the law - at least at the most obvious level. All you have to do is visit a site and evaluate whether what they have done is compliant. In fact you could produce tools to automate much of this for you. If the ICO chose they could probably really make a lot of money out of it - although of course that is not their prime concern.
If anyone would like to keep up with the latest news, keep an eye on our blog at: http://www.cookielaw.org/blog.aspx
Regards
Richard Beaumont
Comment: 11
Following the March update by the ICO we have launched an e-book, free audit, banner and policy pages to provide a light solution to this multifaceted problem. Our site and video on the subject can be seen at
http://www.ukcookieslaw.co.uk. Keep it up Richard, and we may all eventually get the message across. The Cookie Monster will eventually get you if you do nothing!
Comment: 13
I did an experiment. I cleared all the cookies stored by Google Chrome. Then I opened just one page, which was the Google homepage. Then I checked with Google Chrome, and it told me that there were two cookies on my computer. Then I visited this article. Then I checked with Google Chrome again, and it told me that there were 26 cookies on my computer.
I didn't click on anything to agree to have cookies on my computer.
Something tells me that the phrase "It’s vital to comply with regulations" at the end of this article is nothing but empty words!