The EU Cookie Crisis Explained
The Privacy and Electronic Communications (EC Directive) Regulations 2011 was introduced into the UK last May as a response to wider European legislation on Internet Privacy, specifically around the use of cookies.
What are cookies?
Cookies are small text files stored on users’ computers that allow websites to retain a variety of pieces of information. Cookies allow websites to remember users’ login status, shopping cart contents and any preferences for the current ‘state’ of a web page. They are also used to help target advertising based on behaviour patterns and to power tracking tools like Google Analytics.
Oh, so this applies to my site then?
Yep! And it caused quite a stir at the time of launch until the Information Commissioner’s Office (ICO), who will enforce the law, gave companies until 26 May 2012 to ensure their websites were compliant.
At the time many of us hoped that this issue would be taken up at a browser level and therefore not impact websites directly, but as we cannot guarantee that users will use the latest versions of their browsers, it would be impossible to implement the law across the board that way. IE 6/7/8 strikes again!
So from 26 May website owners must supply users with information about the cookies on their websites, and crucially, must seek their implied consent to place them.
Some key facts
- The location of your hosting is irrelevant. The location of your company or organisation is what matters.
- The law does not cover cookies “strictly necessary for a service requested by a user”, so if the lack of a cookie breaks your website functionality you are probably fine. We are talking about logging in, shopping carts etc. here. However this does not cover anything relating to tracking or advertising.
- You are responsible for identifying and gaining consent for cookies placed by 3rd parties such as Google on your website. More on that later.
- Realistically no one will get fined for cookie consent breaches under the current UK law. Despite the headlines the threshold for monetary fines under UK data protection law is high. This doesn’t mean you can ignore it though. You will eventually be pursued by the ICO to become compliant.
- I would advise you ignore any alarming “scam” emails you get on this issue unless they are from the ICO, the government, your customers, your lawyer… or me.
- Adding the words “By using this site you agree to...” to your privacy policy will NOT be enough.
- Consent is required on a website-by-website basis.
Implied (or Informed) Consent
The big grey area in all of this has been around how you gain user consent. Thankfully terms like “opt-in” or “express” are not contained within the law so we don’t need to worry about tick boxes or other such nonsense.
Consent does mean that it must be obvious to the average user what is happening, which in practice means that a visible and clear notice must be displayed and made available long enough to be seen and digested. This could be in the form of a modal box (the new style of pop-up) that fades after a while or when clicked, an accordion bar (at the top or bottom of the browser) that the user dismisses, or several other options.
Amusingly the ICO themselves implemented a compulsory tick box strategy accompanied by a pervasive message which severely dented traffic to their site. Even the implementers don’t really get it.
(source: http://privacylawblog.ffw.com/2012/three-truths-about-cookie-consent)
A word on 3rd party analytics tracking cookies
As mentioned earlier, you are as liable for cookies placed by 3rd parties as you are for those created by your own website. Typically these are placed for analytics tracking and advertising. If your website has any cookies at all they are likely to be for tracking. Once you have identified which 3rd party cookies you have, you need to research them and communicate their purpose back to your users.
But do not panic! A recent statement on tracking cookies from the ICO said:
The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.
In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.
(source: http://www.theregister.co.uk/2012/04/05/eprivacydirectiveweb_analytics/)
So what should we do?
At the bare minimum we recommend that if your website uses cookies, you should:
- Perform a Cookie Audit of your website. Here is a Chrome plugin that will help you audit the cookies on a website.
- Include a link to your cookie policy on all pages.
- Explain in your policy how and why you use cookies and what their names are with short descriptions.
- Include a link in your policy to www.aboutcookies.org so that your visitors can access instructions on deleting and controlling cookies.
(source: http://www.out-law.com/page-5486)
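As an added example (not code from the original post or its author), here is a small JavaScript helper covering the audit and policy steps above: it parses the cookies a site sets, reports which are documented in the policy, which are missing from it, and which are not strictly necessary and so need consent before being set, and gates non-essential scripts on a recorded consent. The inventory, the `cookie_consent` cookie name and the sample cookie names are assumptions.

```javascript
// Added example, not from the original post: a cookie audit helper. It parses
// a document.cookie / Cookie header string, checks the cookies found against a
// declared inventory, and reports what the policy and consent notice must
// cover. Cookie names and purposes below are constructed sample data.

const inventory = {
  // Strictly necessary: needed for a service the user asked for.
  sessionid: { purpose: 'Keeps you logged in during your visit', necessary: true },
  cart: { purpose: 'Remembers your shopping basket contents', necessary: true },
  // Records the user's answer to the notice; assumed name, first-party.
  cookie_consent: { purpose: 'Remembers that you accepted cookies', necessary: true },
  // Third-party analytics: not strictly necessary, so consent is needed.
  _ga: { purpose: 'Google Analytics: tells visitors apart', necessary: false },
};

// "a=1; b=2" -> { a: '1', b: '2' }; tolerates empty segments and bare names.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq).trim();
    jar[name] = eq === -1 ? '' : trimmed.slice(eq + 1).trim();
  }
  return jar;
}

// Audit: which cookies are documented, which are missing from the policy,
// and which need consent before they are set.
function auditCookies(cookieString, inv = inventory) {
  const report = { declared: [], undeclared: [], needsConsent: [] };
  for (const name of Object.keys(parseCookies(cookieString))) {
    const entry = inv[name];
    if (!entry) { report.undeclared.push(name); continue; }
    report.declared.push(name + ': ' + entry.purpose);
    if (!entry.necessary) report.needsConsent.push(name);
  }
  return report;
}

// Gate for non-essential scripts: load analytics only once the notice has
// recorded consent (clicked, or faded out after its timeout) as cookie_consent=yes.
function nonEssentialAllowed(cookieString) {
  return parseCookies(cookieString).cookie_consent === 'yes';
}
```

Run `auditCookies(document.cookie)` in the browser console on each page of the site; anything in `undeclared` is a gap in the policy and anything in `needsConsent` must stay behind `nonEssentialAllowed`.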
Inasmuch as the above will probably keep the gaze of the ICO off your business, it is unlikely to pass the rigours of compliance. You will also need to think of a way of drawing users’ attention to it without confusing them or putting them off.
The example being lauded as good practice is BT, who fade in a small but noticeable modal window with a clear message and calls to action. If it isn’t clicked on it fades after about 6 seconds, implying consent.

Here is a pretty handy 3 minute video that summarises most of the above.
Thanks for reading this all the way through. Because you did I am going to give you a killer tip. Check out this open source Cookie Consent tool from the guys at Silktide.
Comments
I like the last solution :)