EU Cookie Law for UK Websites
Published: 15th Mar 2012 in News
What is a cookie?
A cookie is a small file which is downloaded and stored on a website user’s computer (or other device) when they visit certain websites. The cookie is then sent back to the website on each visit. Cookies ‘remember’ your visit between web pages, for functions such as setting options (e.g. change text size for accessibility), logging-in to secure pages, affiliate advertising and for tracking web visitors (e.g. Google Analytics), amongst other things.
What is this law for?
The law is intended to protect people’s privacy when browsing the web. However, it is very broad and even covers cookies which aren’t being used to collect personal information. It’s a bit like using a sledgehammer to crack a nut.
There are some exceptions to this law but not many. Basically, websites will not be required to gain permission from their users to set cookies if those cookies are strictly necessary to provide the service that the user has requested. Therefore e-commerce websites which use a cookie to remember a product added to the shopping basket before proceeding to the checkout do not require permission.
However, cookies used for affiliate adverts and website statistics trackers do need permission.
How does this law affect you?
If you are a website owner in the UK then your website is affected by this law. You will need to be aware of the law and its implications, and make an informed decision about what to do next.
At this stage there is much debate about the best way to comply with this law and there is still a lot of confusion about how best to approach it without negatively affecting website visitors’ experience and the efficacy of your website.
What does it mean in practice?
The law says that websites need to make information about cookies available and gain the user’s permission before the cookie has been set (or as early as possible). If the cookie is set before the user has been made aware of it and given consent then there are likely to be compliance problems.
Given that not all website visitors will know what a cookie is, or have even heard of them, this may be quite tricky. Nevertheless the Information Commissioner’s Office states that “The information must be clear, comprehensive and readily available”.*
“The website setting the cookies must:
- tell people that the cookies are there
- explain what the cookies are doing, and
- obtain their consent to store a cookie on their device.”*
The practical solutions that some websites have already opted for are a message positioned at the top of the screen or a pop-up box which appears over the web page.
Some important issues and debates
As you can imagine there has been much discussion and debate about what this law means to businesses, organisations and website visitors. Here are some important issues that have been raised and things to consider:
- At the ICO’s own website their visitor statistics (collected via Google Analytics) dropped by 90% after adding the cookie permission message to their website. This suggests that the vast majority of visitors did not give permission for cookies to be set. Of course this has huge implications for a site’s use of Google Analytics for marketing, any advertising used for revenue and the usability of the site generally.
- After giving permission, a cookie may be set to ‘remember’ that the user has said ‘yes’, and the user therefore does not need to be asked the same question on subsequent visits. However, if a visitor does not give permission then a cookie cannot be used to store their preference. So, on every single visit to the website the visitor must be asked the same question again and again – this could get pretty annoying and lead to visitors being frustrated or not returning.
- Pop-up messages are often associated with irritating adverts or alarming messages. Messages placed at the top of the screen (as per the ICO website) may easily be missed or ignored. Neither seems like an ideal solution and if styled/positioned differently from one website to another this will lead to more confusion.
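The consent rule described under "What does it mean in practice?" and in the list above (no non-essential cookie before consent; a ‘yes’ may be remembered, a ‘no’ cannot) can be sketched as follows. This is an added example, not part of the original article or any ICO code; the function names and the cookie names `cookie_consent` and `aff_id` are assumptions for illustration.

```javascript
// Added example: decide which cookies a response may set, given consent state.
const CONSENT_COOKIE = 'cookie_consent'; // hypothetical name

// Sample classification (constructed). Only "necessary" cookies skip consent.
const CATEGORY = new Map([
  ['basket', 'necessary'],   // remembers products added before checkout
  ['_ga', 'analytics'],      // visitor statistics (Google Analytics)
  ['aff_id', 'advertising'], // affiliate tracking, hypothetical name
]);

// Parse a request "Cookie:" header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

function hasConsent(cookieHeader) {
  return parseCookieHeader(cookieHeader).get(CONSENT_COOKIE) === 'yes';
}

// answer is 'yes', 'no', or undefined when the visitor has not responded yet.
function planCookies(cookieHeader, requested, answer) {
  const remembered = hasConsent(cookieHeader);
  const consented = remembered || answer === 'yes';
  const set = [];
  const blocked = [];
  for (const name of requested) {
    // Cookies missing from the classification are blocked until consent.
    const category = CATEGORY.get(name) || 'unclassified';
    (category === 'necessary' || consented ? set : blocked).push(name);
  }
  // A fresh 'yes' is remembered in a cookie. A 'no' is never stored,
  // so the visitor is asked again on the next visit.
  if (answer === 'yes' && !remembered) set.push(CONSENT_COOKIE);
  return { set, blocked, showBanner: !consented && answer !== 'no' };
}

// Constructed first visit: only the basket cookie may be set.
console.log(planCookies('', ['basket', '_ga', 'aff_id']));
```
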
Enforcement of the law and penalties
Although the law is currently in place, the Information Commissioner’s Office (ICO) have provided a period of time for measures to be implemented at websites, which runs until 26th May 2012.
Information from the ICO suggests that a complaint will need to be submitted about an organisation’s website before they begin the enforcement process.
“…in May 2012 the Information Commissioner will consider complaints about cookies in line with his normal approach to complaint handling under the Regulations. This will involve in most cases contacting the organisation responsible for setting the cookies in the first instance asking them to respond to the complaint and explain what steps they have taken to comply with the rules.”*
Enforcement will be carried out by the Information Commissioner as follows:
1. Information notice – This requires that the organisation (website owner) provides information to the Information Commissioner by a specific time. The ICO do not stipulate what this information will be exactly but we would guess that it would be details about the cookies or similar functions that your website is using.
2. Undertaking – The organisation is committed to a specific course of action to improve its compliance.
3. Enforcement notice – The organisation must take the action specified in the notice to bring about compliance with the Regulations. Failure to comply with an enforcement notice can be a criminal offence.
4. Monetary penalty notice – Requires the organisation to pay a monetary penalty of an amount determined by the Information Commissioner’s Office.
The ICO says about enforcement: “The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers.”*
What to do next
The ICO advises that the first steps should be to:
- Check what type of cookies and similar technologies you use and how you use them.
- Where you need consent - decide what solution to obtain consent will be best in your circumstances.
For our web design clients we can conduct an audit of your site to carry out steps 1 & 2 above and discuss with you how you may approach step 3 and compliance with the law. To request an audit please do contact us.