EU Cookie Law for UK Websites

Published: 15th Mar 2012 in News

You may have heard about the EU Cookie law, which is currently causing much discussion amongst web developers and website owners. Within the UK all websites are now subject to an EU law which states that cookies should not be used unless the website user is provided with clear information about the use of cookies and has given his or her consent for the cookies to be set during his/her visit to the website.

What is a cookie?

A cookie is a small file which is downloaded and stored on a website user’s computer (or other device) when they visit certain websites. The cookie is then sent back to the website on each visit. Cookies ‘remember’ your visit between web pages, for functions such as setting options (e.g. change text size for accessibility), logging-in to secure pages, affiliate advertising and for tracking web visitors (e.g. Google Analytics), amongst other things.

Cookies are included in the majority of websites and have been for many years. They do their job much of the time without us even noticing. It is likely that your website uses cookies.

What is this law for?

The law is intended to protect people’s privacy when browsing the web. However, it is very broad and even covers cookies which aren’t being used to collect personal information. It’s a bit like using a sledgehammer to crack a nut.

There are some exceptions to this law but not many. Basically, a website will not be required to gain permission from its users to set cookies if those cookies are strictly necessary to provide the service that the user has requested. Therefore e-commerce websites which use a cookie to remember a product added to the shopping basket before proceeding to the checkout do not require permission.

However, cookies used for affiliate adverts and website statistics trackers do need permission.

How does this law affect you?

If you are a website owner in the UK then your website is affected by this law. You will need to be aware of the law, the implications of it and make an informed decision about what to do next.

At this stage there is much debate about the best way to comply with this law and there is still a lot of confusion about how best to approach it without negatively affecting website visitors’ experience and the efficacy of your website.

What does it mean in practice?

The law says that websites need to make information about cookies available and gain the user’s permission before the cookie has been set (or as early as possible). If the cookie is set before the user has been made aware of it and given consent then there are likely to be compliance problems.

Given that not all website visitors will know what a cookie is or have even heard of them, this may be quite tricky. Nevertheless the Information Commissioner’s Office states that “The information must be clear, comprehensive and readily available”.*

“The website setting the cookies must:
- tell people that the cookies are there
- explain what the cookies are doing, and
- obtain their consent to store a cookie on their device.”*

The practical solutions that some websites have already opted for are a message positioned at the top of the screen or a pop-up box which appears over the web page.

You can see some examples already in place here:

Some important issues and debates

As you can imagine there has been much discussion and debate about what this law means to businesses, organisations and website visitors. Here are some important issues that have been raised and things to consider:

  • Research shows that consumers’ understanding of cookies, what they are, why they are used and how to manage them is limited. This suggests that a message popping up on a web page asking permission to use cookies would be at best confusing and at worst alarming for website visitors.
  • At the ICO’s own website their visitor statistics (collected via Google Analytics) dropped by 90% after adding the cookie permission message to their website. This suggests that a vast majority of visitors did not give permission for cookies to be set. Of course this has huge implications for a site’s use of Google Analytics for marketing, any advertising used for revenue and the usability of the site generally.
  • Implementing the rules is going to be major work, especially as there are not yet any clear guides on how to best go about it in terms of user experience, the technology itself and the business interests of the website owner.
  • After a user gives permission, a cookie may be set to ‘remember’ that the user has said ‘yes’, so they do not need to be asked the same question on subsequent visits. However, if a visitor does not give permission then a cookie cannot be used to store their preference. So, on every single visit to the website the visitor must be asked the same question again and again – this could get pretty annoying and lead to visitors being frustrated or not returning.
  • Pop-up messages are often associated with irritating adverts or alarming messages. Messages placed at the top of the screen (as per the ICO website) may easily be missed or ignored. Neither seems like an ideal solution and if styled/positioned differently from one website to another this will lead to more confusion.

Enforcement of the law and penalties

Although the law is currently in place, the Information Commissioner’s Office (ICO) have provided a period of time for measures to be implemented at websites, and the deadline for this is 26th May 2012.

Information from the ICO suggests that a complaint will need to be submitted about an organisation’s website before they begin the enforcement process.

“…in May 2012 the Information Commissioner will consider complaints about cookies in line with his normal approach to complaint handling under the Regulations. This will involve in most cases contacting the organisation responsible for setting the cookies in the first instance asking them to respond to the complaint and explain what steps they have taken to comply with the rules.”*

Enforcement will be carried out by the Information Commissioner as follows:

1.    Information notice – This requires that the organisation (website owner) provides information to the Information Commissioner by a specific time. The ICO do not stipulate what this information will be exactly but we would guess that it would be details about the cookies or similar functions that your website is using.

2.    Undertaking – The organisation is committed to a specific course of action to improve its compliance.

3.    Enforcement notice – The organisation must take the action specified in the notice to bring about compliance with the Regulations. Failure to comply with an enforcement notice can be a criminal offence.

4.    Monetary penalty notice – Requires the organisation to pay a monetary penalty of an amount determined by the Information Commissioner’s Office.

The ICO says about enforcement: “The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers.”*

More information

The information given here covers only the basics and by no means constitutes legal advice, nor is it meant to panic anyone. There are more details and further explanations of the law, which you can find at the ICO website and specifically in their document ‘Guidance on the rules on use of cookies and similar technologies’.

What to do next

The ICO advises that the first steps should be to:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Where you need consent - decide what solution to obtain consent will be best in your circumstances.

For our web design clients we can conduct an audit of your site to carry out steps 1 & 2 above and discuss with you how you may approach step 3 and compliance with the law. To request an audit please do contact us.

* quoted from the ICO document ‘Guidance on the rules on use of cookies and similar technologies’.
