EU Cookie Law – Are you compliant?
We’ve had a few queries (and an awful lot of discussion!) about the Privacy and Electronic Communications Directive, also known as the EU cookie law, recently. We’ve tried to write a blog post on it four times, and four times we’ve ripped it up as it made no sense, and that’s kind of how we feel about the law… It makes no sense!
Where shall we start… Before we go any further: this article is not legal advice; it’s comment on the current situation and a nudge to get people to take notice of what is happening…
What are cookies?
A cookie is a small text file placed on a visitor’s computer (or other device). It exists to overcome the fact that web pages are ‘stateless’: they have no memory, so on their own they struggle to pass information from one page to the next. Imagine a shopping cart that forgot what you had put in the basket, or a website that forgot whether you were logged in and so never logged you in – that’s life without cookies!
Aside from functionality, cookies are used by site owners to track your visits around their sites in order to improve the sites and the user experience for their visitors. They can also be used to track you between websites to identify your interests and tailor web pages to you (this is the one that tends to annoy people, known as ‘behavioural advertising’).
In general cookies aren’t a bad thing and actually make the internet more than just the flat pages of a book on your screen!
What does the EU Cookie Law say?
The law actually came into effect in May 2011, but a year’s grace period was given, meaning people are only starting to look at this now. It’s best if you read it yourself, as we don’t want to go down the route of interpreting the law for you. Essentially it says that for all but the most necessary cookies (necessary is defined as needed to make a site work, e.g. our shopping cart example) you have to gain consent from the user before the cookie is set (the definition of consent has also come under scrutiny as part of this).
How does this affect my site?
Cookies come in a range of categories with varying levels of privacy intrusion, and the guide defines these. However, the big one that’s playing on most business/website owners’ minds is the use of analytics (mostly Google Analytics). Analytics are a great way to track your visitors (their data is anonymized) to improve your site, and a lot of sites use them.
Unfortunately, when given the choice to not accept cookies before entering a site, many users will decline consent and site owners will be left completely in the dark about their visitors; or users faced with a barrage of questions from a site about what they do and don’t consent to will simply go elsewhere.
The Information Commissioner, Christopher Graham, has stated that enforcement over analytics cookies is not the “top priority for the ICO”; that said, it could become one, and you’re still breaking the (current) law if you don’t gain consent for them.
Whilst as a user this is all going to sound great for your privacy, if every website you visit asks you whether you want to accept cookies then you’re soon going to get pretty bored with not being able to see what you want to see on a site until you agree to cookies!
Why should I do anything?
This is an interesting one: for the most part, the general course of action we’ve heard from most people is that they will do nothing and wait to see what happens. It’s an interesting approach, as this is law and has been since 26 May 2011; the ICO will be responsible for checking cookie compliance and is able to impose fines of up to £500,000.
The law was deferred for one year in recognition of the technical challenges involved in compliance. The ICO has said it expects websites to start moving towards compliance before the new deadline of 25 May 2012, and that when looking at complaints it will take into account whether or not organisations have tried to become compliant ahead of the deadline.
The UK government seemed to hope that this could all be done through browser controls (setting your web browser to not allow cookies, etc.). This simply isn’t in place and is a long way off, given the number of old web browsers that are out there. The government has also pointed out that it doesn’t wholly agree with the EU directive but has passed the law anyway, and the EU has already said it’s not going to accept countries simply ignoring the rules.
There’s some fairly widespread “noise” on why the law makes no sense, one of the biggest being No Cookie Law. We recommend keeping an eye on the news in the coming weeks, as this is changing very regularly!
How do I get compliant?
There isn’t an easy answer to this, nor (currently) is there a single piece of software you can install to make your site compliant (for most sites). Start with a cookie audit (try Firefox: View cookies, Chrome: Attacat, TRUSTe Cookie Audit or Tagcert for a start), work out what cookies you are setting, and then look at solutions for the type of software you use.
Note: This is a regularly changing situation
One particularly important piece of information appeared last month (and it didn’t come from the ICO!): it came from the International Chamber of Commerce, who have produced the ICC UK Cookie Guide. Like us, they are quick to point out that their guide is not legal advice, but it does say of Category 2 performance cookies (which analytics fall into, providing no re-targeting is done) that consent could be gained in the terms and conditions of the site. So if you’re just using analytics you may be able to use your Terms & Conditions to gain consent.
The ICC UK Cookie Guide is really good, providing case studies and methods of consent for each of the four categories of cookies.
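To make the two practical steps above concrete (the cookie audit, and the rule that only strictly necessary cookies may be set before consent), here is an added example in plain JavaScript. It is not code from the original post or from any of the tools named above. The cookie names, their purposes, the site’s own domain (example.com) and the sample response headers are all constructed for illustration; the category labels (necessary, performance, functionality, targeting) are our reading of the four-category scheme the ICC guide describes, and the mapping from cookie name to category is an assumption a real audit would have to establish for its own site.

```javascript
// Added example (not code from the original post): a small cookie audit plus a
// consent gate for the Set-Cookie headers a site sends. Assumptions, labelled:
//  - category labels follow the four-category scheme the post attributes to the
//    ICC UK Cookie Guide; only 'necessary' cookies are exempt from prior consent;
//  - cookie names, purposes and the site's own domain are constructed for
//    illustration and would differ on a real site.

// Constructed inventory: every cookie the hypothetical site knowingly sets.
const COOKIE_INVENTORY = {
  session_id: { category: 'necessary', purpose: 'shopping cart and login state' },
  csrf_token: { category: 'necessary', purpose: 'request-forgery protection' },
  _ga: { category: 'performance', purpose: 'analytics, anonymised visit tracking' },
  ad_profile: { category: 'targeting', purpose: 'cross-site behavioural advertising' },
};

const FIRST_PARTY_DOMAIN = 'example.com'; // assumed: the site's own domain

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute keys are lower-cased; valueless attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error(`malformed Set-Cookie: ${header}`);
  const attributes = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Category lookup; anything not in the inventory is 'unknown' so it gets
// investigated rather than silently treated as harmless.
function categoryOf(name) {
  const entry = COOKIE_INVENTORY[name];
  return entry ? entry.category : 'unknown';
}

// A Domain attribute equal to, or a subdomain of, the site's own domain is first-party.
function isFirstParty(domain) {
  const d = domain.replace(/^\./, '');
  return d === FIRST_PARTY_DOMAIN || d.endsWith('.' + FIRST_PARTY_DOMAIN);
}

// Audit step: classify observed Set-Cookie headers and flag those needing consent.
function auditCookies(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie).map((c) => {
    const category = categoryOf(c.name);
    const domain = typeof c.attributes.domain === 'string' ? c.attributes.domain : '';
    return {
      name: c.name,
      category,
      purpose: category === 'unknown' ? 'not in inventory: investigate' : COOKIE_INVENTORY[c.name].purpose,
      needsConsent: category !== 'necessary',
      thirdParty: domain !== '' && !isFirstParty(domain),
    };
  });
}

// Consent gate: given the Set-Cookie headers the application wants to send and
// the set of categories the visitor has consented to, return the headers that
// may go out now and the names of those withheld. The check happens before the
// cookie is set, which is the ordering the law (as the post reads it) requires.
function gateSetCookies(setCookieHeaders, consentedCategories) {
  const allowed = [];
  const withheld = [];
  for (const header of setCookieHeaders) {
    const { name } = parseSetCookie(header);
    const category = categoryOf(name);
    if (category === 'necessary' || consentedCategories.has(category)) {
      allowed.push(header);
    } else {
      withheld.push(name); // 'unknown' is never allowed through without consent
    }
  }
  return { allowed, withheld };
}

// Constructed sample response headers for one page view.
const SAMPLE_HEADERS = [
  'session_id=abc123; Path=/; Secure; HttpOnly',
  'csrf_token=xyz789; Path=/; SameSite=Strict',
  '_ga=GA1.2.111.222; Domain=.example.com; Path=/; Expires=Fri, 25 May 2012 00:00:00 GMT',
  'ad_profile=cars; Domain=.ads.example.net; Path=/',
  'mystery=1; Path=/',
];

console.log(auditCookies(SAMPLE_HEADERS));
console.log('before consent:', gateSetCookies(SAMPLE_HEADERS, new Set()));
console.log('analytics accepted:', gateSetCookies(SAMPLE_HEADERS, new Set(['performance'])));
```

Run with `node`, the audit lists every cookie with its category, whether it needs consent, and whether it is set for a third-party domain; the gate shows that before any consent only the two necessary cookies go out, and that accepting the performance category releases the analytics cookie while the advertising and unrecognised cookies stay withheld. Treating unrecognised cookies as needing consent is the deliberate design choice here: a cookie you cannot name in your own inventory is exactly the kind a cookie audit is meant to surface.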
Where does all this leave us? In a bit of a mess really: the law is pretty much unworkable in its current form, and because of that most people will choose to ignore it, while those that do comply face putting visitors off their website!