That new EC Cookie Directive law thing
EC Cookie Directive
Lots of fear, uncertainty and doubt about the new EC Cookie Directive… and lots of wrong information out there, too.
Here’s the only information you ought to read, direct from the ICO. In a nutshell: you can’t drop a cookie onto someone’s machine without asking first. No – letting the user opt out isn’t acceptable. They must consent first.
Open “private browsing” or “incognito mode” on your browser, and visit bt.com to see what is apparently a “good way of doing it”: a pop-up DIV at the bottom-right of the screen, basically saying “if you go any further, we’ll drop cookies on your system, or you can control them all here if you want”.
A lot’s been written about the pointlessness of this EU law – not least “how can we remember if a user doesn’t want a cookie dropped on their machine without using, er, a cookie”. It will do nothing other than damage EU online businesses.
For Zoo Design, my own online business, I’ve decided to do four things:
1. Make it really clear when you log in that you are consenting to a cookie being put on your machine, so we can tell who you are.
2. Make it really clear what other cookies we use on our website.
3. Not ask for consent for those that do not contain personal information. Which includes Google Analytics, any advertising beacons, and even Google/Twitter/Facebook buttons. None of these contain personal information – merely anonymous information about all internet users who use your machine. (Unless, of course, you log into Twitter, Facebook etc).
4. Make it really clear how you can opt out of everything – by repeating the simplest advice of using “incognito” mode, or “private” mode, on your web browser: which removes cookies every time you use it, and automatically signs you out of everything.
That third thing is probably rather contentious: it’s a very liberal reading of what’s going on. But the ICO is primarily concerned with personal information and personal data – and I’m registered under the Data Protection Act and take personal data very seriously. However, Google Analytics and AdSense cookies, etc, are anonymous, and will only ever contain personal information if you deliberately log in to Google services (and even then Google claims not to link Analytics or AdSense with your Google account anyway). The same goes for Twitter and Facebook too. And the ICO go out of their way to say, in their advice: “Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
As I say in the final paragraph of our cookie information: “we also want to make sure that we know what you like so we can do it more often, and that advertising messages are relevant and useful for you, rather than an irritation.”
The cookie directive is madness, nonsensical and dreadfully thought out. As has already been proved, users don’t understand what cookies are, and 90% of them actively block Google Analytics and the like, if they’re given a confusing opt-in message.
I’ll be interested to see how the rest of the industry approaches the issues it kicks up.
Like it or not, the deadline for complying with the EU cookie directive is drawing very close. No matter how nonsensical this law seems, the sad reality is that it’s the law – and website owners have no choice but to comply. With the deadline for compliance now less than two months away, the aim of this post is to give you all the facts you need to know, including practical suggestions for ensuring that your site is in line with the new regulations. I’ve put my personal opinion at the end; clue: like everyone else, I think this law is ludicrous!
What is the EU cookie directive?
For those not already aware, the supposed aim of this legislation is to increase online security and data privacy, giving users more control over what data can be held about them. It addresses concerns with how personal information is held and used. Some users – albeit a small minority – are concerned with what they see as the development of a ‘Big Brother’ society in which their every move is being recorded.
The legislation forces websites to be transparent about how they are using cookies, detailing exactly what information each cookie holds and how long it will be held, and requires them actively to request permission from their users before cookies can be used.
Previously, the law dictated that websites had to explain how they were using cookies and how users can ‘opt out’. Most sites did so in their Privacy Policies, but this isn’t enough under the new law: users now have to ‘opt in’, having been made fully aware of the implications of doing so.
Who needs to comply with it?
The law applies to all Member States of the European Union. However, even websites outside the EU are required to comply with the law if they are targeting Member States. For example, a site based in the USA that sells products to consumers in the UK, or that has a French-language version of its site aimed at users in France, will still have to comply.
Why do I need to comply with it?
Put simply, because it’s the law! Many have speculated that the law will be hard to enforce, but the penalties for non-compliance could be severe. The maximum monetary penalty for non-compliance is £500,000, which could apply in situations where deliberate contravention of the legislation leads to substantial damage or distress. There are of course less severe penalties for more minor contraventions, including an information notice, undertaking (which commits the organisation to specific actions to ensure compliance) and an enforcement notice.
What does this mean for my website and analytics?
The good news is that the UK Government has come out and said that the use of analytics is “essential” – see this useful post on Econsultancy for more information. Let’s hope the EU agrees, otherwise analytics is doomed.
When do I need to comply with it?
The law actually came into force last year, on 25 May 2011. However, it was recognised that webmasters need time to bring their websites in line with the law, and a grace period of one year was granted. This means that by 26 May 2012, all websites will have no choice but to comply with the law.
How do I comply with it?
- If you have more than one website, you can gain permission for cookies in one place, providing you make it clear what websites the permission applies to.
- Ascertain which cookies are being used, their purpose and what data they hold.
- Find out whether they can be linked with personal data such as username, email address etc.
- Establish whether they apply to the session (just that visit) or if they’re persistent (applying to future visits as well).
- Establish how long they last.
- Establish whether they’re 1st or 3rd party, and if the latter, who is setting the 3rd party ones.
Gaining consent can be done in a variety of ways. As the ICO points out, the method you use to gain users’ consent depends on what your cookies are doing and also on your relationship with your users.
Settings-led consent involves gaining consent when a user makes a change that affects how the site works for them. For example, this could mean asking the user if they want the website to remember a particular language setting and gaining consent for cookies to be used for this purpose.
Feature-led consent applies in instances where cookies are used to remember what content a user viewed the last time they visited the site, to enable content to be tailored to them – for example, remembering what videos they viewed last time they visited. In such cases, your site should make clear to the user that taking a particular action will result in a cookie being used. This could mean, for instance, highlighting cookie use when a user turns on a particular feature and requiring consent before the change is applied.
Consent for functional/analytical cookie use
Cookies used to collect anonymous information about how visitors use your site still need user consent. This is relatively straightforward if a user has to log into your site, but more complicated where they do not. You’ll need to make absolutely clear to users what cookies are being used and what they’re being used for, and then ask for consent. Below are some suggestions on how you can go about this.
A number of software solutions are already on the market to allow webmasters to comply with the law without affecting the look and feel of their site. One example is http://civicuk.com/cookie-law/configuration.
Other options suggested by the Information Commissioner’s Office include:
- Splash page – a big SEO no-no.
- Banner – shown along the top of the page to first time visitors with a tick box to allow users to consent, with cookies disabled until the visitor ticks to indicate consent.
- Footer bar – similar to the banner concept, this would be displayed along the bottom. If they do not click yes or no, but continue to use the site, consent can be inferred because they have seen a clear message but are still continuing to use the site. A smaller message could be maintained throughout the site in such instances, to remind users of the fact that the site is using cookies.
- Remember preferences – enhance the wording of your ‘remember preferences’ such as language or font size to ensure that it’s clear that a cookie will be required to do so.
- Flag changes to terms and conditions – an option where users have to log into their account. They would need to give ‘specific and informed’ consent to these pages, so consent cannot be assumed just by changing the terms and conditions they agreed to when they signed up. You’ll need to get a positive indication that consent has been granted, as they log in and before they are able to proceed to their account.
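To make the two practical parts of this post concrete, here is an added example (not code from this post, from BT, or from any of the vendors linked above) that ties the cookie audit to the banner approach: an inventory of each cookie’s purpose, data held, session-or-persistent lifetime and first/third-party status drives both the wording of the notice and a single gate through which every cookie write passes, so nothing but strictly necessary cookies is written until the visitor has ticked the box. The cookie names, purposes and lifetimes are constructed for illustration, and the cookie jar is abstracted so the same logic runs in Node (in-memory jar) or in a browser (backed by `document.cookie`).

```javascript
// Added example (not from the post): consent-gated cookie handling for the
// "banner / footer bar" approach. The jar is abstracted so the logic runs in
// Node (MemoryJar) or a browser (DocumentJar over document.cookie).
// All cookie names, purposes and lifetimes are constructed for illustration.

const DAY = 24 * 3600;

// Output of the audit steps: purpose, data held, lifetime (null = session
// only), first or third party, and the consent category the banner asks about.
// The consent record itself holds only the visitor's choice and is the one
// cookie written without asking, so it is classed as essential.
const COOKIE_REGISTRY = {
  cookie_consent: { purpose: 'Records your cookie consent choice', holds: 'list of consented categories',
                    maxAgeSeconds: 365 * DAY, firstParty: true, category: 'essential' },
  session_id:     { purpose: 'Keeps you logged in', holds: 'opaque session token linked to your account',
                    maxAgeSeconds: null, firstParty: true, category: 'essential' },
  lang:           { purpose: 'Remembers your language setting', holds: 'language code',
                    maxAgeSeconds: 30 * DAY, firstParty: true, category: 'functional' },
  _ga:            { purpose: 'Analytics visitor identifier', holds: 'anonymous random id',
                    maxAgeSeconds: 2 * 365 * DAY, firstParty: true, category: 'analytics' },
};

// Turns a registry entry into the plain-English line a cookie notice needs.
function describeCookie(name, registry = COOKIE_REGISTRY) {
  const c = registry[name];
  if (!c) return `${name}: not in the cookie inventory`;
  const lifetime = c.maxAgeSeconds === null
    ? 'session only (deleted when you close the browser)'
    : `persistent, ${Math.round(c.maxAgeSeconds / DAY)} days`;
  return `${name}: ${c.purpose}. Holds: ${c.holds}. Lifetime: ${lifetime}. ` +
    `${c.firstParty ? 'First' : 'Third'}-party, category: ${c.category}.`;
}

// In-memory jar: used for tests and server-side rendering.
class MemoryJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.get(name); }
  set(name, value) { this.store.set(name, value); }
}

// Browser jar: the same interface over document.cookie.
class DocumentJar {
  get(name) {
    const prefix = encodeURIComponent(name) + '=';
    const hit = document.cookie.split('; ').find(p => p.startsWith(prefix));
    return hit === undefined ? undefined : decodeURIComponent(hit.slice(prefix.length));
  }
  set(name, value, maxAgeSeconds) {
    let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; path=/; SameSite=Lax`;
    if (maxAgeSeconds !== null) s += `; max-age=${maxAgeSeconds}`;
    document.cookie = s;
  }
}

class ConsentManager {
  constructor(jar, registry = COOKIE_REGISTRY) { this.jar = jar; this.registry = registry; }

  // Categories the visitor has ticked; empty until the banner is answered.
  consentedCategories() {
    const raw = this.jar.get('cookie_consent');
    return raw ? raw.split(',').filter(Boolean) : [];
  }

  // Called when the visitor ticks the banner. The consent record is itself
  // strictly necessary, so it is written directly rather than through set().
  grant(categories) {
    this.jar.set('cookie_consent', categories.join(','), this.registry.cookie_consent.maxAgeSeconds);
  }

  // Every other cookie write goes through here. Unknown cookies are refused
  // (if it is not in the inventory the notice cannot describe it); non-essential
  // cookies are refused until their category has been consented to.
  set(name, value) {
    const entry = this.registry[name];
    if (!entry) return false;
    if (entry.category !== 'essential' && !this.consentedCategories().includes(entry.category)) return false;
    this.jar.set(name, value, entry.maxAgeSeconds);
    return true;
  }
}
```

In a page you would create `new ConsentManager(new DocumentJar())`, render the banner text from `describeCookie` for each registry entry, and call `grant([...])` from the tick box’s change handler; the analytics and social-button snippets are then loaded only once `set()` for their cookies returns true. Storing the choice in one first-party cookie is also the practical answer to the “remember it without a cookie” objection earlier on this page: that single cookie holds nothing but the choice itself.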
BT.com has implemented quite a comprehensive response to the cookie law today, if you’re in need of some more inspiration…
There will of course also be users who react the opposite way; if the information about cookie usage is not worded carefully, it risks sparking paranoia in some, who will then not agree to cookie usage and their user experience of a website will be lessened. This introduces frustration into what might otherwise have been a seamless user journey, and that in turn means that they may be less likely to come back.
What does the future hold?
The hope is that in time, the Government will work closely with browsers such as Firefox to find a way around the issue of having to ask for consent. Ed Vaizey, Minister for Culture, Communications and Creative Industries, has confirmed that the Government is already liaising with browser manufacturers over how to enhance browsers to provide information on cookies as well as user-friendly settings. But at the moment, he says, browsers simply aren’t sophisticated enough to assume consent. Furthermore, an increasing number of users are browsing the web through mobile devices, without using a browser, so it’s likely that we’re heading towards an international standard of online privacy that applies to mobiles as well.
Further reading and useful resources
- Guidelines from the Information Commissioner’s Office provide in-depth information about the law and what it means for webmasters.
- The full legislation can be viewed here.
- Information on the monetary penalties for non-compliance can be found at www.ico.gov.uk.
- Google Analytics and the EU Cookie Law – http://www.cookielaw.org/google-analytics-eu-cookie-law.aspx