EU Cookie Directive: What, Why, Who, When and How?


Like it or not, the deadline for complying with the EU cookie directive is drawing very close. No matter how nonsensical this law seems, the sad reality is that it’s the law – and website owners have no choice but to comply. With the deadline for compliance now less than two months away, the aim of this post is to give you all the facts you need to know, including practical suggestions for ensuring that your site is in line with the new regulations. I’ve put my personal opinion at the end; clue: like everyone else, I think this law is ludicrous!

What is the EU cookie directive?
For those not already aware, the supposed aim of this legislation is to increase online security and data privacy, giving users more control over what data can be held about them. It addresses concerns with how personal information is held and used. Some users – albeit a small minority – are concerned with what they see as the development of a ‘Big Brother’ society in which their every move is being recorded.

The legislation forces websites to be transparent about how they are using cookies, detailing exactly what information each cookie holds and how long it will be held, and requires them actively to request permission from their users before cookies can be used.

Previously, the law dictated that websites had to explain how they were using cookies and how users can ‘opt out’. Most sites did so in their Privacy Policies, but this isn’t enough under the new law: users now have to ‘opt in’, having been made fully aware of the implications of doing so.

Who needs to comply with it?
The law applies to all Member States of the European Union. However, even websites outside the EU are required to comply with the law if they are targeting Member States. For example, a site based in the USA that sells products to consumers in the UK, or that has a French-language version of its site aimed at users in France, will still have to comply.

Why do I need to comply with it?
Put simply, because it’s the law! Many have speculated that the law will be hard to enforce, but the penalties for non-compliance could be severe. The maximum monetary penalty for non-compliance is £500,000, which could apply in situations where deliberate contravention of the legislation leads to substantial damage or distress. There are of course less severe penalties for more minor contraventions, including an information notice, undertaking (which commits the organisation to specific actions to ensure compliance) and an enforcement notice.

What does this mean for my website and analytics?
Quite apart from the initial hassle of making practical website changes to comply with the law, websites will face a whole host of possible problems as a result of complying with this legislation. Cookies are used extensively to improve user experience – things like remembering preferences such as font size and language, or what’s in the user’s shopping basket on e-commerce sites. Although webmasters will be allowed to use cookies without permission in instances where it is strictly necessary to do so for the functionality of the website and where that action is explicitly requested by the user (i.e. where a feature requested by the user wouldn’t work without the use of a cookie, such as the shopping basket on an e-commerce site), it’s likely that user experience will suffer for those who say no to cookies.

The good news is that the UK Government has come out and said that the use of analytics is “essential” – see this useful post on Econsultancy for more information. Let’s hope the EU agrees, otherwise analytics is doomed.

When do I need to comply with it?
The law actually came into force last year, on 25 May 2011. However, it was recognised that webmasters need time to bring their websites in line with the law, and a grace period of one year was granted. This means that by 26 May 2012, all websites will have no choice but to comply with the law.

How do I comply with it?
To comply with the new cookie legislation, it will be necessary to make changes to your website to make information about your use of cookies transparent and prominent, and to allow users to give consent to the use of cookies. Note that:

  • If you have more than one website, you can gain permission for cookies in one place, providing you make it clear what websites the permission applies to.
  • If you change your use of cookies significantly following initial permission, you’ll need to ask for permission again.

It’s a good idea to start by auditing your use of cookies. Look out for the following:

  • Ascertain which cookies are being used, their purpose and what data they hold.
  • Find out whether they can be linked with personal data such as username, email address etc.
  • Establish whether they apply to the session (just that visit) or if they’re persistent (applying to future visits as well).
  • Establish how long they last.
  • Establish whether they’re 1st or 3rd party, and if the latter, who is setting the 3rd party ones.
  • Check that your Privacy Policy includes accurate and clear information on each cookie being used, and in a way that a layman can understand.
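The audit checklist above can be turned into a small script. The following is an added example, not code from the original post or from any product it mentions: it takes the Set-Cookie headers a site emits (here a constructed sample, in practice copied from your browser’s network panel or a crawl of your own site) and reports, for each cookie, whether it is session or persistent, how long it lasts, and whether it is first or third party relative to an assumed site domain.

```javascript
// Added example, not from the original post: audit helper for the checklist above.
// The site domain and the Set-Cookie headers below are constructed for illustration.

// Assumed: the registrable domain of the site being audited.
const SITE_BASE_DOMAIN = 'example.co.uk';

// Constructed sample: each entry is one Set-Cookie header and the host that sent it.
const SAMPLE_SET_COOKIES = [
  { fromHost: 'www.example.co.uk', header: 'basket=5f2a; Path=/; Secure; HttpOnly' },
  { fromHost: 'www.example.co.uk', header: 'lang=en-GB; Path=/; Max-Age=31536000' },
  { fromHost: 'www.example.co.uk', header: '_ga=GA1.2.1234; Domain=.example.co.uk; Path=/; Expires=Wed, 01 Jan 2014 00:00:00 GMT' },
  { fromHost: 'ads.tracker-network.example', header: 'uid=7b1c; Path=/; Expires=Fri, 01 Jan 2016 00:00:00 GMT' },
];

// Split one Set-Cookie header into the cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf('=');
  const name = eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0];
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i >= 0 ? part.slice(0, i) : part).trim().toLowerCase();
    attrs[key] = i >= 0 ? part.slice(i + 1).trim() : true;
  }
  return { name, attrs };
}

// Classify one cookie: session vs persistent, lifetime in days, 1st vs 3rd party.
// `now` is a millisecond timestamp so the result is reproducible.
function auditCookie(entry, siteBaseDomain, now) {
  const { name, attrs } = parseSetCookie(entry.header);

  // RFC 6265: Max-Age takes precedence over Expires; neither means a session cookie.
  let expiresAt = null;
  if (typeof attrs['max-age'] === 'string') {
    expiresAt = now + Number(attrs['max-age']) * 1000;
  } else if (typeof attrs.expires === 'string') {
    expiresAt = Date.parse(attrs.expires);
  }
  const persistent = expiresAt !== null && !Number.isNaN(expiresAt);
  const lifetimeDays = persistent ? Math.round((expiresAt - now) / 86400000) : 0;

  // Scope is the Domain attribute if present, otherwise the host that set the cookie.
  const scope = (typeof attrs.domain === 'string' ? attrs.domain : entry.fromHost)
    .replace(/^\./, '').toLowerCase();
  const firstParty = scope === siteBaseDomain || scope.endsWith('.' + siteBaseDomain);

  return {
    name, setBy: entry.fromHost, scope, persistent, lifetimeDays, firstParty,
    secure: attrs.secure === true, httpOnly: attrs.httponly === true,
  };
}

function auditSite(entries, siteBaseDomain, now) {
  return entries.map((entry) => auditCookie(entry, siteBaseDomain, now));
}

// Run directly under Node to print the audit table for the sample above.
if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditSite(SAMPLE_SET_COOKIES, SITE_BASE_DOMAIN, Date.now()));
}
```

The third-party test is deliberately simple (does the cookie’s scope fall under the site’s own registrable domain); a cookie set by a host like the constructed ads.tracker-network.example comes out as third party, which is exactly the case where you need to name who is setting it. Whether a cookie can be linked to personal data is not something a header tells you, so that column of the audit still has to be filled in by hand.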

Gaining consent can be done in a variety of ways. As the ICO points out, the method you use to gain users’ consent depends on what your cookies are doing and also on your relationship with your users.

Settings-led consent
This involves gaining consent when a user makes a change that affects how the site works for them. For example, this could mean asking the user if they want the website to remember a particular language setting and gaining consent for cookies to be used for this purpose.

Feature-led consent
This applies in instances where cookies are used to remember what content a user viewed the last time they visited the site, to enable content to be tailored to them – for example, remembering what videos they viewed last time they visited. In such cases, your site should make clear to the user that taking a particular action will result in a cookie being used. This could mean, for instance, highlighting cookie use when a user turns on a particular feature and requiring consent before the change is applied.

Consent for functional/analytical cookie use
Cookies used to collect anonymous information about how visitors use your site still need user consent. This is relatively straightforward if a user has to log into your site, but more complicated where they do not. You’ll need to make absolutely clear to users what cookies are being used and what they’re being used for, and then ask for consent. Below are some suggestions on how you can go about this.

The practicalities
A number of software solutions are already on the market to allow webmasters to comply with the law without affecting the look and feel of their site. One example is http://civicuk.com/cookie-law/configuration.

Other options suggested by the Information Commissioner’s Office include:

  • JavaScript pop-up box – explaining cookie use and offering ‘yes’ and ‘no’ options for consent. This isn’t a very nice solution though, as we all know how much everybody hates pop-ups and most browsers automatically block them anyway.
  • Splash page – a big SEO no-no.
  • Banner – shown along the top of the page to first time visitors with a tick box to allow users to consent, with cookies disabled until the visitor ticks to indicate consent.
  • Footer bar – similar to the banner concept, this would be displayed along the bottom. If they do not click yes or no, but continue to use the site, consent can be inferred because they have seen a clear message but are still continuing to use the site. A smaller message could be maintained throughout the site in such instances, to remind users of the fact that the site is using cookies.
  • Remember preferences – enhance the wording of your ‘remember preferences’ such as language or font size to ensure that it’s clear that a cookie will be required to do so.
  • Flag changes to terms and conditions – an option where users have to log into their account. They would need to give ‘specific and informed’ consent to these pages, so consent cannot be assumed just by changing the terms and conditions they agreed to when they signed up. You’ll need to get a positive indication that consent has been granted, as they log in and before they are able to proceed to their account.
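The banner and footer-bar options both come down to the same mechanism: nothing non-essential may set a cookie until the visitor has answered, and the answer itself has to be remembered. The following is an added example, not code from the original post or from any of the products it mentions, showing that gate in plain browser JavaScript. The consent cookie name, its lifetime and the two loaders in the sample registry are assumptions made for the example; the decision logic is kept separate from the DOM so it can be checked without a browser.

```javascript
// Added example, not from the original post: an explicit opt-in gate for
// non-essential cookies, in the spirit of the banner/footer-bar options above.
// Cookie name, lifetime and the sample registry are assumptions for illustration.

const CONSENT_COOKIE_NAME = 'cookie_consent';        // assumed name
const CONSENT_MAX_AGE_SECONDS = 180 * 24 * 60 * 60;  // assumed: ask again after six months

// Parse a Cookie request header (or document.cookie) into a name -> value map.
function parseCookieHeader(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    jar[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return jar;
}

// Returns 'granted', 'denied' or 'unknown'; any unexpected value counts as no answer.
function readConsent(cookieHeader) {
  const value = parseCookieHeader(cookieHeader)[CONSENT_COOKIE_NAME];
  return value === 'granted' || value === 'denied' ? value : 'unknown';
}

// The consent record is itself strictly necessary, so it may be set without asking.
// Secure means it only persists on HTTPS pages.
function consentCookieString(decision) {
  return `${CONSENT_COOKIE_NAME}=${decision}; Path=/; Max-Age=${CONSENT_MAX_AGE_SECONDS}; Secure; SameSite=Lax`;
}

// registry entries: { name, category: 'essential' | 'analytics' | ..., load }
// Essential loaders always run; everything else waits for an explicit 'granted'.
function applyConsent(cookieHeader, registry) {
  const consent = readConsent(cookieHeader);
  const ran = [];
  const held = [];
  for (const item of registry) {
    if (item.category === 'essential' || consent === 'granted') {
      item.load();
      ran.push(item.name);
    } else {
      held.push(item.name);
    }
  }
  return { consent, ran, held, showBanner: consent === 'unknown' };
}

// Constructed sample registry: the loaders just record that they ran.
const LOADED = [];
const SAMPLE_REGISTRY = [
  { name: 'basket', category: 'essential', load: () => LOADED.push('basket') },
  { name: 'analytics', category: 'analytics', load: () => LOADED.push('analytics') },
];

// Browser wiring: a footer bar with explicit yes/no buttons. Skipped under Node.
function installConsentBar(registry) {
  if (typeof document === 'undefined') return null;
  const result = applyConsent(document.cookie, registry);
  if (!result.showBanner) return result;

  const bar = document.createElement('div');
  bar.setAttribute('role', 'dialog');
  bar.style.cssText = 'position:fixed;bottom:0;left:0;right:0;padding:1em;background:#eee';
  bar.textContent = 'This site uses cookies for analytics (see our privacy policy). Allow them? ';
  for (const decision of ['granted', 'denied']) {
    const button = document.createElement('button');
    button.textContent = decision === 'granted' ? 'Yes' : 'No';
    button.addEventListener('click', () => {
      document.cookie = consentCookieString(decision);
      bar.remove();
      if (decision === 'granted') {
        // Only the loaders that were held back run now; essentials already ran.
        registry.filter((item) => result.held.includes(item.name)).forEach((item) => item.load());
      }
    });
    bar.appendChild(button);
  }
  document.body.appendChild(bar);
  return result;
}
```

In a page you would call installConsentBar with your own registry, putting the analytics snippet inside the load function of a non-essential entry so that it is never executed before the visitor has clicked Yes. The example deliberately treats only an explicit 'granted' as consent; the inferred-consent reading of the footer bar described above would be a one-line change, but explicit opt-in is the reading least likely to be argued with.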

In addition to this, the law also requires you to make your privacy policy more prominent, rather than hiding it away. This could be a question of making the font bigger, moving it from the footer to the header, or changing the wording to indicate that it includes information about cookie use.

BT.com has implemented quite a comprehensive response to the cookie law today, if you’re in need of some more inspiration…

My opinion
Researching this law in detail, I found myself becoming rather angry at what I see as a pointless bit of European bureaucracy that has little real value and, on the contrary, is disruptive to both users and webmasters. From a user perspective, one might pose the question: how many people are so concerned about data protection that they take the time to read a website’s privacy policy? From being able to use a website without interruption, the user will now find themselves faced with information about cookies that the vast majority are likely to have no wish to read, and will be forced to state their agreement to the use of cookies that enable features that most would rather happened as a matter of course.

There will of course also be users who react the opposite way; if the information about cookie usage is not worded carefully, it risks sparking paranoia in some, who will then not agree to cookie usage and their user experience of a website will be lessened. This introduces frustration into what might otherwise have been a seamless user journey, and that in turn means that they may be less likely to come back.

What does the future hold?
The hope is that in time, the Government will work closely with browsers such as Firefox to find a way around the issue of having to ask for consent. Ed Vaizey, Minister for Culture, Communications and Creative Industries, has confirmed that the Government is already liaising with browser manufacturers over how to enhance browsers to provide information on cookies as well as user-friendly settings. But at the moment, he says, browsers simply aren’t sophisticated enough to assume consent. Furthermore, an increasing number of users are browsing the web through mobile devices, without using a browser, so it’s likely that we’re heading towards an international standard of online privacy that applies to mobiles as well.

Further reading and useful resources

Rachel oversees content and copywriting at SEOptimise, ensuring that all content produced by SEOptimise is delivered to the highest standards. In addition to this, Rachel is an experienced search marketer. She holds a BA Classical Archaeology and Ancient History degree from Oxford University and a Diploma in Copywriting.

15 Comments


  1. Me says:

    Complete and utter f****** nuts!!

    From the list above it sounds like the footer bar could be the most user friendly version.

    Please could someone pass a law that states that advertisers can’t show me anything on television, in magazines and in newspapers that I haven’t expressed an interest in? By doing so they are invading my privacy…..

    A little birdy told me that some of the main players do not think this will be enforceable i.e. it will go to court and get thrown out for being so ludicrous….

  2. Richard Housham says:

    yeah the ico are kicking up a fuss about this and bt are the few who are actually seeming to do something but even then it’s an option to opt out not opt in which is what the ‘law says’.
    To be honest lets look at a few sites and see what they do.
    Ok, the ICO – it still has 1 cookie so they aren’t fulfilling their side of the law.
    I’ve looked at Dave Cameron’s site – he’s not bothered and I would guess the same applies to almost all other mps, parties, schools, local councils etc..
    So government want to pass a law outlawing your own sites – bring it!

    Now lets go to another gov site the government digital services.
    http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/
    So they say tracking cookies are essential and seem to have their head screwed on – I’ve had word from the ico that they aren’t! Time for a showdown!

    Also while I’m here just a quick head nod towards companies like this.
    http://www.cookielaw.org/
    Who seem to be trying to scare a few people and make a quick buck – just stop.
    I’ve seen other companies wanting to do an audit on cookies for £100 (50%) off.
    Stop it!

    Also just like to say that I would guess that 90% of people don’t know what cookies are and those that do use your browser if you are that worried.

    Just as a final spice to the mix google this woman neelie.kroes here is a post to her cv.
    http://ec.europa.eu/commission_2010-2014/kroes/about/cv/index_en.htm
    Yep fair enough lots of economic and politics and charity ok.
    So what’s her part in this – well she helped draft this crazy law. A woman cracking into her 70s is talking about computers – sorry that’s a little ageist but a woman who hasn’t got a qualification about computers knows anything about how the internet works is writing legislation on it.
    Just a quick link again to a fellow site who feels the same way.
    http://techcrunch.com/2012/02/06/hey-neelie-kroes-maybe-you-could-return-our-calls-about-this-eu-cookie-law-2/

    Ah well in 2 months no one will care.
    They have this stuff in the eu and no one cares over there either! I think Germany tried to ban google analytics and that didn’t work.

    So everyone keep calm and carry on
    Richard

  3. Rachel, Thanks for the excellent article.

    The most cost effective method to implement the EU Cookie Law would be to make it a requirement for Browser ‘Manufacturers’ to provide EU Cookie compliant versions of the browsers probably through add-ins. That way, the consumer who cares about privacy can download the addin/plugin and be protected. And those consumers that do not care about their browsing habits being tracked will not have to suffer the impending ‘cookie popup spam’ that will become the norm from May 26th 2012.

    Also this sensible approach of making the browser manufacturers responsible for implementing the law rather than website owners, will save millions of small businesses spending time and money on compliance to a law that is well-meaning but ill-conceived and extraordinarily badly implemented.

    It is another example of EU officials with jobs for life, tax free salaries and gold-plated pensions being completely out of touch with the real world. They are just so good at spending our money. The cost /benefit analysis of the EU Cookie Law Directive is going to make the CAP (Common Agricultural Policy) look good. If the EU really cares about privacy, Facebook and other social media sites would be a much better place to start. The privacy issue is NOT about cookies; it is about what data is stored about the individual and how it is used.

    I had hoped that before May 26th, common sense would prevail and the law would just be scrapped or at least postponed until something sensible like the ‘browser-based’ solution could be implemented.

    Rachel, what are your plans for this site. A header bar? a footer bar?

  4. Kevin H says:

    To show it could be even crazier – I was thinking about who could be affected; or more precisely how not to be affected. Sounds simple, remove all analytics using cookies and do no advertising.

    Or is it?

    I was reading the latest update on the ICO site trying to figure out some of the rubbish on there when I came across a (frequently changing) page that said that if you link to another site then you as the linking site have a responsibility to notify your visitor of the fact that 3rd party cookies could be used even though they will only be set if you visit the next website.
    The idea seems to be primarily to do with advertisers/affiliate marketing where cookies are used to say where their lead came from.
    HOWEVER, where does that leave you with linking to a website, just a normal link, no advertising or anything involved, that takes someone to a site that uses cookies for whatever purpose? Will you still need to notify your site visitors?
    So if I link to a useful blog and they have advertisers on their pages that use cookies the minute you visit the page am I responsible?
    What happens if I link to a site and it LATER adds cookies?

    And.. well, I could go on with little snippets of wording that worry me as to what they mean, but I won’t; suffice it to say that like many on here I have grave concerns about this IF it really is aggressively

  5. James says:

    I must say, I like Richard Housham’s comment back there.
    Also, I find it quite hilarious that Neelie Kroes’s page has dropped 7 cookies on my PC and no mention that this was going to happen, nor any request for consent.
    So, until her page (and the whole of ec.europa.eu) is compliant, I’m not giving two hoots to this directive.

  6. Andy says:

    Over the last few weeks I’ve been looking into this and becoming more and more frustrated by how unclear it is, although thank you for a very clear explanation.

    Something I feel is going to be important is webmasters actually getting on board whether they agree with this law or not and trying to explain what cookies they use in a very clear manner; if it’s not clear then people will be more inclined to say no, whereas if you make it simple and clear then maybe more people will allow the use of cookies. But if some webmasters don’t bother to take the effort to clearly lay this out in layman’s terms then it is going to increase people opting out whenever they see a request.

    But I do have one question. Is this a blanket law, as in if you run a website and you are within the EU, are you still going to have to show the cookie opt-in to those visitors from outside the EU or can you use GEO location scripting to choose which countries you show it to?

  7. @Andy, most solutions out there are using geo-scripting – that way the EU directive will have zero impact on non EU residents

  8. Richard E says:

    I can’t believe that your average website owner on the street is going to have the skills to create some kind of script that first asks for permission, then either serves up cookies or does not serve up cookies, depending on the visitor’s choice.

    This leaves the choice of not bothering at all, or paying over the odds for the handful of solutions made available that will inevitably cash in on this.

    If the big players are ignoring this, I think everyone else will too!

  9. Steve says:

    @James
    April 18, 2012 at 5:06 pm ·
    “Also, I find it quite hilarious that Neelie Kroes’s page has dropped 7 cookies on my PC and no mention that this was going to happen, nor any request for consent.
    So, until her page (and the whole of ec.europa.eu) is compliant. I’m not giving two hoots to this directive.”

    It’s just the same today (28 May) after the deadline has come in. I’m with you, on this one, James!

  10. Christos says:

    I believe that this law will either bring more business to web developers or can destroy them!
    Will this configuration and maybe some programming be paid from the website owners or their web developers?

Trackbacks for this post

  1. EU cookie directive | PolicyBee Blog on professional indemnity insurance, freelancers and consultants news and risk advice
  2. Google Adwords Remarketing / Petar Traychev’s blog
  3. SHOWCASE: Elegant Examples of Implementing EU Cookie Law Opt-in | SEO Consult Blogs
  4. The EU Cookie Law and The Challenges Businesses Face « DAA Marketing – Your Marketing Experts
  5. Privacy – it’s not what you hide but what you tell that counts - thebeebs - Site Home - MSDN Blogs
