Are you ready for the Cookie Law?

By Marcus J Wilson
27 April 2012

On May 26th 2012, the new EU Cookie regulations come into force in the UK. The legislation is aimed at protecting the privacy of people visiting the websites of EU-based businesses. But what does that mean for your website?

 

What are cookies?

Cookies are small files that a website places on the computer or mobile device of the end user. They can be used to provide useful functionality for the user of the website, for instance to keep them logged in to the website, or to keep track of items in their shopping basket for online shops. WordPress will use Cookies in both of these instances.

Cookies are sometimes used to provide personalisation for the website user, storing a user’s preferences for certain types of content, so the most relevant information can be presented to them.

Google Analytics uses Cookies to track users’ behaviour on a website so that the site owners can assess impact and improve user experience on the site.

In some cases, Cookies can be used to “harvest” user data – i.e. tracking the content viewed or searched for by an individual for the purposes of advertising to them or selling this data to third party sites or advertisers.

So, Cookies can be used to enhance a visitor’s experience of a website, and sometimes for more nefarious purposes.

Stopping using Cookies is not an option for most websites, as Cookies are currently the best and in some cases the only way to achieve analytics, ecommerce and other functionality online.

 

What is the Cookie Law?

The Cookie regulations are being introduced to protect consumers’ privacy. The legislation will place limits on what data stored through Cookies can be used for without the consumer’s knowledge and consent.

The Cookie regulations oblige businesses (a) to provide website users with full details of all the Cookies used by the website, and (b) to provide the user with the option to “Opt In” before any Cookie is placed on that user’s device that is not essential to providing the functionality that the user has requested of the website or which could be considered to intrude upon the user’s right to privacy.

The UK Information Commissioner’s Office states that:

“… the intention behind this Regulation is … to reflect concerns about the use of covert surveillance mechanisms online. Here, we are not referring to the collection of data in the context of conducting legitimate business online but the fact that so-called spyware can enter a terminal without the knowledge of the subscriber or user to gain access to information, store information or trace the activities of the user and that such activities often have a criminal purpose behind them.”

 

Who does the legislation apply to?

All UK businesses will need to comply with the EU Cookie regulations in accordance with the UK legislation.

 

How to ensure our websites comply with regulations

In the case of Cookies used for core website functionality such as logins and ecommerce, it should be sufficient to provide clear information for users on the website to explain the use of these Cookies. Most websites should have “Terms and Conditions”, “Privacy Policy” and/or “Frequently Asked Questions” sections, and you should be sure to include information on your website’s use of Cookies clearly within these pages.

Cookies used for Analytics purposes, whilst not “strictly necessary to provide the services requested by the user”, are likely to fall outside of the scope of the elements of the regulation that will be enforced in the UK. The Information Commissioner states:

“We are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action.”

Even the UK Government’s own Digital Services division argues that web analytics are both:

“essential to the effective operation of government websites … [and] … minimally intrusive for end users.”

As a result, it should again be sufficient to clarify your website’s use of Cookies for Analytics purposes within the general information provided on your website.

As with similar legislation, the key will be for websites to interpret the legislation in a way that safeguards website users from the worst excesses of Cookie use (i.e. Cookies that seriously infringe on the privacy of the user for commercial or other more questionable ends).

The key will be for websites to clearly alert the user to any Cookie usage that impacts significantly on user privacy, requiring the user to “Opt In” to these Cookies as appropriate, whilst providing accessible and clear information about the website’s more general use of Cookies for improved user experience of the site’s core functionality.

 

What you should do right away

Here are the three things that you should do immediately:

  1. Find out what Cookies your website uses. If you need information on the Cookies used on your own website, please contact us directly and we will be pleased to provide you with details of: (a) what Cookies are stored on your website visitors’ devices, (b) when each Cookie is stored, and (c) what it is used for.
  2. Tell your users what Cookies your website uses and why. Ensure that your site contains clear information about all the Cookies used on your website. These could be included within your Terms and Conditions, Frequently Asked Questions, Privacy Policy or at the points on your website when Cookies are required (e.g. on the user login screen, when the user places an item in their online shopping basket, etc.).
  3. Stay within the regulations for Cookies that have privacy implications for your users. For any Cookies used on your website that are not strictly required to provide either services requested by the user or Analytics data, consider carefully whether you need to be using that Cookie. If you do, you will most probably need to give the user the option of explicitly “Opting In” to such cookies being stored on their device – otherwise you could fall foul of the regulations.

 

Further Reading:

Information Commissioner’s Office: Information on Cookies and Cookie Legislation
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

ICC UK Cookie Guide: http://www.dma.org.uk/sites/default/files/PDF/Cookies/20120402%20ICC%20Cookie%20Guide%20v3.pdf

Culture Sparks article by Cameron Leask of Escrivo Internet Consulting on the UK Cookie Regulations:
http://www.culturesparks.co.uk/intelligence/information/uk-website-cookie-regulations