Warning: Cookie Monster Arrives in the UK

Cookie Monsters

Guidance on the New Cookie Law in the UK from David Van der Velde at Consult and Design International.

Our clients have been asking us a lot of questions lately about the new cookie law and what it means for their web sites. We hope this article will answer most of those questions. Please note that our guidance is for information only. Website owners are responsible for ensuring their own compliance with the law.

The new ‘Cookie Law’ came into effect on May 26th 2011. Following a period of one year’s grace, all UK website owners are now required to comply with this law or they could face hefty fines.

Don’t Panic

Although this law affects pretty much every web site owner, the main reason for its existence is to protect people’s privacy from aggressive e-marketing tactics. Unless you are deliberately flouting the regulations and trying to avoid getting informed consent from web users, you are unlikely to find yourself in trouble anytime soon.

For most web site owners, taking a few simple steps (see ‘What Action Should I Take?’ below) should ensure that you can continue your online operations without falling foul of the new law.

The BBC reports that most of the government’s own web sites have failed to meet the deadline for compliance and that ‘no action will be taken by the Information Commissioner's Office (ICO) over the deadline miss - provided they were "showing a commitment" to eventually make changes’.
[http://www.bbc.co.uk/news/technology-18090118]

Background to the ‘Cookie Law’

The cookie law is part of the amended Privacy & Electronic Communication Regulations (PECR), which protects personal information. It has come about because of concerns about the way that websites can place tracking files and users’ personal information on users’ computers without their knowledge. Although there is particular concern about ‘spyware’ (data that is stored on a user’s computer without their knowledge to gain access to information, store information or trace the activities of the user, often with criminal intent), most legitimate online activities are also affected by the new law.

Guidance has been published by the Information Commissioner's Office in the UK and various other public sector bodies outlining some simple and not so simple measures that should be taken by website owners. We have summarised the key points below. [See also http://alphagov.files.wordpress.com/2012/03/gds-cookies-implementer-guide.pdf]

What is a Cookie?

To make them simpler to use, web sites often place small files on the user’s computer. These are known as cookies. They improve the user experience by remembering information you provide so that you don’t have to keep entering it.

By storing cookies on your computer, websites you visit are able to show you information, services or products based on information you have given (e.g. your postcode or gender) as well as gather useful information about how people are using the website (such as how you found the site, which pages you clicked on and how long you spent on each page).
For more information see: http://www.allaboutcookies.org/

Does This New Law Affect My Website?

The simple answer to this is yes. If you have a website then it is highly likely that it currently places and retrieves cookies on users’ computers (or other web connected devices). The new law requires you to make significant changes to your site in order to obtain informed consent from all EU visitors before the site can store or retrieve this information. For example, nearly every website has tools to track how the site is used (such as Google Analytics) and these operate by placing cookies on the user’s computer.

An interesting exemption is for cookies (and related technology such as HTML5 local storage) that are deemed ‘strictly necessary’ for a service requested by the user. What this exemption means is that if, for example, your site has a shopping cart (which can only function by using cookies to remember the products in your basket) then those cookies are exempt from the legislation. The Information Commissioner's Office (ICO) in the UK has taken the view that cookies for web site analytics cannot be considered as part of this exemption.

What Action Should I Take?

Consult and Design International has outlined three simple steps most web site owners can take now. It might sound complicated, but for most small to medium sized websites this should represent no more than 2-3 hours' work.

Step 1: Auditing use of cookies on your web site

If the ICO were to receive a complaint from a user about use of cookies on your website, the first thing they would want to look at is how cookies are used. A good starting point for you in demonstrating that you are working towards compliance is to know the answer to that question yourself.

An audit of the cookies on your site should give you information about all the cookies that are used, what information they hold, why they are used and how long they are set to persist for (some cookies last only the length of the user session, whilst others are set to stay on the user’s computer for months or even indefinitely).

From your audit you should be able to identify which, if any, of the cookies you use but don’t really need, which ones are essential to the working of the site, and which ones (more likely to get you in trouble with the ICO) are used purely for information gathering purposes and persist on users’ computers. It is for this last group in particular that you will need to show informed consent of users (see step 3 below).

If you would like us to do an audit on your site then drop us a line and we'll work with you to understand how they're being used.
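As an added illustration (not part of the original article or any Consult and Design International tool), the sketch below builds the kind of audit table Step 1 describes from a site's `Set-Cookie` response headers: each cookie's name, whether it is session-only or persistent, its lifetime in days, and whether it falls outside the ‘strictly necessary’ exemption. The cookie names, sample headers and the `STRICTLY_NECESSARY` list are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not captured from a real site).
SAMPLE_HEADERS = [
    "basket=sku123; Path=/; HttpOnly",
    "analytics_id=abc.123; Max-Age=63072000; Path=/",
    "prefs=postcode; Expires=Sun, 26 May 2013 00:00:00 GMT; Path=/",
]
# Assumption: the site owner has judged these names 'strictly necessary'.
STRICTLY_NECESSARY = {"basket"}

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs

def lifetime_seconds(attrs, now):
    """Return None for a session cookie, else seconds until expiry."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return max(int(attrs["max-age"]), 0)
        except ValueError:
            pass  # malformed Max-Age: fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: browser treats it as a session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(int((expires - now).total_seconds()), 0)
    return None

def audit(headers, necessary, now):
    """Build one audit row per cookie."""
    rows = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        life = lifetime_seconds(attrs, now)
        rows.append({"name": name,
                     "kind": "session" if life is None else "persistent",
                     "days": None if life is None else life // 86400,
                     "needs_consent": name not in necessary})
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS, STRICTLY_NECESSARY, datetime.now(timezone.utc)):
        print(row)
```

Cookies set by JavaScript (rather than by response headers) do not appear in `Set-Cookie` and need to be collected from the browser's cookie store as well.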

Step 2: Resolve problems with reliance on cookies

Work with your web agency to see if there is an alternative to some of the more ‘risky’ uses of cookies on your web site.

At the same time over the coming months, government will be working with producers of browser software to try and develop ‘browser based’ solutions where a user is asked to ‘opt in’ to cookies when they first set up their web browser. As these solutions are rolled out, web site tools will have to be updated to communicate with the new browsers and only send appropriate cookies to user computers.

Step 3: Make sure the information you provide to users is clear and put in place specific measures to obtain consent

A good start is to make sure you have an up to date privacy statement on your site and that it includes information about how you use cookies and why. A link to your cookie audit (above) would be helpful here. For a sample cookie statement see https://www.gov.uk/help/cookies.

Over the coming months, you will start to see increasing use of pop ups and cookie ‘opt in’ check boxes in prominent positions on major websites. For a not particularly attractive example see http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

At Consult and Design International, we can provide ‘design friendly’, integrated cookie opt in tools to all our clients as required. Contact us if you would like more information.