On the 26th May 2011 the enforcement of DIRECTIVE 2002/58/EC was deferred for one year in the UK. Many of us wondered if it would all just go away… it didn’t, and Cookie Day* is almost upon us.
How the cookie law crumbles
The ‘Cookie Law’, a tastier synonym of DIRECTIVE 2002/58/EC, is aimed at protecting individuals against the hitherto unregulated use of user behaviour tracking online.
In short the law means that we must now ensure that users are not just aware of the tracking information, such as cookies, that we plan to store on their computers but also that they consent explicitly to us storing that information.
Some cookies are fruitier than others
The controversy around this law stems from the fact that browser cookies are all but essential to the modern web experience: many sites simply wouldn’t function without cookies to remember certain information about the user, such as the contents of an e-commerce basket.
Thankfully the cookie law recognises that some cookies are more necessary and less intrusive than others. Roughly, cookies can be categorised into 3 groups:
Cookies Necessary for Website Functionality
Cookies essential to the smooth running of a modern website are currently exempt from the changes to privacy regulations. Examples of necessary, ‘unintrusive’ cookies include:
Cookies that prevent multiple form submissions
Cookies that maintain load balancing
Transaction specific cookies such as e-commerce basket item tracking
Minimally intrusive cookies
Cookies used to anonymously track user behaviour on a website or those used to store previous configuration may be described as minimally intrusive. Examples of minimally intrusive cookies include:
Cookies used to effectively gather web analytics data
Cookies used to save personalised content or interface options
Minimally intrusive cookies are, strictly speaking, covered by the cookie law and should not be stored on a user’s computer without explicit consent. There does however seem to be some room for interpretation in the ICO’s guidelines, and many businesses seem to be settling on a clear notice that they will be setting minimally intrusive cookies unless a user requests otherwise via browser settings.
Moderately intrusive cookies
Moderately intrusive cookies include those that track user behaviour across a number of sites and use this information to deliver unsolicited personalised advertising & content.
Examples of moderately intrusive cookies include:
Embedded third-party content and social media plugin cookies
Advertising campaign optimisation cookies
These cookies will be a top priority for the ICO in terms of regulation and enforcement. If your site is setting moderately intrusive cookies you should ensure that you follow the ICO guidelines carefully.
Can I have my cookie and eat it?
What if you decide to ignore all of this? At worst you could be hit with a £500,000 fine for serious breaches of the Data Protection Act 1998 (DPA), so it’s probably worthwhile taking at least some steps to ensure you are compliant (or, if you take the stance of many businesses, make sure you are not the least compliant).
What you should be dough-ing to remain compliant
The ICO’s guidelines can be simplified to 3 steps:
Ascertain what information your site stores on your users’ computers through a cookie audit
Gauge the intrusiveness of each cookie from necessary through to moderately intrusive
Choose a suitable solution to gain user consent to set these cookies
If you sense some ambiguity here you are not alone, and although there are a number of suggestions on how you might implement consent mechanics, many website owners are still balancing the need to comply with the potential damage that comes from opt-in consent forms interrupting their users’ journey.
Although it is tempting to wait and see what everyone else does in response to the new law, it is clear that the ICO will deal with cases on a business-by-business basis. As such it is up to you to assess the impact of your site’s cookies and to ensure your users are both aware of and consent to you storing information through their browsers.
So what should I actually do?
Make sure your business and its stakeholders are fully aware of the new law
If available, your legal team should be briefed. Many businesses are hiding their heads in the sand. Make sure you are not one of them!
Perform a full cookie audit
To understand the full impact of your cookies you need to know what cookies your site is currently setting.
There are 3 types of cookies to identify:
Client side cookies – e.g. Google Analytics tracking tag
Your web team will be able to use browser privacy settings to identify these cookies. These cookies are often minimally intrusive.
Server Side Cookies – e.g. Shopping basket tracking
Your website developers should be able to provide you with a list of server side cookies. These cookies are often necessary.
3rd Party container tags – e.g. DoubleClick Advertising Tracking
Your web marketing team should be aware of any services that rely on 3rd party cookies. These are often the most intrusive cookies.
Your audit should be written up in an easy-to-find cookie policy. There are a number of templates available online for this step. For example:
Provide some way for users to consent to cookie usage
As discussed this is the tricky bit! There has been discussion that this mechanism should be on the shoulders of the web browsers rather than the individual site but for the time being this functionality is not ready at browser level.
As stated, the only way to fully comply with the new laws is to refrain from setting any cookies which are not entirely necessary until you have the explicit ‘opt-in’ consent of your users.
However many businesses are using less obstructive methods, especially when no ‘moderately intrusive’ cookies are being set.
Another similar approach and one that is perhaps more in the spirit of the law is to include the same information in a more prominent position on the site, often in a footer or pop-over dialogue. BT provide an excellent example of this method:
Whilst these approaches seem popular, even with some very high profile sites, it is also fair to say that they are not fully compliant with the new law as they still rely on an opt-out mechanism.
That said, if you are transparent in your cookie usage and go to some lengths to help users of your site understand the impact of the information that you store, it might be worth taking the risk. You will be in good company!
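The audit and consent steps above can be turned into a small piece of enforcement code. The following is an added example, not code from the original post or from the ICO: it takes the Set-Cookie headers recorded during a cookie audit, classifies each cookie against a declared policy using the three tiers described above (flagging anything the audit missed), and gates non-necessary cookies behind explicit opt-in consent. The cookie names, policy entries and sample headers are all constructed for illustration.

```javascript
// Added example (not from the original post). Category names follow the
// three tiers used above; the policy and sample headers are constructed.

// Step 2 of the audit: a declared policy mapping each known cookie to a tier.
// Any cookie seen in the wild that is not listed here is an audit finding.
const COOKIE_POLICY = {
  session_id:  'necessary',             // e.g. shopping basket / login session
  form_token:  'necessary',             // prevents duplicate form submissions
  _ga:         'minimally-intrusive',   // web analytics
  ui_prefs:    'minimally-intrusive',   // saved interface options
  ad_campaign: 'moderately-intrusive'   // cross-site advertising optimisation
};

// Extract the cookie name from one Set-Cookie header value ("name=value; attrs").
function cookieNameFromHeader(setCookieHeader) {
  return setCookieHeader.split(';')[0].split('=')[0].trim();
}

// Step 1: classify every cookie observed during the audit; unknown ones are
// reported as 'unclassified' so they cannot silently slip through.
function auditCookies(setCookieHeaders) {
  return setCookieHeaders.map(h => {
    const name = cookieNameFromHeader(h);
    return { name, category: COOKIE_POLICY[name] || 'unclassified' };
  });
}

// Step 3: the opt-in gate. Only 'necessary' cookies may be set without consent;
// every other tier needs explicit consent for that tier, and an unclassified
// cookie is refused until the audit has categorised it.
function mayStoreCookie(name, consent) {
  const category = COOKIE_POLICY[name] || 'unclassified';
  if (category === 'necessary') return true;
  if (category === 'unclassified') return false;
  return consent[category] === true;
}

// Server-side enforcement: drop outgoing Set-Cookie headers the user has not
// consented to, so the browser never receives them in the first place.
function filterSetCookie(setCookieHeaders, consent) {
  return setCookieHeaders.filter(h => mayStoreCookie(cookieNameFromHeader(h), consent));
}

// Constructed sample of headers an audit of one page load might record.
const SAMPLE_HEADERS = [
  'session_id=abc123; Path=/; HttpOnly; Secure',
  '_ga=GA1.2.1; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT',
  'ad_campaign=spring; Domain=.example.com',
  'legacy_tracker=1; Path=/'
];
```

With only minimally intrusive consent given, `filterSetCookie(SAMPLE_HEADERS, {'minimally-intrusive': true})` lets through the session and analytics cookies and drops the advertising cookie and the unclassified `legacy_tracker`, which is exactly the audit gap the policy should then be updated to close.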
Have you made a move to comply with the new laws?