SiteVisibility


The Cookie Law: Crumbs!

On the 26th May 2011 the enforcement of DIRECTIVE 2002/58/EC was deferred for one year in the UK. Many of us wondered if it would all just go away… it didn’t, and Cookie Day* is almost upon us.

SiteVisibility has written a Privacy and Cookie policy which all site visitors should read.

How the cookie law crumbles

The ‘Cookie Law’, a tastier synonym of DIRECTIVE 2002/58/EC, is aimed at protecting individuals against the hitherto unregulated use of user behaviour tracking online.

In short the law means that we must now ensure that users are not just aware of the tracking information, such as cookies, that we plan to store on their computers but also that they consent explicitly to us storing that information.

Some cookies are fruitier than others

The controversy around this law stems from the fact that browser cookies are all but essential to the modern web experience: many sites simply wouldn’t function without cookies to remember certain information about the user, such as the contents of an e-commerce basket.


Thankfully the cookie law recognises that some cookies are more necessary and less intrusive than others. Roughly, cookies can be categorised into 3 groups:

Cookies Necessary for Website Functionality

Cookies essential to the smooth running of a modern website are currently exempt from the changes to privacy regulations. Examples of necessary, ‘unintrusive’ cookies include:

      Cookies that prevent multiple form submissions

      Cookies that maintain load balancing

      Transaction specific cookies such as e-commerce basket item tracking

Minimally intrusive cookies

Cookies used to anonymously track user behaviour on a website or those used to store previous configuration may be described as minimally intrusive. Examples of minimally intrusive cookies include:

      Cookies used to effectively gather web analytics data

      Cookies used to save personalised content or interface options

Minimally intrusive cookies are, strictly speaking, covered by the cookie law and should not be stored on a user’s computer without explicit consent. There does however seem to be some room for interpretation in the ICO’s guidelines and many businesses seem to be settling with a clear notice that they will be setting minimally intrusive cookies unless a user requests otherwise via browser settings.

Moderately intrusive cookies

Moderately intrusive cookies include those that track user behaviour across a number of sites and use this information to deliver unsolicited personalised advertising & content.

Examples of moderately intrusive cookies include:

      Embedded third-party content and social media plugin cookies

      Advertising campaign optimisation cookies

These cookies will be a top priority for the ICO in terms of regulation and enforcement. If your site is setting moderately intrusive cookies you should ensure that you follow the ICO guidelines carefully.

Can I have my cookie and eat it?

What if you decide to ignore all of this? At worst you could be hit with a £500,000 fine for serious breaches of the Data Protection Act 1998 (DPA), so it’s probably worthwhile taking at least some steps to ensure you are compliant (or, if you take the stance of many businesses, make sure you are not the least compliant).

What you should be dough-ing to remain compliant

The ICO’s guidelines can be simplified to 3 steps:

Ascertain what information your site stores on your user’s computers through a cookie audit

Gauge the intrusiveness of each cookie from necessary through to moderately intrusive

Choose a suitable solution to gain user consent to set these cookies

If you sense some ambiguity here you are not alone. Although there are a number of suggestions on how you might implement consent mechanics, many website owners are still balancing the need to comply against the potential damage that opt-in consent forms cause by interrupting their users’ journey.

Although it is tempting to wait to see what everyone else does in response to the new law, it is clear that the ICO will deal with cases on a business by business basis. As such it is up to you to assess the impact of your site’s cookies and to ensure your users are both aware of and consent to you storing information through their browsers.

So what should I actually do??

Make sure your business and its stakeholders are fully aware of the new law

If available, your legal team should be briefed. Many businesses are hiding their heads in the sand. Make sure you are not one of them!

Perform a full cookie audit

To understand the full impact of your cookies you need to know what cookies your site is currently setting.

There are 3 types of cookies to identify:

Client side cookies – e.g. Google Analytics tracking tag

Your web team will be able to use browser privacy settings to identify these cookies. These cookies are often minimally intrusive.

Server Side Cookies – e.g. Shopping basket tracking

Your website developers should be able to provide you with a list of server side cookies. These cookies are often necessary.

3rd Party container tags – e.g. DoubleClick Advertising Tracking

Your web marketing team should be aware of any services that rely on 3rd party cookies. These are often the most intrusive cookies.
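As an added example (not code from SiteVisibility or the original post), the following script is a first pass at the cookie audit described above. It takes Set-Cookie header values captured while loading a page, works out which party set each cookie and how long it lives, and tags each one with the intrusiveness group used in this article, based on a purpose list the web, development and marketing teams supply. The host name, cookie names, header values and audit date are all constructed for the example.

```javascript
// Added example, not SiteVisibility's code: a first pass at a cookie audit.
// All hostnames, cookie names, header values and dates below are constructed.

const SITE_HOST = 'www.example.co.uk'; // assumed first-party host being audited

// Purpose list supplied by the web/dev/marketing teams (constructed). Anything
// not listed here stays unclassified so it shows up for follow-up.
const KNOWN_PURPOSES = {
  PHPSESSID: 'necessary',          // server-side session, prevents duplicate submits
  basket: 'necessary',             // transaction specific e-commerce basket
  __utma: 'minimally intrusive',   // web analytics
  id: 'moderately intrusive',      // third-party advertising tracking
};

// Set-Cookie header values as captured from the responses of one page load
// (constructed sample: four first-party responses and one embedded ad call).
const CAPTURED = [
  { host: 'www.example.co.uk', header: 'PHPSESSID=s1a2b3; Path=/; Secure; HttpOnly' },
  { host: 'www.example.co.uk', header: 'basket=item42; Path=/; Max-Age=1800' },
  { host: 'www.example.co.uk', header: '__utma=1.2.3.4; Domain=.example.co.uk; Expires=Sat, 10 May 2014 12:00:00 GMT' },
  { host: 'ad.doubleclick.net', header: 'id=x9y8z7; Domain=.doubleclick.net; Expires=Sun, 11 May 2014 12:00:00 GMT' },
  { host: 'www.example.co.uk', header: 'theme=dark; Path=/; Max-Age=31536000' },
];

// Split one Set-Cookie value into its name/value pair and an attribute map.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    if (i === -1) attrs[part.toLowerCase()] = true;
    else attrs[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// True when `host` is `domain` or a subdomain of it (RFC 6265 domain matching).
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Classify one captured cookie. `now` (ms since epoch) is injected so the
// lifetime calculation is reproducible; in a real audit pass Date.now().
function auditCookie(entry, siteHost, now) {
  const c = parseSetCookie(entry.header);
  const effectiveDomain = c.attrs.domain || entry.host;
  const firstParty = domainMatches(siteHost, effectiveDomain);

  // Max-Age takes precedence over Expires; neither present means a session cookie.
  let lifetimeSeconds = null;
  if (c.attrs['max-age'] !== undefined) {
    lifetimeSeconds = parseInt(c.attrs['max-age'], 10);
  } else if (c.attrs.expires) {
    lifetimeSeconds = Math.round((Date.parse(c.attrs.expires) - now) / 1000);
  }

  return {
    name: c.name,
    setBy: entry.host,
    party: firstParty ? 'first' : 'third',
    persistence: lifetimeSeconds === null ? 'session' : 'persistent',
    lifetimeSeconds,
    secure: c.attrs.secure === true,
    httpOnly: c.attrs.httponly === true,
    group: KNOWN_PURPOSES[c.name] || 'unclassified',
  };
}

function auditAll(captured, siteHost, now) {
  return captured.map((e) => auditCookie(e, siteHost, now));
}

// Cookies nobody has classified need a decision before the policy is written.
function unclassified(report) {
  return report.filter((r) => r.group === 'unclassified').map((r) => r.name);
}

// Fixed reference date so the example output is stable (constructed).
const AUDIT_DATE = Date.parse('Thu, 10 May 2012 12:00:00 GMT');
const REPORT = auditAll(CAPTURED, SITE_HOST, AUDIT_DATE);

console.table(REPORT);
console.log('needs classification:', unclassified(REPORT));
```

The report it prints is the raw material for the policy breakdown in the next step: who sets each cookie, whether it outlives the session, and which of the three groups it falls into. The `theme` cookie deliberately has no entry in the purpose list, so it surfaces as unclassified rather than being silently assumed harmless.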

Provide a privacy policy with a breakdown of the cookies you use

Your audit should be wrapped up in an easy to identify policy. There are a number of templates available online for this step. For example:

http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1076142085&type=RESOURCES

Provide some way for users to consent to cookie usage

As discussed this is the tricky bit! There has been discussion that this mechanism should be on the shoulders of the web browsers rather than the individual site but for the time being this functionality is not ready at browser level.

As stated, the only way to fully comply with the new laws is to refrain from setting any cookies which are not entirely necessary until you have the explicit ‘opt-in’ consent of your users.

However many businesses are using less obstructive methods, especially when no ‘moderately intrusive’ cookies are being set.

One common approach seems to be to explain to users within the privacy policy that by not changing the cookie preferences on their browser they are consenting to the use of cookies. This approach often includes instructions on how to turn cookies off. The BBC currently seems to use this method:

http://www.bbc.co.uk/privacy/bbc-cookies-policy.shtml

Another similar approach and one that is perhaps more in the spirit of the law is to include the same information in a more prominent position on the site, often in a footer or pop-over dialogue. BT provide an excellent example of this method:

http://www.bt.com/

Whilst these approaches seem popular, even with some very high profile sites, it is also fair to say that they are not fully compliant with the new law as they still rely on an opt-out mechanism.

That said, if you are transparent in your cookie usage and go to some measure to help users of your site understand the impact of the information that you store, it might be worth taking the risk. You will be in good company!
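For contrast with the opt-out approaches just described, here is an added example (not code from the original post, nor from the BBC or BT) of an opt-in consent gate of the kind the article says is the only fully compliant approach. Tags are grouped using the article’s three categories; necessary cookies are always allowed, and anything else is held back until the user has explicitly chosen, with that choice recorded in a single first-party cookie. The consent cookie name, the tag list and the version number are all assumptions for the example.

```javascript
// Added example, not code from the original post: an opt-in consent gate.
// Cookie name, tag ids and groups are constructed for the example.

const CONSENT_COOKIE = 'cookie_consent'; // assumed name of the consent record
const CONSENT_VERSION = 1;               // bump when the policy changes so users are asked again

// Tags the site would load, grouped as in the article (constructed).
const TAGS = [
  { id: 'session',        group: 'necessary' },
  { id: 'analytics',      group: 'minimally intrusive' },
  { id: 'social-plugins', group: 'moderately intrusive' },
  { id: 'ad-retargeting', group: 'moderately intrusive' },
];

// Read a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieJar(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Consent state: null when the user has not answered (or answered an older
// policy version); otherwise the set of groups they allowed.
function readConsent(cookieString) {
  const raw = parseCookieJar(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const record = JSON.parse(decodeURIComponent(raw));
    if (record.v !== CONSENT_VERSION || !Array.isArray(record.groups)) return null;
    return new Set(record.groups);
  } catch (e) {
    return null; // malformed cookie: treat as no consent, never as consent
  }
}

// Tags that may run on this page load: necessary ones always, others only
// when the user has explicitly allowed their group.
function allowedTags(tags, consent) {
  return tags
    .filter((t) => t.group === 'necessary' || (consent !== null && consent.has(t.group)))
    .map((t) => t.id);
}

// The cookie string that records a choice. Only ever written in response to a
// user action on the consent dialogue; an empty `groups` records a refusal.
function consentCookieValue(groups, maxAgeSeconds = 180 * 86400) {
  const payload = encodeURIComponent(JSON.stringify({ v: CONSENT_VERSION, groups }));
  return `${CONSENT_COOKIE}=${payload}; Path=/; Max-Age=${maxAgeSeconds}; SameSite=Lax; Secure`;
}

// Decision for one page load: whether to show the consent dialogue and which
// tags to load right now.
function decide(cookieString) {
  const consent = readConsent(cookieString);
  return { showBanner: consent === null, load: allowedTags(TAGS, consent) };
}

// Walk-through with a simulated cookie jar (in a browser: decide(document.cookie),
// and document.cookie = consentCookieValue([...]) when the user clicks a choice).
console.log('first visit:', decide(''));
const accepted = consentCookieValue(['minimally intrusive']).split(';')[0];
console.log('analytics only:', decide(accepted));
console.log('refused:', decide(consentCookieValue([]).split(';')[0]));
```

Two details carry the compliance point. Before any answer is recorded, `decide` loads only the necessary tag, so nothing minimally or moderately intrusive is set on a first visit. A refusal is stored as an empty group list, which suppresses the dialogue without ever loading those tags; a missing, malformed or out-of-date record is treated as no consent, never as consent.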

Have you made a move to comply with the new laws?

3 Comments
  • Graeme Benstead-Hume on May 11, 2012

    OK, sorry about all the puns! Especially the dough-ing one…

  • Pete Morris on May 13, 2012

    Just wanted to say thanks for this article. Everyone is busy writing about Penguin at the moment, and as a result this is going under the radar.

    I’ve gone and got this whole cookie thing buried on my to-do list and I completely forgot about it! Just 2 weeks left, so I’d better get it to the top of the list.

    Must say, it’s all a bit confusing. I’m wondering whether I need to mention every site that I link to that might drop a cookie, or if an all encompassing ‘sites we link to’ statement would be enough. If the former, that’s going to get boring very quickly!

  • Graeme Benstead-Hume on May 18, 2012

    Hi Pete,

    As far as I understand your cookie audit / policy need only apply to your own site. I’m not sure you even need to worry about adding a ‘sites we link to’ section.

    If you wish to be thorough you might add a statement to the effect of ‘We link to sites that may use cookies’. This would make sense in conjunction with instructions for disabling cookies as mentioned above.

    I hope that is useful!

    Many thanks

    Graeme
