
The EU cookie law - not so tasty!

The time is now upon us: the 'grace period' for implementing site changes to comply with the new EU Cookie Law has come to an end. Some site owners are still scratching their heads as to what exactly the 'EU Cookie Law' is and what needs to be done to comply with it, so we thought we would try to answer any questions you may have.

What are Cookies?

Taking it right back to basics, a cookie is a small file (usually textual) containing a string of characters that is sent to your computer when you visit a website. This is usually implemented so that when you visit the website again, the cookie allows that site to recognise your browser. Examples include a remembered login, search preferences or Google Analytics. You can choose to reset your browser to refuse all cookies or to indicate when a cookie is being sent. However, some website features or services rely on cookies and therefore may not function properly without them. Many cookies are useful and aid either the user or the site owner in ensuring a better online experience. However, some are classed as 'aggressive' or 'intrusive'; these can remain on the user's computer and are the main target of the EU Cookie Law.

What is the EU Cookie Law?

In May 2011 the EU put into place a 'Cookie Law' that effectively stated that all 'non-essential' cookies needed to be 'opt in' and that websites needed to update their privacy policies to explain which cookies were to be used on a site and why. Essential cookies were considered those that were required for the day to day use of a site - for example, a shopping basket on an ecommerce site. All other cookie types fell under the title of 'non-essential cookies' which unfortunately also included the likes of Google Analytics (and many other analytics programs). While many marketing specialists would class this as essential to the running of the site, the site will still function without it.

How do I know if my site uses cookies?

There are a variety of tools on the web which will help you determine what cookies are in place on your website and run a 'cookie audit' - something which is very much encouraged as a great starting point to becoming compliant. One of the simplest is to use Chrome: open up your website, right-click and select 'inspect element', which should open up a screen at the bottom of the browser. Look at the tabs along the top of this screen and select 'resources'. On the new left-hand side menu you will see 'cookies'; click on the arrow next to it and select your site, and this will then display all cookies used.

The upper cookies are all set by WordPress and include a mixture of 'session' cookies (only used whilst the browser is open) and long life or 'persistent' cookies which have an expiry date in the future. As can be seen in the screenshot above, a cookie has been used to determine that I am logged into the Space 48 WordPress system (very handy for me as it means that I don't need to keep entering my details every time I want to change a page or update information across the site).
The lower four cookies are set by Google Analytics, and aid us in tracking who visits the site, via what means and how they interact with the site (although never on a single user basis - all Google Analytics cookie data is anonymous).

OK, my site uses cookies, now what do I do?

Looking around the web, it seems not everyone is opting for full compliance (at least not yet) but we have already seen some of the bigger names, the likes of BT, Virgin and the ICO taking the lead:

ICO Site - Top of the page check box

BT - Lower right hovering popup

Virgin - Top of page popup

There are also a number of other sites which have implemented nice opt-in options which don't look out of place with the site; the Silktide Blog is one example (footer banner).

In order to be compliant with the new law, websites must not set non-essential cookies without the user having agreed to opt in (whether this is via a button, tick box or some other means). The website's privacy policy must also be updated to include information about cookies, what they are and why they are used.
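The cookie audit and the opt-in rule described above can be expressed in code. This is an added example, not part of the original post: the sample Set-Cookie lines are constructed, and the prefix table (including which cookies count as essential) is an assumption made for illustration.

```javascript
// Constructed sample Set-Cookie header values (not captured from a real site).
const SAMPLE_SET_COOKIE = [
  'wordpress_logged_in_0123=editor%7Ctoken; path=/; HttpOnly',
  'wp-settings-1=editor%3Dtinymce; expires=Fri, 24 May 2013 10:00:00 GMT; path=/',
  '__utma=1.2.3.4.5.6; expires=Sat, 24 May 2014 10:00:00 GMT; path=/',
  '__utmb=1.1.10.5; Max-Age=1800; path=/',
  '__utmc=1; path=/',
  'basket=sku123x2; path=/',
];

// Assumed audit table for this example: [name prefix, owner, essential?].
const KNOWN_PREFIXES = [
  ['wordpress_', 'WordPress', true],
  ['wp-settings-', 'WordPress', true],
  ['basket', 'Shop basket', true],
  ['__utm', 'Google Analytics', false],
];

// Split one Set-Cookie value into name, value and lifetime.
// A cookie with neither Expires nor Max-Age lasts only for the browser session.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const persistent = attrs.some((attr) =>
    ['expires', 'max-age'].includes(attr.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    lifetime: persistent ? 'persistent' : 'session',
  };
}

// Attach owner and essential flag; unknown cookies count as non-essential
// so that they surface in the audit rather than being set silently.
function auditCookie(line) {
  const cookie = parseSetCookie(line);
  const hit = KNOWN_PREFIXES.find(([prefix]) => cookie.name.startsWith(prefix));
  const [, owner, essential] = hit || [null, 'unknown', false];
  return { ...cookie, owner, essential };
}

// Opt-in rule: before consent only essential cookies may be sent.
function allowedHeaders(lines, optedIn) {
  return lines.filter((line) => optedIn || auditCookie(line).essential);
}

console.log(SAMPLE_SET_COOKIE.map(auditCookie));
console.log(allowedHeaders(SAMPLE_SET_COOKIE, false));
```

Replace the prefix table with the results of your own audit; the essential flag is a judgement each site has to make for itself.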


However there is one major drawback to implementing something like this, namely that users are (rightly so) cautious about what they do and do not allow when browsing the internet these days, and by default the majority of them will choose to opt out - thus rendering your analytics blind. When the ICO implemented their compliant opt in strategy, they saw a 90% drop in tracked traffic - which is more than a little disturbing for marketers!

Are there any other options?

Well of course there are!

Ultimately it is up to a company how far it goes to try and conform, but by not implementing a fully compliant strategy, a company could face fines of up to £500,000. As shocking as that sounds, the ICO have also stated that they are more likely to go after companies that use moderately intrusive cookies (as opposed to the minimally intrusive ones for analytics), so if you are only using cookies in the form of Google Analytics to improve site performance, you are not going to be considered high on the hit list.

A quote from David Smith, the deputy commissioner and director of data protection, when speaking to David Moth from Econsultancy:

Businesses have to make their judgements and take their decisions, and in doing that the more intrusive a cookie is the more likely it is to engage our attention. If all they’ve got is website analytics it’s not all that likely that they will end up facing enforcement action from the ICO as we have a lot of other priorities before we’d ever get to them, but what I can’t say is that that would be legally compliant, but they have to make their decisions.

It was also suggested that even if complaints are made and companies who haven't complied get targeted, they will have a chance to rectify the situation before a punishment is served. So at the very least, review your Privacy Policy to make sure it's clear what's being tracked using cookies and why, and ensure there's a reasonably prominent navigation link to the Policy.

To sum up...

As of the 26th of May 2012, the ICO will begin looking at websites and their use of cookies, potentially targeting those using moderately intrusive cookies. The following is a list of suggestions for compliance; the choice as to how far a site complies rests ultimately with the company itself:

Full compliance

Add an 'opt in' system to the site which is triggered before any non-essential cookies are implemented, and amend the privacy policy to include all cookies used on site and any additional information about cookies and why they are used.

  • Pros - Full compliance means no action will be taken against the company
  • Cons - Potential loss of 90% tracking data

Partial compliance

Alter the privacy policy on site to include all cookies used and any additional information about cookies and why they are used.

  • Pros - The company is seen to be doing something positive, and should a complaint be made against them, it shows willing. There is no potential loss of tracking either
  • Cons - The possibility of complaints or action against the company (though many believe that a company will be offered a chance to comply)

Non compliance

Do nothing, leave things as they are and see what happens.

  • Pros - No potential loss of tracking and the site continues without any change for the user
  • Cons - The possibility of complaints or action against the company (though many believe that a company will be offered a chance to comply)

A handy guide from the UK government.

If you have any questions regarding the EU Cookie Law, or want a hand implementing a compliance strategy, why not get in touch?
