How to comply with the EU Cookie Law
Last year the EU introduced a piece of legislation that limited how websites could collect data about their visitors. Primarily aimed at improving privacy, it requires website owners to gain consent before they can store or retrieve information from their visitors' devices.
In practice the focus has been on cookies; however, the law covers any means of identifying or profiling a user by storing something directly on their browsing device. That includes Flash local shared objects, HTML5 local storage and other client-side storage techniques.
You can think of cookies as providing a "memory" for the website, enabling it to recognise a user and respond appropriately.
Within the UK these changes are reflected in the Privacy and Electronic Communications Regulations and will be policed by the Information Commissioner’s Office (ICO). The ICO deferred enforcing the regulations by a year, so the new legislation comes into effect on 26th May 2012.
The theory
Unfortunately, confusion reigns because the law can be interpreted in a large number of ways: cookies that are essential for a site to function may be exempt, and those that pose no privacy concern carry a reduced risk of enforcement.
Key points set out by the ICO:
- The advice states that clear guidance must be given to users detailing which cookies (or other storage methods) are being used by the website and what these are being used for.
- The advice says ‘consent must involve some form of communication where an individual knowingly indicates their acceptance.’
- The guidance explains that some first party cookies used for online shopping baskets, user experience and cookies that help keep user data safe may be exempt from complying with the ‘opt in’ requirement.
- Cookies used for most other purposes including analytical, first and third party advertising, and ones that recognise when a user has returned to a website, will need to comply with the new rules.
There are some who argue that the ICO can’t actually enforce the new regulations, and that companies which take some steps towards compliance won’t have to worry about being penalised. In a December press release the ICO stated, “The ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.” It’s no surprise, then, that many companies are waiting to see what the impact actually is and how the law will be enforced.
The ICO guidelines state:
“Although the ICO cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals, if an organisation can demonstrate they have done everything they can clearly to inform users about the cookies in question and to provide them with clear details of how to make choices.”
The onus is therefore on providing adequate information to inform users about cookies and clear details on how to make cookie choices.
The practice
What does this mean for your website? Initially the expectation was that every single cookie would have to be explained to, and accepted by, the user. In practice this is widely considered unworkable: the general public is unlikely to understand the intricacies of how cookies affect a website and their experience of using it, so many might instinctively opt out, resulting in an impaired experience on the site and a complete lack of analytical data for the website owner.
However, this is not something that is going to go away, and the requirements also apply to cookies set on mobile devices and other terminal equipment such as internet-enabled televisions.
Our thoughts
So what do we suggest you do?
- We recommend all companies audit how their website uses cookies and remove any that are unnecessary. Also, familiarise yourself with the legislation and the ICO guidelines so you know exactly what websites are required to do.
- We recommend companies publish an official cookie policy for their website that describes which cookies are used and what information is gathered from them. This informs users and puts them at ease about how their information is tracked. An example can be found at the base of the British Telecom website.
- Ultimately, whether to ask for consent, and whether that takes the form of an opt-in or an opt-out, is your choice, as the decision will affect your website or service.
Get in touch
If you would like assistance in complying with the new legislation which comes into effect 26 May 2012 or want to discuss it further, please get in touch:
0191 261 9799
digital@guerilla.co.uk
