If you own a website then you should be aware of the EU Cookie Law that came into effect as far back as May of last year (2011). In the past the EU has been accused of creating lakes of wine and mountains of beef, but this time there is no food involved, but rather a bit of a hash of legislation about relatively innocuous text files.
What exactly is a cookie?
There is a rather long description of cookies over at Wikipedia, but in essence a cookie can be described as follows:
A cookie is a small text file placed on your computer by a web browser that allows a website to identify your computer every time it accesses the site.
Good old Aunty Beeb has a nice page on the subject.
Do cookies hold personal information?
Very rarely. The typical data held in a cookie is a unique ID (normally a random sequence of letters and numbers), the address of the website to which it pertains, and an expiry date after which the browser will normally delete the cookie. That information is then used to hold relevant information on the website’s back-end database.
Why are they used?
All sorts of reasons, but frequent uses include:
- Website analytics, so that, for example, all pages viewed during a single visit to the site can be grouped as a single visitor’s ‘session’.
- On shopping sites, the contents of a shopping cart are normally managed using cookies so that your basket isn’t suddenly emptied when you leave a page.
- Maintaining user preferences (e.g. language) from one visit to the next.
There have also been some uses that have been considered less than above board. Facebook, we’re looking at you.
So what’s changed now?
The EU have decreed that member countries need to introduce legislation obliging all website owners to ensure that their websites obtain consent from users to add cookies to their PCs. There are exceptions for cookies that are essential to the functionality of the website (such as shopping basket cookies), but otherwise nothing should be stored if consent hasn’t been gained.
Consent cannot be implied through something such as a privacy policy, as you cannot guarantee that the policy will be read before cookies are set. Neither can you assume that the user will have reviewed their browser’s cookie settings, and thus imply acceptance from that.
The ICO have recently issued a guidance document to try to clarify matters.
It’s important, right now, to realise that UK website owners are currently within a 12-month grace period for applying the necessary changes to their websites. So you have until 25th May to ensure your websites are compliant.
What should I do?
That really depends on your website. If you do not use cookies then you do not have to do anything. If you only use ‘essential’ cookies then again you are OK, apart from needing to ensure that your website contains details of those cookies somewhere accessible – preferably a separate page.
The biggest dilemma is what to do if you use a website analytics service that relies on cookies being set, such as the ever popular Google Analytics. At the moment the ICO Guidance document linked to above states that analytics are not ‘essential’ and so consent must be gained.
Unfortunately that is likely to completely negate the effectiveness of the analytic data gathered.
To illustrate, the ICO themselves released information on the impact of gaining consent on their website analytics. The visitor figures, which were very consistent leading up to the implementation, subsequently dropped by 90%! That doesn’t mean that visitor numbers actually decreased, simply that only 10% of visitors agreed to accept cookies. Suddenly, the ICO have a lot less data about their website visitors with which to inform their marketing.
As a developer I know that many businesses live or die by the effectiveness of their website, and use analytic data as the means of measuring the effectiveness of various online (and offline) marketing efforts. However, I cannot recommend that a legal requirement be ignored, especially when the ICO have explicitly stated that consent should be gained for analytic cookies.
What I would instead recommend is:
- Determine which cookies your website creates. The simplest way would be to look at your browser’s cookies having visited the site and carried out all the relevant tasks possible on the site. It would probably be sensible to use a separate browser install (e.g. use IE for the test if normally you use Chrome for browsing) so that you can clear all cookies first and ensure the browser settings don’t block any cookies.
- Don’t rush into changes. Nothing will happen before 25th May, so you should plan any changes for implementation before then. Since there is likely to be an impact on the effectiveness of your website, it’s best to make the change as late as possible. Don’t assume, though, that your web developer will be free in the run up to that date; best to book their time early.
- Form your own view. Become familiar with the legislation and make sure you’re comfortable with the chosen course of action. Ultimately, it’s your website, so you carry the can if it’s deemed to be non-compliant.
- Question your analytic provider’s efforts. Analytics stand to be hard hit by this legislation, so it would be sensible for them to change the product so that it does not require cookies. Google’s Analytics Blog has yet to confirm or deny rumours that they will alter their product, but the smart money is on them doing so, or putting pressure on the EU to exempt analytics cookies.
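As an added example (not code from the original article, from Four Lakes, or from any analytics provider), the script below turns the first step above, working out which cookies your site sets, into a repeatable check instead of a manual look through the browser’s cookie list. It parses captured Set-Cookie response headers, records each cookie’s name, domain, path, expiry and flags, and splits them into those the site owner has classified as essential and those that would need consent before being set. The sample headers, the capture time and the ESSENTIAL_COOKIES allow-list are constructed assumptions; the names only resemble a PHP session id, a shopping basket cookie and a Google Analytics client id, and which cookies count as essential remains the site owner’s decision, as the article says.

```python
"""Cookie audit for the EU Cookie Law: classify what a site sets.

Added example. The Set-Cookie headers, the capture time and the allow-list of
'essential' cookies below are all constructed assumptions, not data from the
article; the cookie names merely resemble a PHP session id, a shopping
basket and a Google Analytics client id.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers as captured from a site's responses
# (browser developer tools or `curl -sI` would give you the real ones).
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=8f3a2c9e1b; Path=/; HttpOnly; Secure",
    "basket=ID%3D4711; Path=/shop; Max-Age=1800; Secure",
    "_ga=GA1.2.123456789.1335000000; Domain=.example.co.uk; Path=/; "
    "Expires=Thu, 25 Apr 2014 10:00:00 GMT",
    "lang=en-GB; Path=/; Expires=Wed, 25 Apr 2013 10:00:00 GMT",
]

# Assumption: the site owner has reviewed each cookie and decided these two
# are strictly necessary (session, shopping basket). Everything else is
# treated as requiring consent before it is set.
ESSENTIAL_COOKIES = {"PHPSESSID", "basket"}

# Fixed capture time so that expiry arithmetic is reproducible.
CAPTURED_AT = datetime(2012, 4, 25, 10, 0, 0, tzinfo=timezone.utc)


def parse_set_cookie(header, captured_at=CAPTURED_AT):
    """Describe the single cookie carried by one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    if len(jar) != 1:
        raise ValueError("could not parse a cookie from: %r" % header)
    name, morsel = next(iter(jar.items()))
    expires = None
    if morsel["max-age"]:
        # Max-Age wins over Expires when both are present (RFC 6265, 4.1.2.2).
        expires = captured_at + timedelta(seconds=int(morsel["max-age"]))
    elif morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
    return {
        "name": name,
        "domain": morsel["domain"] or "(host only)",
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        # No expiry means a session cookie: gone when the browser closes.
        "lifetime": "session" if expires is None else "persistent",
        "expires": expires,
        "days_remaining": None if expires is None else (expires - captured_at).days,
        "essential": name in ESSENTIAL_COOKIES,
    }


def audit_cookies(headers, captured_at=CAPTURED_AT):
    """Parse every header; return (all cookies, names needing consent, essential names)."""
    cookies = [parse_set_cookie(h, captured_at) for h in headers]
    needs_consent = [c["name"] for c in cookies if not c["essential"]]
    essential = [c["name"] for c in cookies if c["essential"]]
    return cookies, needs_consent, essential


def describe(cookie):
    """One line per cookie, in the form a site's cookie-details page needs."""
    if cookie["expires"] is None:
        when = "deleted when the browser closes"
    else:
        when = "expires %s (%d days)" % (
            cookie["expires"].strftime("%Y-%m-%d"), cookie["days_remaining"])
    flags = [f for f, on in (("Secure", cookie["secure"]),
                             ("HttpOnly", cookie["httponly"])) if on]
    status = "essential" if cookie["essential"] else "REQUIRES CONSENT"
    return "%-10s domain=%-16s %s; flags=%s; %s" % (
        cookie["name"], cookie["domain"], when, ",".join(flags) or "none", status)


if __name__ == "__main__":
    cookies, needs_consent, essential = audit_cookies(SAMPLE_SET_COOKIE_HEADERS)
    for cookie in cookies:
        print(describe(cookie))
    print("Set without consent (essential):", ", ".join(essential))
    print("Must not be set before consent:", ", ".join(needs_consent))
```

Run it against the Set-Cookie lines captured from every page and action on your site, with cookies cleared first as the article suggests. The output of `describe` doubles as the raw material for the separate page listing your cookies, and the persistent, domain-wide `_ga` entry is exactly the kind of analytics cookie the article says the ICO guidance treats as non-essential.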
Here at Four Lakes we are keeping a close eye on the legislation and also on solutions that may minimise the impact on analytics, particularly for WordPress-based websites.
Good article!
We’ve been working on a compliance solution which is available here: http://www.civicuk.com/cookie-law.
The aim is to provide a consent solution that works regardless of your approach to compliance.
As a consent solution it’s pretty lightweight – we’ve tried to make it as unobtrusive as possible.
Thanks Mark. I have seen your solution, and it’s very nice. I think any website owner should definitely consider it on their shortlist of compliance fixes.
I live in hope that this will not be needed for analytics, as anything that significantly reduces the amount of data an analytics service can gather is going to compromise the whole premise of analytics. After all, if you know that only 10% or 20% of your visitors are being recorded, and aren’t even sure that’s a representative sample, then can you trust what your analytics are telling you?
Thanks Colman for a very informative article. I knew nothing about the upcoming EU Cookie Law. Thanks for keeping me informed.