This is a working guide to the EU Cookie Law and what it means to Website Owners within the UK. It is meant to document my research and understanding of the Law and hence my responsibilities as a website owner. It is not meant as legally binding advice for any other website owners, although I hope it does help you draw your own conclusions. I would welcome any feedback and thoughts from other webmeisters or legal minds. I am not a legal expert and cannot / will not provide such advice, and you should discuss your requirements with an EU Specialist Lawyer.
The Cookie Law
On 26 May 2012 the UK’s Information Commissioner’s Office (ICO) imposes an EU directive designed to protect internet users’ privacy. Under it, websites must:
- Tell people that the cookies are there
- Explain what the cookies are doing
- Obtain visitors’ consent to store a cookie on their device
What is a Cookie?
If you do not know what a cookie is then I really recommend this YouTube video:
Silktide, the company behind the video, also have a page explaining more about cookies and the law.
What should you do?
For starters, don’t panic!
As reported by BBC News [BBC#1] – 95% of 55 major UK-based organisations surveyed on behalf of KPMG were still not compliant with the cookie law at the end of last month.
You will also appreciate from your own browsing experience and a probable complete lack of knowledge about this law that many website owners have either no knowledge themselves or have just elected to ignore the law.
Ignoring the law, although a common approach, is probably not a legally sound one.
Read up on the topic
There are a lot of guides to the Cookie Law online and even more blog posts claiming to explain it.
- Information Commissioner’s Office (ICO) – Guide to Cookies
- Cookie Law website - http://www.cookielaw.org/ (Commercial Website)
There appear to be three types of Cookie that should be addressed to ensure a website is compliant with the law:
Operational but Non-Essential Cookies
Non-Essential (Tracking) Cookies
Non-Essential Cookies, particularly of the tracking kind (Google Analytics/StatCounter), are where the problems really start, and at the time of writing the guidance is varied and contradictory.
How to make your website compliant?
Find out what Cookies your Website uses.
There are a few tools on the web which will tell you what Cookies your website is storing, such as this Chrome extension by Attacat. If you are going to use Attacat, take care as it will scan all tabs and all cookies available. So that my report was not contaminated, I installed this onto Chrome running inside a Virtual Machine, but here are screenshots from the report for this site:
There are already commercial companies setting themselves up to provide this service at a cost e.g. CookieLaw.
Essential Cookies and Operational Cookies
You should advise visitors that they can turn off cookies within their browser settings and ideally provide links to the appropriate help pages for common browsers. The About Cookies Organisation maintain a page providing such information for most major browsers.
Non-Essential Tracking Cookies
Until very recently the default response to the law and the issue of tracking cookies was that some form of Opt In/Out system must be implemented. However, looking at the current wave of reporting online, it would seem that this is not the case.
StatCounter, who provide an alternative but similar service to Google Analytics, have posted their response to dealing with Tracking Cookies, which acknowledges the UK’s practical approach to this law.
As reported on E-Consultancy, the Government doesn’t seem particularly worried about this type of Cookie when used in relation to Web Analytics (e.g. Google Analytics):
The government’s argument: The Government Digital Service (GDS) takes the view that web analytics are “essential to the effective operation of government websites” and that “at present the setting of cookies is the most effective way of doing this”. Further, they feel that web analytics cookies are “minimally intrusive” and that “their usage tends to be controlled by the first-party”.
A Personal Conclusion
Good luck to anyone trying to decide on a policy for their company and/or website at this time. The information seems varied and I get a feeling there is a good chance it will go the way of browser control and rely upon public awareness. Obviously companies exploiting Cookies and using them to gain information that is not considered ‘normal’ for the operation of a modern website will get nailed in the legal sense.
References (may or may not be included within page text)
- BBC – 18th April 2012 – http://www.bbc.co.uk/
- SILKTIDE - http://silktide.com/
- ICO – privacy and electronic communications – the guide to cookies