This is a working guide to the EU Cookie Law and what it means to website owners within the UK. It is meant to document my research and understanding of the law and hence my responsibilities as a website owner. It is not meant as legally binding advice for any other website owners, although I hope it does help you draw your own conclusions. I would welcome any feedback and thoughts from other webmeisters or legal minds. I am not a legal expert and cannot / will not provide such advice, and you should discuss your requirements with an EU specialist lawyer.
On 26 May 2012 the UK’s Information Commissioner’s Office (ICO) imposes an EU directive designed to protect internet users’ privacy.
If you do not know what a cookie is then I really recommend this YouTube video:
Silktide, the company behind the video, also have a page explaining more about cookies and the law.
As reported by BBC News [BBC#1] – 95% of 55 major UK-based organisations surveyed on behalf of KPMG were still not compliant with the cookie law at the end of last month.
You will also appreciate from your own browsing experience and a probable complete lack of knowledge about this law that many website owners have either no knowledge themselves or have just elected to ignore the law.
Ignoring the law, although a common approach, is probably not a legally sound one.
There are a lot of guides to the Cookie Law online and even more blog posts claiming to explain it.
There appear to be three types of Cookie that should be addressed to ensure a website is compliant with the law:
Non-essential cookies, particularly of the tracking kind (Google Analytics/StatCounter), are where the problems really start, and at the time of writing the guidance is varied and contradictory.
There are a few tools on the web which will tell you what cookies your website is storing, such as this Chrome extension by Attacat. If you are going to use Attacat, take care, as it will scan all tabs and all cookies available. So that my report was not contaminated, I installed this onto Chrome running inside a virtual machine. Here are screenshots from the report for this site:
There are already commercial companies setting themselves up to provide this service at a cost e.g. CookieLaw.
You should advise visitors that they can turn off cookies within their browser settings and ideally provide links to the appropriate help pages for common browsers. The About Cookies Organisation maintain a page providing such information for most major browsers.
Until very recently the default response to the law and the issue of tracking cookies was that some form of opt-in/opt-out system must be implemented. However, looking at the current wave of reporting online, it would seem that this is not the case.
StatCounter, who provide an alternative but similar service to Google Analytics, have posted their response to dealing with tracking cookies, which acknowledges the UK's practical approach to this law.
As reported on E-Consultancy, the Government doesn't seem particularly worried about this type of cookie when used in relation to web analytics (e.g. Google Analytics).
The government’s argument: The Government Digital Service (GDS) takes the view that web analytics are “essential to the effective operation of government websites” and that “at present the setting of cookies is the most effective way of doing this”. Further, they feel that web analytics cookies are “minimally intrusive” and that “their usage tends to be controlled by the first-party”.
Good luck to anyone trying to decide on a policy for their company and/or website at this time. The information seems varied and I get a feeling there is a good chance it will go the way of browser control and rely upon public awareness. Obviously companies exploiting Cookies and using them to gain information that is not considered ‘normal’ for the operation of a modern website will get nailed in the legal sense.