I’ve been a little quiet recently and let my fantastic team do most of the blogging, research on new technologies and all the fun things like that. Now I’m back though and here to tell you all about a new EU law that comes into force on the 26th May 2012. Sounds a bit dull, right? Listen up though because there is the potential to be fined up to £500,000 for non-compliance.
Cookies?
The law is mainly about Cookies (and they are the bit we’re really interested in), no not the ones we love to munch in the office here but rather the small text files that websites sometimes store on your computer. They are used by millions of sites worldwide to store information about your visit to the site, your preferences and in some cases your login information. Most people will never notice these little files working their magic in the background unless you’ve come across a site complaining that your browser settings do not allow Cookies.
Ok tell me more about this Law…
The law was actually passed in May 2011 in the UK in response to a 2009 EU Directive, but the Information Commissioner’s Office (ICO) gave businesses until May 2012 to comply with the new legislation. The main thrust of this law is that website owners must seek the permission of visitors before a cookie is stored on said visitor’s machine. The ICO website is actually a perfect example of what we mean here, as the first thing you notice at the top of the page is this notice…
The law also states that you should say what type of cookie is to be used and what the cookie will be used for, something that the ICO website does not do, or at least not very clearly.
The specific wording of the law is as follows (courtesy of the ICO website)…
Cookies or similar tracking methods must not be used unless the subscriber or user of the relevant terminal equipment:
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
One important note about this law is that it applies to businesses based in the UK, not just those sites that are hosted on servers in the UK (or Europe for that matter). What this means is that you cannot simply move your hosting, to a company in the States for example, to escape the law.
Hang on, my website requires cookies to work, what if visitors choose no?
Ah well, now this is where the law starts to get a bit woolly, well in my opinion anyway. The ICO website also says this…
The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used:
- for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
- where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.
If you read on a little more from the above, it mentions cookies used for shopping carts, logging in to websites and the like. Basically, anywhere the user has specifically requested to use said service is an acceptable instance where you do not need to seek specific permission from the user, because they are implying that permission by wishing to use the service.
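To make the permission requirement and the “strictly necessary” exemption concrete, here is a small consent gate written for this post as an added example (it is not code from the original article, the ICO, or any of the plugins mentioned). It keeps a catalogue of each cookie with its stated purpose, lets strictly necessary cookies (session, basket, the consent record itself) through at any time, and refuses to store anything else until the visitor has granted consent. The cookie names and purposes are constructed for the example, and a plain object stands in for the browser’s `document.cookie` so the code runs in Node as well as in a page.

```javascript
// Added example, not part of the original post. Cookie names and purposes
// below are constructed; an in-memory object stands in for document.cookie.

// Every cookie the site sets, with the purpose you would show the visitor and
// whether it is "strictly necessary" for a service the visitor asked for.
const COOKIE_CATALOGUE = {
  session_id:     { purpose: "Keeps you logged in during your visit",            essential: true },
  basket:         { purpose: "Remembers the items in your shopping cart",        essential: true },
  cookie_consent: { purpose: "Records whether you accepted optional cookies",    essential: true },
  _ga:            { purpose: "Anonymous, aggregated visitor statistics",         essential: false },
  ab_variant:     { purpose: "Assigns you to an A/B test of page layouts",       essential: false },
};

class ConsentGate {
  constructor(store) {
    this.store = store;    // cookie jar: { name: value }
    this.blocked = [];     // audit trail of writes the gate refused
  }

  hasConsent() {
    return this.store.cookie_consent === "granted";
  }

  grantConsent() {
    // The consent record is itself essential: without it the choice is lost.
    this.store.cookie_consent = "granted";
  }

  withdrawConsent() {
    delete this.store.cookie_consent;
    // Withdrawing consent also clears every non-essential cookie already set.
    for (const name of Object.keys(this.store)) {
      const entry = COOKIE_CATALOGUE[name];
      if (!entry || !entry.essential) delete this.store[name];
    }
  }

  // Returns true if the cookie was stored, false if the gate refused it.
  setCookie(name, value) {
    const entry = COOKIE_CATALOGUE[name];
    if (!entry) {
      // No declared purpose means the visitor could not have been informed.
      this.blocked.push({ name, reason: "not in catalogue" });
      return false;
    }
    if (!entry.essential && !this.hasConsent()) {
      this.blocked.push({ name, reason: "no consent" });
      return false;
    }
    this.store[name] = value;
    return true;
  }
}

// Lines for the notice: one per cookie, purpose and category spelled out.
function describeCookies(catalogue = COOKIE_CATALOGUE) {
  return Object.entries(catalogue).map(([name, entry]) =>
    `${name}: ${entry.purpose} (${entry.essential ? "strictly necessary" : "needs your consent"})`);
}

// Walk through a visit: essential cookies first, analytics only after consent.
function runVisit() {
  const jar = {};
  const gate = new ConsentGate(jar);
  gate.setCookie("session_id", "s-0001");   // allowed before consent
  gate.setCookie("_ga", "GA1.2.example");    // refused: visitor has not consented
  gate.grantConsent();
  gate.setCookie("_ga", "GA1.2.example");    // now allowed
  return { jar, blocked: gate.blocked };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(describeCookies().join("\n"));
  console.log(runVisit());
}
```

In a real page the `store` would be a thin wrapper that reads and writes `document.cookie`, and the analytics snippet would only be loaded once `hasConsent()` returns true; the useful part is the audit trail in `blocked`, which shows you exactly which scripts on your site try to drop cookies before the visitor has been asked.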
What about other issues that could arise?
We can see a few issues that may occur as a result of this law and compliance with it. Those include higher bounce rates on your site, lower usability and ultimately more cost for UK businesses. An article in the Telegraph says that the directive could cost UK businesses £10 billion. Millions of websites also use Google Analytics and other statistics tracking packages, but in principle at least these are lower down the pecking order in terms of enforcement because the data is anonymous and aggregated. This doesn’t mean that you are clear as far as the law goes though, especially as these cookies are neither specifically requested by the visitor nor essential to the website’s function. My advice is to get some form of policy in place that informs users of the cookies’ use.
Ok what should I do to make my website compliant?
As with most of these things, the ICO and government in general will not tell you what to do in order to be compliant. It’s up to you to decide what changes you implement and why, but as usual if you get it wrong I’m sure they will penalise you. Because of the legalities involved, I too cannot tell you what you need to do in this post, although I am more than willing to analyse any site on its individual merits.
For now let me leave you with these points to consider…
- Read the information on the ICO website to get a fuller understanding
- Ensure your site has a privacy policy and it’s up to date
- Consult your web company and/or a lawyer with specific expertise in digital issues
Compliance examples
- BT is leading the charge of all the major corporate sites. Not too easy, or cheap, to implement though.
- A much easier solution for the moment is like the one from E-consultancy.
Further resources
- If you have a WordPress site, this plugin may be of use http://wordpress.org/extend/plugins/eu-cookies-plugin/
- A 10 point best practice guide for working with Google Analytics and the EU privacy directive
- A month to go on Cookie Law: Will Google Analytics get a free pass? – The Register
- It’s not about cookies, it’s about privacy on the Cabinet Office website
- If you just want a solution that appears to satisfy all the criteria, Optanon offers a neat one, albeit not for free.
{UPDATED Monday 28th May 2012, 09:50}
Back to work on a Monday morning and we have some news for you all on this (we actually heard about it last week but wanted to wait for the dust to settle before we shared it with you). It looks like the ICO has made a little U-turn on the way it is advising websites to be compliant. They posted on their blog on 25th May saying they had reconsidered the way in which visitors to sites are considered to have granted permission for cookies to be used. The key points are as follows…
- Consent for cookies is now considered to be granted / implied just when you visit a website
- Explicit consent is no longer required by the law
- This may put the UK out of step with the rest of the EU and could lead to legal battles in UK and EU courts
In light of this news our position on the issue remains unchanged. We still recommend that you update your site’s Privacy Policy, make sure that any cookies you do use are absolutely necessary, and tell your users very clearly what you are doing with them and their data. While we are not legal experts and cannot dish out legally sound advice, this is our opinion and therefore the method we are going to follow.
These websites have all clearly spent a little on becoming compliant only to find out now that it’s not needed. It will be interesting to see if they keep their notices or remove them now the guidance has been updated. We’ll try to keep you updated.
DISCLAIMER
Please note that I am not a lawyer and StudioWorks does not have any legal basis on which to offer you advice on how to be compliant with this law. I am simply pointing out my thoughts on the issues and suggest you seek further legal advice. Of course we can advise you on how to implement any changes you wish to make on a technical level.