Cookie Law Compliance: Update
The deadline for businesses to implement the new EU cookies law (26th May) is fast approaching, so time for a quick update on this issue (you can read my previous post on the matter here: https://www.hexagonwebworks.com/2012/eu-cookie-legislation-compliance/).
Statements from both the Information Commissioner’s Office (ICO – the UK’s data protection watchdog) and Ed Vaizey (Culture Minister) indicate that although the new requirements are law, and should be taken seriously, a common-sense approach will be taken when it comes to enforcement. So far so good.
ICC Guidance
The International Chamber of Commerce (ICC) UK has just (April 2012) issued new guidance (PDF doc) on cookies, which has apparently been welcomed by the ICO. The guide categorises cookies into four groups, and includes wording that website owners can use when asking for cookies consent.
The categories are as follows:
- Category 1: Strictly necessary cookies (enable services the user has specifically asked for)
- Category 2: Performance cookies (collect anonymous information on the pages visited – e.g. Google Analytics)
- Category 3: Functionality cookies (remember choices the user makes to improve experience – e.g. remembering user’s name when they leave a comment – so they don’t have to enter it again next time they visit)
- Category 4: Targeting cookies or advertising cookies (collect information about user’s browsing habits in order to target advertising)
Analytics Cookies
With reference to analytics cookies in particular (e.g. cookies used by Google Analytics to track visitors to your website), the ICO has stated that:
“We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.”
“In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.”
What you need to do
Having read through a number of further articles on the subject, and also the speech given by Ed Vaizey recently, my feelings are now as follows:
One
You DO need to take this seriously, and establish what cookies your website uses.
Two
It is important that you make this information available to users on your website – and make it accessible and clearly labelled (‘Cookies Info’ for example).
Three
You should then assess the most appropriate way to gain user consent to cookies. The approach you take will depend on the type of cookie. The ICC guidance document seems to suggest the following:
- For cookies in Category 1 – no consent is required
- For cookies in Category 2 – obtain consent by functional use, i.e. on your Cookies page, state something akin to the following: ‘By using our website, you agree that we can place these types of cookies on your device’.
- For cookies in Category 3 – obtain consent as for Category 2, or by obtaining ‘function’ or ‘setting’ led consent, i.e. at the point where the user uses the function which sets the cookie (e.g. WordPress comment form), state something like ‘When you choose to use this form, you agree that we can store cookies on your device’ (you may wish to be more explicit about what the cookies are stored for – or link through to your Cookies page with this info).
- For cookies in Category 4 – obtain consent in a more obtrusive manner, perhaps via a pop-up or distinct notice with opt-in checkbox.
If you are struggling with this and would like further advice or the above implemented on your website, let me know!
Sources/Further Reading:
- Blog post from Pinsent Masons law firm: http://www.out-law.com/en/articles/2012/april/enforcement-of-cookie-consent-rules-for-analytics-not-a-priority-ico-says/
- Ed Vaizey speech: http://www.culture.gov.uk/news/ministers_speeches/8992.aspx
- ICC Blog post: http://www.international-chamber.co.uk/blog/2012/04/02/launch-of-icc-uk-cookie-guide/
- ICC Guide: http://www.international-chamber.co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cookie_guide.pdf
Great simple article. I am trying to find out how to deal with Cookies and WordPress in particular. Your post has cleared up a lot of my questions.
So, the comments section on a WordPress site does not need a Pop-Up for approval by the user, just a message near the Submit button and possibly a link to a page/pdf with more info on how cookies are used on the site. Is this correct?
I have always thought that you would need consent for using GA cookies though, using a Pop Up for example. Is this the case still?
Thanks
Huw – thanks for your comment, and sorry for the delay in replying.
I think it very much depends on your interpretation! I personally feel that if you have a clearly labelled Cookies page, listing in plain English all your cookies & what they do, and for the Comments form have a note in the template, as you say, near the Submit button, which explains that using the form constitutes acceptance of the cookies it uses, you should be ok. Having said that, I am a web designer not a lawyer!
Of course, if you are using plugins/cookies (advertising cookies for example) which are more intrusive and facilitate tracking of behaviour/user searches across multiple sites, I do think you need a different solution – a pop up or the like.