EU cookie legislation compliance
[Warning: this is a long post! I’ve tried to make it as comprehensive as possible.]
You may or may not have heard of Cookies. In this context, they’re not yummy biscuits, but small pieces of information that many websites store on your computer, allowing the website to ‘remember’ something. For example, when you comment on a blog, that blog might set a cookie with your name and email address, so the next time you comment there, you won’t have to re-type the same details.
Cookies are often used by advertisers too, sometimes in ways that some will find slightly disconcerting. Imagine you’d done a Google search for ‘cheap flights’. Later that day you’re looking at another, completely unrelated website, and notice adverts for ‘cheap flights’ (or whatever your search term was) on it. What has happened is that an advertising network run by Google set a cookie on your computer, under its own domain, relating to the search; whenever that same domain later serves an advert on any site, your browser sends the cookie back, so the network can show adverts that are ‘more relevant’ to you (and thus more profitable for Google and its advertisers!). Because the cookie belongs to the advertiser’s domain rather than the site you are reading, this kind is known as a third-party cookie.
Traditionally, it has been up to you to ‘opt-out’ if you do not wish cookies to be stored on your computer, via a setting in your browser. Last year, however, the EU passed a law obliging websites based in the EU to obtain users’ ‘opt-in’ to cookie use. A 12-month ‘lead in’ period, allowing companies to comply, ends in May 2012. The problem is that confusion seems to be rife as to exactly what is and isn’t covered by this law, and how compliance could or should be achieved. (No surprise there then?!)
Some browsers already have a ‘Do not track’ setting, which sends a ‘DNT: 1’ header with every request to flag up the fact that you do not want your actions to be tracked or cookies to be stored. However, for now at least, this is not implemented across all browsers, and it relies on websites listening to and complying with your stated preference. The Information Commissioner’s Office (ICO) has indicated in its guidance on the matter that relying on browser settings is not currently a satisfactory approach.
The ICO itself, along with a number of other organisations, has implemented a very visible method of gaining visitors’ consent to cookie use. Assuming they don’t change it, you can see it for yourself here: http://www.ico.gov.uk/. According to this blog post (admittedly rather hyped), this method resulted in a 90% drop in the number of users that the ICO could track via Google Analytics – in other words, the vast majority of people did not click to ‘accept’ cookies. Admittedly, this figure might decrease as users become more used to seeing this kind of message, but still – it’s a pretty harsh statistic. In addition, it’s a pretty intrusive approach. It’s not as annoying as the pop-up messages that some websites have employed, but it’s there nonetheless. My gut feeling is that most users will think ‘What? – don’t understand that one/don’t know enough about it to make a decision’ and ignore it.
In a recent blog post on the matter, Neelie Kroes, Vice President of the European Commission, has stated the need for a common standard as to how website owners, companies and organisations should comply with the new law. That is some indication that, although the law was passed back in May 2011, the route to compliance remains unclear and befuddled.
So what is one to do?
So as a concerned website owner or developer, what is one to do? (disclaimer: I am not a lawyer, these are simply my personal thoughts on the matter as it stands currently)
Unfortunately, it can’t simply be ignored. Despite what I’ve said above, it’s law, online privacy is important and it will become more so.
So firstly, know what cookies your website is leaving on a user’s computer. If you use Firefox, this is easy: click on the favicon to the left of the address bar, click ‘More Information…’, then ‘View Cookies’ in the dialog box that pops up. Two caveats: do this from a fresh browser profile (or after clearing your cookies) so that you see what a first-time visitor receives, and remember that this view lists the cookies stored for your site’s own domain, so cookies set by third-party scripts you embed (advertising networks, analytics) are stored under those domains instead and are easiest to catch by watching the ‘Set-Cookie’ response headers in the browser’s network tools or an intercepting proxy. Perhaps put them all in a table so you can keep track more easily.
Secondly, work out where these are coming from and/or what they are being used for. Add this to your table. For example, any site that runs Google Analytics will leave a set of cookies __utma, __utmb, __utmc and __utmz (Google it to find out more). Note that third-party cookies, and persistent cookies with a long expiry, deserve the closest attention, since those are the ones that can follow a visitor across sites and over time. For more information on the sorts of things you should be looking for, see Page 13 of the ICO guideline doc.
Thirdly, assess how intrusive your use of cookies is; add a column to your table for ‘intrusiveness’ – from high to low. To quote from the ICO guidelines:
“Some of the things you do will have no privacy impact at all and may even help users keep their information safe. Other technologies will simply allow you to improve your website based on information such as which links are used most frequently or which pages get fewest unique views [i.e., to my mind, Google Analytics]. However, some uses of cookies can involve creating detailed profiles of an individual’s browsing activity.”
Fourthly, assess what action you will be taking for each of the cookies which your website uses. My own judgement on this is as follows:
- For intrusive cookies that build up a detailed profile of an individual’s browsing activity (e.g. so you can better target advertising), ideally some sort of prominent notice should be added asking for the user’s agreement to these cookies. Although in reality, given that a ‘Do not track’ standard is still not agreed, it may also be acceptable to state that you are waiting until this has been agreed before implementing a solution.
- For less intrusive cookies, such as Google Analytics, ensure you have a clearly marked section ‘Cookies Info’ within your footer or similar, linking through to a page explaining the use of cookies on your website. The ICO guidelines give some example text:
“Our website uses four cookies. A cookie is a small file of letters and numbers that we put on your computer if you agree. These cookies allow us to distinguish you from other users of the website, which helps us to provide you with a good experience when you browse our website and also allows us to improve our site.
The cookies we use are ‘analytical’ cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the site when they’re using it. This helps us to improve the way our website works, for example by making sure users are finding what they need easily. Read more about the individual analytical cookies we use and how to recognise them [link]”
In addition, it may again be worth noting that you are keeping an eye on the progress of a ‘Do not track’ standard, and if appropriate may implement further measures to gain user agreement when this has been formalised/matured.
- For cookies that are used for specific pieces of functionality on your website, for example for user login or to remember name/email address for blog comments, you could add a note to the relevant login/comment page etc that states that the process uses cookies, and that by continuing with the process, the user implies acceptance of those cookies being placed on their computer.
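The four steps above amount to building an inventory: name, where the cookie came from, how long it lives, and what it is for. The script below is an added example (not code from this post or from the ICO) that does the first three mechanically from captured ‘Set-Cookie’ headers and leaves the purpose column to be filled in, pre-populating it only for the well-known Google Analytics names. It assumes you have captured the responding host and header value for each cookie (from a proxy or the browser’s network panel); the sample capture, the site name www.example.com and the ad-network host are all constructed for illustration, and the two-label domain comparison is a deliberate simplification of the public suffix list.

```python
"""Cookie inventory helper for the four audit steps above.

Added example, not code from the post or the ICO. Input is a list of
(responding host, Set-Cookie header value) pairs captured during a page
load; output is the name / origin / lifetime / purpose table, with
third-party cookies flagged (the browser's per-site view can miss them)."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Well-known cookie names. The __utm* family is the classic Google
# Analytics (ga.js) set; anything not listed is reported for manual review.
KNOWN_PURPOSES = {
    "__utma": "Google Analytics: distinguishes visitors and counts visits",
    "__utmb": "Google Analytics: current session timing",
    "__utmc": "Google Analytics: session (legacy companion to __utmb)",
    "__utmz": "Google Analytics: how the visitor arrived (traffic source)",
}


@dataclass
class CookieRecord:
    name: str
    domain: str
    first_party: bool
    lifetime: str                # "session", "persistent" or "deletion"
    expires: Optional[datetime]
    secure: bool
    http_only: bool
    purpose: str


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption for an offline example;
    a real audit should consult the public suffix list."""
    labels = host.strip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, response_host: str, site_host: str,
                     now: datetime) -> CookieRecord:
    """Parse one Set-Cookie value the way RFC 6265 does: Max-Age takes
    precedence over Expires, and a missing Domain means the responding host."""
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].partition("=")[0].strip()
    attrs, flags = {}, set()
    for piece in pieces[1:]:
        key, has_value, value = piece.partition("=")
        if has_value:
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(key.strip().lower())       # Secure, HttpOnly
    domain = attrs.get("domain", response_host).strip(".").lower()

    expires: Optional[datetime] = None
    if "max-age" in attrs:
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])

    if expires is None:
        lifetime = "session"      # discarded when the browser closes
    elif expires <= now:
        lifetime = "deletion"     # server is clearing an old cookie
    else:
        lifetime = "persistent"

    return CookieRecord(
        name=name, domain=domain,
        first_party=registrable_domain(domain) == registrable_domain(site_host),
        lifetime=lifetime, expires=expires,
        secure="secure" in flags, http_only="httponly" in flags,
        purpose=KNOWN_PURPOSES.get(name, "unknown: look up by hand"),
    )


def inventory(captured, site_host, now):
    """captured: iterable of (responding host, Set-Cookie value) pairs."""
    return [parse_set_cookie(h, host, site_host, now) for host, h in captured]


def render_table(records) -> str:
    rows = ["name | domain | party | lifetime | expires | flags | purpose"]
    for r in records:
        flags = "+".join(n for n, on in (("Secure", r.secure), ("HttpOnly", r.http_only)) if on) or "-"
        exp = r.expires.strftime("%Y-%m-%d") if r.expires else "-"
        rows.append(f"{r.name} | {r.domain} | {'1st' if r.first_party else '3rd'} | "
                    f"{r.lifetime} | {exp} | {flags} | {r.purpose}")
    return "\n".join(rows)


# Constructed sample: one page load of www.example.com that also embeds an
# advert from a (made-up) third-party network.
SAMPLE_SITE = "www.example.com"
SAMPLE_NOW = datetime(2012, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CAPTURE = [
    ("www.example.com", "PHPSESSID=4f1a9c; Path=/; HttpOnly"),
    ("www.example.com", "comment_author=alice; Expires=Wed, 01 May 2013 10:00:00 GMT; Path=/"),
    ("www.example.com", "__utma=1.2.3.4.5; Domain=.example.com; Max-Age=63072000; Path=/"),
    ("www.example.com", "__utmc=1; Domain=.example.com; Path=/"),
    ("ads.example-ads.net", "id=9a8b7c; Domain=.example-ads.net; Expires=Fri, 01 May 2015 10:00:00 GMT; Path=/; Secure"),
    ("www.example.com", "old_pref=; Max-Age=0; Path=/"),
]


def sample_inventory():
    return inventory(SAMPLE_CAPTURE, SAMPLE_SITE, SAMPLE_NOW)


if __name__ == "__main__":
    print(render_table(sample_inventory()))
```

Run against the constructed capture, the table shows one third-party persistent cookie (the ad network’s ‘id’, lasting to 2015), two Google Analytics cookies of which only __utma persists, a session-only login cookie, a one-year comment-author cookie and a ‘Max-Age=0’ header that deletes rather than sets. The ‘intrusiveness’ column from step three is deliberately left to human judgement, but the third-party and persistent flags are what you would weigh first.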
In summary
For my part, I believe there is a lot of worth in what this law is setting out to achieve. As with many things, it’s the practicality of it that may yet prove its downfall. In the meanwhile, I at least am willing to take sensible, proportionate measures to ensure transparency to my users – making the relevant information clearly available (it’s on my to-do list now!). What I’m not willing to do at the moment is to implement a silly pop-up which will adversely affect user browsing experience, and baffle the vast majority of my visitors.
I’ll be keeping a close eye on the progress of Neelie Kroes’s so-called ‘Do not track’ standard, and also the Privacy Policy/Cookie Info on sites such as http://www.number10.gov.uk/privacy-policy/ and http://www.parliament.uk/site-information/privacy/. At the time of writing, there is no Cookie ‘Opt-in’ mechanism in sight.
Watch this space for updates, and if you’d like a hand with implementing any of the above for your own website, please get in touch.