Cookie Law: Dead in the Water?

Cookie Consent Widget

At last the Information Commissioner has bowed to the inevitable and further watered down the UK Cookie Law.

As of today websites can officially accept set cookies without asking first, rendering more or less meaningless one of the most pointless – and unenforceable – laws in recent years.

So hopefully that will spell the end for one of the most annoying features ever to have to hit the web: the cookie consent widget.

These annoying little blighters have been springing up on websites for the past year or so – asking everyone if it’s okay to set cookies.

The Cookie Law just annoys people

Some would disappear if you ignored them, others refused to go away and tracked you right through a site and others popped up again as soon as you said yes or no to their insistent demands.

[caption id="attachment_604" align="alignright" width="283"]Cookie Consent Widget Goodbye Cookie Control – We won’t miss you[/caption]

As a website owner, if you set yours according to the letter of the law then your site would not record statistics until the site visitor agreed, and social media add ons like Facebook Like buttons would not work.

So until people agreed you could not measure them, meaning your website statistics only recorded some of the visitors to your site.

We always advocated a lighter approach in our blog posts on the Cookie Law and Complying with the Cookie Law.

To be fair the Cookie Law was the biggest bane on usability since the arrival of Flash websites.

Cookie warning notice

But now it is dead. All you have to do is have a cookie notice on your site – and that’s it. Not even an annoying widget.

It would appear to be a victory for common sense, although the ICO is portraying it as ‘job done’. More likely that it was a totally unworkable piece of legislation that has been nothing but a gigantic pain for everyone as it changed, changed and changed again.

So will you miss the Cookie Law? Was it a good thing? Add your views below.

More information

ICO to change cookie policy to recognise implied consent – Out-Law.com

Changes to cookies on our website – Information Commissioner’s Office

The easy way to comply with the EU Cookie Law

The Cookie Monster

There has been much talk about the EU Cookie Law, which came into force in the UK in May this year, as well as scaremongering about big fines for non-compliance.

Since this post was first written in July 2012 the interpretation of the law has been relaxed again. See our latest blog post on the issue. But the position changes repeatedly, so see webdevlaw.uk for the latest updates.

The truth, while a little hazy at times, is somewhat simpler and a lot less intimidating. It’s really not that difficult to set yourself on the road to compliance, which is what the authorities are looking for.

[caption id="attachment_611" align="alignright" width="300"]The Cookie Monster Cookie Monster[/caption]

The following is our interpretation of how to put yourself on the road to complying with the new EU Cookie Law and should work for you as long as you are not using any overly intrusive cookies that gather sensitive data.

It is not intended as definitive advice and if you need that you should consult the Information Commissioner’s Office(ICO) directly or see a lawyer. For full advice see the ICO’s latest guidance (PDF download)

The law is far from clear and it’s early days yet. The position may change but right now complying with the law – or at least avoiding unwanted attention from the ICO – is relatively straightforward for most of us and should not involve a great deal of work.

Remember that the ICO will be satisfied if you are ‘working towards compliance’ and to do that you need to follow the steps below. The good news is this need only take an hour.

Do a cookie audit

As a website owner, you need to understand what cookies your website is setting and what they do.

The way to do this is to use a free tool that checks your site. There is no need to spend a fortune on doing this – or even any money at all.

If you use Google Chrome a simple free browser extension is available from Attacat. Full details and the extension itself are available on this page: http://www.attacat.co.uk/brain/cookie-audit-tool-v2#axzz1xOHSYlZ1

You don’t have to register to get it, and it will also give you an indication as to how instrusive any cookies you use are.

Another solution, especially if you use Mozilla Firefox, is the Firefox web developer toolbar, which includes a cookie auditing tool. The extension is available here: https://addons.mozilla.org/en-US/firefox/addon/web-developer/

Remember, it’s not an exact science and a cookie audit may not pick up everything your site generates. You only have to show that you are taking steps towards complying in full.

When you have done your audit you need to assess each cookie and what it does. If there’s anything you don’t understand you will need to talk to your web design company.

You can also Google the name of the cookie to find out what it does.

Publish the information

It’s actually been law to publish cookie information on your site since 2003, something that many people have ignored.

It’s usually hidden in the site’s Privacy Policy (if you have one) but now you have to make it easier to find.

It should also be in plain English and easy to understand, so there’s no room for legal jargon and geek speak.

You will need to create a new page for your Cookies Policy. You need to tell people what cookies you use (not necessarily naming them all) and what each one does.

It’s helpful to point people to instructions on how to turn cookies off using their browser controls. This page at aboutcookies is useful.

This page at whoishostingthis.com offers a comprehensive guide for the lay person and the developer.

Consent

The ICO’s line on this is clear – you must have consent. But that seems to extend to implied consent, where you can assume consent has been given, so long as you make it easy for people to withdraw their consent and not accept cookies.

But while the law makes no distinction between ‘good’ cookies and ‘bad’ ones, in practice the ICO will. So for many sites that do not collect sensitive information, covering the first three steps should be enough for now at least.

What are others doing?

It’s a good idea to look at what the big boys do. If you have visited any of the sites below before, clear your cookies first before using these links.

The BBC went live with their cookie advice a few days before the May 26 deadline, but when the emphasis went to implied consent they scaled it back. The banner appears only once and assumes consent.

ITV is doing even less. Its cookie statement is in their website footer, and again assumes consent.

BT uses lots of cookies and therefore spent a lot of time and money on developing their solution, with a sliding scale where users can set their preferences, but even they are assuming consent has been given.

John Lewis adopt the same approach, with a subtle banner at the top that disappears once you move to another page.

See The Cookie Law made simple – for more background on the law.

photo credit: nettsu via photopin cc