There has been much talk about the EU Cookie Law, which came into force in the UK in May this year, as well as scaremongering about big fines for non-compliance.
Since this post was first written in July 2012 the interpretation of the law has been relaxed again. See our latest blog post on the issue. But the position changes repeatedly, so see webdevlaw.uk for the latest updates.
The truth, while a little hazy at times, is somewhat simpler and a lot less intimidating. It’s really not that difficult to set yourself on the road to compliance, which is what the authorities are looking for.
The following is our interpretation of how to put yourself on the road to complying with the new EU Cookie Law and should work for you as long as you are not using any overly intrusive cookies that gather sensitive data.
It is not intended as definitive advice; if you need that, you should consult the Information Commissioner’s Office (ICO) directly or see a lawyer. For full advice see the ICO’s latest guidance (PDF download).
The law is far from clear and it’s early days yet. The position may change but right now complying with the law – or at least avoiding unwanted attention from the ICO – is relatively straightforward for most of us and should not involve a great deal of work.
Remember that the ICO will be satisfied if you are ‘working towards compliance’ and to do that you need to follow the steps below. The good news is this need only take an hour.
Do a cookie audit
As a website owner, you need to understand what cookies your website is setting and what they do.
The way to do this is to use a free tool that checks your site. There is no need to spend a fortune on doing this – or even any money at all.
If you use Google Chrome a simple free browser extension is available from Attacat. Full details and the extension itself are available on this page: http://www.attacat.co.uk/brain/cookie-audit-tool-v2#axzz1xOHSYlZ1
You don’t have to register to get it, and it will also give you an indication as to how intrusive any cookies you use are.
Another solution, especially if you use Mozilla Firefox, is the Firefox web developer toolbar, which includes a cookie auditing tool. The extension is available here: https://addons.mozilla.org/en-US/firefox/addon/web-developer/
Remember, it’s not an exact science and a cookie audit may not pick up everything your site generates. You only have to show that you are taking steps towards complying in full.
When you have done your audit you need to assess each cookie and what it does. If there’s anything you don’t understand you will need to talk to your web design company.
You can also Google the name of the cookie to find out what it does.
Publish the information
It’s actually been law to publish cookie information on your site since 2003, something that many people have ignored.
It should also be in plain English and easy to understand, so there’s no room for legal jargon and geek speak.
You will need to create a new page for your Cookies Policy. You need to tell people what cookies you use (not necessarily naming them all) and what each one does.
It’s helpful to point people to instructions on how to turn cookies off using their browser controls. This page at aboutcookies is useful.
This page at whoishostingthis.com offers a comprehensive guide for the lay person and the developer.
The ICO’s line on this is clear – you must have consent. But that seems to extend to implied consent, where you can assume consent has been given, so long as you make it easy for people to withdraw their consent and not accept cookies.
But while the law makes no distinction between ‘good’ cookies and ‘bad’ ones, in practice the ICO will. So for many sites that do not collect sensitive information, covering the first three steps should be enough for now at least.
What are others doing?
It’s a good idea to look at what the big boys do. If you have visited any of the sites below before, clear your cookies first before using these links.
The BBC went live with their cookie advice a few days before the May 26 deadline, but when the emphasis went to implied consent they scaled it back. The banner appears only once and assumes consent.
ITV is doing even less. Its cookie statement is in its website footer, and again assumes consent.
BT uses lots of cookies and therefore spent a lot of time and money on developing their solution, with a sliding scale where users can set their preferences, but even they are assuming consent has been given.
John Lewis adopt the same approach, with a subtle banner at the top that disappears once you move to another page.
See The Cookie Law made simple for more background on the law.
photo credit: nettsu via photopin cc