Cookie Law: Dead in the Water?


At last the Information Commissioner has bowed to the inevitable and further watered down the UK Cookie Law.

As of today websites can officially set cookies without asking first, rendering more or less meaningless one of the most pointless – and unenforceable – laws in recent years.

So hopefully that will spell the end for one of the most annoying features ever to hit the web: the cookie consent widget.

These annoying little blighters have been springing up on websites for the past year or so – asking everyone if it’s okay to set cookies.

The Cookie Law just annoys people

Some would disappear if you ignored them, others refused to go away and tracked you right through a site and others popped up again as soon as you said yes or no to their insistent demands.

Image: Cookie Consent Widget. Caption: Goodbye Cookie Control – We won’t miss you

As a website owner, if you set yours according to the letter of the law then your site would not record statistics until the site visitor agreed, and social media add-ons like Facebook Like buttons would not work.

So until people agreed you could not measure them, meaning your website statistics only recorded some of the visitors to your site.

We always advocated a lighter approach in our blog posts on the Cookie Law and Complying with the Cookie Law.

To be fair the Cookie Law was the biggest bane of usability since the arrival of Flash websites.

Cookie warning notice

But now it is dead. All you have to do is have a cookie notice on your site – and that’s it. Not even an annoying widget.

It would appear to be a victory for common sense, although the ICO is portraying it as ‘job done’. More likely that it was a totally unworkable piece of legislation that has been nothing but a gigantic pain for everyone as it changed, changed and changed again.

So will you miss the Cookie Law? Was it a good thing? Add your views below.

More information

ICO to change cookie policy to recognise implied consent – Out-Law.com

Changes to cookies on our website – Information Commissioner’s Office

Cookie law made simple – no need to panic


In the last few months alarm has been spreading across the web community and anyone who owns a website.

The reason? A new British law governing privacy and websites, often referred to as the EU Cookie Law because it is derived from a European Directive.

Since this post was first written in July 2012 the interpretation of the law has been relaxed again. See our latest blog post on the issue.

The law affects just about every website, with severe fines of up to £500,000 for non-compliance. Yet most websites did not comply and most website owners were not aware of it.

Image: Woman with bag on head. Caption: Sure this is an approach to the Cookie Law, but not the best one

As time ticked down towards its introduction on May 26 the fear and paranoia grew – and as ever there were plenty of people only too ready to cash in. That wasn’t helped by a lack of clear guidance from the Information Commissioner’s Office (ICO), who will enforce the law.

So what’s it all about?

Cookies are small files that allow a website to recognise and track users. The vast majority of websites use them – for example to remember what is in your shopping cart or to recognise you when you return to a site. They also allow website owners to track statistics for their sites, allowing them to improve services in a cost effective way.

On the whole they are a good thing that makes using the web easier for everyone.

But some are intrusive, effectively spying on people who visit a website for a long time after they have left it, and without their knowledge or permission.

The law was created to regulate these; after all, it’s only right that you should have a choice whether to accept them or not. It’s about online privacy.

The trouble is it targets ALL cookies, not just the intrusive ones, which is why it puts just about everyone in a technical breach. As with all privacy issues, it’s difficult to know where to draw the line. That makes it a major headache for everyone who runs a website.

Enforcement

Much of the fear has been generated around the penalties for not complying with the law and it’s true that website owners can be fined up to £500,000. But don’t expect to see anyone fined for a long, long time.

The ICO is adopting a softly, softly approach of education rather than using a big stick and fines will only be issued as a last resort when:

  • There have been complaints about a site
  • That site is using very intrusive cookies that capture sensitive data, such as medical information, maybe using that info to target advertising or pass on to third parties
  • The site owner explicitly refuses to do anything about it, despite repeated requests from the ICO.

And if you are approached by the ICO, you will be given plenty of chances – and lots of advice – to help you put things right.

That hasn’t stopped consultants and some web firms seeing an opportunity to cash in, often using fear of fines as a way to sell their services, most of which involve over the top solutions – a sledgehammer to crack a nut.

To be fair on some of these, the hazy guidance from the ICO hasn’t helped. Neither has the fact that at the 11th hour the ICO made a small, but very important, change to their advice.

Their first advice was that websites must obtain consent before setting any cookies, therefore disabling analytics, social media or many other site functions until a user agreed. This was technically quite difficult to do. It also meant using intrusive pop ups that block a site from use until a user has consented – or otherwise.

Sometimes the only way to comply would have been to tell people to leave the site.

But just before the May 26 deadline the advice changed. The new version allows for implied consent – so it’s ok to set cookies so long as you tell them what they are and how to block them. This makes all the difference.

Many web companies have invested a lot of time and money into producing solutions that – while being intrusive – complied with the law as it stood.

Unfortunately, the change to implied consent has made these solutions look like overkill. You can’t blame these companies for persisting with them when they have spent a lot of time and money developing their solution, only to see it obsolete.

The truth is that complying with the law – or at least avoiding unwanted attention from the ICO – is relatively straightforward for most of us and should not involve a great deal of work.

See the easy way to comply with the EU Cookie Law

The easy way to comply with the EU Cookie Law


There has been much talk about the EU Cookie Law, which came into force in the UK in May this year, as well as scaremongering about big fines for non-compliance.

Since this post was first written in July 2012 the interpretation of the law has been relaxed again. See our latest blog post on the issue. But the position changes repeatedly, so see webdevlaw.uk for the latest updates.

The truth, while a little hazy at times, is somewhat simpler and a lot less intimidating. It’s really not that difficult to set yourself on the road to compliance, which is what the authorities are looking for.

Image: The Cookie Monster. Caption: Cookie Monster

The following is our interpretation of how to put yourself on the road to complying with the new EU Cookie Law and should work for you as long as you are not using any overly intrusive cookies that gather sensitive data.

It is not intended as definitive advice and if you need that you should consult the Information Commissioner’s Office (ICO) directly or see a lawyer. For full advice see the ICO’s latest guidance (PDF download).

The law is far from clear and it’s early days yet. The position may change but right now complying with the law – or at least avoiding unwanted attention from the ICO – is relatively straightforward for most of us and should not involve a great deal of work.

Remember that the ICO will be satisfied if you are ‘working towards compliance’ and to do that you need to follow the steps below. The good news is this need only take an hour.

Do a cookie audit

As a website owner, you need to understand what cookies your website is setting and what they do.

The way to do this is to use a free tool that checks your site. There is no need to spend a fortune on doing this – or even any money at all.

If you use Google Chrome a simple free browser extension is available from Attacat. Full details and the extension itself are available on this page: http://www.attacat.co.uk/brain/cookie-audit-tool-v2#axzz1xOHSYlZ1

You don’t have to register to get it, and it will also give you an indication as to how intrusive any cookies you use are.

Another solution, especially if you use Mozilla Firefox, is the Firefox web developer toolbar, which includes a cookie auditing tool. The extension is available here: https://addons.mozilla.org/en-US/firefox/addon/web-developer/

Remember, it’s not an exact science and a cookie audit may not pick up everything your site generates. You only have to show that you are taking steps towards complying in full.

When you have done your audit you need to assess each cookie and what it does. If there’s anything you don’t understand you will need to talk to your web design company.

You can also Google the name of the cookie to find out what it does.
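As an added example (not from the original post or the tools it names), the same audit can be scripted in Python by reading the Set-Cookie headers your pages return and listing who sets each cookie, how long it lasts and which flags it carries. The site domain, the captured headers and the audit date are constructed sample values, and treating persistent third-party cookies as the ones to review first is an assumption about what counts as intrusive.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_DOMAIN = "example.org"  # assumption: the site being audited
AUDIT_TIME = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed, fixed for repeatability

# Constructed sample: (host that sent the response, Set-Cookie header value)
CAPTURED = [
    ("www.example.org", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("www.example.org", "_ga=GA1.2.1; Domain=.example.org; Max-Age=63072000; Path=/"),
    ("ads.tracker.example",
     "uid=42; Domain=.tracker.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure"),
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into its name and a dict of lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime_days(attrs, now):
    """Return None for a session cookie; Max-Age takes precedence over Expires."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def is_third_party(host, site=SITE_DOMAIN):
    """A cookie is third-party when the host setting it is not the site or a subdomain."""
    return not (host == site or host.endswith("." + site))

def audit(captured, now=AUDIT_TIME):
    rows = []
    for host, header in captured:
        name, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs, now)
        third = is_third_party(host)
        rows.append({
            "name": name, "set_by": host, "third_party": third,
            "persistent": days is not None,
            "days": None if days is None else round(days),
            "secure": "secure" in attrs, "httponly": "httponly" in attrs,
            "review_first": third and days is not None,  # assumption: likely intrusive
        })
    return rows

if __name__ == "__main__":
    for row in audit(CAPTURED):
        print(row)
```

The resulting rows map directly onto the cookie policy page: one line per cookie saying what it is, who sets it and how long it stays.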

Publish the information

It’s actually been law to publish cookie information on your site since 2003, something that many people have ignored.

It’s usually hidden in the site’s Privacy Policy (if you have one) but now you have to make it easier to find.

It should also be in plain English and easy to understand, so there’s no room for legal jargon and geek speak.

You will need to create a new page for your Cookies Policy. You need to tell people what cookies you use (not necessarily naming them all) and what each one does.

It’s helpful to point people to instructions on how to turn cookies off using their browser controls. This page at aboutcookies is useful.

This page at whoishostingthis.com offers a comprehensive guide for the lay person and the developer.

Consent

The ICO’s line on this is clear – you must have consent. But that seems to extend to implied consent, where you can assume consent has been given, so long as you make it easy for people to withdraw their consent and not accept cookies.

But while the law makes no distinction between ‘good’ cookies and ‘bad’ ones, in practice the ICO will. So for many sites that do not collect sensitive information, covering the first three steps should be enough for now at least.

What are others doing?

It’s a good idea to look at what the big boys do. If you have visited any of the sites below before, clear your cookies first before using these links.

The BBC went live with their cookie advice a few days before the May 26 deadline, but when the emphasis went to implied consent they scaled it back. The banner appears only once and assumes consent.

ITV is doing even less. Its cookie statement is in its website footer, and again assumes consent.

BT uses lots of cookies and therefore spent a lot of time and money on developing their solution, with a sliding scale where users can set their preferences, but even they are assuming consent has been given.

John Lewis adopt the same approach, with a subtle banner at the top that disappears once you move to another page.

See The Cookie Law made simple – for more background on the law.

photo credit: nettsu via photopin cc