In the last few months alarm has been spreading across the web community and anyone who owns a website.
The reason? A new British law governing privacy and websites, often referred to as the EU Cookie Law because it is derived from a European Directive.
Since this post was first written in July 2012 the interpretation of the law has been relaxed again. See our latest blog post on the issue.
The law affects just about every website, with severe fines of up to £500,000 for non-compliance. Yet most websites did not comply and most website owners were not aware of it.
[Image caption: Sure this is an approach to the Cookie Law, but not the best one]
As time ticked down towards its introduction on May 26 the fear and paranoia grew – and as ever there were plenty of people only too ready to cash in. That wasn’t helped by a lack of clear guidance from the Information Commissioner’s Office (ICO), who will enforce the law.
So what’s it all about?
Cookies are small files that allow a website to recognise and track users. The vast majority of websites use them – for example to remember what is in your shopping cart or to recognise you when you return to a site. They also allow website owners to track statistics for their sites, allowing them to improve services in a cost effective way.
On the whole they are a good thing that makes using the web easier for everyone.
But some are intrusive, effectively spying on people who visit a website for a long time after they have left it, and without their knowledge or permission.
The law was created to regulate these; after all, it’s only right that you should have a choice whether to accept them or not. It’s about online privacy.
The trouble is it targets ALL cookies, not just the intrusive ones, which is why it puts just about everyone in a technical breach. As with all privacy issues, it’s difficult to know where to draw the line. That makes it a major headache for everyone who runs a website.
Much of the fear has been generated around the penalties for not complying with the law and it’s true that website owners can be fined up to £500,000. But don’t expect to see anyone fined for a long, long time.
The ICO is adopting a softly, softly approach of education rather than using a big stick and fines will only be issued as a last resort when:
- There have been complaints about a site
- That site is using very intrusive cookies that capture sensitive data, such as medical information, maybe using that info to target advertising or pass on to third parties
- The site owner explicitly refuses to do anything about it, despite repeated requests from the ICO.
And if you are approached by the ICO, you will be given plenty of chances – and lots of advice – to help you put things right.
That hasn’t stopped consultants and some web firms seeing an opportunity to cash in, often using fear of fines as a way to sell their services, most of which involve over the top solutions – a sledgehammer to crack a nut.
To be fair on some of these, the hazy guidance from the ICO hasn’t helped. Neither has the fact that at the 11th hour the ICO made a small, but very important, change to their advice.
Their first advice was that websites must obtain consent before setting any cookies, which meant disabling analytics, social media and many other site functions until a user agreed. This was technically quite difficult to do. It also meant using intrusive pop-ups that block a site from use until a user has consented – or otherwise.
Sometimes the only way to comply would have been to tell people to leave the site.
But just before the May 26 deadline the advice changed. The new version allows for implied consent – so it’s OK to set cookies so long as you tell users what they are and how to block them. This makes all the difference.
Many web companies have invested a lot of time and money into producing solutions that – while being intrusive – complied with the law as it stood.
Unfortunately, the change to implied consent has made these solutions look like overkill. You can’t blame these companies for persisting with them when they have spent a lot of time and money developing their solution, only to see it become obsolete.
The truth is that complying with the law – or at least avoiding unwanted attention from the ICO – is relatively straightforward for most of us and should not involve a great deal of work.