Chances are you’ve heard about the ‘EU Cookie Law’. If you have, you might very well be confused or worried about its implications and what exactly you should be doing about it. If you haven’t, and you own or run a company’s website within the EU, then you need to take note and you probably need to take action (but don’t panic, because it’s not as bad as you might think).
The EU Cookie Law, as it’s being called, is actually part of a European E-Privacy Directive. It was brought in by those helpful people at the EU to protect your privacy. They think people don’t know what cookies are or what they do (which is probably fair) and that the way to tackle this is to get every website to ask their users to opt in to the use of cookies. Although browsers allow you to change your privacy settings, apparently this is not enough. There have been a lot of people throwing their toys out of the pram about it (also probably fair), because its most severe interpretation would have every website presenting new users with a big banner asking for their permission to use any cookies (and then only using them if the user ticks ‘yes’).
Chances are it does. Every site we’ve created here at vclever is hooked up to Google Analytics. That uses cookies to gather data about your visitors, used for tracking purposes. There may also be cookies served by third party plugins used on your site and where there’s a Facebook ‘like’ button or a ‘tweet’ button, there’s usually a cookie involved. You may also be using first party cookies (i.e. your own) for things like logins or shopping baskets.
Although everyone is talking about it like it’s going to happen, it has already happened! It’s been law for nearly a whole year, but because it was so controversial and difficult to interpret let alone implement, there has been a lead-in period, and the UK Information Commissioner only starts ‘enforcing’ it now (26 May 2012).
You need to take action. The law starts to be enforced from today. This means you should be making visitors to your site aware that your site uses cookies and by the letter of the law, you should be getting them to ‘opt in’ to their use.
As you’ve no doubt noticed, not an awful lot seems to have changed when you visit UK websites (with the exception of the ICO’s one!). It looks as if a fairly pragmatic approach is being adopted. By this, I mean that rather than slapping a big banner on the top of the page to get users to opt in (and preventing cookies until the user explicitly agrees by ticking a box), it looks like a more sensible approach of amending your privacy policy to explain which cookies you use and how you can opt out of them will do the job nicely (or ‘implied consent’ by another name). Why do we think this? Well, there’s a great article where Econsultancy talked to the Group Manager for Business & Industry at the ICO which reassures us: Econsultancy.com – Dave Evans on EU cookie law compliance. Since I initially wrote this, the ICO has changed its formal guidance to reflect that implied consent is acceptable. You can download their (lengthy) guidance here: ICO Cookies Guidance v3 or check out this article in the Guardian about 11th hour changes: Cookies law changed to introduce implied consent.
Well, although the law starts to be enforced today, don’t panic because the Information Commissioner seems to be taking a fairly responsible approach and they have better things to be doing than slapping fines on small businesses that need a few days to get their websites sorted out to comply (as long as you’re not actually up to no good with your cookies).
That means as soon as you can, you should check which cookies your site uses and amend your privacy policy. How do you check which cookies are in use? The easiest way I know of is using Google Chrome – right click on a web page, choose ‘inspect element’ from the menu, then click on the ‘resources’ tab, and lastly choose ‘cookies’ from the resources listed on the left. All first and third party cookies will be listed here along with their domains and expiry dates.
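The same audit can be recorded in script form. This is an added example, not part of the original post: it parses `Set-Cookie` headers and labels each cookie as first or third party and as session or persistent, ready to list in a privacy policy. The site host, the sample responses and the function names are assumptions constructed for illustration.

```javascript
// Added example: constructed sample data, not captured from a real site.
const SITE_HOST = "www.example.com"; // assumption: the site being audited

// Each record: the host that sent the response and its raw Set-Cookie value.
const SAMPLE_RESPONSES = [
  { host: "www.example.com", setCookie: "session_id=abc123; Path=/; HttpOnly" },
  { host: "www.example.com",
    setCookie: "_ga=GA1.2.1.1; Domain=.example.com; Max-Age=63072000; Path=/" },
  { host: "widgets.social.example.net",
    setCookie: "uid=42; Domain=.social.example.net; Expires=Wed, 26 May 2032 00:00:00 GMT" },
];

// Crude registrable-domain guess (last two labels). A real audit should use
// the Public Suffix List so that hosts under e.g. co.uk are compared correctly.
function baseDomain(host) {
  return host.replace(/^\./, "").toLowerCase().split(".").slice(-2).join(".");
}

// Split a Set-Cookie value into its name and a map of lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Classify every cookie relative to the audited site.
function auditCookies(siteHost, responses) {
  return responses.map(({ host, setCookie }) => {
    const { name, attrs } = parseSetCookie(setCookie);
    // Without a Domain attribute the cookie is scoped to the sending host.
    const domain = typeof attrs.domain === "string" ? attrs.domain : host;
    const persistent = "max-age" in attrs || "expires" in attrs;
    return {
      name,
      domain: domain.replace(/^\./, "").toLowerCase(),
      party: baseDomain(domain) === baseDomain(siteHost) ? "first" : "third",
      lifetime: persistent ? "persistent" : "session",
    };
  });
}

console.table(auditCookies(SITE_HOST, SAMPLE_RESPONSES));
```
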
We’ve been looking around at different approaches being taken by various sites and it seems that good practice is to call the link to your privacy policy ‘privacy and cookies’. If you want to be well-covered, then it’s worth drawing attention to the change in your privacy policy, by making the link more prominent (maybe bolder or underlined) or by creating a news post to say what you’ve done.
If you’re looking for an example of a privacy policy that talks about cookies, then feel free to check ours out. It’s fairly simple as we really don’t collect much personal information, but even on a simple site like ours, Google Analytics, WordPress, Facebook, Twitter and YouTube are all using cookies, so we need to make users aware.
There are a fair few scare-mongers out there suggesting some very severe solutions, but it’s our view that the ICO look to be taking a very sensible approach to policing what is quite a bizarre piece of legislation. It’s early days and as long as you’re demonstrating a willingness to comply, it seems unlikely you’ll come unstuck if your intentions are good. That said, we’ll be keeping a close eye on how other sites attempt to comply and will continue to monitor the views of the ICO to see if we’re going in the right direction.
The usual disclaimers apply to everything we’ve written here. We’re not lawyers (thank god!), we’re just expressing an opinion based on our own experience and what we’ve been reading, so any action you take is entirely at your own risk. If you think what we’ve written is helpful, do feel free to comment, and if you feel we’re way off the mark, please let us know. We’re just trying to comply with the law in a way that doesn’t impact our businesses (or those of our clients) too much while trying to ensure our users are having a decent experience.