What the EU Cookie Law Means for Your Website


On 26th May 2012, the “new” EU Cookie Law will finally be enforced in the UK. The law was first brought into power across the EU last year on 26th May 2011. However, enforcement was delayed for a year to give UK businesses time to fully comply with the rules and regulations set out by the legislation.

So, what is this law?

The new cookie law sets out to solve the privacy problems that legislators feel users are currently encountering on the web. It aims to protect users and consumers by making them aware of the information that is collected about them through the use of cookies. Cookies are used in many ways, often to remember information about a visitor or visitor preferences. Examples include cookies set for analytics (such as Google Analytics), user logins, adverts, social sharing buttons and more.

Why does this apply to me?

Anyone based in the EU and currently running a website on which cookies are utilised has to comply with the regulations set out by the new law. This comes down to either stopping the usage of cookies altogether or asking users for their permission for cookies to be used, also explaining what cookies are being used and why.

First things first…

 

The first thing you need to do is to run a cookie audit to find out just what cookies your website uses. A couple of useful tools we’ve found during our research include:

What’s next?

Once you’ve found what cookies are present on your website, you need to categorise them. There appear to be four types of cookies – essential (strictly necessary) cookies, performance cookies, functionality cookies and targeting or advertising cookies. Although cookies that are essential to the running of your website don’t have to be consented to, it is still a requirement that you explicitly explain what these cookies are and why they are used.

Once you have categorised your cookies, you need to make sure that each cookie is explained in your privacy policy in a transparent and easy-to-understand manner. Explain what each cookie is for and why it is used. The idea here is to let the user know the real reasons cookies are used and to educate them on why it is a good thing – and not something to be scared of.

There is a useful guide from the ICC that explains more about categorising cookies and what each category means.

Okay, I’ve categorised my cookies – what now?

Once you’ve categorised your cookies and clearly explained them in your privacy policy, the next thing is to decide on a consent mechanism. This is basically a way of asking the user for their permission to use the cookies and giving them a way of opting out (turning the cookies off) if they wish to do so.

You have two options here: enabling cookies by default and giving the user a way to opt out, or asking the user’s permission before enabling cookies. The advantage of the first option is that you don’t have to turn off cookies by default, as you’re assuming the user will be okay with it – though you still give them an opt-out if they don’t want the cookies to be used. This means that you won’t automatically lose the statistics you might gain, for example, via analytics.

Once you’ve decided on the approach you want to take, you then need to decide on a consent mechanism to use. This will be the way that you tell the user about the cookies you use and how to consent or opt-out.
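The audit, categorisation and consent steps above can be sketched in code. This is an added example, not part of the original article or of any tool it mentions: the cookie names, the category map and the sample cookie string are constructed for illustration, and treating unaudited cookies as never allowed is a design choice of this sketch.

```javascript
// Added example. The category map is a constructed audit result, not from the article.
const CATEGORY = new Map([
  ['session_id', 'essential'],     // hypothetical login/session cookie
  ['__utma', 'performance'],       // Google Analytics visitor cookie
  ['lang', 'functionality'],       // hypothetical language preference
  ['ad_id', 'targeting'],          // hypothetical advertising identifier
]);

// Split a Cookie header (or document.cookie string) into cookie names.
function cookieNames(header) {
  return header.split(';')
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => pair.split('=')[0]);
}

// Audit step: group every cookie found by category; names missing from the
// map are reported as 'uncategorised' so they can be investigated.
function audit(header) {
  const report = {};
  for (const name of cookieNames(header)) {
    const category = CATEGORY.get(name) || 'uncategorised';
    (report[category] = report[category] || []).push(name);
  }
  return report;
}

// Consent step. 'opt-in': a category is off until the user ticks it.
// 'opt-out': a category is on until the user switches it off.
function isAllowed(category, mode, choices) {
  if (category === 'essential') return true;       // no consent needed
  if (category === 'uncategorised') return false;  // never set unaudited cookies
  return mode === 'opt-in' ? choices[category] === true
                           : choices[category] !== false;
}

// Names of the cookies the site may set for this visitor.
function allowedCookies(header, mode, choices = {}) {
  return cookieNames(header).filter((name) =>
    isAllowed(CATEGORY.get(name) || 'uncategorised', mode, choices));
}

// Constructed sample: what a browser might send after visiting the site.
const SAMPLE = 'session_id=abc; __utma=1.2.3; lang=en; ad_id=xyz; mystery=1';
```

With no choices recorded, `allowedCookies(SAMPLE, 'opt-in')` leaves only the essential cookie, while `'opt-out'` leaves every categorised cookie until the visitor switches a category off.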

The three most popular types of consent mechanism are a notification bar, a modal overlay and a pop-up overlay box.

The first is a bar at the top of the page that overlays the content and gives brief information about the cookies on your website, with a link to more detailed privacy information on the cookies. There is usually a checkbox that the user has to tick to approve cookie use on the website.

The modal overlay follows the same structure; however, it could be described as being a little more intrusive as the idea is to completely overlay the content on the website upon first load.

The pop-up overlay box should follow the same style as the modal overlay, though it is less intrusive as it generally just overlays a certain area of the page (such as a corner).

The idea behind these mechanisms is to be intrusive enough to disrupt the flow of the website and get the user’s attention, while still educating the user and gaining their permission to use the cookies rather than scaring them away.

A couple of useful solutions we’ve found for consent mechanisms include:

  • Cookie Control – a configurable solution that adds an overlay to (for example) the bottom of the page. It displays a configurable message about the cookies on your website and allows users to opt-in. The website also offers advice on existing items you use that may use cookies and how to adapt them to work alongside Cookie Control – http://www.civicuk.com/cookie-law/index (free)
  • CookieCuttr – a WordPress plugin that offers configurable messages and adds a notification bar to the top of your website – http://cookiecuttr.com/wordpress-plugin/ (£5+VAT)

Good examples of cookie consent mechanisms

Let’s end with some good examples of cookie consent mechanisms across the web:

  • Silktide – www.silktide.com
    Silktide also released an eBook explaining the cookie law and what we can do to tackle it. Their consent mechanism is good as it allows you to choose between the types of cookies you would allow to be used – you can choose all, one or none of the types of cookies.
  • BT – www.bt.com
    BT has a modal overlay that simply pops up in the corner of the screen instead of overlaying all of the content. BT have gone for the option of allowing all cookies and then letting the user decide what cookies they would like to turn off. What is really great about BT’s consent mechanism is the way that you can change what cookies are used. Not only is it visually lovely, but it makes it really easy for a user to see what types of cookies are used and where, as well as seeing what cookies are turned off depending on the level of “cover” a visitor decides to opt for.
  • The Guardian – http://www.guardian.co.uk/technology/2012/apr/13/new-law-cookies-affect-internet-browsing
    The Guardian currently use an image overlay on a specific cookie-related article to explain what cookies are used, where they are used and why they are used. This is an interesting approach as it shows the user directly what cookies are used and what they relate to.

There are many resources available regarding the cookie law, and those listed above are by no means an absolute guide, but they should give you a clearer idea of what the cookie law entails and how you can try and find a suitable solution for your own website.

fluidcreativity
  • Written by on 23rd May 2012 at 09:09
  • “Fluid Creativity is an award-winning, multi-service digital agency based in Manchester.”
  • Andy Warburton

    You do know the ICO have basically said they won’t be fining people over the cookie laws unless they’re used for blatant privacy invasions (like the recent Facebook thing). For the most part it seems that having a basic cookie policy on your site will be more than enough.

    • http://www.nerdsassemble.co.uk/ milliways

      Agreed. Though I think best practice for said policy does include having basic instructions on how to block cookies and/or links to sites like allaboutcookies.org.

      It’s also not practical to put in new bits of code if you’ve set up a basic site through something like WordPress or Tumblr CMS and you really don’t know what you’re doing. Too big a chance that people might break their sites.

      • rachilli

         Hi Andy and Milliways –
        Up until the ICO updated their guidelines last week it was still recommended to take the explicit-consent approach, where we had to ask for the user’s permission before cookies were set. Hopefully the guidance we’ve now been given (see http://ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx).

        I agree that for the moment, putting a basic cookie policy will hopefully be enough. Let’s just hope that things are made a lot clearer in the next few weeks as the policy “takes effect”.

        Thanks very much for both your comments!

  • http://www.timbarlow.net/ Tim Barlow

    Hi Rachel

    Thanks for featuring our audit tool.  Would be keen to get your thoughts on the new version just released at http://www.attacat.co.uk/resources/cookies – the new functionality now automatically creates a cookie information page and does some classification of cookie types within that.

    The new ICO guidelines (at first glance) look a bit more appealing than before suggesting a “consent-light” approach along the lines of what Andy is suggesting may well be appropriate in a lot of cases.  Phew.

    • rachilli

       Hi Tim,

      Not a problem – it was a really useful tool and one that I hope will help many others! I’ll take a look at the new version of your tool and get back to you on that. :)

      I agree that the new ICO guidelines look more promising for us in terms of being able to use implied consent – at least it’s more a step in the right direction!
