You may or may not know about this, but there is a new EU Directive coming into force on 25th May that will require your website to get consent from users before using certain types of “cookies” that may be used by your website.
The law actually came into effect last year, and sites were given a year to comply. There are penalties for non-compliance.
I’ve left it a little late – apologies, but I’ve just been so busy! But today I’ve been looking around to try to pull together some information on it for clients, and people in general. I hope this is of use.
This post will explain what cookies are and whether your site might be using them, and provide some resources for finding out more and making your web site compliant.
What are Cookies?
Cookies are little bits of information stored in a user’s web browser that allow websites to “remember” things when the user moves between pages. A classic example is a shopping cart: once you’ve put the product in the cart you need the site to remember that it’s there. This is done using a cookie.
Is my website using cookies?
The short answer is “probably”. Even if you’re not using a shopping cart, or any other feature that requires a user’s activity to be tracked, you are probably using Google Analytics – surveys show that somewhere between 50% and 90% of websites do, and most of my clients do. And Google Analytics uses a cookie that may (depending on your interpretation of the law) require consent under the new directive.
What does the new directive/law say?
The new law does not apply to all cookies. Those that are “strictly necessary” for the operation of your site do not need consent.
The definition of “strictly necessary” is said to be pretty narrow, though. It seems to include things like a shopping cart, but not analytics; sharing services like Facebook buttons; or personalisation, such as remembering a change of font size.
Though, it should be added, some (such as the International Chamber of Commerce’s guidance) think that analytics could be seen as falling into a category that does not need consent.
It’s not even clear what you have to do to achieve compliance, though most solutions proposed involve a pop-up button, a banner at the top or bottom of your site, or a widget that goes in the corner of your site.
Opinion is somewhat divided. Lots of people are still asking questions about this subject, so many seem to still be deciding whether to do something to become compliant, and what that might be.
Some think that if there is a very large number of sites that don’t comply then the deadline for compliance may be extended.
In any case, most people seem to think that the government will be lenient in enforcing compliance. In fact, many of the government’s websites are still not compliant!
But who knows?
Can I just turn cookies off?
It’s not quite that simple, as not all the cookies on your site are provided by you – some are provided by third-party services that you are using, such as the aforementioned Google Analytics and Facebook/Twitter/sharing buttons.
You could remove any cookie-using services, but this would likely remove important functionality from your website.
Are there any other downsides to compliance?
- Annoying all users regardless: If you use a compliance solution that involves a pop-up, banner, or widget, any user to your site might find this annoying or distracting and go elsewhere.
- Cost to implement: Unless you understand the changes and have the technical knowledge to add the appropriate features for compliance to your website, you’ll probably have to pay someone else to do it for you.
- Site performance: Most compliance solutions involve running a script of some sort to display the opt-in form/widget/pop-up, and this will involve a small increase in the load-time of your site. This should be minimal though.
What can I do about it?
The key thing is that you need to make your users aware of what cookies are used and why, and allow them to make a choice about whether or not they want to use them.
Well, you have several options:
- Do nothing. This is the cheapest, quickest option, but depends on you taking a very small risk and hoping that you don’t get fined for non-compliance. The guidance on complying issued by the government’s Information Commissioner’s Office says that if you have “considered” the new law and “have a realistic plan to achieve compliance” then this would be handled “very differently to one from an organisation which decides to avoid making any change to current practice”. Given that many of the government websites aren’t compliant, you’re probably going to be OK.
- Implement one of the EU Cookie Law plugins. Several clever people have created little tools that you can include on your website to ask people to opt in to cookies. Some technical knowledge will be required to use one of these, and you’ll probably have to do an audit of the cookies you’re using first as well. This could be costly and time-consuming, but will keep you safe from the law. I’ve listed some of the tools below.
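As an added illustration of the cookie audit mentioned above (this is example code, not from the original post or any of the plugins listed): a small Python script that reads the cookies a site sets and sorts them into the categories the post discusses, so you can see which would need an opt-in. The site name, the cookie names and the name/host rules are constructed assumptions, not an exhaustive list.

```python
import re
from urllib.parse import urlsplit

# Heuristic rules (assumption: common names and hosts, not an exhaustive list).
ANALYTICS_NAMES = re.compile(r"^(_ga|_gid|__utm[a-z])$")
NECESSARY_NAMES = re.compile(r"^(PHPSESSID|JSESSIONID|cart|basket|csrf)", re.I)
PERSONALISATION_NAMES = re.compile(r"^(font_size|theme|lang)$", re.I)
SHARING_DOMAINS = {"facebook.com", "twitter.com"}

# Constructed sample cookie jar: (host that set the cookie, Set-Cookie text).
SAMPLE_COOKIES = [
    ("www.example-shop.co.uk", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("www.example-shop.co.uk", "__utma=1.2.3.4; Domain=.example-shop.co.uk; "
                               "Expires=Fri, 24 May 2014 12:00:00 GMT"),
    ("www.example-shop.co.uk", "font_size=large; Path=/; Max-Age=31536000"),
    ("www.facebook.com", "fb_widget=xyz; Domain=.facebook.com; Max-Age=7776000"),
]

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: two labels, or three for .co.uk-style hosts (assumption)."""
    labels = host.lower().lstrip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in ("co", "org", "gov", "ac") else 2
    return ".".join(labels[-n:])

def parse_set_cookie(host: str, header: str) -> tuple[str, str, bool]:
    """Return (name, effective domain, persistent); Expires/Max-Age = persistent."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    domain = attrs.get("domain", host).strip().lstrip(".")
    return parts[0].partition("=")[0].strip(), domain, "expires" in attrs or "max-age" in attrs

def classify(name: str, domain: str, site: str) -> str:
    """Map a cookie to one of the categories the post discusses, in priority order."""
    rd = registrable_domain(domain)
    rules = [("sharing", rd in SHARING_DOMAINS),
             ("analytics", bool(ANALYTICS_NAMES.match(name))),
             ("personalisation", bool(PERSONALISATION_NAMES.match(name))),
             ("strictly necessary", bool(NECESSARY_NAMES.match(name)) and rd == site)]
    return next((cat for cat, hit in rules if hit), "unknown (review manually)")

def audit(site_url: str, cookies: list[tuple[str, str]]) -> list[dict]:
    """Only 'strictly necessary' cookies are exempt; the post notes analytics is disputed."""
    site = registrable_domain(urlsplit(site_url).hostname or "")
    report = []
    for host, header in cookies:
        name, domain, persistent = parse_set_cookie(host, header)
        category = classify(name, domain, site)
        report.append({"name": name, "third_party": registrable_domain(domain) != site,
                       "persistent": persistent, "category": category,
                       "needs_consent": category != "strictly necessary"})
    return report
```

Anything reported as "unknown" still needs a human to decide which category it belongs in; the rules only cover the obvious cases.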
What SHOULD I do about it?
The answer to that is probably nothing – or at least, read up on the new law and make an informed decision to do nothing.
[I should add that this statement – and, in fact, this entire post – in no way constitutes legal advice and I can not be held liable for any costs or damages of any sort incurred to you by you acting on the information given here. Thanks]
At present the guidelines on what to do vary and the law seems to be far from clear. Many are advocating waiting until the panic is over, some of the bigger companies have implemented compliance, and, maybe, Google have done something with Analytics (or been given an exemption).
I’ll endeavour to provide updates when the guidance becomes clearer.
Of course, if you prefer to cover your back then I can probably help you out. Feel free to give me a call to discuss your options.
Where can I find out more?
Here’s a whole load of links that have informed this post, and many others like it, along with links to the tools that I’ve found that can help you become compliant.
If you read just one thing…
I suggest it be Giles Turnbull’s succinct overview of the situation. He does what I’ve tried to do here much better, and he advocates the “Don’t Panic” approach. I should just send this to all my clients, but by the time I found it I’d written most of this article.
Information and Guidance
- The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 – The amendment to the law in full
- Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites – Public sector guidance from the government (PDF)
- Official Guidance from the Information Commissioner’s Office – this is the official stuff, including the ICO’s original advice and a later guidance document.
- Reason Digital: 5 steps to make sure you are compliant with the EU Cookie Directive – good, plain language assessment, similar to my own
- TorchBox’s Analysis – good advice from a great digital agency – summary: “keep calm and carry on”
- Civic UK’s analysis – part of the Cookie Control plugin website (see below)
- The Cookie Collective – analysis from cookie law consultants – more of a sales pitch
- The International Chamber of Commerce UK’s Guidance – suggests that analytics do not need consent
Tools
- CookieCuttr – neat-looking, banner-style jQuery opt-in plugin with WordPress integration
- Cookie Control – unobtrusive opt-in plugin from Civic UK with lots of options and a comprehensive website too
- Cookie Consent – free banner-style opt-in prompt that works across all sites that use it
- EU Cookie Law Plugin for WordPress – premium (but cheap), doesn’t look very nice
- Optanon – premium software, auditing services and consultancy from The Cookie Collective
Commentary and Analysis
- No Cookie Law campaign – information and petition against the law
- A month to go on Cookie Law: Will Google Analytics get a free pass? – Analysis from The Register