You may or may not know about this, but there is a new EU Directive coming into force on 25th May that will require your website to get consent from users before using certain types of “cookies” that may be used by your website.

The law actually came into effect last year, and sites were given a year to comply. There are penalties for non-compliance.

I’ve left it a little late – apologies, but I’ve just been so busy!  But today I’ve been looking around to try to pull together some information on it for clients, and people in general. I hope this is of use.

This post will explain what cookies are and whether your site might be using them, and provide some resources for finding out more and making your web site compliant.

What are Cookies?

Cookies are little bits of information stored in a user’s web browser that allow websites to “remember” things when the user moves between pages.  A classic example is a shopping cart: once you’ve put the product in the cart you need the site to remember that it’s there. This is done using a cookie.

Is my website using cookies?

The short answer is “probably”.  Even if you’re not using a shopping cart, or any other feature that requires a user’s activity to be tracked you are probably using Google Analytics – surveys show that somewhere between 50% and 90% of websites do, and most of my clients do. And Google Analytics uses a cookie that may (depending on your interpretation of the law) require consent under the new directive.

Other services like Facebook buttons and other add/share devices use cookies too, so these will come under the directive.

What does the new directive/law say?

It basically says that you need to ask visitors to your site for permission to use cookies.

The new law does not apply to all cookies.  Those that are “strictly necessary” for the operation of your site do not need consent.

The definition of “strictly necessary” is said to be pretty narrow though.  It seems to include things like a shopping cart, but not analytics; sharing services like Facebook buttons; and personalisation, such as remembering a change of font size.

Though, it should be added, some (such as the International Chamber of Commerce’s guidance) think that analytics could be seen as falling into the a category that does not need consent.

It’s not even clear what you have to do to achieve compliance, though most solutions proposed involve a pop-up button, a banner at the top or bottom of your site, or a widget that goes in the corner of your site.

Wow! So given that pretty much every website uses cookies. Will this really be enforced?

Opinion is somewhat divided. Lots of people are still asking questions about this subject so lots of people seem to still be thinking about whether to do something to become compliant, and what that might be.

Some think that if there is a very large number of sites that don’t comply then the deadline for compliance may be extended.

In any case, most people seem to think that the government will be lenient in enforcing compliance. In fact, many of the government’s websites are still not compliant!

But who knows?

Can I just turn cookies off?

It’s not quite as simple as that as not all the cookies in your site are provided by you – some are provided by third-party services that you are using, such as the aforementioned Google Analytics and Facebook/Twitter/sharing buttons.

You could remove any cookie-using services, but this would likely remove important functionality from your website.

Are there any other downsides to compliance?

Yes.

  1. Losing information for those who don’t opt in: If you implement a compliance solution that gives people the ability to “opt-in” to cookies, then you probably see a whole load of people choose not to opt in. This means that they may not get full functionality from your website, and you will lose out on important and useful data.Some websites that use advertisement networks may also suffer as those networks use cookies to track users and deliver ad’s.Some sites have seen only 10% of visitors opt in.
  2. Annoying all users regardless: If you use a compliance solution that involves a pop-up, banner, or widget, any user to your site might find this annoying or distracting and go elsewhere.
  3. Cost to implement: Unless you understand the changes and have the technical knowledge to add the appropriate features for compliance to your website, you’ll probably have to pay someone else to do it for you.
  4. Site performance: Most compliance solutions involve running a script of some sort to display the opt-in form/widget/pop-up, and this will involve a small increase in the load-time of your site. This should be minimal though.

What can I do about it?

The key thing is that you need to make your users aware of what cookies are used and why, and allow them to make a choice about whether or not they want to use them.

Well, you have several options:

  1. Do nothing. This is the cheapest, quickest option, but depends on you taking a very small risk and hoping that you don’t get fined for non-compliance.  The guidance on complying issued by the government’s Information Commissioner’s Office says that if you have “considered” the new law and “have a realistic plan to achieve compliance” then this would be handled “very differently to one from an organisation which decides to avoid making any change to current practice”.Given that many of the government websites aren’t compliant you’re probably going to be OK.
  2. Update your privacy policies and terms and conditions. You have a privacy policy, right? Even a simple one? Mine is embedded in my terms and conditions which are linked in the footer of the site. The aim of this fix would be to make such terms more prominent, and to ensure that visitors are aware of them.
  3. Implement one of the EU Cookie Law plugins. Several clever people have created little tools that you can include on your website to ask people to opt-in to cookies. Some technical knowledge will be required to use one of these and you’ll probably have to do an audit of cookies that you’re using first as well. This could be costly and time consuming, but will keep you safe from the law.  I’ve listed some of the tools below.

What SHOULD I do about it?

The answer to that is probably nothing – or at least, read up on the new law and make an informed decision to do nothing.

[I should add that this statement – and, in fact, this entire post – in no way constitutes legal advice and I can not be held liable for any costs or damages of any sort incurred to you by you acting on the information given here. Thanks]

At present the guidelines on what to do vary and the law seems to be far from clear. Many are advocating waiting until the panic is over, some of the bigger companies have implemented compliance, and, maybe, Google have done something with Analytics (or been given an exemption).

I’ll endeavour to provide updates when the guidance becomes clearer.

If course, if you prefer to cover your back then I can probably help you out. Feel free to give me a call to discuss your options.

Where can I find out more?

Here’s a whole load of links that have informed this post, and many others like it, along with links to the tools that I’ve found that can help you become compliant.

If you read just one thing…

I suggest it be Giles Turnbull’s succinct overview of the situation. He does what I’ve tried to do here much better, and he advocates the “Don’t Panic” approach.  I should just send this to all my clients, but by the time I found it I’d written most of this article.

Information and Guidance

Tools

  • CookieCuttr – neat-looking, banner-style jQuery opt-in plugin with WordPress integration
  • Cookie Control – unobtrusive opt-in plugin from Civic UK with lots of options and a comprehensive website too
  • cPrompt – a simple JavaScript banner prompt – free
  • Cookie Consent – free banner-style opt-in prompt that works across all sites that use it
  • EU Cookie Law Plugin for WordPress – premium (but cheap), doesn’t look very nice
  • Optanon – premium software, auditing services and consultancy from The Cookie Collective

Commentary and Analysis