How the Cookie Crumbles
The European Parliament has cracked down on a number of traditional elements of the marketing mix in recent years, taking a look at advertising on social networks, pricing display on websites, and email marketing for instance. In 2011, it turned its eye to website cookies, and issued a new directive – with a deadline for compliance of May 2012. With just a few months to go, Dean Parker – client partner at our London-based agency SAS – helps clarify some of the confusion and ambiguity around the law and suggests how best to deal with it.
I’ve had lots of clients recently ask about the new cookie legislation, so I thought it would be useful to put some thoughts down on paper. A word of warning though – I’m not a lawyer, so the text below is only my interpretation of what I have read from both official and unofficial sources. Any decisions you take in dealing with this law on your website should be made after seeking proper legal advice.
The new law is intended to help protect people’s privacy, prompted in part by concerns about online tracking of individuals and the use of spyware.
Governments in Europe had until 25 May 2011 to implement these changes into their own law. The UK has revised its Privacy and Electronic Communications Regulations and provided a ‘lead-in’ period up until 26 May 2012 in which website owners must comply.
What is a cookie anyway?
In reality, a cookie is a small text file which is stored by the user’s browser. It only contains data, not code, so it can’t contain a virus or spyware. There are lots of different types of cookies but I won’t bore you with the details now.
Does the new law only apply to cookies?
No, despite often being labeled ‘Cookie legislation’, the law covers all technologies which store information on the device of a user. This is an important point as you, or more probably your web designers/developers, also need to think about newer technologies such as HTML5.
What does the law say?
In short, the law says that those setting cookies must tell people that the cookies are there, explain what the cookies are doing and obtain their consent to store a cookie on their device.
The important bit is that the law says that you have to gain consent before the activity has occurred (although it does accept that many sites set cookies as soon as someone enters them).
There’s some ambiguity around the issue of ‘implied consent’ but to be safe you should assume that you must rely on people making a positive choice to accept cookies rather than assuming they have done so by reading a notice about them (which you can’t be sure they’ve read in the first place).
After you’ve gained consent, things get a little bit easier. If you’ve got several connected websites you can look at just obtaining consent in one place. You don’t have to ask for it again once it has been granted, unless the cookies or the way you use them change significantly (which ironically needs a cookie to work!). You do however need to provide a way for people to withdraw consent at any time after they have given it.
Are there any exceptions to this rule?
How will the law be enforced?
That’s the million dollar question! There’s still a lot of ambiguity over how best to interpret the law and guidance notes but some things are for certain…
If you’ve not done anything yet, you’re already lagging behind. The UK’s Information Commissioner’s Office (ICO) expects organisations to already be taking steps to comply with the rules, and if it were to receive a complaint about a website during the 12-month lead-in period, it would expect a realistic plan to achieve compliance going forward.
“As the lead in period comes to an end organisations will need to be able to demonstrate they have taken sensible, measured action to move to compliance. If a website has not achieved full compliance at the end of the period the Information Commissioner will expect a specific and clear explanation of why it was not possible to comply in time, a clear timescale for when compliance will be achieved and details of specifically what work is being done to make that happen.”
13 December 2011
However, there are some areas where we expect a bit more leniency.
“We have recently become aware of this cookie. We are working with the supplier of our content management system to remove it or, if it can’t be removed, to find another solution.”
Also, although we know that cookies used by tracking tools such as Google Analytics are covered by the law, there appears to be a relaxed attitude to this at the moment, as you will see from the quote below. One might say they’ve got bigger fish to fry! This is important because if people are given the option of not accepting these types of cookies, your analytics could be obliterated and therefore of little use going forward.
“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
13 December 2011
What is everyone else doing?
Very little to be honest. There’s been a big backlash on blogging platforms from industry professionals and there is still a huge amount of ambiguity over the ICO guidelines. There’s obviously a lot of ‘wait and see’ at the moment.
What about other countries in the EU?
At the moment only the UK has published any guidance at all, and it is possible that the other EU member states will set different laws. If that’s the case, website owners may need different solutions for different parts of the EU. Great!
What do I need to do?
There are three very simple steps to follow before you go rushing head first into changing your websites:
- Check the type of cookies you use and how
- Assess how ‘intrusive’ they are
- Decide what solution is most appropriate
Only by understanding what cookies your site uses and how they work will you be able to determine the most appropriate solution for your organisation. This is a relatively simple task that can be done by your website design or development team.
What options do I have?
There are probably three different approaches for owners of corporate and B2B websites to consider.
As I said earlier, whichever approach you decide to take, it needs to be informed by a better understanding of your individual circumstances and advice from your legal team. SAS can help you out with this if needed.
Dean has over 15 years’ communications industry experience across digital strategy, interaction design and user experience. He has advised on and led projects for clients across a wide range of platforms and technologies – websites, online reporting, intranets, interactive television services, DVDs and interactive kiosks. At SAS his clients have included GlaxoSmithKline, 3i, BP, BBA Aviation, Aviva, Diageo, KPMG, Sainsbury’s, Ernst & Young, Slaughter and May, World Economic Forum, Strutt & Parker, Standard Chartered Bank and Land Securities. He can be reached at email@example.com