The EU Cookie Law – An Overview
What is the EU Cookie Law?
Essentially, the EU Cookie Law is the EU e-Privacy Directive, which comes into force on 26th May 2012. What it means is that you have to get your visitors' informed consent before placing a cookie on their machine. Here is a link to the ICO website detailing the law.
What is a Cookie?
A cookie is a small text file that a website can store on your computer to help keep track of different things, such as whether you want to stay logged into a website, or your preferences within a website. You can read more about them in this HTTP cookie Wikipedia article.
What is the fuss?
Is it just cookies?
No – The law also affects anything that acts like a cookie, for example:
- Flash Cookies
- HTML5 Local Storage
The ICO has said that it isn't good enough to simply re-implement the same tracking some other way, outside of cookie storage.
The EU Cookie Law – Tooling Up
There are two things you are going to need before getting your site ready for this law:
- To know what cookies you store
- To know what stored cookies fall within the remit of this law
What cookies does my website store?
Ideally your webmaster will know this information, but with so many people relying on third-party tools to build websites, it is my experience that you never really know what cookies your own site might be storing.
The best way I have found of finding out what is left behind is to clear all your cookies, then use your site: visit each page and complete each action. Once you have done this, view your cookie information. How you view this information depends entirely on the web browser you are using; here are the steps for some of the more common ones.
In Chrome:
- Click on the spanner icon.
- Click on 'Settings'.
- Click on 'Under the Hood'.
- Click on 'Content Settings'.
- Click on 'All Cookies and Site Data…'.
- Browse to your URL and take a look.
In Firefox:
- Click on 'Preferences'.
- Click on 'Privacy'.
- Click on 'remove individual cookies'.
- Browse to your URL and take a look.
What do I do with the cookies that I do store?
The first thing you should do is stop producing cookies for anything that you do not need. Over years of development a website can end up leaving things all over the place, and if there is anything you can remove, you should.
With any other cookies you have left you should classify them appropriately as this will determine if you need to comply or not.
How should I classify my cookies?
You should classify your cookies into four categories:
- Essential – Required for your website to function, for example to mark someone as being logged in.
- Non-Essential but harmless – Not essential to core functionality but doesn’t get used for tracking a user
- Fairly Intrusive – Used to track people but does not provide personally identifiable information, for example Google Analytics
- Very Intrusive – Used to track people and provide personally identifiable information
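The browser walk-through above tells you what ended up on the machine; the server-side view is the Set-Cookie headers your site sent while you clicked through it. The script below is an added example (not from the original post): it takes a capture of those headers, page by page, and produces an inventory of every cookie (domain, path, whether it survives the browser session, whether it is third-party, which pages set it), then applies the four categories from the list above to decide what can be set freely and what must wait for consent. The capture, the hostname, the cookie names and the policy table are all constructed for illustration; the policy table is the part each site has to write for itself. Cookies set by JavaScript or by embedded third-party scripts never pass through your server, so a capture like this complements the browser check rather than replacing it.

```python
"""Inventory and classify cookies from captured Set-Cookie headers.

Added example, not code from the original post. Input format, hostnames,
cookie names and the POLICY table are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumed first-party host

# Constructed capture: (page URL, Set-Cookie header values the server sent).
CAPTURE = [
    ("https://www.example.com/", [
        "sessionid=abc123; Path=/; HttpOnly; Secure",
        "_ga=GA1.2.111; Domain=.example.com; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    ]),
    ("https://www.example.com/account", [
        "sessionid=abc123; Path=/; HttpOnly; Secure",
        "theme=dark; Path=/; Max-Age=31536000",
    ]),
    ("https://ads.partner.example/pixel", [
        "uid=9f8e7d; Domain=ads.partner.example; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    ]),
    ("https://www.example.com/blog", [
        "legacy_tmp=1; Path=/",   # nobody remembers what this one is for
    ]),
]

# The four categories from the post; which name maps to which category is a
# constructed policy table that every site must write for itself.
POLICY = {
    "sessionid": "Essential",
    "theme": "Non-Essential but harmless",
    "_ga": "Fairly Intrusive",
    "uid": "Very Intrusive",
}
NEEDS_CONSENT = {"Non-Essential but harmless", "Fairly Intrusive", "Very Intrusive"}


@dataclass
class CookieRecord:
    name: str
    domain: str
    path: str
    persistent: bool      # has Expires/Max-Age, so it outlives the browser session
    third_party: bool     # domain is not the site host or one of its parents
    pages: set = field(default_factory=set)
    category: str = "UNCLASSIFIED"


def parse_set_cookie(header: str, page_host: str) -> tuple[str, str, str, bool]:
    """Return (name, domain, path, persistent) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, path, persistent = page_host, "/", False   # "/" stands in for the default path
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.lower()
        if key == "domain":
            domain = value.strip().lstrip(".")
        elif key == "path":
            path = value.strip() or "/"
        elif key in ("expires", "max-age"):
            persistent = True   # includes Max-Age=0 deletions; treat those as noise
    return name, domain, path, persistent


def inventory(capture, site_host: str = SITE_HOST, policy=POLICY) -> dict[str, CookieRecord]:
    """Build one record per (name, domain, path) across every captured page."""
    records: dict[str, CookieRecord] = {}
    for url, headers in capture:
        page_host = urlsplit(url).hostname or site_host
        for header in headers:
            name, domain, path, persistent = parse_set_cookie(header, page_host)
            third_party = not (domain == site_host or site_host.endswith("." + domain))
            key = f"{name}@{domain}{path}"
            rec = records.setdefault(key, CookieRecord(name, domain, path, persistent, third_party))
            rec.persistent = rec.persistent or persistent
            rec.pages.add(url)
            rec.category = policy.get(name, "UNCLASSIFIED")
    return records


def consent_report(records: dict[str, CookieRecord]):
    """Split the inventory into (set freely, needs consent, still unclassified)."""
    free, gated, unknown = [], [], []
    for rec in records.values():
        if rec.category == "UNCLASSIFIED":
            unknown.append(rec)        # classify or remove before go-live
        elif rec.category in NEEDS_CONSENT:
            gated.append(rec)
        else:
            free.append(rec)
    return free, gated, unknown


if __name__ == "__main__":
    free, gated, unknown = consent_report(inventory(CAPTURE))
    for label, group in (("no consent needed", free), ("consent needed", gated), ("UNCLASSIFIED", unknown)):
        for rec in group:
            kind = ("persistent" if rec.persistent else "session") + (", third-party" if rec.third_party else "")
            print(f"{label:18} {rec.name:12} {rec.domain}{rec.path} ({kind}) on {len(rec.pages)} page(s)")
```

Anything that comes out as UNCLASSIFIED is exactly the "leaving things all over the place" case: either it earns a category in the policy table or it gets removed.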
What should I do with each type of cookie?
Once you have classified your cookies you will need to plan your next move based on what category they fell into.
Essential
You do not need to do anything with these: if they are required for the site to function then they fall outside the remit of this law.
Non-Essential but harmless
You should question why they are being used on your site and whether you could use some other technology to achieve the same result. Technically these fall within the remit of the EU Cookie Law, so you should allow people to opt out, although the ICO has now said that implied consent is allowed.
The following is a quote from the ICO:
The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.
In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
You need to work out the best way of allowing people to opt out of these cookies; unfortunately there is no single standard implementation of this yet. The important thing is that they are asked before the cookie is set: it is no good just giving them easy access to delete a cookie afterwards. Having said that, this is a quote from the ICO regarding when a cookie is set:
The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes it difficult to obtain consent before the cookie is set. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.
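One concrete way of "delaying the setting of cookies until users have made their choice" is to enforce it at the point where your server emits Set-Cookie headers, so that nothing non-essential reaches the browser until a consent record is present. The WSGI middleware below is an added example (not from the original post or the ICO): the application keeps setting cookies exactly as it always did, and the middleware strips any Set-Cookie header whose cookie name is not on an essential list until the request carries the consent cookie. The consent cookie's name and value, the essential list and the demo application are all assumptions made for this example. It covers only cookies your own server sets; cookies written by JavaScript or by third-party scripts have to be gated in the page itself (for example by not loading the analytics script until consent is given).

```python
"""Hold back non-essential Set-Cookie headers until the visitor has consented.

Added example, not code from the original post. CONSENT_COOKIE, CONSENT_VALUE,
ESSENTIAL and demo_app are assumptions made for illustration.
"""
from __future__ import annotations

CONSENT_COOKIE = "cookie_consent"   # assumed name of the consent record (itself essential)
CONSENT_VALUE = "accepted"          # assumed value meaning "non-essential cookies allowed"
ESSENTIAL = frozenset({"sessionid", "csrftoken", CONSENT_COOKIE})


def cookie_name(set_cookie_value: str) -> str:
    """Name part of a Set-Cookie header value, e.g. "_ga=...; Path=/" -> "_ga"."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def request_cookies(environ: dict) -> dict[str, str]:
    """Parse the Cookie request header into a name -> value dict (malformed items skipped)."""
    cookies: dict[str, str] = {}
    for item in environ.get("HTTP_COOKIE", "").split(";"):
        name, sep, value = item.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def has_consent(environ: dict) -> bool:
    return request_cookies(environ).get(CONSENT_COOKIE) == CONSENT_VALUE


def filter_set_cookies(headers, consented: bool, essential=ESSENTIAL):
    """Return (headers to send, names of cookies withheld) for one response."""
    kept, withheld = [], []
    for name, value in headers:
        if name.lower() == "set-cookie" and not consented and cookie_name(value) not in essential:
            withheld.append(cookie_name(value))   # dropped: consent not yet given
            continue
        kept.append((name, value))
    return kept, withheld


class ConsentGate:
    """WSGI middleware: non-essential Set-Cookie headers pass only after consent."""

    def __init__(self, app, essential=ESSENTIAL):
        self.app = app
        self.essential = essential

    def __call__(self, environ, start_response):
        consented = has_consent(environ)

        def gated_start_response(status, headers, exc_info=None):
            kept, withheld = filter_set_cookies(headers, consented, self.essential)
            environ["consent_gate.withheld"] = withheld   # visible to logging downstream
            return start_response(status, kept, exc_info)

        return self.app(environ, gated_start_response)


def demo_app(environ, start_response):
    """Constructed application: sets one essential and one analytics cookie on every hit."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "sessionid=abc; Path=/; HttpOnly; Secure"),
        ("Set-Cookie", "_ga=GA1.2.111; Domain=.example.com; Path=/; Max-Age=63072000"),
    ])
    return [b"hello\n"]


def run_once(app, environ: dict):
    """Drive a WSGI app with a capturing start_response; returns (status, headers, body)."""
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    gate = ConsentGate(demo_app)
    for cookie_header in ("", f"{CONSENT_COOKIE}=declined", f"{CONSENT_COOKIE}={CONSENT_VALUE}"):
        env = {"HTTP_COOKIE": cookie_header}
        _, headers, _ = run_once(gate, env)
        sent = [cookie_name(v) for n, v in headers if n.lower() == "set-cookie"]
        print(f"Cookie: {cookie_header!r:32} sent={sent} withheld={env['consent_gate.withheld']}")
```

The consent cookie itself is on the essential list on purpose: it is the one cookie you must be able to set without prior consent, otherwise the choice cannot be remembered. A declined or missing consent cookie yields the same result, so a visitor who never answers the question is treated as not having consented.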