This post explains how to comply with the EU cookie directive which came into force on May 26th 2012. If you have not taken action or want to review the measures you have put in place, this post gives some background and provides recommendations to help you comply with the law without losing website traffic unnecessarily.
How to comply, with NO pop-ups, NO scary messages and NO broken features: In my opinion, most websites (like this one) can comply without loss of website traffic, and a last-minute update from the Information Commissioner’s Office (ICO) strengthens this point of view.
UPDATE: at the last minute, the ICO changed their stance to allow “implied consent”, vindicating the approach I recommend here. This post has been updated to reflect changes to the guidance made by the ICO on 24th May 2012 (a day before the deadline!).
EU rules now oblige almost every website “catering for EU citizens” (ICO guidance) to take specific measures to help users understand and consent to the use of any cookies stored when visiting the website. It seems likely that only a small proportion of websites will need to obtain explicit consent in order to comply with guidance issued by the UK’s ICO, though the situation may be different in other EU jurisdictions, and you should consider the implications of this for your business. This post addresses only compliance with the UK ICO.
If you are outside the EU, don’t assume you can ignore this:
The EU Cookie Directive applies to websites hosted inside and outside the UK, and to any organisation catering to citizens of the EU.
What To Do?: Recommendations and solutions are suggested in this post, so you should read it, assess which recommended measures apply to you, and do what is needed in order to comply with the law. EU directives have legal force, and are routinely applied to both EU and foreign entities. The EU takes a strong line on privacy issues, so all website owners are advised to take this issue seriously.
Disclaimer: The information here is provided in good faith (with references you can follow up), but I don’t accept responsibility for decisions or actions you take if you base them on what I provide here. To be sure you comply, please refer to official sources such as the ICO website for detailed information and guidance on compliance with the EU cookie directive and the Privacy and Electronic Communications Regulations.
Deadline: The Information Commissioner’s Office has delayed enforcement in the UK until 26th May 2012, so we can expect action to start soon, though resource limitations are likely to mean this will be focussed on the more serious and/or high-profile violations.
Updated ICO Cookie Guidance
The remainder of this post contains page number references to ICO Guidance On The New Cookies Regulations.
The ICO guidance states:
“Those setting cookies must:
- tell people that the cookies are there,
- explain what the cookies are doing, and
- obtain their consent to store a cookie on their device.” (p8)
Updated ICO Guidance: In a last-minute change (Cookie Guidance v.3, issued 24th May 2012) the ICO allowed implied consent, which means that neither explicit nor prior consent is mandatory. Here is the crucial wording:
“Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices.”
This means that compliance clearly does not require pop-ups or cookie disabling, though it may of course be deemed necessary in particular cases, such as for sensitive personal information:
“While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant. Website operators need to remember that where their activities result in the collection of sensitive personal data such as information about an identifiable individual’s health then data protection law might require them to obtain explicit consent.”
The guidance then suggests, disingenuously, that the confusion which “led some to believe that an explicit, opt-in style consent would be required for every cookie each time it was set” was due to “early reporting on the new rule”, whereas it was in fact due to people following the letter of the ICO’s own guidance.
The ICO guidance goes on to elaborate on what might be considered “implied consent”, but I have to say it is still confusing and we are still left in a situation of having to wait and see what is and isn’t accepted in terms of enforcement. This is very unsatisfactory, but there it is. However, the change in guidance is without doubt a move that strengthens the case for the recommendations made in this post.
I see no need to alter my recommendations in the light of the v.3 ICO guidance. I believe that the late change in the guidance makes them more likely to be appropriate, and undermines the case some have made for website owners to provide invasive pop-ups and complicated UI for disabling cookies. Some may well need to do so, but I explain below what I suggest for the majority, and why I believe this is appropriate.
Who Must Comply
Examples of who must comply are “organisations based in the UK even if their website is hosted abroad,” and anyone with websites “designed for the European market” or “providing products or services to customers in Europe.” (p11)
That means you, right?
Key Points and Comments
Some key extracts from the ICO cookie guidance:
- Information: “You must provide clear and comprehensive information about any cookies you are using” (p8). However, this rule has been in place since 2003 and so far hardly anyone complies. At least, I’ve never come across a page that says what cookies a website uses and what they are for, have you? Also, I am not aware of any enforcement action to date!
- Consent: “You must obtain consent to store a cookie on a user or subscribers device” (p8). Hardly anyone is complying with this yet (in January 2012), and while you are supposed to obtain consent before storage, this is often impractical. At time of writing, even the ICO’s own website violates this provision. The ICO website happens to be the only website I know that is attempting compliance at this time.
- Exemptions: are granted where there is little risk to user privacy. For example if cookies are needed for delivery of a service for which remuneration is involved (p9). Example exemptions are given including a shopping cart, security in banking website, and for improving performance (e.g. load balancing) (p10).
- Non-exempt: Example non-exempt cookies are given too: analytics, advertising related, and per-user customisation. (p10)
How To Get Ready For The EU Cookie Directive
What Are Your Options?
- Do Nothing. While I don’t advise this option, “wait and see” might be considered a relatively low risk for several reasons. Firstly, looking at the web it may turn out to be the default position for a lot of websites, and so there may well be safety in numbers! You might also consider it favourable that so far there appears to have been little enforcement of earlier provisions. However, take note that the landscape has changed significantly in recent years, so privacy issues are I think much more likely to be enforced (cf. privacy violations by Google street view to name one high profile example). One might choose to gamble that the big boys will have to comply first, and to wait and see what they do, and what happens if they don’t. You might expect they are more likely to be taken to task than a small organisation. Personally, I think there is some merit in wait and see, but you will have to take the consequences should it turn out badly for you. Don’t complain to me, because I do not advise doing nothing!
- Be Ready To Comply When Challenged. A much less risky strategy is to have something implemented, tested and ready for activation, so that you can comply the moment someone official knocks on your door. This is similar to “wait and see” but designed to reduce the risk of your suffering sanction for non-compliance, and lets you see what happens in practice before doing anything that damages your website traffic. So again, very much at your own risk.
- Act By May 26th 2012. To reduce risk further you should do something by May 26th (or as soon after as possible), but I would suggest you avoid messing with your website user experience unless absolutely necessary. Why? Because to do so will lose you website traffic and break important parts of your website. That’s hardly doing visitors a favour, is it! So for example, I would avoid pop-ups and scary messages like the ones at the ICO at www.ico.gov.uk. They have added a simple opt-in consent banner to every page. Here is what it looks like:
Once consent is obtained, you can enable cookies and hide the banner, but if people disable cookies they will have this banner displayed forever! No, I think there is a much better and pragmatic solution that shows willing and is in the end in the best interests of users, and that is the approach followed by the Department of Culture Media and Sport (which happens to oversee the ICO). This is in line with the principle of “implied consent”, clearly allowed by the updated ICO cookie guidance (v.3 May 2012).
I think you would be unwise to do nothing, but I don’t believe many people need to go the way of the ICO (banners & popups). You should avoid damaging your website traffic with this kind of measure if at all possible. My recommendations are described next.
Recommendations For EU Cookie Law Compliance
Include A Suitable Privacy Statement: This is the minimum I recommend, and I think it is also sufficient for most websites for the time being. But not just “a privacy statement”, you need “a suitable privacy statement”! If you have normal access logs for maintenance and security, analytics that does not allow individuals to be identified, and personal or identifiable information is not shared (e.g. for targeted advertising), this seems enough for now. It is open, transparent, shows willing and will not adversely affect your website traffic.
This is what most websites have been doing for years: serving users adequately, and without adversely affecting users’ privacy. The directive is, I think, not aimed at what has always been accepted and has done far more good than harm (if any), so I take the measures to be aimed more at protecting users from more recent developments, such as tracking across websites, building up profiles on individuals, and using this to place control of their web experience in the hands of third parties, without their knowledge or consent. That, we must all see as inappropriate, and requiring consent. The question is where and how to draw a line that provides effective and enforceable protection, without undermining the good experience that users will want preserved.
So the model I am personally following is to include a “suitable” privacy statement. It is also the model being followed by the Department of Culture Media and Sport (which oversees the ICO). To achieve this easily on all my websites I created a WordPress plugin. I just installed it on each of my websites, and that’s it. I’ve made this plugin available free so if you have a WordPress website you can use the same approach yourself (see EU Cookies Plugin). If you don’t have WordPress I can implement something similar for you (see EU Cookie Services).
Websites Requiring Consent: If your website is using cookies in ways which you think require “explicit consent,” you should first consider changing this to avoid this necessity. Only if you can’t avoid this should you then follow the model of the ICO (but I encourage you to come up with some better wording, and a less intrusive banner!).
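For sites that do end up following the ICO banner model, the mechanics are small enough to show in full. The following is an added example written for this post (it is not the ICO’s code, nor the plugin mentioned here): non-exempt cookies (analytics, in this example) are only set after a positive answer, and a decline is remembered in a first-party cookie so the banner is not displayed forever, which is the problem described above with the ICO’s banner. The cookie name `cookie_consent`, the values `accepted`/`declined`, the one-year lifetime and the `initConsentBanner`/`planForVisit` function names are all assumptions of the example. The decision logic takes the cookie string as an argument so it can be checked outside a browser; the browser wiring at the end only runs where `document` exists.

```javascript
// Added example: gating non-exempt cookies behind a recorded consent decision.
// Assumptions (not from the post): a first-party cookie "cookie_consent" holds
// "accepted" or "declined"; analytics is the site's only non-exempt cookie use.
const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_DAYS = 365;

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try {
      cookies[name] = decodeURIComponent(raw);
    } catch (e) {
      cookies[name] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return cookies;
}

// Three states: accepted, declined, or undecided (cookie absent or unrecognised).
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'accepted' || value === 'declined' ? value : 'undecided';
}

// What the page should do on load, given the visitor's cookie string.
function planForVisit(cookieString) {
  const state = consentState(cookieString);
  return {
    state,
    showBanner: state === 'undecided',   // a remembered decline hides the banner too
    loadAnalytics: state === 'accepted', // non-exempt cookies only after a positive answer
  };
}

// Cookie string that records the decision for CONSENT_DAYS (first-party, Lax).
function consentCookieString(decision) {
  if (decision !== 'accepted' && decision !== 'declined') {
    throw new Error('decision must be "accepted" or "declined"');
  }
  const maxAge = CONSENT_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${maxAge}; Path=/; SameSite=Lax`;
}

// Browser wiring: show a two-button banner only while undecided. `doc` is
// injected so the decision logic can be exercised outside a browser.
function initConsentBanner(doc, loadAnalytics) {
  const plan = planForVisit(doc.cookie);
  if (plan.loadAnalytics) loadAnalytics();
  if (!plan.showBanner) return plan;

  const banner = doc.createElement('div');
  banner.textContent = 'This site uses cookies for analytics. ';
  for (const decision of ['accepted', 'declined']) {
    const button = doc.createElement('button');
    button.textContent = decision === 'accepted' ? 'Accept' : 'Decline';
    button.addEventListener('click', () => {
      doc.cookie = consentCookieString(decision); // remembered on future visits
      banner.remove();
      if (decision === 'accepted') loadAnalytics();
    });
    banner.appendChild(button);
  }
  doc.body.appendChild(banner);
  return plan;
}

if (typeof document !== 'undefined') {
  initConsentBanner(document, () => {
    // Put the analytics loader here; nothing non-exempt runs before this point.
  });
}
```

The consent cookie itself carries no personal data and exists only to honour the visitor’s choice, which is why it is set regardless of the answer; everything non-exempt waits for `loadAnalytics` to be called.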
Monitor Enforcement Practices: Whatever you do, it will be enforcement practice that determines what we have to do in the end, so you should also keep an eye on this in the coming weeks and months. One way will be to follow me on Facebook or Twitter, or subscribe to my Newsletter.
Deciding What To Do About Website Cookies
You might find this recent BBC article useful, which makes some interesting observations on the likely attitude and ability of enforcement by the ICO: Cookies: Majority of government sites to miss deadline (BBC). One might easily conclude enforcement will be limited to gross abuses or very high profile cases. The article suggests that there will be a light touch so long as you show willing (e.g. with a decent privacy page), and with serious sanction reserved for cases of willful evasion. We’ll see!
Help With EU Cookie Law Compliance
WordPress Websites: For WordPress websites I have created a free plugin which automatically adds a privacy statement for your website. You can install it free yourself, or pay a small fee for me to install and test it for you. Then read the privacy statement and make sure you aren’t doing anything outside what is stated.
Get the EU Cookies Plugin here: theWebalyst.com EU Cookie Services
Non-WordPress Websites: If you don’t have a WordPress website, I can create a similar page for you. To find out how much this will cost, reply to this email with your website address and tell me you’d like me to quote for a standard EU cookie page.
If you have questions please leave a comment, or contact me for a quote.