The EU Cookie Law – What it means to you

On 25th May 2011 an amendment was introduced to UK law via ‘The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011’, based on changes to Article 5(3) of the ‘E-Privacy Directive’ from the EU. These amendments introduced new requirements on how cookies and other similar technologies are to be handled on websites (see the appendix for the exact wording of the new legislation). In summary, websites must provide more comprehensive information about cookies, and users must give their consent for them to be used.

The Information Commissioner’s Office (ICO) is responsible for enforcing this legislation, and has published guidance about how to comply with it (see [1]). However, they have stated that they will not actively enforce it until after 25th May 2012 [2]. Even after that there will not be a wave of enforcement actions against companies that do not comply – it is more important to demonstrate that steps are being taken to gradually improve compliance. This report aims to outline the implications of this legislation and provide examples of tools and solutions used by other sites. If you would like to learn more about how this might impact your website, please do not hesitate to contact us.

About Cookies:

Cookies are small files that are stored on a user’s computer when they visit a website, and can be used to store user preferences, details relating to the current user’s session (e.g. shopping cart contents), or for tracking purposes – e.g. to find out how many users visited the site and what pages they visited. Note that the legislation does not explicitly apply to cookies – however cookies are the technology that would be most heavily affected by it.

It may be helpful to consider the various types of cookies that are used by a typical site – see [3] for some examples. Also see [4] for more detailed examples of specific elements on a website that could be affected. Finally, the International Chamber of Commerce (ICC) has released a guide to cookies (see [5]), which proposes grouping them into the following categories: ‘Strictly necessary’, ‘Performance’, ‘Functionality’, and ‘Targeting / Advertising’. It can be useful to group cookie types in this way, as a means to establish how intrusive they might be.

Achieving full compliance with this legislation will be extremely challenging (see the section below for some of the potential issues). Indeed, it is very easy to get bogged down in the technical details of how best to comply with all aspects of it. In reality though, it is more important to try and embrace the ‘spirit’ of the law (which is to increase users’ awareness of how cookies are used on a website, and improve their privacy as a result), rather than the letter of it. The ICO’s own guidance states that non-intrusive cookies are unlikely to be a priority, and lists some ‘quick wins’ that could be implemented easily to help improve compliance [1].

Potential issues to consider:

Existing functionality:

A good proportion of sites use ‘session cookies’ – i.e. cookies that are set when a user first visits the site, and that are retained until the end of their browser session (i.e. when they close their browser). These are used for various purposes, such as checking whether or not the user is logged in, and keeping track of any items in their basket when placing an order.

It is worth mentioning that the legislation does include an exemption for cookies that are ‘strictly necessary’ for the site to work as intended. However the ICO has stated that this exemption has to be interpreted narrowly [1], and the unique ID associated with session cookies can be cross-referenced against other data, and used for all kinds of other purposes – such as tracking user activity on a website.

A number of ecommerce sites track the exact stage of the order process any users have reached, and link this to any contact data supplied. This allows the website to identify users who have dropped out of the order process prior to completion – and then contact them directly, offering incentives to proceed with the order. Whilst this is of course extremely beneficial from the website owner’s perspective, it is hard to argue that this kind of activity is ‘strictly necessary’ for the website to function. In cases like this, the same session cookie is used for multiple purposes, some of which are strictly necessary, some of which aren’t. It is probably safest therefore to regard session cookies (and any similar cookies) as subject to the legislation. For many ecommerce websites to achieve full compliance, therefore, substantial re-engineering of some functionality could potentially be necessary.

User experience considerations:

Obtaining consent for using cookies may be highly disruptive to the user’s experience of using a website. The most effective solution to guarantee compliance would be to display a popup on every page, asking whether cookies can be used. However, this is likely to be incredibly frustrating for visitors. To prevent the popup from appearing every time a page is viewed, a cookie would probably have to be set after it has been shown the first time – ironically, potentially violating the very law that is being upheld!

Another solution would be to display a prominent banner on every page asking the user if cookies can be used. The ICO’s website uses this approach:

However, this is still very disruptive to users visiting the site, not to mention that it does not fit in well with existing designs. Attempting to find a solution that causes as little disruption as possible is therefore important.

Third party services:

Our websites include a lot of functionality provided by third parties. One major example is the usage of Google Analytics to track visits to the sites. Such services may set cookies as well – something we have very little control over. The ICO claims that Analytics cookies are subject to the legislation, but are highly unlikely to be prioritised during enforcement [1]. Interestingly, other government departments claim that the usage of Google Analytics is ‘essential’ to operate their websites and is therefore exempt [6] – however it could be risky to rely on this assertion!

Other third party services include social media buttons, feeds from other websites (e.g. recent Twitter updates), embedded videos from services such as YouTube, embedded Google maps, embedded third-party advertisements, third-party ‘heatmap’ scripts, etc – all of these could potentially store tracking cookies simply as a result of users visiting our websites, thus preventing our website from being compliant. Unfortunately in most cases it is impossible to avoid this, except by not using the services in question (at least until the user has given their consent) – which creates a more negative experience for visitors.

Types of Consent:

The ICO would prefer consent to be obtained prior to any cookies being set on a site [1]. In reality though, this could be very difficult to achieve – for example as discussed above, session cookies are often set as soon as a user visits a site, and changing this could require a huge amount of re-engineering work. For such cases, the recommendation is that ‘websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies’ [1].

A related issue is whether users need to explicitly consent to cookies being set, or whether this can just be inferred. Based on the ICO’s guidance (including the implementation examples they have provided), implied consent may be acceptable – but only if there is a clear shared understanding about what is being agreed to [1]. Therefore, if clear information is provided about cookies, and prominent links to this are placed in appropriate places, this may well be sufficient to achieve compliance. Other recent statements from the ICO also tend to support this viewpoint [7].

The reason this is important is that requiring explicit consent before any cookies are set is not only highly disruptive for visitors, but could also be very difficult to implement – and in the long run could have a huge detrimental impact on the site. One very good example of this is the ICO website itself – since they introduced the banner at the top asking about cookies, they experienced almost a 90% drop in the number of visitors reported by Google Analytics [8]! It is highly unlikely that any of our clients would accept analytics statistics relating to only 10% of the people who visit their website… For this reason, a strong recommendation is to rely on implied consent as far as possible.

Next Steps and Auditing tools:

A very important step that should be completed is an audit of your website, to find out what cookies are being used on it at present. This is a challenging task in itself, owing to the number of cookies set by third parties. Thankfully, a number of tools are available to perform much of this work automatically:

Examples of browser plugins that can be used to log cookie usage on a website:

http://www.attacat.co.uk/resources/cookies#axzz1v3IgbL8m

https://addons.mozilla.org/en-US/firefox/addon/cookie-manager/

http://www.cookielaw.org/get-started-with-optanon.aspx

Third party services that provide cookie auditing:

http://cookieq.com/CookieQ/AuditRegister

http://www.cookiecert.com/

The reason that it is important to audit your website in this way is that part of the legislation requires you to provide clear and comprehensive information about what data is being collected – and merely attempting to implement a solution without actually knowing what cookies are being set will not be sufficient to comply with this. Furthermore, it would make it easier to determine which cookies are more intrusive, and prioritise implementing consent mechanisms for these. Finally, for more complex websites where it will take a lot of time to become fully compliant, it would be a good way to demonstrate that action is being taken to work towards it.

Existing Approaches and Solutions:

One of the challenges associated with this legislation is that there are very few existing examples of implementations on high profile UK websites, making it hard to determine what can be considered ‘best practice’. Indeed, a recent survey of 55 major British companies revealed that only 5% of the websites were compliant [9]. However, [10] does include some examples of existing implementations.

By far the best implementation so far is visible on the BT website (http://www.bt.com). This works using the ‘Implied Consent’ approach described above – the first time the user visits the site, a fairly inconspicuous notification message appears on the bottom right:

Note that this is cleverly worded – if the user takes no action at this stage, they are presumed to have accepted the usage of cookies. Furthermore the message disappears after a few seconds, and never appears again when they visit the site. However, if they click on the ‘Change Settings’ button, a popup appears with a slider which can be adjusted to determine which types of cookies should be stored when they visit the site (this popup can also be accessed by clicking on the ‘change cookie settings’ link below the footer). There is also a link to a page containing much more detailed – yet easy to understand – information about cookies collected on the site, including a full list of all cookies broken down into separate groupings as recommended by the ICC (see above).

This is a very elegant solution which does as much as possible to be transparent about the usage of cookies and to comply with the directive, whilst still being very subtle and not negatively affecting the user experience too much. One could argue that even this approach isn’t strictly compliant (i.e. it only indirectly gains the user’s consent, and only works if JavaScript is enabled – if not, cookies will be stored as before. Also, some of the cookies marked as ‘essential’ might be debatable). However, the fact that an organisation as large as BT have adopted this approach does raise confidence that it would stand up to scrutiny by lawyers – and a simplified solution of this nature could work very well on our sites.

Existing Scripts and Plugins:

A number of scripts and plugins have been made available that could ease implementation of cookie compliant solutions on our websites. Some examples are below:

Cookie Control – http://www.civicuk.com/cookie-law/index

Cookie Consent – http://silktide.com/cookieconsent

CookieQ – http://cookieq.com/CookieQ

cPrompt – http://michaelwright.me/cPrompt

CookieCuttr – http://cookiecuttr.com/ (non-free WordPress plugin also available)

Optanon (payment required) – http://www.cookielaw.org/optanon.aspx

In addition, a few cookie consent WordPress plugins can be used (note that plugins like this are not as readily available on other platforms, so if you do not have a WordPress website you would need to adopt other approaches):

EU Cookie Directive Compliance Plugin – http://wordpress.org/extend/plugins/cookiecert-eu-cookie-directive/

EU Cookie Directive – http://wordpress.org/extend/plugins/eu-cookie-directive/

Cookie Control – http://wordpress.org/extend/plugins/cookie-control/

However, virtually all of the scripts and plugins above appear to have significant limitations:

  • It appears they are all geared towards the ‘opt-in’ explicit consent approach, which interferes with general site usage and is not recommended for the reasons discussed above (see the ‘Types of Consent’ section).
  • They require existing scripts/embedded content to be modified in some way to ensure they function correctly – e.g. to prevent 3rd party scripts or content from being loaded, or certain actions involving cookies from being executed, until the user has given consent. This requires a good knowledge of what elements on each site cause cookies to be added – which reduces the time-saving benefits of using 3rd-party solutions.
  • Most or all of them are JavaScript-based (with the possible exception of the WordPress plugins), and have little control over cookies added via other means. For example session cookies may still be added without consent – and in some cases these may not be ‘strictly necessary’, as discussed above.

These limitations dramatically reduce the benefits of using these scripts and plugins. Overall, therefore, the general recommendation is against using them, except in cases where we are confident they meet our needs precisely, or they are requested directly by a client. It is very important, however, to make sure that in-house solutions are as straightforward and easy to implement as possible – a high level of re-usability is essential.

References:

[1]     http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx

[2]     http://www.ico.gov.uk/news/blog/2011/half-term-report-on-cookies-compliance.aspx

[3]     http://www.cookiecert.com/news/cookie-law-by-example.php

[4]     http://silktide.com/cookielaw/about/what-is-affected

[5]     http://www.international-chamber.co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cookie_guide.pdf

[6]     http://econsultancy.com/uk/blog/9416-eu-cookie-law-uk-government-crumbles

[7]     http://www.cookielaw.org/blog/2012/4/4/cookie-law-update-from-the-ico.aspx

[8]     http://econsultancy.com/uk/blog/8210-q-a-lbi-s-manley-on-preparing-for-the-eu-cookie-laws

[9]     http://www.kpmg.com/uk/en/issuesandinsights/articlespublications/newsreleases/pages/long-way-to-go-for-uk-institutions-with-majority-yet-to-comply-with-eu-cookie-law.aspx

[10]  http://www.malcolmcoles.co.uk/blog/eu-cookie-law-examples-of-sites-already-implementing-it/

Appendix:

Below is the exact wording of the new EU legislation relating to cookie storage [emphasis added]:

A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information;

(b) has given his or her consent.

There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

[Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) – see [1]]

Credit: This post was written by Generate UK Senior Developer Patrick Hathway.


Posted on by Mike in Digital Marketing, Ecommerce, Featured, Internet Marketing, Web News
