Cookie Law – a practical guide
The Cookie Law was introduced on 26th May 2011 but is enforceable from 26th May 2012. New laws came into force in the UK that affect most websites; in fact, around 92% of all websites are illegal – probably including yours! If you use Google Analytics you are affected.
It is all to do with cookies (see below for the definition of a cookie) and the personal information that they track. The law is trying to protect the user; however, it is struggling to find a practical way to do it and, as a consequence, it seems to be trying to impose regulations that really are not practical or enforceable.
The truth is it is a sledgehammer to crack a nut; however, I prefer some other analogies that I have seen on the issue:
- It’s like banning all music just to stop another Justin Bieber album being released.
- It’s like banning children from talking to stop bullying.
The law is causing a lot of consternation: it is essentially unenforceable and there are no real solutions, yet we are all expected to comply. I have tried to provide an explanation of the situation with some practical recommendations as to what businesses should do.
What is a cookie?
Wikipedia describes a computer cookie as ‘a piece of data stored by a website within a browser, and then subsequently sent back to the same website by the browser.’
Cookies are tiny text files stored on your computer when you visit certain web pages. Cookies cannot carry viruses or install malware – they simply track activity and data.
Are cookies bad? Some capture data that you may not want to provide. However, most cookies are harmless and actually make websites and the internet operate in a user-friendly manner.
The legal bit
Let’s start with this as it is the law that is causing all the commotion. If you want to skip this then please do.
If cookies are used in a site, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (UK Regulations) provide that certain information must be given to that site’s visitors and the user must give his or her consent to the placing of the cookies.
The UK Regulations implemented into UK law the provisions of the amended E-Privacy Directive of 2009. The Directive required that the new laws be implemented into the laws of all EU Member States by 25th May 2011. The UK is one of only three member states to meet this deadline.
There is a requirement under the amended E-Privacy Directive and the UK Regulations to:
- tell users about cookies and what you are going to use their information for; and
- obtain their consent to the placing of the cookies.
The Data Protection Act also requires users to be provided with certain information.
Some cookies are exempt. The legal wording is that consent is needed for cookies that are not ‘strictly necessary for a service requested by a user’. A cookie that remembers what someone has put into a shopping cart, for example, is strictly necessary, because it is integral to the functionality of a site.
General tracking cookies, such as those set by Google Analytics, do not fall into this exempt category.
Why has this law been introduced?
The law is all about protecting the individual’s privacy, which is a totally commendable objective and one I wholeheartedly agree with. However, the way that this is being implemented is the issue.
Why is this important now?
The UK complied with the EU directive on 26th May 2011; however, it provided a year’s grace before any enforcement (the ICO is the enforcement body). We expected some clarification on the various issues in the last year, but nothing has changed and now the threat of enforcement has got the attention of business and website owners.
The ICO can fine organisations up to £500,000 if they “seriously breach” the new legislation.
What does it mean (to the letter of the law)
All websites should stop using cookies or ask for permission.
What does it mean (practical)
The law provides no real or practical guidance or recommendations on how to comply with the law, so what are the options?
1. Do nothing – ignore the law
It is generally seen that this law is unenforceable, and past activity shows that you would be asked to change your site rather than be fined straight away. I suspect that the ICO will go after large sites that impact lots of people – Amazon, Google, eBay etc. There will be test cases to set precedents about this law. The silence from these companies is deafening at the moment.
2. Stop using cookies
Impractical – as this would mean you would have to stop using services like Google Analytics and you cannot control third party cookies.
3. Ask for permission
Implementing permissions carries a huge overhead for your site. Even the ICO (the governing body) does not implement this very well. It could also have a severe impact on the usability of the site.
Here is a tongue in cheek example of what this could mean for your site. http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html
This useful video outlines all the issues in 2 1/2 mins!
This is the first step and is the minimum that most website owners should do. The ICO has stated that it will look more favourably on companies that have made an effort to comply.
If you want to fully comply then you need to:
1. Audit your site and understand what cookies you use
2. Provide a mechanism (popup or accordion) that allows the visitor to provide consent to using cookies or to disable them.
This can impact the way your site operates and the information (i.e. Analytics) that you then receive.
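The two steps above, sketched as browser-side JavaScript; this is an added illustration, not code from the original guide. The allowlist, the `cookie_consent` cookie name, the function names and the sample cookie string are all assumptions made for the example.

```javascript
// Cookies the site owner has judged "strictly necessary" (assumed list).
// The consent record itself is included so the choice can be remembered.
const STRICTLY_NECESSARY = new Set(["session_id", "cart", "cookie_consent"]);

// Step 1 (audit): split a document.cookie-style string into cookie names
// and flag each one as exempt or as needing the visitor's consent.
function auditCookies(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      const name = eq === -1 ? part : part.slice(0, eq);
      return { name, needsConsent: !STRICTLY_NECESSARY.has(name) };
    });
}

// Step 2 (consent): anything other than an explicit "granted" counts as
// no consent, so the default is opt-in rather than opt-out.
function hasConsent(cookieString) {
  return cookieString
    .split(";")
    .some((part) => part.trim() === "cookie_consent=granted");
}

// Gate for third-party scripts: load one only if every cookie it sets is
// exempt, or the visitor has consented.
function mayLoad(scriptCookies, cookieString) {
  const needsConsent = scriptCookies.some((n) => !STRICTLY_NECESSARY.has(n));
  return !needsConsent || hasConsent(cookieString);
}

// Audit finding: non-exempt cookies that are present without consent.
function violations(cookieString) {
  if (hasConsent(cookieString)) return [];
  return auditCookies(cookieString)
    .filter((c) => c.needsConsent)
    .map((c) => c.name);
}

// Constructed sample: a session cookie, a cart cookie and two
// analytics-style cookies, with no consent recorded.
const SAMPLE = "session_id=abc123; cart=sku42; __utma=1.2.3; __utmz=1.utmcsr";
```

In a page, `document.cookie` would be passed in place of `SAMPLE`, and the analytics script tag would be injected only when `mayLoad` returns true.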
I hope that this Cookie Law Practical Guide is useful – Please remember, though, that it is intended as general information only. We are not giving legal advice.
Please contact us if you wish to discuss the implications of this new Cookie Law for your website.