EU Cookie Law as of May 2012

You may have seen in the media that a new cookie law has come into force for the UK. And you may have heard that at the last minute, they kinda changed the law quite substantially! I wrote various other blog posts on my company blog at the time, but here’s a summary:

What are cookies?

Cookies are typically tiny text files which are stored on your computer so that a website can use it as a reference to your preferences. Maybe to say “Hello xxx” next time you visit, or remember that you like the font at a certain size, or to recall what was in your shopping basket last time you were here.

They can be vital for websites which allow you to log in, or place items in a shopping bag – as you click from the page to page the website will refer back to the cookie to remember what it needs to.

Why is this law even in existence?

Well, because cookies remember stuff about you, they can remember more than you might like them to. For example, ad networks might use them to recall the fact that yesterday you were looking at a certain website, so how about today when you’re on a different website they remember the one you were on yesterday and show you ads for it?

There’s no harm in that specifically, but it does make you feel kinda uneasy to know that huge companies can track your movements around the web and know what you’re looking at when.

Cookies are also how sites like voucher sites earn a living – a cookie is planted on your computer when you click through on one of their voucher codes so that the site you go on to shop from knows that they refered you and can pay them a commission.

So there are privacy issues surrounding some cookies, hence the law. However, overall cookies have a bad press as evil information tracking stalker technology whereas in reality they just help lots of websites function.

Asking the public to opt into Cookies:

In May 2011 the UK Government gave all the websites in the land 12 months to bring their websites up to scratch with some new directives. There, of course, isn’t an official channel for them to distribute this information through, and in reality it was a while before word really got around everywhere just from bloggers and the odd viral video filtering through to the mass of web companies and developers. Hence there being a bit of a buzz around it in April/May 2012 when it was about to really kick in. There was also uncertainty as to whether websites would need to do much themselves, or whether browsers would make cookie information clear to Internet users.

The law stated that you couldn’t use cookies on your website until the visitor has explicity “opted in” to your use of cookies – they had to specifically say they were happy for you to use cookies on your website before you could deploy any functionality which used them.

So you’d do this by maybe having a tick box at the top of your page, or popping up a little box over the screen asking the visitor to “opt in”.

The ICO – Information Commissioner’s Office, the folks behind this regulation, opted for one such tick box approach:

Our personal approach, over at 18a, was to use CookieCuttr to display a bar along the top of our website asking people if they were OK with cookies. Until you say you’re OK with cookies, we don’t use Google Analytics on our 18a website (more on that later) and we don’t show you Facebook share buttons or Google+ icons etc. (more on those 3rd party cookies later too).

However, this is extra development for a lot of websites – development which lots of small businesses might not have funds to pay for. It can also be quite wordy (an early version of the ICO’s tick box certainly was) and just confuse visitors or get in their way.

Anywho, the law was coming into force and whilst lots of people were ignoring it, lots of people were also acting on it and bringing their websites inline.

However…

There was much concern in the web and business community that asking people to OK important functionality could be hazardous to people’s use of websites and ultimately to UK online trade. There were also a lot of websites not conforming – including Government websites.

So on the 25th May 2012 the ICO updated the guidelines, and rather than forcing people to “opt in” you could now rely on “implied consent”. This changed everything. No longer did you have to get someone to specifically say “yes I’m cool with that” before placing a cookie – now you could just give them lots of information and allow them to say no if they wanted to.

Different adaptions:

One of the first adapations I saw of implied consent was on the BBC website. When you first get there, you’re shown a bar along the top of the screen telling you that they use cookies but giving you the option to change your cookie settings if you want to.

Meanwhile BT have been praised for a neat little pop up which appears, asks if you’re happy with things, and fades away a few seconds later. Personally I wonder if their wording of “No thanks” is as perfectly clear as it could be in a world where people are being asked if they want to allow cookies or not… they mean (I believe) “no thanks I don’t want to change my cookie settings” but I think it would be easy to take that as “No thanks I don’t want cookies”.

Necessary cookies:

The ICO however, always made an exception for necessary cookies. They used the example of shopping baskets which rely on cookies.

Our 18a website and this website, talkingweb.co.uk, both have a cookie which is set the second you visit the site and can’t not be set otherwise the site wouldn’t work. It’s part of the MVC framework we build our sites on. It’s to allow user accounts of those who need to log in so it doesn’t effect you if you’re not logging in, and we tell you what it collects on our cookie information page, but it has to be there.

The ICO have warned however, that this loophole isn’t to be exploited – it really is just for cookies which are essential to a site working. A shopping basket that can’t remember your products as you click from one page to the next would be rubbish. And a screen before you visited talkingweb.co.uk saying “are you OK with a harmless cookie? Otherwise you can’t go any further” would be a real detriment to a lot of websites.

I was interested to see how the BBC classify their cookies on their cooking information page and I was particularly interested to see how long their “necessary” cookies list is, starting off with their own analytics package for counting their visitors.

Google Analytics:

It’s the topic of Analytics – particularly Google Analytics – which is causing some of the most debate around the new cookie law. Many people class their analytics – visitors tracking software – as necessary and essential to their business. The ICO however, apparently don’t (from what I’ve read elsewhere online). And really, if this law is to stop the invasion of your privacy, lettingone of the biggest companies in the world with eyes all over the Internet off the hook, maybe kinda defeats the purpose.

But a LOT of people use Google Analytics, so what should they do? Well, in the original plans, you’d have had to ask people if they were OK with you using Google Analytics on their visit before you deployed it. Now, you could tell people you’re using it under implied consent but if they’re not happy about it, let them change it. However, that involves development from a coder – even if it’s just to put on one of the javascript little services that’s popping up around and abouts – so lots of people aren’t.

So really, for a lot of websites, their way of letting a visitor opt out is to ask them to leave. Or tell them how to turn off cookies in their browser.

We don’t use Google Analytics on TalkingWeb.co.uk just because I didn’t want to worry with any cookie business, so right now we’re just relying on server stats to check our visitors. On our 18a company website though, when we ask you if we’re OK to use it, we offer a link to Google’s own page about the cookies involved with Google Analytics. We’ve got to provide the information about 3rd party cookies, but I don’t want to write any info on what Google does with the info it harvests! I’ll most certainly leave that to them, as they could change it any time.

http://www.google.com/policies/privacy/ads/#toc-analytics

Third Party Cookies:

Google Analytics is an example of a Third Party cookie – a cookie set when a visitor lands on your website, but it’s not a cookie that’s yours / you’re in control of / you’ve created.

Other examples are the Facebook Like button or Google+ share icon.

They are activated when a visitor lands on your site though, so you do need to deal with them under this new law.

Strictly speaking, you should let people choose to turn these on or off… or at the very least, give people information about what they are. More cookies are set if a visitor to a website with a Facebook Like button is logged into Facebook at the same time, so that could be seen as consent anyway as they’ve chosen to login to Facebook… but Facebook (outside the EU so not under the jurisdiction of this law) should make that clear from their site – when you’re logged into Facebook, it can track you around the web.

Transparency:

The main point that comes across strongly from the ICO, is that you’ve got to be informative and clear. Their issue is with the general public not understanding what cookies are for and websites explaining themselves.

They also say the information has got to be very readibly available – they reference things not being stashed away in the normal privacy policy in your footer, but a cookie information page being clearly highlighted in the header of your page (as above in red – top right).

Each cookie your site sets should also be explained to the visitor, listing what information it stores about them.

Does your site use cookies?

If you use Google Analytics, then your site uses cookies. As does it if you use Facebook Like buttons. For cookies which aren’t so obvious, you can get plugins for your browser such as the Web Developer plugin for Firefox. If you’re using Chrome, you can right click on a page and choose “Inspect Element” and click on the cookie tab.

In summary:

1. You need to be very clear and obvious on your website about what cookies you use, why you use these and what information they collect about your visitors.

2. You need to give people the choice to “opt in” to these cookies before you place them or tell people very clearly that by using the website you are assuming their consent.

3. If you assume consent, then ideally give people the option to “opt out” of any cookies they don’t want you to use.

4. You can direct people to this page to help them turn off cookies from your browser.

Useful further reading and watching:

How to turn off cookies in you browser – TalkingWeb