Making the right impressions

EU Cookie Directive: What, Why, Who, When and How?

Article 1:

That new EC Cookie Directive law thing

EC Cookie Directive

Lots of fear, uncertainty and doubt about the new EC Cookie Directive… and lots of wrong information out there, too.

Here’s the only information you ought to read, direct from the ICO. Basically, in a nutshell, you can’t drop a cookie onto someone’s machine without asking first. No – letting the user opt-out isn’t acceptable. They must consent first.

Open “private browsing” or “incognito mode” on your browser, and visit bt.com to see apparently a “good way of doing it”. A pop-up DIV at the bottom-right of the screen, basically saying “if you go any further, we’ll drop cookies on your system, or you can control them all here if you want”.

A lot’s been written about the pointlessness of this EU law – not least “how can we remember if a user doesn’t want a cookie dropped on their machine without using, er, a cookie”. It will do nothing other than damage EU online businesses.

For Zoo Design, my own online business, I’ve decided to do four things:

1. Make it really clear when you log in that you are consenting to a cookie being put on your machine, so we can tell who you are.

2. Make it really clear what other cookies we use on our website.

3. Not ask for consent for those that do not contain personal information. Which includes Google Analytics, any advertising beacons, and even Google/Twitter/Facebook buttons. None of these contain personal information – merely anonymous information about all internet users who use your machine. (Unless, of course, you log into Twitter, Facebook etc).

4. Make it really clear how you can opt out of everything – by repeating the simplest advice of using “incognito” mode, or “private” mode, on your web browser: which removes cookies every time you use it, and automatically signs you out of everything.

That third thing is probably rather contentious: it’s a very liberal reading of what’s going on. But the ICO is primarily concerned with personal information and personal data – and I’m registered under the Data Protection Act and take personal data very seriously. However, Google Analytics and AdSense cookies, etc, are anonymous, and will only ever contain personal information if you deliberately log in to Google services (and even then Google claims not to link Analytics or AdSense with your Google account anyway). The same goes for Twitter and Facebook too. And the ICO go out of their way to say, in their advice: Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

As I say in the final paragraph of our cookie information: “we also want to make sure that we know what you like so we can do it more often, and that advertising messages are relevant and useful for you, rather than an irritation.”

The cookie directive is madness, nonsensical and dreadfully thought out. As has already been proved, users don’t understand what cookies are, and 90% of them actively block Google Analytics and the like, if they’re given a confusing opt-in message.

I’ll be interested to see how the rest of the industry approaches the issues it kicks up.

Later

I’ve also added a little note in the header (“Hello, new user! We use cookies. Read more”) for new users to Media UK. It’s linked to the existence of the __utma cookie that Google Analytics drops.


Article 2:

Like it or not, the deadline for complying with the EU cookie directive is drawing very close. No matter how nonsensical this law seems, the sad reality is that it’s the law – and website owners have no choice but to comply. With the deadline for compliance now less than two months away, the aim of this post is to give you all the facts you need to know, including practical suggestions for ensuring that your site is in line with the new regulations. I’ve put my personal opinion at the end; clue: like everyone else, I think this law is ludicrous!

What is the EU cookie directive?
For those not already aware, the supposed aim of this legislation is to increase online security and data privacy, giving users more control over what data can be held about them. It addresses concerns with how personal information is held and used. Some users – albeit a small minority – are concerned with what they see as the development of a ‘Big Brother’ society in which their every move is being recorded.

The legislation forces websites to be transparent about how they are using cookies, detailing exactly what information each cookie holds and how long it will be held, and requires them actively to request permission from their users before cookies can be used.

Previously, the law dictated that websites had to explain how they were using cookies and how users can ‘opt out’. Most sites did so in their Privacy Policies, but this isn’t enough under the new law: users now have to ‘opt in’, having been made fully aware of the implications of doing so.

 

Who needs to comply with it?
The law applies to all Member States of the European Union. However, even websites outside the EU are required to comply with the law if they are targeting Member States. For example, a site based in the USA that sells products to consumers in the UK, or that has a French-language version of its site aimed at users in France, will still have to comply.

Why do I need to comply with it?
Put simply, because it’s the law! Many have speculated that the law will be hard to enforce, but the penalties for non-compliance could be severe. The maximum monetary penalty for non-compliance is £500,000, which could apply in situations where deliberate contravention of the legislation leads to substantial damage or distress. There are of course less severe penalties for more minor contraventions, including an information notice, undertaking (which commits the organisation to specific actions to ensure compliance) and an enforcement notice.

What does this mean for my website and analytics?
Quite apart from the initial hassle of making practical website changes to comply with the law, websites will face a whole host of possible problems as a result of complying with this legislation. Cookies are used extensively to improve user experience – things like remembering preferences such as font size and language, or what’s in the user’s shopping basket on e-commerce sites. Although webmasters will be allowed to use cookies without permission in instances where it is strictly necessary to do so for the functionality of the website and where that action is explicitly requested by the user (i.e. where a feature requested by the user wouldn’t work without the use of a cookie, such as the shopping basket on an e-commerce site), it’s likely that user experience will suffer for those who say no to cookies.

The good news is that the UK Government has come out and said that the use of analytics is “essential” – see this useful post on Econsultancy for more information. Let’s hope the EU agrees, otherwise analytics is doomed.

When do I need to comply with it?
The law actually came into force last year, on 25 May 2011. However, it was recognised that webmasters need time to bring their websites in line with the law, and a grace period of one year was granted. This means that by 26 May 2012, all websites will have no choice but to comply with the law.

How do I comply with it?
To comply with the new cookie legislation, it will be necessary to make changes to your website to make information about your use of cookies transparent and prominent, and to allow users to give consent to the use of cookies. Note that:

  • If you have more than one website, you can gain permission for cookies in one place, providing you make it clear what websites the permission applies to.
  • If you change your use of cookies significantly following initial permission, you’ll need to ask for permission again.

It’s a good idea to start by auditing your use of cookies. Look out for the following:

  • Ascertain which cookies are being used, their purpose and what data they hold.
  • Find out whether they can be linked with personal data such as username, email address etc.
  • Establish whether they apply to the session (just that visit) or if they’re persistent (applying to future visits as well).
  • Establish how long they last.
  • Establish whether they’re 1st or 3rd party, and if the latter, who is setting the 3rd party ones.
  • Check that your Privacy Policy includes accurate and clear information on each cookie being used, and in a way that a layman can understand.

Gaining consent can be done in a variety of ways. As the ICO points out, the method you use to gain users’ consent depends on what your cookies are doing and also on your relationship with your users.
Settings-led consent

This involves gaining consent when a user makes a change that affects how the site works for them. For example, this could mean asking the user if they want the website to remember a particular language setting and gaining consent for cookies to be used for this purpose.

Feature-led consent
This applies in instances where cookies are used to remember what content a user viewed the last time they visited the site, to enable content to be tailored to them – for example, remembering what videos they viewed last time they visited. In such cases, your site should make clear to the user that taking a particular action will result in a cookie being used. This could mean, for instance, highlighting cookie use when a user turns on a particular feature and requiring consent before the change is applied.

Consent for functional/analytical cookie use
Cookies used to collect anonymous information about how visitors use your site still need user consent. This is relatively straightforward if a user has to log into your site, but more complicated where they do not. You’ll need to make absolutely clear to users what cookies are being used, what they’re being used for, and asking for consent. Below are some suggestions on how you can go about this.

The practicalities
A number of software solutions are already on the market to allow webmasters to comply with the law without affecting the look and feel of their site. One example is http://civicuk.com/cookie-law/configuration.

Other options suggested by the Information Commissioner’s Office include:

  • JavaScript pop-up box – explaining cookie use and offering ‘yes’ and ‘no’ options for consent. This isn’t a very nice solution though, as we all know how much everybody hates pop-ups and most browsers automatically block them anyway.
  • Splash page – a big SEO no-no.
  • Banner – shown along the top of the page to first time visitors with a tick box to allow users to consent, with cookies disabled until the visitor ticks to indicate consent.
  • Footer bar – similar to the banner concept, this would be displayed along the bottom. If they do not click yes or no, but continue to use the site, consent can be inferred because they have seen a clear message but are still continuing to use the site. A smaller message could be maintained throughout the site in such instances, to remind users of the fact that the site is using cookies.
  • Remember preferences – enhance the wording of your ‘remember preferences’ such as language or font size to ensure that it’s clear that a cookie will be required to do so.
  • Flag changes to terms and conditions – an option where users have to log into their account. They would need to give ‘specific and informed’ consent to these pages, so consent cannot be assumed just by changing the terms and conditions they agreed to when they signed up. You’ll need to get a positive indication that consent has been granted, as they log in and before they are able to proceed to their account.

In addition to this, the law also requires you to make your privacy policy more prominent, rather than hiding it away. This could be a question of making the font bigger, moving it from the footer to the header, or changing the wording to indicate that it includes information about cookie use.

BT.com has implemented quite a comprehensive response to the cookie law today, if you’re in need of some more inspiration…

My opinion
Researching this law in detail, I found myself becoming rather angry at what I see as a pointless bit of European bureaucracy that has little real value and, on the contrary, is disruptive to both users and webmasters. From a user perspective, one might pose the question: how many people are so concerned about data protection that they take the time to read a website’s privacy policy? From being able to use a website without interruption, the user will now find themselves faced with information about cookies that the vast majority are likely to have no wish to read, and will be forced to state their agreement to the use cookies that enable features that most would rather happened as a matter of course.

There will of course also be users who react the opposite way; if the information about cookie usage is not worded carefully, it risks sparking paranoia in some, who will then not agree to cookie usage and their user experience of a website will be lessened. This introduces frustration into what might otherwise have been a seamless user journey, and that in turn means that they may be less likely to come back.

What does the future hold?
The hope is that in time, the Government will work closely with browsers such as Firefox to find a way around the issue of having to ask for consent. Ed Vaizey, Minister for Culture, Communications and Creative Industries, has confirmed that the Government is already liaising with browser manufacturers over how to enhance browsers to provide information on cookies as well as user-friendly settings. But at the moment, he says, browsers simply aren’t sophisticated enough to assume consent. Furthermore, an increasing number of users are browsing the web through mobile devices, without using a browser, so it’s likely that we’re heading towards an international standard of online privacy that applies to mobiles as well.

Further reading and useful resources