The Cookie Law

On 26th May 2012 a new law concerning EU websites comes into force. It’s being dubbed ‘The cookie law’ and is a is a piece of European Union legislation that has been adopted in the UK. This article provides a summary of the cookie law and how it affects customers of BF Internet.

What’s a cookie?

Some websites store small amounts of data on your computer called ‘cookies’ to remember if you’ve been to the website before. They also enable you to use online services more easily.

Does my website use cookies?

Probably, yes. If you use ecommerce, or your website has some sort of log-in area (a members area or account area) your website will use cookies to remember when a user has logged in. If you use Google Analytics to track visitor trends you will use cookies too. If your website is a brochure website without any online transactions you probably don’t use cookies.

What’s the law?

In simple terms, a website can’t store cookies in the browser unless the user is provided with clear information about the purpose of the cookies and has given his or her consent. The full version of the law can be found in this PDF on the Information Commissioner’s Office (ICO) website, on page 7.

This sounds like it will affect many websites but crucially, additional guidance was released by the ICO in December 2011 outlining an exemption where the cookie is “essential to provide the service requested by the user“. This exemption includes ecommerce functionalitywhen a user of a site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button“. Although the word ‘essential’ is a bit subjective, we take the exemption to include user log-in areas too. Session cookies (which expire when the browser is closed) are “considered less privacy intrusive than persistent cookies” so aren’t likely to be affected, depending on how they are used.

Does this affect me / my website?

There is a lot of scaremongering and misinformation circulating regarding the cookie law. It’s likely you’ll receive emails or calls from companies who can sell you a service evaluating your website for compliance etc. or hear rumours over the next couple of months. These companies have a financial interest in ‘helping’ you be compliant, so make sure you take them with a pinch of salt and give us a call if you’re unsure.

Some specific examples have been given by the ICO of cases where cookies are affected by the law and changes will be required:

  1. Cookies used for analytical purposes to count the number of unique visits to a website for example (meaning Google Analytics)
  2. First and third party advertising cookies (meaning Google Adsense or affiliate systems)
  3. Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored (this might affect a small number of bespoke websites)

I think I’m affected by the law, what next?

At the moment there’s no clear direction from the ICO on the best way to comply with the new law so the next steps are a little unclear.

In the case of points 1 & 2 above, as a user of Google’s services it would be prudent to keep watch on the relevant blog pages in the links section below. Any enforcement action is likely to be directed at Google rather than the millions of websites using their services, so it’s likely Google will take the lead with a solution. As of their last update in December 2011 Google “is working with various entities in the EU to figure out what the implications are because some clarity is missing [from the EU directive]” and when ready they’ll be posting guidelines on the Analytics blog.

If you use a third-party system on your site that isn’t provided by Google, it would be wise to contact the provider first for their advice, then give us a call.

In the case of point 3, you should contact us first to discuss how you use the cookies affected by the law and what the next steps are. Initially it might be wise to watch the big online retailers and website publishers (Amazon, Microsoft, BBC, etc.) to see what they are doing and how a standard solution emerges.

We would also recommend keeping watch on the ICO website for announcements made offering further official guidance (link below).

I would like to know more

It’s very sensible to carry out your own research on the topic, but please bear in mind that the ‘cookie law’ has evolved since first conceived in 2009 and the guidance issued by the ICO in December 2011 changes significantly how websites are affected. Carrying out a search for ‘cookie law’ can bring back a lot of information that is out of date. You will also find advice which is inaccurate or simply not true. We would recommend that you read the official guidance from the ICO first and foremost (in this PDF). We will also keep our customers up to date via posts on our blog and newsletters.

Further reading:

There is an update here.