Are you cookie compliant?

Last May, the EU Privacy and Communications Directive came into force which stated that all non-essential cookies used on websites must be clearly identified to the website’s users and that the website users must consent to the cookies being used (on an opt in basis).

The Information Commissioner’s Office (ICO) gave UK website owners a year’s grace in order to become compliant with the new law and that period expired on 26 May 2012.

What is a cookie?

A cookie is a small text file that helps organise and store browsing information. Common examples of non-essential cookies include Google Analytics which provides anonymous tracking data about website users, affiliate links, Google Adsense, cookies used to recognise a website user when they return to a site and cookies for advertising. Examples of essential cookies are those used to remember the goods a user wishes to buy when the user checks out, cookies for internet banking security and cookies that help pages to load more quickly.

Why was the law introduced?

The EU was concerned about consumers not being aware that their surfing behaviour is being monitored and data being stored for advertising purposes. Such behavioural advertising is carried out mainly with the use of “persistent” cookies. Hence the legislation seeks to impose a duty on website owners to tell their users about the cookies on the site and only be able to use such cookies with the website user’s informed prior consent.

What you need to do to comply

Firstly you need to identify what cookies are being used on your website. You can purchase cookie audit software for this purpose or undertake a free audit at http://www.attacat.co.uk/resources/cookies#axzz1vh2JkIxb However please note that such software tools are not 100% reliable.

Otherwise you can clear your browser cache, go onto your website and then look at the stored cookies. Then identify which are from your site and which are from a third party site. You then need to identify what purpose the cookies serve, do they contain personal information and whether they are being used to track the user and if so the lifespan of the cookie. You should also check any WordPress plugins that you have on your site.

Then you need to obtain a cookie policy and insert the details of your cookie audit into that policy and add it to your website. You can obtain a free cookie policy from http://www.lawyers4mumpreneurs.com/%20/articles/data-protection/are-you-cookie-compliant

The final step is to obtain consent from your users to the use of non-essential cookies. If the only cookies on your site are essential then you do not need to obtain consent, but as most of you will at least use Google Analytics (which is non-essential), you will need to obtain consent.

Until 25 May 2012 (ie one day before the grace period expired), it had been thought that consent had to be on an opt in basis (such as a website user ticking a box to consent to the use of cookies). This had been the problematic part of the Regulations as there was no recommended solution as to how to obtain consent from website users. Some possible options included:

http://www.heartinternet.co.uk/eu-cookie-law.html

This site provides free code so that you can add an opt-in button that looks like this:

Or you could try http://www.civicuk.com/cookie-law/index

The site provides free code that when added to your website brings up the following opt-in box in the bottom right corner of your website.

If you have a wordpress site, you could try the EU Cookie Directive WordPress Plugin which not only displays an opt-in message at the top of your site but also lists in your admin panel the cookies you have installed. The opt-in message is customisable.

However on 25 May 2012, the ICO (perhaps under pressure from business lobbyists who argued that opt in consent would overly restrict businesses in times when UK businesses need every help they can get) issued new guidance that stated that consent may be implied.

What this means is that for step 3 of your compliance with the Regulations, rather than having an opt-in pop up as per the above examples, you simply need to state in your cookie policy that by continuing to use the website, the website user agrees to the use of cookies on the website.

What will happen if I’m not compliant?

The ICO has the power to fine you £500,000 if your website is not compliant. However this is very unlikely. Firstly the ICO will not have a team of investigators tracking down non-compliant websites.

Secondly, even if there is a complaint made against you, the ICO has commented that as long as website owners are “moving towards compliance” and are not “wilfully avoiding the regulations”, the ICO will work with website owners to help them be compliant rather than fine them. Indeed a Cabinet Office spokesman has commented that “the majority of government department websites will not be compliant with the legislation” by 26 May 2012.

Now that the ICO has issued guidance stating that implied consent is sufficient, it is actually quite an easy task for you to comply. Just carry out a cookie audit, assess how intrusive your cookies are and have a cookie policy on your website.