How the cookie crumbles
As the UK government enforces regulations around cookies, confusion abounds around the new laws. But don’t panic, SAS’s Dean Parker is on hand with a dose of clarity…
A word of warning before you read on: I'm not a lawyer. This is my interpretation of both official and unofficial sources. Any decisions you take in dealing with this law should be made after seeking proper legal advice.
The situation in a nutshell
Most UK websites are breaking the law through their use of cookies. There is a 'grace period' but it finishes in May, so time is running out to take action.
The legal situation
From May 2011, a new privacy law came into effect across the EU. It requires that websites ask visitors for consent to use cookies. Until now sites have been able to use cookies as long as they tell people about them - usually a role fulfilled by privacy policies.
The law will help protect people's privacy and was prompted in part by concerns about online tracking of individuals and the use of spyware.
Governments in Europe had until 25 May 2011 to implement these changes into their own law. The UK has revised its Privacy and Electronic Communications Regulations and provided a 'lead-in' period up until 26 May 2012 in which website owners must comply.
What is a cookie?
A cookie is a small text file stored by the user's browser. It's put there to remember browsing information. Because of cookies, your web browser can remember you are logged in, whether you've visited a site before and what your preferences are. Even though most corporate or B2B websites don't use cookies to target you with ads, most do use them to track visitors to their site and for social media plug-ins like Facebook or Twitter.
Does the new law only apply to cookies?
No.
Despite being labelled 'cookie legislation', the law covers any technology that stores information on a user's device. This means that you - or your web designers/developers - also need to think about newer technologies such as HTML5 local storage.
What does the law say?
In short, the law says that if you're setting up cookies you must tell people that the cookies are there, explain what they are doing and obtain their consent to store a cookie on their device.
Consent is the heart of the matter: you have to gain it before a cookie is activated (although the guidance does accept that many sites set cookies as soon as someone lands on them).
There's some ambiguity around the issue of 'implied consent'. To be safe assume that you must rely on people making a positive choice to accept cookies rather than assuming they have done so by reading a notice about them (which you can't be sure they've read in the first place).
After you've gained consent things get easier.
If you've got several connected websites you can look at obtaining consent in just one place. You don't have to ask for it again once it has been granted, unless the cookies or the way you use them changes significantly (remembering that consent itself needs a cookie to work…). You do, however, need to provide a way for people to withdraw consent at any time after they have given it.
Are there any exceptions to this rule?
An important exception is sites whose function depends on cookies - instances where cookies are 'strictly necessary'.
So, if the functionality of your site depends on a shopping basket or log-in then you probably don't need to gain consent for these. It's also likely that some cookies that help modern sites serve content will also be exempt from the consent rules.
But if you use them for Google Analytics (or any other analytics package that uses cookies), first or third party advertising or personalisation (e.g. recognising a user when they return to a website), you will in theory need to gain consent before using them.
How will the law be enforced?
That's the million-dollar question. There's still a lot of ambiguity over how best to interpret the law and its guidance notes, but some things are for certain…
If you've not done anything yet, you're lagging behind.
The Information Commissioner's Office (ICO) expects organisations to be acting now to comply. If it were to receive a complaint about a website during the 12-month lead-in period, it would expect a realistic plan to be compliant in the future.
Don't ignore it!
The Information Commissioner has powers to force organisations to comply with the law. In serious cases they can impose fines - although formal action would only be considered when organisations refuse to take steps to comply or have been involved in a particularly intrusive use of cookies without telling individuals or obtaining consent.
In the words of the ICO
"As the lead in period comes to an end organisations will need to be able to demonstrate they have taken sensible, measured action to move to compliance. If a website has not achieved full compliance at the end of the period the Information Commissioner will expect a specific and clear explanation of why it was not possible to comply in time, a clear timescale for when compliance will be achieved and details of specifically what work is being done to make that happen."
ICO Guidance on the rules on use of cookies and similar technologies, 13 December 2011
But your honour…
We can expect a little leniency in some areas.
If the technology you are using to run your site - your content management system for example - uses cookies, change would be costly and complicated and we'd expect some leeway.
In fact, the ICO itself has precisely this issue.
"We have recently become aware of this cookie. We are working with the supplier of our content management system to remove it or, if it can't be removed, to find another solution."
And although we know that cookies used by tracking tools such as Google Analytics are covered by the new law, there appears to be a relaxed attitude to this at the moment.
This is important because if people are given the option of not accepting these types of cookies, your investment in analytics could come to nothing.
Anyhow, the quote below suggests that the ICO has more toxic fish to fry.
"Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
What is everyone else doing?
Very little. There's been a big backlash on blogging platforms from industry professionals and there is still a huge amount of ambiguity over the ICO guidelines. 'Wait and see' is the common response.
What about other countries in the EU?
At the moment only the UK has published any guidance at all, and it's possible that other EU member states will set different laws. If that's the case, website owners may need different solutions for different parts of the EU. Could be interesting.
What do I need to do?
There are three simple steps to follow before you rush into changing your websites:
- Check the type of cookies you use and how
- Assess how 'intrusive' they are
- Decide on the best option*
These are pretty straightforward tasks that your web design or development team should be able to carry out.
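Because the consent rule turns on when a cookie is set, and because the three steps above start with an inventory of the cookies you use, here is an added example (not from the article, SAS or the ICO) showing one way a site's front-end code can enforce both: every cookie write goes through a single gate that classifies the cookie against a register, writes strictly necessary cookies straight away, queues non-essential ones until the visitor positively opts in, and removes them again if consent is withdrawn. The cookie names and categories in the register are assumptions chosen for illustration; a real site would list its own. The in-memory jar lets the logic run outside a browser; the `document.cookie` jar is what a page would use.

```javascript
// Added example: a consent gate for cookie writes. Not the article's own code;
// cookie names, categories and purposes below are illustrative assumptions.

// Step 1 of the article: know which cookies you set and why.
// Hypothetical register; a real site lists its own cookies here.
const COOKIE_REGISTER = {
  session_id: { category: 'strictly-necessary', purpose: 'keeps the visitor logged in' },
  basket:     { category: 'strictly-necessary', purpose: 'shopping basket contents' },
  _ga:        { category: 'analytics',          purpose: 'visitor statistics' },
  ad_profile: { category: 'advertising',        purpose: 'personalised advertising' },
};

// The consent record is itself a cookie, treated as strictly necessary.
const CONSENT_COOKIE = 'cookie_consent';

// In-memory jar: lets the gate run in Node for testing.
function makeJar(storage = new Map()) {
  return {
    get: (name) => (storage.has(name) ? storage.get(name) : null),
    set: (name, value) => { storage.set(name, value); },
    remove: (name) => { storage.delete(name); },
    names: () => Array.from(storage.keys()),
  };
}

// Browser jar backed by document.cookie. Caveat: it can only remove cookies
// set for this origin and path; third-party cookies set by embedded scripts
// are out of reach, so those scripts must not load until consent is given.
function browserJar() {
  const read = () => Object.fromEntries(
    document.cookie.split('; ').filter(Boolean).map((c) => {
      const i = c.indexOf('=');
      return [c.slice(0, i), decodeURIComponent(c.slice(i + 1))];
    }));
  return {
    get: (name) => (name in read() ? read()[name] : null),
    set: (name, value) => { document.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax`; },
    remove: (name) => { document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`; },
    names: () => Object.keys(read()),
  };
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.pending = new Map(); // non-essential writes held back until consent
  }

  consented() { return this.jar.get(CONSENT_COOKIE) === 'granted'; }

  categoryOf(name) {
    if (name === CONSENT_COOKIE) return 'strictly-necessary';
    const entry = COOKIE_REGISTER[name];
    return entry ? entry.category : 'unregistered';
  }

  // The single choke point for setting cookies. Returns 'set' or 'deferred'.
  setCookie(name, value) {
    if (this.categoryOf(name) === 'strictly-necessary' || this.consented()) {
      this.jar.set(name, value);
      return 'set';
    }
    this.pending.set(name, value); // remembered, but nothing reaches the browser
    return 'deferred';
  }

  // Positive choice by the visitor: record it, then flush the queued writes.
  grantConsent() {
    this.jar.set(CONSENT_COOKIE, 'granted');
    for (const [name, value] of this.pending) this.jar.set(name, value);
    this.pending.clear();
  }

  // Withdrawal at any time: record it and clear every non-essential cookie.
  withdrawConsent() {
    this.jar.set(CONSENT_COOKIE, 'withdrawn');
    for (const name of this.jar.names()) {
      if (this.categoryOf(name) !== 'strictly-necessary') this.jar.remove(name);
    }
  }

  // Step 2 of the article: list what is actually present and flag anything
  // the register does not know about, so it can be assessed and classified.
  audit() {
    return this.jar.names().map((name) => ({ name, category: this.categoryOf(name) }));
  }
}

// Stand-alone demonstration using the in-memory jar (constructed data).
const demoJar = typeof document === 'undefined' ? makeJar() : browserJar();
const demoGate = new ConsentGate(demoJar);
demoGate.setCookie('session_id', 'abc123');   // 'set'      (strictly necessary)
demoGate.setCookie('_ga', 'GA1.2.demo');      // 'deferred' (no consent yet)
demoGate.grantConsent();                      // _ga now written
demoGate.withdrawConsent();                   // _ga removed, session_id kept
console.log(demoGate.audit());
```

The gate does not decide which cookies count as strictly necessary; that judgement belongs to the register you build in step 1, and in a real deployment it is the one thing your legal advice needs to sign off. Note also the caveat in `browserJar`: a page cannot delete cookies another domain has set, so for third-party analytics or advertising scripts consent has to be enforced by not loading the script until `consented()` is true, not by cleaning up afterwards.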
What are my options?
There are three different approaches for owners of corporate and B2B websites.
- Do everything in your power to gain consent for cookies by interrupting (and potentially harming) the user experience of your site.
- Given that most corporate or B2B websites don't use cookies in an 'intrusive' way, a more pragmatic approach is to beef up the privacy information you offer to users - and make sure you point them towards it.
- In the middle is another option that blurs the boundaries slightly. It's a little more complex than the first two - get in touch and I'd be happy to talk it through.
Whichever approach you decide to take, it needs to be informed by a good understanding of the role cookies play on your site and with advice from either your legal team or SAS.
*I have a presentation that looks at the issues in more detail - please get in touch if you'd like me to share it with you.