As the UK government enforces regulations around cookies, confusion abounds around the new laws. But don’t panic, SAS’s Dean Parker is on hand with a dose of clarity…
A word of warning before you read on: I'm not a lawyer. This is my interpretation of both official and unofficial sources. Any decisions you take in dealing with this law should be made after seeking proper legal advice.
The situation in a nutshell
The legal situation
The law will help protect people's privacy and was prompted in part by concerns about online tracking of individuals and the use of spyware.
Governments in Europe had until 25 May 2011 to implement these changes into their own law. The UK has revised its Privacy and Electronic Communications Regulations and provided a 'lead-in' period up until 26 May 2012 in which website owners must comply.
What is a cookie?
Does the new law only apply to cookies?
Despite being labeled 'Cookie legislation', the law covers any technology that stores information on a user's device. This means that you - or your web designers/developers - also need to think about newer technologies such as HTML5.
What does the law say?
In short, the law says that if you're setting up cookies you must tell people that the cookies are there, explain what they are doing and obtain their consent to store a cookie on their device.
Consent is the heart of the matter: you have to gain it before a cookie is activated (although it does accept that many sites set cookies as soon as someone enters them).
There's some ambiguity around the issue of 'implied consent'. To be safe, assume that you must rely on people making a positive choice to accept cookies rather than assuming they have done so by reading a notice about them (which you can't be sure they've read in the first place).
After you've gained consent things get easier.
If you've got several connected websites you can look at just obtaining consent in one place. You don't have to ask for it again once it has been granted, unless the cookies or the way you use them changes significantly (which needs a cookie to work…). You do, however, need to provide a way for people to withdraw consent at any time after they have given it.
Are there any exceptions to this rule?
An important exception is sites whose function depends on cookies - instances where cookies are 'strictly necessary'.
So, if the functionality of your site depends on a shopping basket or log-in then you probably don't need to gain consent for these. It's also likely that some cookies that help modern sites serve content will also be exempt from the consent rules.
How will the law be enforced?
That's the million-dollar question. There's still a lot of ambiguity over how best to interpret the law and its guidance notes, but some things are for certain…
If you've not done anything yet, you're lagging behind.
The Information Commissioner's Office (ICO) expects organisations to be acting now to comply. If it were to receive a complaint about a website during the 12-month lead-in period, it would expect to see a realistic plan for becoming compliant in the future.
Don't ignore it!
In the words of the ICO:
"As the lead in period comes to an end organisations will need to be able to demonstrate they have taken sensible, measured action to move to compliance. If a website has not achieved full compliance at the end of the period the Information Commissioner will expect a specific and clear explanation of why it was not possible to comply in time, a clear timescale for when compliance will be achieved and details of specifically what work is being done to make that happen."
But your honour…
We can expect a little leniency in some areas.
In fact, the ICO itself has precisely this issue.
"We have recently become aware of this cookie. We are working with the supplier of our content management system to remove it or, if it can't be removed, to find another solution."
And although we know that cookies used by tracking tools such as Google Analytics are covered by the new law, there appears to be a relaxed attitude to this at the moment.
This is important because if people are given the option of not accepting these types of cookies, your investment in analytics could come to nothing.
Anyhow, the quote below suggests that the ICO has more toxic fish to fry.
"Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
What is everyone else doing?
Very little. There's been a big backlash on blogging platforms from industry professionals and there is still a huge amount of ambiguity over the ICO guidelines. 'Wait and see' is the common response.
What about other countries in the EU?
At the moment only the UK has published any guidance at all, and it's possible that other EU member states will set different laws. If that's the case, website owners may need different solutions for different parts of the EU. Could be interesting.
What do I need to do?
There are three simple steps to follow before you rush into changing your websites:
- Check the type of cookies you use and how
- Assess how 'intrusive' they are
- Decide on the best option*
These are pretty straightforward tasks that your web design or development team should be able to carry out.
What are my options?
There are three different approaches for owners of corporate and B2B websites.
- Do everything in your power to gain consent for cookies by interrupting (and potentially harming) the user experience of your site.
- In the middle is another option that blurs the boundaries slightly. It's a little more complex than the first two - get in touch and I'd be happy to talk it through.
Whichever approach you decide to take, it needs to be informed by a good understanding of the role cookies play on your site and by advice from either your legal team or SAS.
*I have a presentation that looks at the issues in more detail - please get in touch if you'd like me to share it with you.