Scott Parker Consultancy

01206 890507
scott@scottparker.co.uk

What the EU cookie law means for you

You might have noticed that quite a few sites have suddenly started asking you if you want to accept their cookies. If you’ve been wondering why, it is because the law that governs how you use cookies and similar technologies for storing information on someone’s computer or mobile device has recently changed.

The EU’s e-Privacy Directive was actually updated on 26 May 2011, but we were all given a year to get our act together and comply with the new regulations (although it seems most people didn’t react until the very last minute, if at all).

So what does this all mean? Well, on the face of it the regulations sound reasonable – website owners are expected to make it clear to their visitors what information they are collecting about them and why, and to give them an opportunity to opt out if they are not happy.

Much of this is nothing new, of course. If you are asking people to submit their details to you, then you should already know that a privacy policy that outlines what you are doing with that information is a necessity.

The difference is that the regulations now stretch to cover cookies, which are just tiny bits of text generated by websites and stored in the web browser. Cookies can be used to collect basic information about the visitor, identify whether they have visited a particular page before and so ensure that the right content is presented as necessary. Users are usually oblivious to cookies doing their stuff and – for the most part – they are completely harmless.

The regulations exclude cookies that are “strictly necessary” for the operation of the site – so those cookies that remember the contents of your shopping cart or those needed for security and suchlike. What they do catch are those unseen cookies collecting information about your browsing habits – where you are located, what you are looking at, what kind of device you are using and so on. This data is not held at a personal level, but it could be used to serve you ‘targeted’ advertising or for market research. Some people might see this as a bad thing, so now the regulations say everybody should be given an opportunity to opt out if they want to.

You might think that you are safe and do not need to do anything with your site to comply with the regulations, but the law also covers those cookies used by traffic monitoring services like Google Analytics. Although you might believe that measuring this data is vital for the effective management of your website, traffic analysis is not considered “strictly necessary”.

There are other features you might have on your site that also fall foul of the regulations, including the facility to post comments on a blog and social media sharing buttons. See www.cookielawinfo.com for a helpful summary of what is and isn’t covered.

So, given that most websites will use Google Analytics and other services that use cookies, most of us should now be asking our users whether they are happy to accept them.

The usual method for this is to highlight a message in the header or footer of your site that asks people to accept cookies. This acceptance should then be remembered for future visits so the message no longer appears – just like you can see on my site (or not, if you have accepted it).

Now I haven’t disabled the cookies on my site, waiting for acceptance before they are used. I am going with the “implied consent” approach. This means I am assuming you are happy with the cookies I am using, because you are continuing to use the site after I have brought them to your attention. I have also made it clear that you can opt out if you like and offer direction on how to do that. This seems to be in line with the guidance, although the official interpretation isn’t particularly clear. Some sites have taken a stronger approach and won’t let you in at all until you have accepted the cookies, but as a user I find that quite annoying and it could just be confusing to some.
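As an added illustration of the mechanism described in the last two paragraphs (not code from this site), here is a small piece of browser-side logic that shows the banner only while no choice has been recorded, remembers the visitor's choice in a first-party cookie for future visits, and decides whether non-essential scripts such as traffic analytics may run under either the “implied consent” approach or the stricter “prior consent” approach. The cookie name `cookie_consent`, the banner element id `cookie-banner`, and the one-year lifetime are assumptions; the functions are kept free of DOM access so they can also be run and checked outside a browser.

```javascript
// Added example: consent-banner logic for "show a message, remember the choice".
// The cookie name, element id and lifetime below are assumptions, not taken
// from the original post.

const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const CONSENT_DAYS = 365;                  // assumed lifetime of the remembered choice

// Parse a document.cookie / Cookie header string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try {
      out[name] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return out;
}

// Returns 'accepted', 'declined' or 'unknown' (no choice recorded yet).
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  if (value === 'accepted' || value === 'declined') return value;
  return 'unknown';
}

// The banner only needs to appear while no choice has been remembered.
function shouldShowBanner(cookieString) {
  return consentState(cookieString) === 'unknown';
}

// Decide whether non-essential scripts (e.g. traffic analytics) may run.
// 'implied': run unless the visitor has explicitly declined (the post's approach).
// 'prior':   run only after an explicit acceptance (the stricter approach).
function shouldLoadAnalytics(cookieString, mode) {
  const state = consentState(cookieString);
  if (mode === 'prior') return state === 'accepted';
  if (mode === 'implied') return state !== 'declined';
  throw new Error('unknown consent mode: ' + mode);
}

// Build the document.cookie string that records the choice for future visits.
// SameSite=Lax keeps the cookie first-party; Secure is added on https sites.
function buildConsentCookie(choice, { days = CONSENT_DAYS, secure = true } = {}) {
  if (choice !== 'accepted' && choice !== 'declined') {
    throw new Error('choice must be "accepted" or "declined"');
  }
  const expires = new Date(Date.now() + days * 864e5).toUTCString();
  let cookie = `${CONSENT_COOKIE}=${choice}; Expires=${expires}; Path=/; SameSite=Lax`;
  if (secure) cookie += '; Secure';
  return cookie;
}

// Browser glue: only runs when a DOM is present, so the file also loads under Node.
if (typeof document !== 'undefined') {
  const banner = document.getElementById('cookie-banner'); // assumed element id
  if (banner && shouldShowBanner(document.cookie)) {
    banner.hidden = false;
    const secure = location.protocol === 'https:';
    banner.querySelector('[data-accept]').addEventListener('click', () => {
      document.cookie = buildConsentCookie('accepted', { secure });
      banner.hidden = true;
    });
    banner.querySelector('[data-decline]').addEventListener('click', () => {
      document.cookie = buildConsentCookie('declined', { secure });
      banner.hidden = true;
    });
  }
  // Load analytics only when the chosen policy allows it; 'implied' is the
  // approach described above, 'prior' is the stricter one.
  if (shouldLoadAnalytics(document.cookie, 'implied')) {
    // insert the analytics <script> tag here
  }
}
```

The point of keeping the decision in `shouldLoadAnalytics` is that switching from the implied-consent approach to the stricter one is a single-word change rather than a rewrite, and the same function can be exercised offline with sample cookie strings before it goes anywhere near a live site.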

If that all sounds a bit beyond you, then the very least you should do is make sure you have a cookie policy page that outlines exactly what cookies are used and tells people how they can remove them should they wish to do so. That stretches the “implied consent” argument a bit and doesn’t really comply with the regulations, but at least it shows some effort to protect the privacy of your users. If you are not a big business or public body, then I think it’d be extremely unlikely that any fine would be imposed for any breach.

You can get more official guidance from the Information Commissioner’s Office.

Of course, the other option is to remove “non-essential” cookies from your site, including those for traffic monitoring. I wouldn’t recommend that, as it can be extremely useful to analyse all that data about your visitors to measure performance and to help improve the site further.

One unfortunate side-effect of this legislation is that some people will inevitably reject harmless cookies or switch on the new ‘do not track’ option on their browsers. This will mean that all that helpful traffic data will be (even) less accurate and make it seem like visits to your site are in decline…

UPDATE: I have since come across No Cookie Law, a site that is campaigning against the regulations governing cookies. I broadly agree with the points it makes – I’m all for improving online privacy, but I’m not sure the new directive has been thought out properly. It could end up doing much more harm than good.