People are generally vaguely aware that debates have been taking place in Europe over new legislation which principally affects the use of “Cookies”. European legislation is inevitably more complex than elsewhere because of the way it is drafted by the European Commission and then individually interpreted, translated and re-drafted by each country. Today, I’m focusing on the implementation of this legislation in the UK.

The short answer to the question, “Do I Need To Comply?” is “Yes” and you do need to make changes to your site. If what you wanted to hear was a “Maybe” or a “No”, then I’m afraid you’re just going to have to read the rest of this post to find out how to mitigate the impact where you can.

The Effective Deadline Is May 25th 2012

In the UK, the Cookie legislation, as well as privacy issues and email legislation, are overseen by a body known as the Information Commissioner’s Office or ICO. The UK legislation technically came into force on the 25th May 2011 through an Act of Parliament known by the snappy name of “The Privacy And Electronic Communications (EC Directive) (Amendment) Regulations 2011.”

However, businesses were given a full year to comply, which therefore means compliance is needed by the 25th May 2012.

In its guidance document, ICO explains that, “These are not rules designed to restrict the use of particular technologies as such, they are intended to prevent information being stored on people’s computers, and used to recognize them via the device they are using, without their knowledge and agreement.”

The most important word in that quote, and in the document itself is “Consent”. Generally speaking, you can assume that if you warn users that you are using Cookies to do anything at all, and then give them the opportunity to opt in and accept the use of cookies, then you are pretty much guaranteed to be compliant. In fact, that is pretty much the whole of the regulation summarized in one paragraph!

ICO Demonstrates Its Own Use Of Consent For Cookies

ICO Demonstrates Its Own Use Of Consent For Cookies

So why not just do that?

Well, the key problem is that a typical website uses not just one but several cookies and each one would need to be accepted by the user. Even the UK’s ICO does accept that “Implementing these rules requires considerable work in the short term but compliance will get significantly easier with time.” Compliance could involve changing many systems and incurring considerable effort and cost.

We mustn’t forget that virtually all major tracking and analytics systems depend on cookies, so the non-use of cookies would create a further degree of inaccuracy in the data lovingly analysed by us all.

So how do we obtain consent in order to comply with the legislation? The first main point is that consent has to be “Opt In,” it cannot be implied. The user has to knowingly accept the use of the cookie.

Note these words in ICO’s guidance document, “It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous requirements in this area.”

Sending Users To Browsers To Change Settings Is Not Enough

The ability to change browser settings is also specifically mentioned as a route which can be used to achieve compliance – but this also doesn’t mean that you can simply rely on the user’s ability to change their settings themselves.

In order for browser settings to be a suitable form of compliance, the website must identify that their browser is set up to allow cookies of certain types (but not others) and there must be some form of prompt, a pop-up message for example, where the user can confirm their acceptance of or implement a change of the settings. The Commissioner, however, does not think that this will be a suitable route of compliance for some time.

By the way, these regulations apply to ALL cookies, so you cannot say that your cookie expires at the end of a session to comply.

The “Strictly Necessary” Defence

There is only one significant means of complying with the legislation which allows a website publisher not to seek the consent of users and that is if the cookie is “Strictly Necessary”.

This applies when the functionality of the website cannot be achieved without the cookie such as keeping the contents of a shopping cart available for a combined purchase at the end of the process.

However, it has been made very clear that the “Strictly Necessary” rule does NOT apply to analytics.

Gaining Consent At Login

ICO clearly expects that websites where a login is required to use services, that the login will identify if cookies need to be used and will give the user the opportunity to tick a box to ensure compliance. However, this consent needs to be sought before or immediately after cookies are used — a delay is not regarded as satisfactory.

What If I Host Outside The UK?

Neither the law or the guidance is very clear in this respect. If the organization is UK-based, the laws will clearly apply whether the website is hosted in the UK or overseas. Those corporations outside the UK or Europe are advised that their users in the UK will expect clear information about cookies too.

What Action Will Be Taken For Non-Compliance

The Information Commissioner at ICO has said that ICO will take a proportionate response which seems to be mean that organizations will first be given the opportunity to comply. But be aware that penalties of up to £500,000 can be applied by the commissioner to offenders.

Best To Audit Your Cookies Now

By the way, ICO’s recommendation is that you undertake a full audit of the cookie’s you use now to ensure you comply with the law. Such an audit involves checking:

  • Which cookies are used?
  • What’s the purpose of the cookies?
  • Do cookies link to other personal information?
  • What data do the cookies hold?
  • Session cookie or persistent?
  • Lifespan of the cookie?
  • First or third party?
  • Check your privacy policy covers your cookie use?

One thing is clear: you need to provide very obvious and clear references to cookies on your website as a bare minimum – hiding this information in the privacy policy will definitely not wash!

Opinions expressed in the article are those of the guest author and not necessarily Search Engine Land.

Related Topics: Channel: SEO | Legal: Regulation | Multinational Search

Sponsored


About The Author: is a linguist who has been specializing in international search since 1997 and is the CEO of WebCertain, the multilingual search agency and Editor-in-Chief of the blog Multilingual-Search.com. You can follow him on Twitter here @andyatkinskruge.

Connect with the author via: Email | Twitter | Google+ | LinkedIn



SearchCap:

Get all the top search stories emailed daily!  

Share

Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. Comments may also be removed if they are posted from anonymous accounts. You can read more about our comments policy here.

Comments are closed.

 

Get Our News, Everywhere!

Daily Email:

Follow Search Engine Land on Twitter @sengineland Like Search Engine Land on Facebook Follow Search Engine Land on Google+ Get the Search Engine Land Feed Connect with Search Engine Land on LinkedIn Check out our Tumblr! See us on Pinterest

 
 

Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States

Europe

Australia & China

Learn more about: SMX | MarTech


Free Daily Search News Recap!

SearchCap is a once-per-day newsletter update - sign up below and get the news delivered to you!

 


 

Search Engine Land Periodic Table of SEO Success Factors

Get Your Copy
Read The Full SEO Guide