Do I Change My Site In The UK To Comply With New Cookie Laws?

People are generally vaguely aware that debates have been taking place in Europe over new legislation which principally affects the use of “Cookies”. European legislation is inevitably more complex than elsewhere because of the way it is drafted by the European Commission and then individually interpreted, translated and re-drafted by each country. Today, I’m focusing […]

on February 7, 2012 at 10:35 am | Reading time: 6 minutes
Chat with SearchBot

People are generally vaguely aware that debates have been taking place in Europe over new legislation which principally affects the use of “Cookies”. European legislation is inevitably more complex than elsewhere because of the way it is drafted by the European Commission and then individually interpreted, translated and re-drafted by each country. Today, I’m focusing on the implementation of this legislation in the UK.

The short answer to the question, “Do I Need To Comply?” is “Yes” and you do need to make changes to your site. If what you wanted to hear was a “Maybe” or a “No”, then I’m afraid you’re just going to have to read the rest of this post to find out how to mitigate the impact where you can.

The Effective Deadline Is May 25th 2012

In the UK, the Cookie legislation, as well as privacy issues and email legislation, are overseen by a body known as the Information Commissioner’s Office or ICO. The UK legislation technically came into force on the 25th May 2011 through an Act of Parliament known by the snappy name of “The Privacy And Electronic Communications (EC Directive) (Amendment) Regulations 2011.”

However, businesses were given a full year to comply, which therefore means compliance is needed by the 25th May 2012.

In its guidance document, ICO explains that, “These are not rules designed to restrict the use of particular technologies as such, they are intended to prevent information being stored on people’s computers, and used to recognize them via the device they are using, without their knowledge and agreement.”

The most important word in that quote, and in the document itself is “Consent”. Generally speaking, you can assume that if you warn users that you are using Cookies to do anything at all, and then give them the opportunity to opt in and accept the use of cookies, then you are pretty much guaranteed to be compliant. In fact, that is pretty much the whole of the regulation summarized in one paragraph!

ICO Demonstrates Its Own Use Of Consent For Cookies

ICO Demonstrates Its Own Use Of Consent For Cookies

So why not just do that?

Well, the key problem is that a typical website uses not just one but several cookies and each one would need to be accepted by the user. Even the UK’s ICO does accept that “Implementing these rules requires considerable work in the short term but compliance will get significantly easier with time.” Compliance could involve changing many systems and incurring considerable effort and cost.

We mustn’t forget that virtually all major tracking and analytics systems depend on cookies, so the non-use of cookies would create a further degree of inaccuracy in the data lovingly analysed by us all.

So how do we obtain consent in order to comply with the legislation? The first main point is that consent has to be “Opt In,” it cannot be implied. The user has to knowingly accept the use of the cookie.

Note these words in ICO’s guidance document, “It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous requirements in this area.”

Sending Users To Browsers To Change Settings Is Not Enough

The ability to change browser settings is also specifically mentioned as a route which can be used to achieve compliance – but this also doesn’t mean that you can simply rely on the user’s ability to change their settings themselves.

In order for browser settings to be a suitable form of compliance, the website must identify that their browser is set up to allow cookies of certain types (but not others) and there must be some form of prompt, a pop-up message for example, where the user can confirm their acceptance of or implement a change of the settings. The Commissioner, however, does not think that this will be a suitable route of compliance for some time.

By the way, these regulations apply to ALL cookies, so you cannot say that your cookie expires at the end of a session to comply.

The “Strictly Necessary” Defence

There is only one significant means of complying with the legislation which allows a website publisher not to seek the consent of users and that is if the cookie is “Strictly Necessary”.

This applies when the functionality of the website cannot be achieved without the cookie such as keeping the contents of a shopping cart available for a combined purchase at the end of the process.

However, it has been made very clear that the “Strictly Necessary” rule does NOT apply to analytics.

Gaining Consent At Login

ICO clearly expects that websites where a login is required to use services, that the login will identify if cookies need to be used and will give the user the opportunity to tick a box to ensure compliance. However, this consent needs to be sought before or immediately after cookies are used — a delay is not regarded as satisfactory.

What If I Host Outside The UK?

Neither the law or the guidance is very clear in this respect. If the organization is UK-based, the laws will clearly apply whether the website is hosted in the UK or overseas. Those corporations outside the UK or Europe are advised that their users in the UK will expect clear information about cookies too.

What Action Will Be Taken For Non-Compliance

The Information Commissioner at ICO has said that ICO will take a proportionate response which seems to be mean that organizations will first be given the opportunity to comply. But be aware that penalties of up to £500,000 can be applied by the commissioner to offenders.

Best To Audit Your Cookies Now

By the way, ICO’s recommendation is that you undertake a full audit of the cookie’s you use now to ensure you comply with the law. Such an audit involves checking:

  • Which cookies are used?
  • What’s the purpose of the cookies?
  • Do cookies link to other personal information?
  • What data do the cookies hold?
  • Session cookie or persistent?
  • Lifespan of the cookie?
  • First or third party?
  • Check your privacy policy covers your cookie use?

One thing is clear: you need to provide very obvious and clear references to cookies on your website as a bare minimum – hiding this information in the privacy policy will definitely not wash!

Opinions expressed in this article are those of the guest author and not necessarily Search Engine Land. Staff authors are listed here.

Add Search Engine Land to your Google News feed.    Google News

Related stories

New on Search Engine Land

About the author

Andy Atkins-Krüger
Contributor
Andy Atkins-Krüger founded Webcertain – the multi-language international search marketing services business that runs the International Search Summit alongside SMX in Europe – and also includes the in-house business which specializes in supporting internal agencies within big groups with the specialist language needs.

Related topics

ContentSEO

Get the must-read newsletter for search marketers.

Topics

Our events

About

Follow us

© 2024 Third Door Media, Inc. All rights reserved.

Third Door Media, Inc. is a publisher and marketing solutions provider incorporated in Delaware, USA, with an address 88 Schoolhouse Road, PO Box 3103, Edgartown, MA 02539. Third Door Media operates business-to-business media properties and produces events. It is the publisher of Search Engine Land the leading Search Engine Optimization digital publication.