Do I Change My Site In The UK To Comply With New Cookie Laws?
People are generally vaguely aware that debates have been taking place in Europe over new legislation which principally affects the use of “Cookies”. European legislation is inevitably more complex than elsewhere because of the way it is drafted by the European Commission and then individually interpreted, translated and re-drafted by each country. Today, I’m focusing on the implementation of this legislation in the UK.
The short answer to the question, “Do I Need To Comply?” is “Yes” and you do need to make changes to your site. If what you wanted to hear was a “Maybe” or a “No”, then I’m afraid you’re just going to have to read the rest of this post to find out how to mitigate the impact where you can.
The Effective Deadline Is May 25th 2012
In the UK, the Cookie legislation, together with privacy issues and email legislation, is overseen by a body known as the Information Commissioner’s Office or ICO. The UK legislation technically came into force on the 25th May 2011 through an Act of Parliament known by the snappy name of “The Privacy And Electronic Communications (EC Directive) (Amendment) Regulations 2011.”
However, businesses were given a full year to comply, which therefore means compliance is needed by the 25th May 2012.
In its guidance document, ICO explains that, “These are not rules designed to restrict the use of particular technologies as such, they are intended to prevent information being stored on people’s computers, and used to recognize them via the device they are using, without their knowledge and agreement.”
So why not just do that?
Well, the key problem is that a typical website uses not just one but several cookies and each one would need to be accepted by the user. Even the UK’s ICO does accept that “Implementing these rules requires considerable work in the short term but compliance will get significantly easier with time.” Compliance could involve changing many systems and incurring considerable effort and cost.
So how do we obtain consent in order to comply with the legislation? The first main point is that consent has to be “Opt In,” it cannot be implied. The user has to knowingly accept the use of the cookie.
Note these words in ICO’s guidance document, “It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous requirements in this area.”
Sending Users To Browsers To Change Settings Is Not Enough
The ability to change browser settings is also specifically mentioned as a route which can be used to achieve compliance – but this also doesn’t mean that you can simply rely on the user’s ability to change their settings themselves.
In order for browser settings to be a suitable form of compliance, the website must identify that the user’s browser is set up to allow cookies of certain types (but not others), and there must be some form of prompt, a pop-up message for example, where the user can either confirm their acceptance of those settings or change them. The Commissioner, however, does not think that this will be a suitable route of compliance for some time.
By the way, these regulations apply to ALL cookies, so you cannot say that your cookie expires at the end of a session to comply.
The “Strictly Necessary” Defence
There is only one significant means of complying with the legislation which allows a website publisher not to seek the consent of users and that is if the cookie is “Strictly Necessary”.
This applies when the functionality of the website cannot be achieved without the cookie such as keeping the contents of a shopping cart available for a combined purchase at the end of the process.
However, it has been made very clear that the “Strictly Necessary” rule does NOT apply to analytics.
Gaining Consent At Login
ICO clearly expects that, on websites where a login is required to use services, the login will identify whether cookies need to be used and will give the user the opportunity to tick a box to ensure compliance. However, this consent needs to be sought before, or immediately after, cookies are used; a delay is not regarded as satisfactory.
What If I Host Outside The UK?
Neither the law nor the guidance is very clear in this respect. If the organization is UK-based, the laws will clearly apply whether the website is hosted in the UK or overseas. Those corporations outside the UK or Europe are advised that their users in the UK will expect clear information about cookies too.
What Action Will Be Taken For Non-Compliance?
The Information Commissioner at ICO has said that ICO will take a proportionate response, which seems to mean that organizations will first be given the opportunity to comply. But be aware that penalties of up to £500,000 can be applied by the commissioner to offenders.
Best To Audit Your Cookies Now
By the way, ICO’s recommendation is that you undertake a full audit of the cookies you use now to ensure you comply with the law. Such an audit involves checking:
- Which cookies are used?
- What’s the purpose of the cookies?
- Do cookies link to other personal information?
- What data do the cookies hold?
- Session cookie or persistent?
- Lifespan of the cookie?
- First or third party?
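As an added example (not part of the original post), a small Python inventory that answers the checklist above for each Set-Cookie header a page sends, and applies the opt-in rule from earlier in the post: strictly necessary cookies are set regardless, anything else only after explicit consent. The site host, the sample headers and the purpose register are constructed for the example; analytics is deliberately not treated as strictly necessary.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
SITE_HOST = "www.example.co.uk"                          # assumed site being audited
AUDIT_DATE = datetime(2012, 5, 25, tzinfo=timezone.utc)  # the compliance deadline
# Constructed Set-Cookie headers, as a page on that site might send them.
SAMPLE_SET_COOKIE = [
    "cart=abc123; Path=/; Secure; HttpOnly",
    "_ga=GA1.2.111; Expires=Sun, 25 May 2014 00:00:00 GMT; Path=/; Domain=.example.co.uk",
    "adtrack=xyz; Max-Age=31536000; Domain=ads.thirdparty.example; Path=/",
]
PURPOSES = {"cart": "strictly necessary", "_ga": "analytics"}  # filled in by the audit
UNKNOWN = "UNKNOWN - investigate"                              # name not in the register

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value, attrs

def lifespan_days(attrs, now):
    """None means a session cookie; Max-Age takes precedence over Expires (RFC 6265)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def is_first_party(attrs, site_host):
    """No Domain attribute, or a Domain the site host falls under, is first party."""
    domain = attrs.get("domain", "").lstrip(".").lower()
    return domain == "" or site_host == domain or site_host.endswith("." + domain)

def audit(headers, now=AUDIT_DATE, site_host=SITE_HOST):
    """One row per cookie answering the checklist items: purpose, lifespan, party."""
    rows = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        days = lifespan_days(attrs, now)
        purpose = PURPOSES.get(name, UNKNOWN)
        rows.append({"name": name, "purpose": purpose, "persistent": days is not None,
                     "lifespan_days": days, "first_party": is_first_party(attrs, site_host),
                     "consent_required": purpose != "strictly necessary"})
    return rows

def cookies_to_set(headers, consent_given, now=AUDIT_DATE):
    """Opt-in gate: strictly necessary always; others only after consent; unknown never."""
    rows = audit(headers, now)
    return [h for h, row in zip(headers, rows) if not row["consent_required"]
            or (consent_given and row["purpose"] != UNKNOWN)]
```

Run `audit(SAMPLE_SET_COOKIE)` to get the inventory and `cookies_to_set(SAMPLE_SET_COOKIE, consent_given=False)` to see that only the cart cookie survives before the user has opted in.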