The EU Cookie Directive

You may be aware that on 25th May last year the EU brought into effect a new Cookie Directive; UK companies have until the 26th May 2012 to comply – a day now known as next Saturday. So, what is this likely to mean for you and your website?

What does the new Cookie Law say?

The law applies to any website that uses cookies. Before you use cookies, you must gain informed consent from the visitor to do so. If they do not give consent, then you cannot use cookies for that visitor. Previously, the law only required you to inform users that your site used cookies and that they could be turned off in the visitor’s browser.

Of course, the new law isn’t anywhere near as simple as that. This article aims to give you a basic idea of what’s going on and where you stand. Ultimately though, it’s going to affect everyone differently, so you’ll need to take whatever further steps are required to reassure yourself your business is covered.

What are Cookies again?

Cookies are small text files that are saved to the visitor’s computer when they visit a website. They allow the site to recognise that visitor and track them. The data they contain might just be a code used to recognise that person, or they might contain a lot more.

Does my Website use Cookies?

Most websites do use cookies and they’re an important part of how the modern web works. They are so prevalent we often don’t think about them, but like any tool they can be misused.

The chances are if you own a modern website it does use cookies. If your site allows people to log in, or has a shopping cart of any kind, it will use cookies to do that. If you use Google Analytics or similar software to analyse your site visitors you are also using cookies. If you have adverts on your site provided by a third party, they are probably using cookies too – and you are responsible for their cookies if they’re on your site. Only if your site is completely static, meaning that users can’t interact with it in any way other than deciding which page to visit, is it unlikely to use cookies.

The good news is that cookies which are deemed “strictly necessary” for a service requested by the visitor are allowed. This should include login and shopping cart cookies, provided that the information held by the cookie is only what that function requires. You couldn’t use the visitor’s login as an excuse to use analytics cookies – unless they have given informed consent.

What’s going to happen?

So, if your site fails to comply with the new Directive on 26th May will you have EU Cookie Stormtroopers breaking down your door? The answer seems to be a confident “No”, and not just because EU Cookie Stormtroopers don’t work weekends.

The government body behind the UK implementation of the law, the ICO (Information Commissioner’s Office), have given some guidance on how they will enforce the new Directive. In fact, it turns out they don’t even employ stormtroopers, just a team of investigators. While the 50 largest and most prominent UK websites will be getting a letter about compliance, most businesses will not.

Active ICO investigations will initially be driven by multiple user complaints about a site. Also, the ICO may target specific sectors where they feel their investigations will most benefit internet users’ privacy. Investigations will apparently be focused on getting businesses to improve their compliance rather than punishing failure; more serious action will only take place where businesses refuse to move towards compliance. It is likely that one of their first tasks will be getting UK government websites to comply, as the majority currently don’t.

So what should I do?

Given all of the above, the main point to take away from this is don’t panic; you don’t have to be 100% compliant by the end of the week. You should assess your situation soon and start moving towards compliance.

Investigate your Site

The first step is to find out what cookies your website uses. If you use a standard CMS they may provide online documentation of this. For example, if you have a WordPress site you can find out about the cookies it uses on their website. Remember though that any plugins you have installed can also use cookies; even plugins which allow you to conform to this directive can use cookies to track who has consented.

If your site was created by a web designer you might be able to find out more from them, but they may well charge for this; if they perform a proper audit of your site to check for cookie use this could take significant time, and very few developers have their cookies documented as well as the WordPress team.

Alternatively, you can use your browser to check your site for cookies yourself. If you use the Firefox browser, in Options under the Privacy tab there is a “Remove individual cookies” link (on the Mac it is in Preferences and is a Show Cookies button instead). Other browsers should have similar facilities. This will show you which cookies you have from your site, although it might not be clear what they’re used for. Make sure you perform a full range of appropriate actions on your site (click links – especially social networking ones, log in, use your shopping cart, etc.) to find cookies that are triggered in specific circumstances.
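The audit described above can be turned into a written inventory. The following is an added example, not part of the original article: it assumes you have noted the Set-Cookie response headers seen while clicking through the site (for instance from the browser's network inspector), and every host and cookie name in the sample data is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data: (page visited, URL of the response that set the
# cookie, raw Set-Cookie header value). All hosts and names are made up.
OBSERVED = [
    ("https://shop.example/", "https://shop.example/",
     "session_id=abc123; Path=/; HttpOnly"),
    ("https://shop.example/cart", "https://shop.example/cart/add",
     "cart=sku42; Path=/; Max-Age=86400"),
    ("https://shop.example/", "https://stats.example/collect",
     "visitor=v-981; Domain=.stats.example; Expires=Sat, 26 May 2012 00:00:00 GMT"),
    ("https://shop.example/login", "https://shop.example/login",
     "session_id=def456; Path=/; HttpOnly"),
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def same_site(page_host, cookie_host):
    """Simplified first-party test: equal hosts or a subdomain of the page host.
    A real audit would compare registrable domains via the Public Suffix List."""
    cookie_host = cookie_host.lstrip(".")
    return cookie_host == page_host or cookie_host.endswith("." + page_host)

def inventory(observed):
    """Return one row per distinct (cookie name, cookie domain)."""
    rows = {}
    for page_url, setter_url, header in observed:
        name, attrs = parse_set_cookie(header)
        page_host = urlsplit(page_url).hostname
        domain = (attrs.get("domain") or urlsplit(setter_url).hostname).lstrip(".")
        persistent = "max-age" in attrs or "expires" in attrs
        row = rows.setdefault((name, domain), {
            "name": name, "domain": domain,
            "party": "first" if same_site(page_host, domain) else "third",
            "lifetime": "persistent" if persistent else "session",
            "seen_on": [],
        })
        if page_url not in row["seen_on"]:
            row["seen_on"].append(page_url)
    return list(rows.values())

if __name__ == "__main__":
    for row in inventory(OBSERVED):
        print(row)
```

The "seen_on" column records which action triggered each cookie, and the third-party and persistent rows are the ones to look at first when deciding what needs consent.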

Make a Plan

Once you have an idea of what cookies you use, you can begin to decide what action to take. The good news is you’ve already shown yourself to be moving towards compliance, and once the Directive takes full force in the UK we should get more feedback on what is good practice to follow.

Some companies are changing their Privacy Policy to be Privacy & Cookies. They are using that page to tell people more about the cookies on their site and have decided that if they display a link to this information prominently enough they are complying with the directive. Others feel that a tick box the visitor must use to give consent is required; the downside of this is the impact it will have on a visitor’s first impression of your site.

There’s no right answer at the moment, although detailing your cookies on your Privacy Policy is certainly a good step forwards. Have a look at what other UK sites are doing, especially those similar to yours, but beware ones that are ignoring the new law; that is certainly the wrong answer.

I’ll return to this topic in the near future with updates and look at some of the options available to bring your site into compliance.

N.B. This article does not constitute legal advice of any kind and it is your responsibility to ensure you understand this legislation and how it affects you and your site. You might want to visit for more information.
