What is a Cookie, and why do I need to know?
The ‘EU Cookie Law’ came into force earlier this year. Whenever you access a new website, you will generally see a pop-up asking you to accept the use of cookies. So what is a cookie, and why do you need to comply?
Background
In 2009, the Privacy and Electronic Communications (EC Directive) Regulations 2003 were amended with the requirement for gaining consent for storage or access to information stored on a subscriber or user’s terminal equipment. In short, it means that everyone operating in the digital environment (yes, that’s you) now needs to get consent from the user for the use of cookies and similar technologies used to track users online or to collect user information.
That’s why it’s been dubbed the ‘cookie law’ but, in fact, it affects more than just cookies: it could also cover email tracking, social buttons, embedded web services, etc.
A cookie is a small, usually temporary file that is downloaded to a user’s machine when they access most websites. Cookies do not damage the computer, and users can, if they know how, set their browser to notify them when they receive a cookie, which lets them decide whether or not to accept it.
Cookies by themselves cannot be used to discover the identity of the user. They are, however, extremely useful to the website owner who collects anonymous information such as demographic data and browsing patterns. The data is used in aggregate form to help audit the usage of the website and improve the service provided.
As a minimum, most of your websites will have a tracking application, such as Google Analytics, which offers valuable insight into how many visitors come to your site, what keywords they use to find you and what content they look at, etc. These applications deploy cookies in order to provide you with this information. Some websites, especially ecommerce sites and/or those that carry third party advertising, deploy many more cookies and other technologies to monitor visitors’ behaviour. Most of the information gathered is anonymous, but still falls within the regulations.
According to the new laws, those setting cookies must:
- tell people that the cookies are there
- explain what the cookies are doing, and
- obtain their consent to store a cookie on their device.
The deadline for compliance in the UK – 26th May 2012 – has long since passed, but confusion still reigns among smaller online businesses (and some of the larger players too!).
So what was the Problem?
In effect, the law says that you cannot drop a cookie on to a website visitor’s PC or other device without their prior, informed consent. The only definite way to comply is to give users information about the cookies and ask for their consent to use them every time they visit your website. Most organisations quickly realised that this would be unworkable, leading to a loss of visitor data for the website owners and a poor experience for users. Most users faced with this question would either ignore it (effectively meaning that consent was withheld) or actively withhold consent because they do not understand what all this cookie stuff is about. The Information Commissioner’s Office tried this approach on their own website and immediately lost 90% of their visitor data! It would render website tracking software like Google Analytics pretty useless.
Strict compliance required informed, active consent. However, the guidelines published by the ICO imply that they will only take enforcement action against those sites that are openly abusing their users’ privacy. In the ICO’s own words:
“Whilst he does not consider they are exempt from the rules, the Commissioner is… unlikely to prioritise, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services, in any consideration of regulatory action”.
So What Can You Do?
One of the most sensible approaches we’ve seen is outlined in Econsultancy’s article ‘Econsultancy’s solution to EU e-Privacy Directive compliance’. There’s no need to repeat everything here but, in short, they have:
- reviewed the documentation and advice available
- undertaken a cookie and privacy audit to check what they currently have in place and what they actually need
- added a more prominent link to their privacy policy on their website
- updated the content of their privacy policy.
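The cookie and privacy audit in the second bullet is, in practice, an inventory of every cookie a site sets: who sets it, whether it outlives the browser session, and whether it is first- or third-party. The script below is an added example (it is not Econsultancy’s code, nor from the original article) that builds such an inventory from Set-Cookie headers captured while loading a page. The site name `www.example.co.uk`, the ad-network host and every cookie name and value in `SAMPLE_RESPONSES` are constructed for illustration.

```javascript
// Added example: a small cookie-audit helper. It parses Set-Cookie headers
// captured from a site's responses and classifies each cookie as
// session vs persistent and first-party vs third-party.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim(); // flag attrs become true
  }
  return { name, value, attrs };
}

// Strip the leading dot some sites put on Domain attributes, e.g. ".example.co.uk".
function normaliseDomain(d) {
  return d.replace(/^\./, '').toLowerCase();
}

// A cookie is first-party when the host that set it (or its Domain attribute)
// is the audited site itself, a subdomain of it, or a parent domain of it.
function isFirstParty(siteHost, setBy, attrs) {
  const effective = normaliseDomain(attrs.domain ? String(attrs.domain) : setBy);
  return effective === siteHost
    || siteHost.endsWith('.' + effective)
    || effective.endsWith('.' + siteHost);
}

function classifyCookie(siteHost, response) {
  const c = parseSetCookie(response.setCookie);
  const persistent = 'expires' in c.attrs || 'max-age' in c.attrs;
  return {
    name: c.name,
    setBy: response.host,
    party: isFirstParty(siteHost, response.host, c.attrs) ? 'first-party' : 'third-party',
    lifetime: persistent ? 'persistent' : 'session',
    secure: c.attrs.secure === true,
    httpOnly: c.attrs.httponly === true,
  };
}

// Constructed sample: headers as they might be captured while loading one page of
// the hypothetical site www.example.co.uk. Hosts, names and values are made up.
const SAMPLE_RESPONSES = [
  { host: 'www.example.co.uk',
    setCookie: 'PHPSESSID=abc123; Path=/; HttpOnly' },
  { host: 'www.example.co.uk',
    setCookie: '_ga=GA1.2.111.222; Domain=.example.co.uk; Path=/; Expires=Fri, 26 May 2014 00:00:00 GMT' },
  { host: 'ads.example-adnetwork.test',
    setCookie: 'uid=xyz; Domain=.example-adnetwork.test; Max-Age=31536000; Secure' },
];

function auditCookies(siteHost, responses) {
  return responses.map((r) => classifyCookie(siteHost, r));
}

// Totals a privacy policy author would want before writing the cookie section.
function summarise(audit) {
  const s = { firstParty: 0, thirdParty: 0, persistent: 0, session: 0 };
  for (const c of audit) {
    if (c.party === 'first-party') s.firstParty += 1; else s.thirdParty += 1;
    if (c.lifetime === 'persistent') s.persistent += 1; else s.session += 1;
  }
  return s;
}

const report = auditCookies('www.example.co.uk', SAMPLE_RESPONSES);
console.log(JSON.stringify(report, null, 2));
console.log(JSON.stringify(summarise(report)));
```

Run it with `node audit.js`. In a real audit the `SAMPLE_RESPONSES` array would be replaced by headers exported from the browser’s developer tools or a proxy; the third-party and persistent rows are the ones that most need explaining in the privacy policy.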
The last two bullets are steps toward complying with the law by ensuring that cookie and privacy policies are informing website users of the types of data stored and what it’s used for. This approach will probably be sufficient for most small businesses whose main exposure is website visitor tracking. Their helpful article points to examples of the changes they and other businesses (including John Lewis and BT) have made in order to comply, so do check it out.
How is it Working Now?
Most businesses have chosen the ‘implied consent’ method on their websites. Typically this means that a conspicuous message about cookies is displayed, usually towards the top of the page, warning the visitor of the presence of cookies and allowing them to disable them if they wish. If the user clicks ‘okay’ or just continues to use the website without actively opting out, their consent to the use of tracking cookies is ‘implied’.
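The ‘implied consent’ pattern described above comes down to a small piece of gating logic: strictly necessary cookies are set straight away, tracking cookies are held back until the visitor clicks ‘okay’ or carries on browsing, and an opt-out stops them and removes any already set. The code below is an added example of that gate; it is not from the original article or from any of the businesses mentioned. The cookie names `cookie_consent`, `session_id` and `_ga` are constructed, and the rule that a second page view counts as continued use is one reasonable reading of the pattern, not a legal standard. The cookie store is injected so the logic runs unchanged in Node for testing; in a browser you would pass an adapter over `document.cookie`.

```javascript
// Added example: an 'implied consent' gate for cookies. Not from the article.

const CONSENT_COOKIE = 'cookie_consent'; // constructed name for the consent record

// In-memory store with the same get/set/remove/names interface a browser
// adapter over document.cookie would expose.
function createMemoryStore() {
  const jar = new Map();
  return {
    get: (name) => (jar.has(name) ? jar.get(name) : null),
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    names: () => [...jar.keys()],
  };
}

function createConsentGate(store) {
  const pending = []; // tracking cookies deferred on this page until a decision
  // Consent record: null (never seen banner) | 'seen' | 'granted' | 'refused'
  let consent = store.get(CONSENT_COOKIE);

  // Essential cookies are always set; tracking cookies only once consent is granted.
  function setCookie(name, value, { essential = false } = {}) {
    if (essential || consent === 'granted') {
      store.set(name, value);
      return true;
    }
    if (consent !== 'refused') pending.push({ name, value });
    return false;
  }

  // Visitor clicked 'okay' (explicit) or kept browsing (implied).
  function grant() {
    consent = 'granted';
    store.set(CONSENT_COOKIE, 'granted');
    for (const c of pending.splice(0)) store.set(c.name, c.value);
  }

  // Visitor opted out: drop anything queued and remove listed tracking cookies.
  function refuse(trackingNames) {
    consent = 'refused';
    store.set(CONSENT_COOKIE, 'refused');
    pending.length = 0;
    for (const n of trackingNames) store.remove(n);
  }

  // Call once per page load. The first view shows the banner and records that it
  // was seen; a later view without an opt-out is treated as implied consent.
  function pageView() {
    if (consent === null) {
      consent = 'seen';
      store.set(CONSENT_COOKIE, 'seen'); // the consent record itself is essential
    } else if (consent === 'seen') {
      grant();
    }
  }

  const bannerVisible = () => consent === null || consent === 'seen';
  return { setCookie, grant, refuse, pageView, bannerVisible, status: () => consent };
}

// Walk-through 1: visitor reads the banner, does nothing, and moves to a second page.
function simulateContinuedBrowsing() {
  const store = createMemoryStore();
  let gate = createConsentGate(store);
  gate.pageView(); // first page: banner appears
  gate.setCookie('session_id', 's1', { essential: true });
  const setOnFirstPage = gate.setCookie('_ga', 'GA1.2.1.1'); // deferred
  gate = createConsentGate(store); // second page load reads the stored record
  gate.pageView(); // 'seen' -> implied consent
  const setOnSecondPage = gate.setCookie('_ga', 'GA1.2.1.1');
  return { setOnFirstPage, setOnSecondPage, status: gate.status(),
           bannerVisible: gate.bannerVisible(), cookies: store.names().sort() };
}

// Walk-through 2: visitor opts out on the first page.
function simulateOptOut() {
  const store = createMemoryStore();
  const gate = createConsentGate(store);
  gate.pageView();
  gate.setCookie('_ga', 'GA1.2.1.1'); // deferred, then discarded by refuse()
  gate.refuse(['_ga']);
  const afterRefusal = gate.setCookie('_ga', 'GA1.2.1.1');
  return { afterRefusal, status: gate.status(), hasGa: store.get('_ga') !== null };
}

console.log(JSON.stringify(simulateContinuedBrowsing()));
console.log(JSON.stringify(simulateOptOut()));
```

The one cookie written before any decision is the consent record itself, which is what lets the banner stay visible across pages and the opt-out be remembered; everything else in the tracking category waits for `grant()`.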
Five months on, evidence suggests that the new cookie laws have not caused the havoc that was envisaged. Indeed, according to Econsultancy’s more recent blog, data collected since May 2012 suggests that the prominent on-site cookie notices, together with an initial high degree of media attention, have served to educate people in general about cookies and how they are used. Thankfully, it appears that the more people understand about cookies and the more control they are given over the collection of data, the more comfortable they are with tracking – and that’s a good thing for everyone.