The new EU cookie law is due to come into effect in the UK on 26th May 2012. The Law has been in effect for over a year in the rest of the EU but the UK was given a one-year extension to conform.
Who is responsible for it?
The Information Commissioners Office (ICO) are responsible for enforcing the UK law and have the power to issues website owners fines up to £500,000 for serious breaches.
Who needs to conform?
The new EU Cookie Law applies to all countries within the EU, which is quite obvious, but what isn’t really that clear is that even countries outside of the EU may also need to conform.
For example if you are a website in the USA (or any other country) but you are targeting / selling to people in the UK you would also need to comply. This, I believe, will be one of the biggest hurdles for the ICO when it comes to enforcing the new rules.
Video Guide
To help get you ready for the law, we’ve put together a video guide. Alternatively you can browse the key points below:
What this means:
This means that before 26th May 2012 you will need to have something in place where you make it clear to your website visitors a chance to opt in (consent) rather than opt out (remove consent). You also need to tell them what cookies you are collecting and what you are using them for along with their degree of intrusiveness.
How websites gain consent is open to interpretation but it could mean anything from clicking a button, subscribing to the website’s service or dismissing a banner, toolbar or popup. There is also ambiguity over whether the consent needs to be gained prior to any cookies being set.
Not all cookies are baked the same:
Some cookies do not require consent to be gained; these are cookies that are strictly necessary for the site to function and are classed as ‘essential’:
- Essential Cookies are cookies that are strictly necessary for websites to serve their function such as cookies for shopping baskets, log-ins and security.
- Non Essential cookies are used for advertising such as affiliates, tracking and analytical purposes too.
What you need to do:
- Read the Guidance on the new cookies regulations from the ICO
- Check what cookies your website is using, we like Ghostery but other plugins are also available
- Update your privacy / cookie compliance policy to include a list of your cookies (for example Department for culture media and sport and GOV.UK) including what they are used for and you must ensure your privacy policy is easy to find.
- Pick a solution to use to gain consent (we have listed some below that we like)
- For goodness sake test to ensure your site still works in different browsers when you finish
3 Solutions:
- Cookie Control – This is our choice for compliance due to the customisations you can make to it and also it is totally free. They have different plugins for WordPress, Drupal 7 and Magento not to mention a standard website version which features a menu in the bottom of the website. But the main reason we love them is they support it very well and we even had a call with them to sort a issue we ran into, now that is service!
- Cookie OK – If you have a WordPress website and are looking for a simple WordPress plugin with a top banner display then this plugin could fit your needs.
- The Cookie Collective is a managed system where for a yearly fee it updates and alerts you to changes in your cookies so you can make the required amends.
Why I believe the ICO have got it all wrong:
I believe that they have got this all wrong, I understand the arguments for privacy and making things clear for website users with regards to what information is being stored, and what it is used for. But I disagree with how it is being implemented as I believe that the majority of website owners won’t even have a clue about the new law and their requirement to conform to it.
It is also unlikely to solve the problem – they are trying to improve security ( as well as privacy) for web users but I think it is unlikely anyone with harmful cookies is going to implement a consent option.
An easier solution:
Wouldn’t things be so much easier if the very few browsers in use today just had a simple feature that managed cookie compliance? That way users could do as they do today and say “hey just want to surf and im not interested and don’t want to be bothered with all this” or “actually I don’t want to share this information sign me out to everything” or even “Mr browser please let me pick my preference site by site or cookie by cookie”.
This way on every site it would be clear not just on the ones who either a) care or b) know about the new law, as I believe you will see well under 10% of websites conform to this or make any effort to conform. It is also very likely this will only be big companies scared of the ramifications and big fines. Because really are the ICO going to go after a two page mom and pop site with no revenue because they don’t conform? I don’t think so.
We will be using Cookie Control for the Koozai website and are ready to go live with it on the 25th, so what will you be doing to conform? Or will you not? I would love to know so either comment below or tweet me.
Image Source
Freshly baked chocolate chip cookies via BigStock
Share this post
Ben NormanFounder and Chairman
Ben’s the big boss, so we can’t pick on him. He’s a bit of all-round digital marketing geek and loves coming up with new unique strategies. Ben lives and breathes the industry so we’re not sure what else he does with his time. We don’t even think he sleeps.
If this stupidity has been active in the EU for over a year now, does anybody have any evidence or knowledge of Court Cases having been brought by the EU Courts for non-compliance. You would think that there would be a few by now and, if so, what was the outcome and level of fines (if any !!)??
Thanks for the article and resources.
It would make more sense to make the giving permission part compulsory.
See, if you only show a strip or similar with a link to your policy and the option to give permission without making this compulsory before allowing people to continue using your site, people could easily ignore that, and then if something goes wrong, they could later claim you never asked them for permission.
Regardless of how likely that is to happen, it’s not worth taking chances.
So when someone comes on my website, the first thing they’ll see is a modal pop-up opening with an explanation that my business has to solicit their permission in order to comply with the EU cookie law, the required information in laymen terms for them to read, and a ‘I agree to give permission, continue to website’ button. They will not be able to close the modal pop-up until they’ve clicked on this button. The only other option they have is to close the browser tab or go to another website.
Harsh.
Horrid UX. Having said that, it’s lousy UX to expect me to fill out two compulsory fields so that I can post a comment (it’s an inconvenient interruption), yet it’s done on many sites and many people still comply if they feel they have something important to say. All I will be asking for from my visitors is to click a button. Whether they actually read the policy is up to them. If they feel it’s important to browse my site, they only need to click ONE button.
Will I still lose some readers or clients? Probably.
But it keeps my business safe from the ICO, whether or not they’re likely to fine me for breaking the law.
I’m damned if I do and damned if I don’t.
I’m erring on the side of caution because not every website visitor is going to be turned off by the fact I’m abiding by a law that some Eurocrat dreamed up.
I’d rather lose some visitors than be hit with a fine. It’s a no-brainer in my book.
My question is, will I need to show the modal box again to a returning visitor when they’ve already given permission the last time they visited? Perhaps I should add another check box saying, “Please don’t ask again.”
By the way, the EU cookie law is being talked about all the time on Twitter so awareness is spreading. Check out the #cookielaw hashtag to see for yourself. Whether that means the law will be significantly improved or abolished, I’ve no idea. But if people don’t know about it, they soon will.
Nice post, I think I will suck it and see, after all we all know what happened to the ICO when they implemented cookie opt in, I think this could be construed as very anti competitive as non eu companies will still be able to track and we all know the value of analytics in seo. Do you know how many eu sites have implemented this, and how?
notice there is no mention anywhere (in the law that is) about flash cookies.
I believe they don’t fall under current proposed legislation.
And to top it off, have you ever tried deleting your flash cookies? If not, try it now, and post how long it took
Flash cookies are included, as is web beacons as already stated how they will address the law will take ages to set precedence.
I’d love to see how they are going to enforce this on anybody except a few BigCo test cases…..
Definately, it’s practially impossible to police. As there’s so many different methods of implementation it’s not like they can just search a site code to see where it isn’t included.
Not to mention that the tracking codes could be hidden in includes. What happens if someone at the ICO views a site, accepts cookies and then someone else on the same IP comes along? In theory they won’t see the pop-up and if it’s hidden in the code, they won’t find that either.
Also the punishment doesn’t fit the crime. £500,000 is extreme and does signify that it’s mainly a punishment for the mega brands. It would cripple most businesses.
7 Comments