Updated guidance on cookies law for websites

From Thursday, 26 May 2011, any company that tracks information about online users has to get consent from visitors to their website in order to do so. But useful guidance on compliance has been hard to come by, so we’ve pulled together all the latest sources of information you need to make an informed decision about what to do on your own website. What are cookies? Cookies are pieces of computer code that allows websites to remember users’ preferences such as what’s in their shopping basket or whether they’re logged into a website. They are also used to anonymously track users’ behaviour. From 26 May 2012, businesses will have to get “overt” consent to put cookies on a visitor’s computer. This consent “must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service.” Penalties for non-compliance From this date, any website found guilty of using technologies to track a user’s browsing behaviour without their consent could face a fine of up to £500,000 from the Information Commissioners’ Office (ICO), a huge increase on the previous £5,000 fine. It has said that, rather than seeking out websites that don’t comply; it will act on complaints about websites and take into account the steps that the business is taking to achieve compliance. Are there any exceptions? The only exception to the rule is if you’re using cookies because it’s “strictly necessary” to deliver a service requested by the user. For example, they would be allowed to ensure that when a visitor puts something in their shopping basket your website remembers it until they have checked out. Does my website use cookies? First of all, you need to establish if your website uses cookies at all and, if so, which ones it uses. One way to find this out is by performing an audit. There are free tools available to do this, including: Optanon (requires Firefox web browser) Attacat (for Firefox) Bitstorm (for Google Chrome) If you don’t know what the results mean, speak to your web designer or an IT professional. The analytics question For most small businesses, the only cookies it will use are those to track what visitors do when they’re on your website, for example, by using a package like Google Analytics. This allows businesses to monitor the performance of its website and make improvements for a better user experience. By asking people to opt in, businesses could receive a fraction of the data they currently get, which may not be representative of their audience as a whole – for example, the ICO itself suffered a 90% fall in recorded traffic in the month after they implemented a cookies opt-in. But now, the UK’s Government Digital Service, the team responsible for the Government’s own online presence, has come out to say that they believe web analytics cookies are “minimally intrusive” and tend to be controlled by the “first party”, i.e. the owner of the website, so therefore should not be affected by the rules. They’ve backed this up with a statement from the ICO itself, which says: “Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action.” So, as long as you’re up-front about which analytics cookies you’re using, you could take the view that you should be safe. After all, even a Government department says it is. However, elsewhere in the ICO’s guidance document, it advises that analytics cookies are “unlikely to fall within the exception” of cookies which are “strictly necessary”. So taking this approach is a gamble. Displaying cookies opt-in messages If you do choose to display an opt-in message on your website, there are two ways you can do this: With a short message at the top or bottom of your page that is there until the visitor opts in or out. With an overlay message that appears over the top of your page when a new visitor arrives. This can be dismissed either by opting in, opting out entirely or dismissing the message (opting out temporarily). Either option will require some technical knowledge, so you will probably need to get your web designer or an IT professional to do this for you. Ready-made solutions include : Optanon – offers an annual license and the software can be tailored to your website. Wolf Software – offers a free solution for websites using Google Analytics. Keep the message used in your opt-in simple and to the point. The problem with this law is that many people don’t actually know enough – or care enough to find out – about cookies. Explain the reason for the opt-in in simple language. For example, Optanon’s Cookie Collective website says “This website works best using cookies which are currently blocked. Allow cookies?” However, they also provide a link to more information for those who want it. What steps should I take next? Unfortunately, there is no perfect solution to the cookies conundrum. It may not be much comfort, but organisations of all sizes are in the same boat and everyone seems to be taking a ‘wait and see’ approach. In a blog post from December 2011, the ICO said that, if it approaches an organisation they expect it to be able to tell the ICO what it is doing to become compliant and how long it will take. It says “Exactly what you tell us will depend on who you are, the sophistication and complexity of your website and who your users are but we will expect that you can tell us something.” So, we suggest that it would be wise to do an audit of your site, take advice from your web designer or another IT professional and choose a suitable solution, in case you need to use it.
Time is ticking for businesses to ensure that their websites complies with an EU Directive on the use of cookies. We’ve pulled together all the latest sources of information you need to make an informed decision about your own website.