The so-called EU Cookie Law is not so much a law as a directive, resulting from the Privacy and Electronic Communications (EC Directive) Regulations 2003, which was updated in 2009 to cover cookies. European governments had until 25th May 2011 to write local laws that force websites to ask users for consent before storing cookies on the user’s PC.
The Information Commissioner (the UK’s guardian of citizens’ privacy) did implement the law but gave a 12-month grace period so that websites would have time to comply. That grace period ends on 26th May 2012, and most websites still haven’t even heard of the law, let alone thought about how to become compliant.
The Information Commissioner (IC) has been extremely helpful and consultative over the past year and has expressed a desire to be understanding and sympathetic to website owners, who face an onerous task.
What the Directive says and what the IC says
The law is designed to protect users from having cookies stored on their computer unless they expressly consent. This means you cannot serve ANY cookies – not even a Google Analytics one – if they do not click something or tick a box to say they are happy to accept cookies. The IC has implemented this method on www.ico.gov.uk using a box at the top of the site, which is persistent on all pages until you tick the box to agree to cookies.
Once you tick the box, consent is given and the website starts serving cookies. Consent need not be obtained again. It’s worth noting that consent is per computer/device, not per person, despite the law implying it is to protect personal privacy.
The IC, Christopher Graham, has given guidance to website owners that accepts how difficult it is to just turn off cookies. The IC guidance says: “The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes it difficult to obtain consent before the cookie is set. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.”
Keep calm and carry on serving cookies?
In recent days, internet professionals have been pointing to the implementation by FT.com, which has also been adopted by a number of other websites. What they do is serve a pop-up message on all their pages giving you the opportunity to read about their cookies. The pop-up only stops appearing on the site when you click the “close” link, which also acts as you giving consent. (See note at the end of this article.)
The beauty of this method is that it tells the user how to disable cookies using the browser’s built-in tools and doesn’t require the website owner to do all kinds of jiggery pokery in the back end. It is not truly compliant with the letter of the law, but it is compliant with the IC’s interpretation of the spirit of the law. In his blog post of 13th December 2011, Christopher Graham advised, “Two general questions that might help in this regard might be, ‘is my website doing anything that my users don’t know about?’ and ‘am I confident that I am giving them appropriate options?’”
If the EU bureaucrats had actually been proper internet users instead of bureaucrats, they would probably have realised that the Directive and its expectation of websites turning off cookies was nigh on impossible anyway. After all, you might be able to work out how to turn off your own cookies, but what about third party cookies from Facebook, Twitter, ad networks and any number of external companies whose widgets you may be serving into your website?
The most logical way to give users control over cookies is to tell them how to manage cookies in their browser.
How to switch off cookies the easy way
The IC clearly intends for websites to go to the “off by default” option at some point in future, when this is technically feasible, so if you want to explore that option now, how can you do it?
You should note that if you block all cookies served from your website, including Google Analytics, it will suddenly look like you have no traffic. The ICO website reportedly “lost” 90% of its traffic in Analytics reports once it turned cookies off. That means only 10% of visitors, theoretically, opted in.
Have a look at the Cookie Law website, where there is advice and help for running a cookie audit. Also, Civic UK has created a pretty smart piece of code that will make it easy for you to plug in a cookie consent module which sits in the bottom corner of your website.
It has to be said, though, that you still have some technical hoops to jump through if you are using a custom CMS, but users of WordPress, Magento and other content management systems will find the Civic UK tool very useful indeed.
FT note: As I write this article, the FT.com solution is working on www.ft.com but it is not appearing on sub-domains such as markets.ft.com or video.ft.com. However you implement your policy, remember all sub-domains need to be included.
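An added example, not code from the ICO, FT.com or Civic UK: a sketch of the “off by default” approach, together with the sub-domain point in the FT note, showing how the consent cookie’s Domain attribute decides which sub-domains see the stored consent. The cookie name, tag names and example.com hosts are assumptions made for illustration, and the cookie string assumes the site is served over HTTPS.

```javascript
// Added example: "off by default" consent gating plus sub-domain coverage.
// Cookie name, tag names and the example.com hosts are constructed for illustration.
const CONSENT_COOKIE = 'cookie_consent';

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Nothing that sets cookies loads until the consent cookie is present.
function tagsToLoad(cookieString, cookieSettingTags) {
  const consented = parseCookies(cookieString)[CONSENT_COOKIE] === 'yes';
  return consented ? [...cookieSettingTags] : [];
}

// Cookie written when the visitor ticks the box. With a Domain attribute it is
// shared with every sub-domain; without one it is host-only.
function buildConsentCookie(parentDomain) {
  const oneYear = 365 * 24 * 60 * 60; // seconds
  const scope = parentDomain ? `; Domain=${parentDomain}` : '';
  return `${CONSENT_COOKIE}=yes${scope}; Path=/; Max-Age=${oneYear}; Secure; SameSite=Lax`;
}

// RFC 6265 domain matching: would a cookie set by `setBy` reach `host`?
function cookieReaches(host, setBy, domainAttr) {
  if (!domainAttr) return host === setBy; // host-only cookie
  const d = domainAttr.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Hosts where the visitor would not be recognised as having consented.
function hostsMissingConsent(hosts, setBy, domainAttr) {
  return hosts.filter(h => !cookieReaches(h, setBy, domainAttr));
}

// Constructed list of a site's hosts.
const HOSTS = ['www.example.com', 'markets.example.com', 'video.example.com'];
```

In a browser, `tagsToLoad(document.cookie, [...])` gates the script loader, and `document.cookie = buildConsentCookie('example.com')` records the visitor's choice for the whole site.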