How to get your website to comply with the new Cookie Laws

By Fiona Humberstone, 29th May 2012

The new cookie laws came into play last week and I know there’s a lot of hocus pocus around what we should be doing as business owners. So who better to offer their expert opinion than the lovely Suzanne Dibble, award winning lawyer and generally all round helpful person. I’m going to hand over to Suzanne to take things from here.

Last May, the EU Privacy and Communications Directive came into force which stated that all non-essential cookies used on websites must be clearly identified to the website’s users and that the website users must consent to the cookies being used (on an opt-in basis). The Information Commissioner’s Office (ICO) gave UK website owners a year’s grace in order to become compliant with the new law and that period expires on 26 May 2012.

What is a cookie?

A cookie is a small text file that helps organise and store browsing information. Common examples of non-essential cookies include Google Analytics which provides anonymous tracking data about website users, affiliate links, Google Adsense, cookies used to recognise a website user when they return to a site and cookies for advertising. Examples of essential cookies are those used to remember the goods a user wishes to buy when the user checks out, cookies for internet banking security and cookies that help pages to load more quickly.

Why was the law introduced?

The EU was concerned about consumers not being aware that their surfing behaviour is being monitored and data being stored for advertising purposes. Such behavioral advertising is carried out mainly with the use of “persistent” cookies. Hence the legislation seeks to impose a duty on website owners to tell their users about the cookies on the site and only be able to use such cookies with the website user’s informed prior consent.

What you need to do to comply

Firstly, you need to identify what cookies are being used on your website. You can purchase cookie audit software for this purpose or undertake a free audit at http://tagcert.com/pricing_free or http://www.attacat.co.uk/resources/cookies#axzz1vh2JkIxb or http://www.cookiecert.com/. However, please note that such software tools are not 100% reliable.

Otherwise, you can clear your browser cache, go onto your website and then look at the stored cookies. Then identify which are from your site and which are from a third party site. You then need to identify what purpose the cookies serve, whether they contain personal information, and whether they are being used to track the user and, if so, the lifespan of the cookie. You should also check any WordPress plugins that you have on your site.
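The manual audit above can be turned into a repeatable check. The following is an added example, not code from the original article: it takes Set-Cookie headers copied from the browser's developer tools and labels each cookie as first or third party, session or persistent, with its lifespan in days. The host names and cookie values are constructed sample data, and the first-party test is a simplification that does not consult the public suffix list.

```javascript
// Constructed sample data: hosts and cookie values are invented for illustration.
const SITE_HOST = "www.example.co.uk";
const CAPTURED = [
  { host: "www.example.co.uk", header: "basket=abc123; Path=/; HttpOnly" },
  { host: "www.example.co.uk", header: "_ga=GA1.2.1.2; Domain=.example.co.uk; Max-Age=63072000; Path=/" },
  { host: "ads.tracker.example", header: "uid=xyz; Domain=.tracker.example; Expires=Wed, 29 May 2013 00:00:00 GMT" },
];

// Parse one Set-Cookie header value into name, effective domain and lifetime.
function parseSetCookie(header, responseHost, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const a = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    a[key] = i === -1 ? true : attr.slice(i + 1);
  }
  // Max-Age takes precedence over Expires; neither means a session cookie.
  let lifetimeDays = null;
  if (a["max-age"] !== undefined) lifetimeDays = Number(a["max-age"]) / 86400;
  else if (a.expires) lifetimeDays = (Date.parse(a.expires) - now) / 86400000;
  // Without a Domain attribute the cookie belongs to the host that set it.
  const domain = String(a.domain || responseHost).replace(/^\./, "").toLowerCase();
  return { name, domain, lifetimeDays };
}

// Simplified rule: first party if the cookie domain is the site host or a parent of it.
function isFirstParty(cookieDomain, siteHost) {
  return siteHost === cookieDomain || siteHost.endsWith("." + cookieDomain);
}

// Produce one audit row per captured cookie, ready to paste into a cookie policy.
function auditCookies(captured, siteHost, now = Date.now()) {
  return captured.map(({ host, header }) => {
    const c = parseSetCookie(header, host, now);
    return {
      name: c.name,
      domain: c.domain,
      party: isFirstParty(c.domain, siteHost) ? "first-party" : "third-party",
      type: c.lifetimeDays === null ? "session" : "persistent",
      lifetimeDays: c.lifetimeDays === null ? null : Math.round(c.lifetimeDays),
    };
  });
}

console.table(auditCookies(CAPTURED, SITE_HOST, Date.parse("2012-05-29T00:00:00Z")));
```

The purpose of each cookie and whether it holds personal information still have to be filled in by hand, since neither can be read from the header.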

Then you need to obtain a cookie policy and insert the details of your cookie audit into that policy and add it to your website. You can obtain a free cookie policy from our free cookie policy page.

The final step is to obtain opt in consent from your users to the use of non-essential cookies. If the only cookies on your site are essential then you do not need to obtain consent, but as most of you will at least use Google Analytics (which is non-essential), you will need to obtain consent.

This is the problematic part. There is no recommended solution as to how to obtain consent from website users. Here are some possible options:

http://www.heartinternet.co.uk/eu-cookie-law.html

This site provides free code so that you can add an opt-in button that looks like this:

Or you could try http://www.civicuk.com/cookie-law/index

The site provides free code that when added to your website brings up the following opt-in box in the bottom right corner of your website.

If you have a WordPress site, you could try the EU Cookie Directive WordPress Plugin which not only displays an opt-in message at the top of your site but also lists in your admin panel the cookies you have installed. The opt-in message is customisable.

Whichever option you go for, the opt-in message should appear on whichever page of the website the user lands on.

Information about the cookies and consent to the placement of cookies must be obtained before the cookie is placed and/or before information stored in the user’s terminal equipment is collected. However, the ICO acknowledges that in practice many websites set cookies as soon as a user accesses the website. This makes it difficult to obtain consent before the cookie is set. The ICO therefore advised that wherever possible websites should delay setting cookies until users have had the opportunity to understand what cookies are being used and to consent to their use. Provided that you have a prominent notice on the homepage alerting users to the use of cookies (with a link to more detailed information) and which asks them to indicate whether or not they consent to that use, the website may then set cookies when the user moves on to another page of the same site even if the user fails to indicate his preference by ticking the relevant box. However, the other page must include a notice that allows the user easily to opt-out of the use of cookies. So it is best to include the cookie policy link in your website’s header or footer in a prominent colour.
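One way to delay non-essential cookies until the visitor has opted in, as an added example that is not part of the original article or of any of the tools named above. The cookie name `cookie_consent`, the `createConsentGate` helper and the analytics loader are assumptions; in a browser you would pass the real `document` instead of the stand-in used here so the example runs in Node.

```javascript
// Assumed name for the cookie that records the visitor's choice.
const CONSENT_COOKIE = "cookie_consent";

function createConsentGate(doc) {
  const pending = []; // loaders for non-essential cookies, held until a decision
  const read = () => {
    const m = doc.cookie.match(new RegExp("(?:^|; )" + CONSENT_COOKIE + "=(yes|no)"));
    return m ? m[1] : null;
  };
  // Assumption: the cookie recording the choice is the only one set before consent.
  const store = (value) => {
    doc.cookie = `${CONSENT_COOKIE}=${value}; Max-Age=31536000; Path=/; SameSite=Lax`;
  };
  return {
    status: read,
    needsBanner: () => read() === null, // show the opt-in notice on any landing page
    // Register code that sets non-essential cookies (analytics, advertising).
    whenAllowed(loader) {
      if (read() === "yes") loader();
      else pending.push(loader);
    },
    optIn() {
      store("yes");
      while (pending.length) pending.shift()();
    },
    optOut() {
      store("no");
      pending.length = 0; // nothing queued will ever run
    },
  };
}

// Minimal stand-in for the browser's document.cookie jar (constructed for this example).
function fakeDocument() {
  const jar = new Map();
  return {
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join("; "); },
    set cookie(s) { const [k, v] = s.split(";")[0].split("="); jar.set(k.trim(), v); },
  };
}

// Run the flow once: register an analytics loader, then record the visitor's decision.
function demo(decision) {
  const doc = fakeDocument();
  const gate = createConsentGate(doc);
  gate.whenAllowed(() => { doc.cookie = "_analytics=1; Max-Age=63072000; Path=/"; });
  const before = doc.cookie;
  if (decision === "yes") gate.optIn(); else gate.optOut();
  return { before, after: doc.cookie, banner: gate.needsBanner() };
}
```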

What will happen if I’m not compliant on 26 May 2012?

The ICO has the power to fine you £500,000 if your website is not compliant. However this is very unlikely. Firstly the ICO will not have a team of investigators tracking down non-compliant websites. And secondly, even if there is a complaint made against you, the ICO has commented that as long as website owners are “moving towards compliance” and are not “wilfully avoiding the regulations”, the ICO will work with website owners to help them be compliant rather than fine them. Indeed a Cabinet Office spokesman has commented that “the majority of government department websites will not be compliant with the legislation” by 26 May 2012.

So if you don’t want to go so far as to have an opt-in pop up on your website, then at the least and so that you can show that you are “moving towards compliance”, you should carry out a cookie audit, assess how intrusive your cookies are, decide on the best solution and have a cookie policy on your website.

Go to our free cookie policy page for your free cookie policy.

Copyright Suzanne Dibble 2012. Suzanne Dibble is a multi-award winning business lawyer who specialises in e-commerce law. Suzanne has vast experience ranging from acting for plc’s on billion pound projects to helping micro businesses with their day to day business law requirements. To find out more about Suzanne and read the many testimonials from happy clients please see www.lawyers4mumpreneurs.com.
