EU Cookie Law Deadline, May 26th 2012

15th May, 2012 in Website Policy 12 Comments

Update, May 26th 2012: The ICO changed the requirements at the very last minute, stating that it is OK to assume consent for cookies, but that a clear link to instructions on how to remove or block cookies needs to be shown. This means you no longer have to block cookies and ask to allow them (which is great news!), but you do have to make it clear you use cookies and inform the user how to remove or block them. We recommend using an unobtrusive pop-up at the bottom of the website so as not to degrade the user experience.

The Directive

The EU Cookie Law deadline of May 26th is approaching, by which time all websites need to conform to the EU Cookie Law directive.

What are cookies? 

A cookie is a small file stored on a user's computer by the browser when they visit a website that sets cookies. The browser can read a user's cookies and send information back to websites that the user visits. Cookies are primarily a mechanism for websites to remember things that a browser has done there in the past, which can include having clicked particular buttons, logging in, or having read pages on that site months or years ago. Cookies can also be used to track users' browsing patterns, such as those set by Google Analytics, which all our customer websites have.

You can read more information here http://en.wikipedia.org/wiki/HTTP_cookie

So what’s the issue with cookies? 

Cookies can be used on commercial websites to target advertising at users based on their browsing patterns and history. This may have privacy implications, and so the Information Commissioner's Office (ICO http://ico.gov.uk/) has created a policy to prevent this happening.

What does the policy require? 

Although cookies can be turned off by a user on a per browser basis, due to said privacy concerns, the ICO has decided a user must opt in to receive cookies rather than opt out. The EU cookie law which comes into force on May 26th 2012, requires websites to gain consent from visitors to store or receive any information on a computer or any other web connected devices (e.g. smartphone or tablet). The cookie law has been designed to protect online privacy of customers by making them aware, and giving them a choice, about the amount of information collected by websites. After May 26th 2012 if a business is not compliant, or is not visibly working towards compliance, it will run the risk of enforcement action and a possible fine of up to £500,000.

What are the implications?

In order to comply, when a user visits your website they should be presented with an option to accept cookies before any cookies are set on their machine. The cookies need to be explained in a clear Privacy Policy. Google Analytics requires cookies, so it will stop collecting data until a user accepts the cookies. Any cookies required for the website to function (e.g. shopping basket, login forms) are exempt and are OK to be created.

What do I need to do?

Most content management systems, including the systems we provide to our customers, set cookies on a user's machine. In theory, these cookies need to be prevented from being created until a user agrees to accept cookies.

Your web developer will need to make some changes to your website code to prevent the cookies being created and, if you need cookies, add in an option for the user to accept cookies (an unobtrusive pop up box is common). If this is not implemented, then you need to be able to show you are actively working toward implementing it. 
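One way a developer could implement the change described above, as an added example rather than Amity's own code: a small gate that writes exempt cookies straight away and holds everything else until the visitor accepts. The cookie names, the `ESSENTIAL` list and the `fakeDocument` stand-in are assumptions for illustration; in a browser you would pass the real `document` to `createCookieGate`.

```javascript
// Added example. Cookie names and categories are assumptions for illustration.
const ESSENTIAL = new Set(["session_id", "basket"]); // exempt: login, shopping basket
const CONSENT_COOKIE = "cookie_consent";
const safeDecode = (v) => { try { return decodeURIComponent(v); } catch { return v; } };
// Parse a document.cookie-style string ("a=1; b=2") into a Map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) jar.set(part.slice(0, idx).trim(), safeDecode(part.slice(idx + 1).trim()));
  }
  return jar;
}

// Gate: essential cookies are written at once, the rest wait for consent.
function createCookieGate(doc) {
  const queued = [];
  const hasConsent = () => parseCookies(doc.cookie).get(CONSENT_COOKIE) === "yes";
  const write = (name, value, days) => {
    doc.cookie = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Max-Age=${days * 86400}`;
  };
  return {
    hasConsent,
    setCookie(name, value, days = 30) {
      if (ESSENTIAL.has(name) || hasConsent()) { write(name, value, days); return true; }
      queued.push(() => write(name, value, days));
      return false;
    },
    // Defer work that itself sets cookies, e.g. injecting an analytics script.
    whenConsented(fn) { if (hasConsent()) fn(); else queued.push(fn); },
    // Call from the pop-up's "accept" button: record the choice, then replay the queue.
    grantConsent() {
      write(CONSENT_COOKIE, "yes", 365);
      queued.splice(0).forEach((fn) => fn());
    },
  };
}

// Constructed stand-in for the browser's `document`, so the example runs in Node.
function fakeDocument() {
  const jar = new Map();
  return {
    set cookie(str) {
      const pair = str.split(";")[0];
      jar.set(pair.slice(0, pair.indexOf("=")).trim(), pair.slice(pair.indexOf("=") + 1).trim());
    },
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join("; "); },
  };
}
```
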

In addition to this, a clear Privacy Policy needs to be created to explain what data and cookies the website collects, and what the website owner does with the data.

What has Amity implemented? 

We have disabled all cookies on our website except Google Analytics. We believe Google Analytics to be an essential service for the operation and function of our website and therefore exempt (note this is our opinion and not that of the ICO). Why? Because we use Google Analytics to ensure our website is performing well, functioning properly, and stays competitive. It allows us to continuously improve these aspects, which in turn allows us to provide our products and services to the level customers expect.

We have also implemented a Privacy Policy that clearly defines our use of cookies and other data we collect. 

If you need any help implementing these actions please contact us for more information. 

Comments
Laurence Cope 15th May, 2012 at 15:51 pm

Check out the ICO website statistics after they implemented the cookie block which prevented google analytics leaving cookies http://chinwag.com/blogs/sam-michel/cookiepocalypse-implementing-new-law-drops-use-90

Laurence Cope 15th May, 2012 at 15:54 pm

P.S. At the time of posting, the ICO website was brought down by Anonymous http://www.ico.gov.uk

Laurence Cope 17th May, 2012 at 21:47 pm

Government's own websites are unlikely to meet the deadline even and it would be unlikely they would pursue website owners who do not comply unless a complaint is made... which is unlikely http://www.bbc.co.uk/news/technology-18090118

Simon Davies 18th May, 2012 at 18:02 pm

Why is it then that you also have addthis cookies to your site if all you require is google analytics?

Laurence Cope 18th May, 2012 at 20:46 pm

Hi Simon... A very good point you have raised! I fail to mention in my post that third-party add-ons may also leave cookies, such as the AddThis toolbar above for social network sharing. Add-ons can easily be overlooked and may not appear on all pages. These cookies will also fall under the directive and need to be blocked or consent requested. Luckily AddThis provide some code to not leave cookies, and that is what we have implemented here. So AddThis cookies are not created on this site.

Wolf Software 20th May, 2012 at 14:50 pm

We have created a complete suite of solutions both free and commercial for people who want to gain compliance via an active consent mechanism.



http://demos.dev.wolf-software.com

Jamie Blacker 21st May, 2012 at 16:38 pm

From the ICO: "Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."

See the full pdf here: http://tinyurl.com/ICO-regulations



Also, I can't vouch for how accurate it is, but there's a much nicer designed version of that document released by the ICC here: http://tinyurl.com/ICC-cookies

Anthony Wieser 26th May, 2012 at 12:19 pm

Just a question about the facebook like button above.

How do you know that the facebook iframe doesn't drop a third party cookie? Maybe it doesn't today, but it might tomorrow.

Jamie Blacker 28th May, 2012 at 11:00 am

According to .net magazine, http://tinyurl.com/netmagcookies

"Implied consent via notice If your site doesn’t feature advertising and uses cookies for functional purposes (accessibility, Facebook Like buttons and Google Analytics), then you may be fully compliant if you have a cookie notice displayed clearly on your website referencing details on your privacy page. You will need to make sure this notice remains up to date when new features are added."



Personally, I think an up to date privacy policy is good enough for the time being. Until the ICO clarify some of their points I don't think they can reasonably take action so long as you're making steps to being compliant. With the whole of the EU needing to comply, surely it's just a matter of time before social services (and analytics) come up with a no-cookie solution.



Some relieving statistics from the ICO's own website by the way: http://tinyurl.com/ICOStats

Laurence Cope 29th May, 2012 at 11:43 am

The ICO has updated their policy at the last minute. They have now stated "implied consent" is acceptable. This means you do not need to ask for consent before leaving a cookie, but make it clear to the user that their actions will result in cookies being set (and ideally informing them how to block them). The privacy policy page is not enough on its own. So we recommend a message added somewhere (the pop up could still be used), but no need to block cookies, which is a huge relief. See here for more info http://bit.ly/MXGoHO

Andrew Harvey 25th July, 2012 at 14:54 pm

We have created a simple solution (flyout banner) / cookie policy and site audit at a very low cost.

Laurence 20th March, 2017 at 10:07 am

ICO website link is broken, they have not redirected old links to new ones. So here is an updated link https://ico.org.uk/media/for-organisations/documents/1545/cookies_guidance.pdf
