You may have heard about the “Cookie Law” recently.
This article explains what you need to know about the legislation, and what to do to ensure compliance.
What is the “Cookie Law”?
Cookies are small text files set on your computer at the request of a website, and are sent back to that website on subsequent visits until the cookies expire.
Cookies are used to implement any feature that remembers you between visits.
Examples include shopping carts and password-protected content.
In 2009 the European Parliament passed directive 2009/136/EC, amending the previous E-Privacy Directive of 2003.
Reflecting concerns about the use of tracking cookies (cookies whose sole purpose is to track which websites you are visiting in order to target advertising at you), the new directive requires websites to obtain visitors’ consent for non-essential cookies.
European directives are not law in themselves; they instead require EU member states to amend their national laws to achieve the aims of the directive.
Problems with the directive have meant that few member states have done so to date, with the United Kingdom being one of the few exceptions.
The United Kingdom government passed The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 in response to the directive.
What are the problems?
The law makes an exception only for cookies deemed ‘essential’.
The Information Commissioner's Office published guidance stating that this includes cookies used for shopping carts, but not cookies used for collecting statistics (such as Google Analytics).
In a recent interview, Dave Evans of the Information Commissioner's Office admitted that "exemptions for strictly necessary cookies were not drawn widely enough".
A request under the Freedom of Information Act revealed that, following the change, visitor numbers reported by Google Analytics dropped by 90%, implying that only 10% of visitors accepted cookies.
These restrictions on cookies — cookies that web companies regarded as entirely reasonable and that are used on the majority of websites — meant that the law was universally ignored.
As a result the United Kingdom government delayed the deadline for implementation by a year, until 26th May 2012.
In the approach to the deadline, the Government Digital Service published an article stating that they regard Google Analytics as ‘essential’ and ‘minimally intrusive’, and hence exempt under the law.
This has reduced, but not eliminated, the problems caused by the law.
What do I need to do?
Option 1: Do nothing
While we explicitly cannot recommend ignoring the law — it is, after all, the law, and there are potential financial penalties for non-compliance — the vast majority of websites have not taken any action to comply with the law, including the majority of the government’s own websites.
The general opinion amongst web companies is that the law will not be enforced in the face of widespread non-compliance.
In a recent interview, Dave Evans of the Information Commissioner's Office stated “we know that not every website can just switch its website off on May 25 and implement changes” and that “all of our enforcement actions are likely to be in the form of negotiations”.
Option 2: Gain implied consent
The day before the new law came into force, the Information Commissioner's Office updated its guidance to state that implied consent is a valid form of consent in many cases.
Under this approach the site displays a message, and a cookie is used to remember whether the visitor has already seen it, so the message is displayed only on their first visit.
This approach has the advantage of being minimally intrusive and shows that an attempt at compliance has been made.
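The first-visit logic described above, as an added example (not code from the original article or from it'seeze): the notice is shown only when a "seen" cookie is absent, and dismissing it sets that cookie. The cookie name, its one-year lifetime, the element ids and the attributes chosen are assumptions for this illustration. The decision and cookie-building steps are pure functions so they can be run and checked outside a browser.

```javascript
// Added example: first-visit cookie notice for the implied-consent approach.
// Cookie name, lifetime, element ids and attributes are assumptions for this
// example, not the original site's values.

const NOTICE_COOKIE = 'cookie_notice_seen';           // assumed cookie name
const NOTICE_MAX_AGE_SECONDS = 365 * 24 * 60 * 60;    // assumed one-year lifetime

// Parse a Cookie header (or document.cookie) string into a name -> value map.
// Pairs without a name are skipped; a later duplicate name overwrites an earlier one.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    if (eq < 1) continue; // skip "=value" and bare tokens without "="
    const name = trimmed.slice(0, eq).trim();
    const value = trimmed.slice(eq + 1).trim();
    try {
      cookies[name] = decodeURIComponent(value);
    } catch (e) {
      cookies[name] = value; // keep the raw value if it is not valid percent-encoding
    }
  }
  return cookies;
}

// The notice is shown only when the visitor has not already dismissed it.
function shouldShowNotice(cookieString) {
  return parseCookies(cookieString)[NOTICE_COOKIE] !== '1';
}

// Build the cookie string that records the notice as seen. Max-Age makes it
// persist across browser sessions (so the notice really does appear once);
// Path=/ makes it site-wide and SameSite=Lax keeps it first-party only.
// Secure is added when the page is served over HTTPS.
function noticeSeenCookie(isHttps) {
  const attrs = [
    `${NOTICE_COOKIE}=1`,
    `Max-Age=${NOTICE_MAX_AGE_SECONDS}`,
    'Path=/',
    'SameSite=Lax',
  ];
  if (isHttps) attrs.push('Secure');
  return attrs.join('; ');
}

// Browser glue: reveal the notice element on a first visit and set the cookie
// when the visitor dismisses it. Takes document and window as parameters so it
// can be exercised with stand-in objects outside a browser.
function installCookieNotice(doc, win) {
  const notice = doc.getElementById('cookie-notice');          // assumed element id
  if (!notice) return false;
  if (!shouldShowNotice(doc.cookie)) return false;             // already seen: stay hidden
  notice.hidden = false;
  const dismiss = doc.getElementById('cookie-notice-dismiss'); // assumed element id
  if (dismiss) {
    dismiss.addEventListener('click', () => {
      doc.cookie = noticeSeenCookie(win.location.protocol === 'https:');
      notice.hidden = true;
    });
  }
  return true;
}

// Only wire up the page when actually running in a browser.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installCookieNotice(document, window);
}
```

The notice element is assumed to start hidden in the markup (for example with the `hidden` attribute) so that returning visitors never see it flash before the script runs.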
All 'Websites for Startups' sites created after the legislation came into effect display such a message.
If you have an older it’seeze site and would like to display such a message, please contact us.
Option 3: Gain explicit consent
The following uses of cookies on 'Websites for £99' websites are exempt:
The webshop and password-protected pages
These uses are explicitly exempted under the law
Google Analytics
As mentioned above, the Government Digital Service regards analytics as ‘essential’ and ‘minimally intrusive’, and hence exempt under the law.
The following uses of cookies on 'Websites for Startups' websites require consent:
YouTube, Dailymotion, and Hark embedded media players
These media players set a cookie when the play button is clicked.
You can therefore gain consent by adding a statement to the effect of “By clicking the play button, you consent to YouTube/Dailymotion/Hark setting a cookie in your web browser”.
The Facebook Like Box component
This component embeds a page on facebook.com.
The embedded page sets several cookies.
We do not have control over these cookies, so you would need to remove the component to comply with the law.
Sharing buttons (Like, +1, and AddThis)
These bespoke features, which you may have asked us to add to your site, use code provided by the associated companies (Facebook, Google, and Clearspring Technologies respectively) which sets cookies.
We do not have control over these cookies, so you would need to ask us to remove the buttons to comply with the law.