Since this blog post was published, the ICO has updated their advice for UK websites, now recognising implied opt-in as a valid form of consent. More information on the implications of this change can be found here.
The EU e-Privacy directive
There’s been a lot of coverage of cookie regulations recently, as the UK government’s Information Commissioner’s Office (ICO) prepares to uphold complaints against companies found breaking the e-Privacy Directive. Despite all this talk, there is still confusion regarding what’s covered in the regulations, how to adhere to them and how far the ICO will go with enforcing the law. In this post I’ll try to provide some clarity on the situation.
Summary of the directive
The first question is: what has actually changed? Last year the EU issued an e-Privacy directive demanding that website operators obtain user permission before storing cookies (data files) on their device, legislation that is about to be implemented as law by the UK government. Although popularly termed the “Cookie law”, in fact all ‘non-essential’ tracking technologies, such as HTML5 local storage and Flash cookies, are covered by the directive.
Public perception of this law is positive, but this is likely to be down to the lack of understanding as to what cookies are and how they are used; the same survey showed that 75% had not heard of the e-Privacy directive before. So what are cookies anyway? Essentially, they’re very small text files that are stored on user machines when they visit certain web pages, gathering information about user behaviour.
Why cookies matter
Websites often rely on cookies to generate targeted advertisements in order to pay for the “free” content that users enjoy, and some website features, such as allowing users to personalise a site’s homepage or styling, or remembering what a user has placed in an online shopping basket, will not function properly without cookies. Furthermore, site improvements are often based on anonymous user statistics; without cookies for all visitors, the usefulness of these web analytics may be greatly reduced. Responsibility for third-party cookies, such as those produced by Google Analytics and the Facebook “like” buttons, also falls to the owner of the site they’re used on. So if you have options for sharing the articles on your site, you will need the user’s permission in order to do so.
This law has been criticised by many for being heavy-handed, and a survey conducted by Econsultancy and Toluna revealed that 82% of marketers feel it is a threat to the web (almost the opposite of the public’s view). This seems to stem from the fact that, rather than looking at which cookies are actually intrusive, the law requires the user’s permission to use any at all.
When the law came into effect on the 26th of May 2011, the ICO stated that they would not prosecute anyone for a period of 1 year. This grace period is nearly up, and most websites are still not ready.
What are the options?
There are three broad options for dealing with the privacy law – do nothing, assume an opt-out policy, or get the users to actively opt-in (this is assuming that removing all cookie-use on your site is not an option, of course – true for the vast majority of websites).
Whichever option you decide on, an audit of all the cookies used on your site is the first thing you should do (you can find information on how to conduct an audit, and tools to help, on sites such as Silktide and CookieLaw). List them out and rank them according to the four categories defined in the ICC guide. This will help you determine the best course of action for your website:
A. Do Nothing
Reports suggest that between 90% and 95% of websites have yet to comply with the regulations, and exactly how this law is going to be enforced has yet to be defined. The potential fines are extremely large, up to £500,000, although some sources are suggesting that the ICO will focus on responding to complaints rather than actively searching out non-compliant sites.
B. Assume opt-out
Educating the user about the cookies on your site and how to turn them off is another option. This assumes that the client has accepted the cookies by not turning them off in their browser.
You could increase the visibility of the link to your terms and conditions, or provide a link to a section of your site explaining, in layman’s terms, what cookies are and how they are implemented across your site.
Update: Following the ICO’s change to the regulations made on Thursday (24th May), this method of “implied opt-in” now constitutes valid user consent to cookie use.
C. Request an opt-in
There are many different ways of actively requesting a cookie opt-in, some more intrusive than others:
- A pop-up or dialogue box, while fairly unmissable, is very disruptive to the user experience and flow of your website. Requiring your users to give permission for something that many of them will not understand is a huge barrier and will almost certainly cause drop-off.
- Something less obtrusive would be a thin bar across the top or bottom of your site, which stays there until the user agrees to allow cookies. There’s a great free, open-source example from Silktide.
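Whichever option you pick, the audit comes first. The following is an added example (not code from the original post or from Silktide/CookieLaw) of the audit step: it parses captured Set-Cookie headers, flags third-party cookies, ranks each cookie into the four ICC UK Cookie Guide categories, and shows which cookies an explicit opt-in policy would have to hold back before consent compared with implied opt-in. The name-to-category map and the sample headers are constructed for the example.

```python
# Added example (not from the original post): audit captured Set-Cookie headers
# and rank each cookie into the four ICC UK Cookie Guide categories
# (1 strictly necessary, 2 performance, 3 functionality, 4 targeting/advertising).
from dataclasses import dataclass
from typing import List, Optional

# Constructed name-to-category map; a real audit fills this from each cookie's
# documented purpose. Unmapped cookies get category None and need manual review.
KNOWN = {"JSESSIONID": 1, "basket": 1, "csrftoken": 1,
         "_ga": 2, "_gid": 2, "__utma": 2, "theme": 3, "lang": 3, "IDE": 4}

@dataclass
class CookieRecord:
    name: str
    domain: str
    persistent: bool         # Expires or Max-Age present, so survives the session
    third_party: bool        # scoped to a domain other than the site's own
    category: Optional[int]  # ICC category, None when unknown

def parse_set_cookie(header: str, site_host: str) -> CookieRecord:
    """Parse one Set-Cookie header value relative to the host that sent it."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain", site_host).lstrip(".").lower()
    first_party = domain == site_host or site_host.endswith("." + domain)
    persistent = "expires" in attrs or "max-age" in attrs
    return CookieRecord(name, domain, persistent, not first_party, KNOWN.get(name))

def audit(headers: List[str], site_host: str) -> List[CookieRecord]:
    """Rank the site's cookies most intrusive first, unknowns at the very top."""
    records = [parse_set_cookie(h, site_host) for h in headers]
    return sorted(records, key=lambda r: -(r.category or 5))

def blocked_before_consent(records: List[CookieRecord], policy: str) -> List[str]:
    """Cookies that must not be set before consent: explicit opt-in allows only
    strictly necessary ones; implied opt-in (notice shown, user carries on) holds nothing back."""
    if policy == "implied":
        return []
    return [r.name for r in records if r.category != 1]

SAMPLE_HEADERS = [  # constructed responses from www.example.co.uk
    "basket=7d3f; Path=/; HttpOnly",
    "_ga=GA1.2.1; Domain=.example.co.uk; Path=/; Expires=Fri, 01 Jan 2016 00:00:00 GMT",
    "IDE=a1b2; Domain=ads.example.net; Path=/; Max-Age=31536000",
    "tracker=x; Domain=.example.net; Path=/",
]
```

Running `audit(SAMPLE_HEADERS, "www.example.co.uk")` lists the unknown `tracker` cookie first so it gets reviewed, and `blocked_before_consent(..., "explicit")` shows that everything except the basket cookie would have to wait for consent.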
What are others doing?
Here are some great examples of websites that have attempted to comply already.
- John Lewis: This is an example of the implied opt-in. They have a whole section explaining what cookies are, how they are used, and a list of all the cookies used on the site.
- BT: This has a pop up which disappears after a short delay. Clicking on the link at the bottom of the page takes you to a page where you can use a slider to adjust the level of cookie use you want.
- ICO & All Things D: Both these sites use a bar across the top of the site. All Things D only show the warning once, and do not give the user the option to opt out. It’s assumed that, by carrying on, the user has given consent.
What are our clients doing?
We are typically observing that clients are adopting a “wait and see” stance, which appears to be the prevailing mood of many companies and sites at the moment. If you’re only using cookies for anonymous analytics and those required for site functionality, enforcing an opt-in policy could be extremely detrimental to your ability to provide users with appropriate, relevant content; as this article illustrates, approximately 90% of the visitors to the ICO’s own website refused to be tracked when given the choice.
It’s predicted that most of the government’s own websites will not even be compliant by the 26th of May, and it’s believed that the ICO will largely try to avoid prosecution, focusing on the larger abusers, who are said to be the intended target of this law. This is supported by the recent news that the ICO will be contacting 50 of the largest UK websites to find out what they are doing to meet the directive.
As part of the announcement, the ICO’s deputy commissioner and director of data protection David Smith said, “Businesses have to make their judgements and take their decisions, and in doing that the more intrusive a cookie is the more likely it is to engage our attention. If all they’ve got is website analytics it’s not all that likely that they will end up facing enforcement action from the ICO as we have a lot of other priorities before we’d ever get to them”. So it seems that if you’ve got nothing to hide, you’ve got nothing to fear.
- ICC UK Cookie guide: This is the best resource I’ve found on all the different options available, and the different classes of cookie.
- The ICO (Information Commissioner’s Office) is the independent authority set up in the UK to uphold this law.
- A humorous but easy-to-understand video about the law and why it could be bad for internet businesses in the UK.
- Econsultancy have a great article on what they have done in order to comply and their reasoning behind it.
- The Guardian have a good article on the new law and details of how they’re dealing with it.
- BBC news have a story on the fact that the majority of government sites will not comply by the 26th of May 2012.
- There’s also a similar story from The Register.