Andi Smith

Complying With The EU Cookie Law

Recently I've been looking into how the EU Cookie Law affects web sites serving users in Europe. The law was introduced into EU legislation in May 2011 and comes into effect in the UK on 26th May 2012. While this law currently only affects European countries, it is likely that the US will follow suit and implement a similar law in the years to come.

Disclaimer: I am not a lawyer, nor am I a representative of any authority on cookies. These are my interpretations of the cookie law and (like all my blog articles) these views do not represent the views of my employer or associates. If this subject matter is of interest to you, it is important that you do your own research on the cookie law to ensure your website is complying with it.

The cookie law is a new piece of EU privacy legislation that requires websites to provide clear and comprehensive information about the cookies being stored, and to obtain consent from visitors before storing or retrieving any information about the user.

In the UK, this becomes law on 26th May 2012 and sites that do not comply could be fined up to £500,000.

Before we talk about which cookies are good or bad, let's quickly recap the different types of cookies. Cookies can either be permanent or session based, and they can either be first party or third party.

  • Permanent Cookies are cookies which outlast the user's session. So if a user closes their browser or turns off their computer, they will still be remembered when they return to the site.
  • Session Based Cookies only last until the user closes the browser window.
  • First Party Cookies are cookies which are hosted on the same domain as the website the user is visiting.
  • Third Party Cookies are not hosted on the domain the user is currently visiting, but are actually hosted on another domain.

Although it is dependent on the functionality the cookie is providing, as a general rule permanent third party cookies are the most intrusive types of cookie, whilst session based first party cookies are considered the least intrusive.

Intrusiveness of Cookies

In the browser, there is currently no way to filter out a type of cookie - you can only block all cookies from a particular site.

If you are unsure what types of cookies are present on your website, sites such as CookieCert can help with this process and quickly give you an understanding of the problem. CookieCert analyses your site to evaluate how many first party, third party, permanent and session based cookies are being used. It also provides a tally of HTML5 and Flash 'cookies' (such as local storage) which could also be considered harmful to users' privacy. Please be aware that CookieCert may not be able to capture cookies at all stages of the user's journey (such as when the user is logged in).

Cookie Cert for AndiSmith.com

Browser Developer Tools can also help with a cookie audit. In Chrome and Safari, click the "Resources" tab to see a list of cookies used on the current site organised by domain. In Opera, the "Storage" tab provides this information.

What Types of Cookies Are Affected?

So how do you comply with the cookie law in the UK?

ICO Guidelines

The ICO (Information Commissioner's Office) say that all cookies that do not facilitate the transmission of communication, or are not strictly necessary for a service requested by a user need to be consented to or removed.

Strictly Necessary Cookies

Strictly necessary means that storage of or access to information should be essential to the user journey. The ICO would class the following types of content as "strictly necessary":

  • Transaction specific (such as shopping baskets)
  • Security (such as online banking)

Transmission of Communication Cookies

Cookies for the transmission of communication would include:

  • Stop multiple form submissions
  • Load balancing

Other Cookies

All other cookies would require consent from the user. These cookies would include:

  • Embedded third-party content and social media plugins
  • Advertising campaign optimisation
  • Web analytics / metrics
  • Personalised content / interface (such as remember me)

GDS Guidelines

In a strange twist, the GDS (Government Digital Service) have recently posted a document which slightly differs in opinion from the ICO's own guidelines. They believe the new law is not specifically about cookies, but about privacy; and that website owners should focus their efforts on the most intrusive types of cookies.

Moderately Intrusive Cookies

The GDS class the following types of content as moderately intrusive (and therefore requiring attention):

  • Embedded third-party content and social media plugins
  • Advertising campaign optimisation

Minimally Intrusive Cookies

The following would be minimally intrusive:

  • Web analytics / metrics
  • Personalised content / interface (such as remember me)

Exempt Cookies

The following would be exempt from changes to privacy regulations:

  • Stop multiple form submissions
  • Load balancing
  • Transaction specific (such as shopping baskets)
  • Security (such as online banking)

How Does This Affect Analytics?

The ICO guidelines document (PDF) states on page 25 that:

Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals, if an organisation can demonstrate they have done everything they can clearly to inform users about the cookies in question and to provide them clear details of how to make choices. Whilst he does not consider they are exempt from the rules the Commissioner is therefore unlikely to prioritise, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services, in any consideration of regulatory action.

So assuming your analytics are first party (that is, they set a cookie on your domain and not a different domain), this should apply.

So, What is Affected?

Based on this information, it is reasonable to assume that sites with embedded third-party content and social media plugins and/or advertising campaign optimisation are going to be the most affected by this law. However, even the least intrusive types of cookies require some effort to achieve compliance.

7 Steps To Comply

There are a large number of points that need to be considered with the new law and each website needs to be considered on a case by case basis.

The below steps are numbered in order of implementation difficulty and impact but are by no means a comprehensive guide on how to comply.

Step 1. Audit Your Cookies

The first, and easiest, step is to carry out an audit of your website: create a document listing each cookie used on your website together with information about it. Your audit could include the following fields:

  • Cookie Name - The name used in implementation (e.g. UID)
  • Cookie Friendly Name (e.g. Username)
  • Description - The description should provide as much detail about the purpose of the cookie as possible.
  • Potential Intrusiveness to User - Using a guide such as the one provided by the GDS (shown above), each cookie should be rated for its intrusiveness.
  • Expiry - The number of days it takes for the cookie to expire.

Step 2. Update Your Privacy Policy

Make sure that your privacy policy has a clear section on cookies and how your site uses them. If you want to be 100% transparent, you could include the findings of your cookie audit on these pages, as Dominos and the UK Government do.

Dominos' Cookie Audit

Step 3. Link to Your Cookie Information

Ensure that you have included a clear link to cookie information on every page. For example, if you currently have links to "privacy policy" and "terms and conditions" in your footer, you could add a third link directing users to "cookie information". If the information about cookies lives on the same page as your privacy policy, use a hash link (URL fragment) to jump the user straight to that section. Amazon UK and Gov UK have good examples of this.

Step 4. Remove Unnecessary Cookies

Now you've completed your cookie audit, if there are any unnecessary cookies remove them. Try to keep your cookie list to as few as possible.

Step 5. Examine Expiry Dates

For each cookie in your cookie audit, examine the cookie expiry dates and check that they are reasonable. For example, a cookie which remembers a user for two weeks would be considered reasonable, whilst a cookie that remembers the user for 20 years would not. There should be no reason to have a cookie that lives that long, so shorten its lifespan.
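Covering both the audit fields from Step 1 and the expiry check in this step, here is an added example (not code from the original article) that turns captured Set-Cookie headers into audit rows: name, first or third party, session or permanent, expiry in days, an intrusiveness rating based on the rule of thumb given earlier, and a flag for long lifetimes. The sample headers, the `www.example.com` site, and the 365-day review threshold are constructed assumptions.

```javascript
// Added example, not code from the original article: turn captured Set-Cookie
// headers into the audit fields listed above and flag lifetimes worth a second
// look. The headers below are constructed for illustration, not from a real site.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
const REVIEW_AFTER_DAYS = 365; // assumed threshold; the article gives no fixed number
// Minimal Set-Cookie parser: name/value plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}
// The article's rule of thumb: permanent third party is the most intrusive,
// session first party the least; the two mixed cases are rated "medium" here.
function rateIntrusiveness(party, lifetime) {
  if (party === 'third' && lifetime === 'permanent') return 'high';
  if (party === 'first' && lifetime === 'session') return 'low';
  return 'medium';
}
// One audit row. siteHost is the site being audited, respondingHost the host that
// sent the header. The first-party test is a plain suffix match, not a PSL lookup.
function auditCookie(header, siteHost, respondingHost, now = new Date()) {
  const c = parseSetCookie(header);
  const domain = (c.attrs.domain || respondingHost).replace(/^\./, '').toLowerCase();
  const firstParty = domain === siteHost || siteHost.endsWith('.' + domain) || domain.endsWith('.' + siteHost);
  let days = null; // stays null without Expires/Max-Age, i.e. a session cookie
  if (c.attrs['max-age'] !== undefined) days = Number(c.attrs['max-age']) / 86400;
  else if (c.attrs.expires) days = (Date.parse(c.attrs.expires) - now.getTime()) / MS_PER_DAY;
  const party = firstParty ? 'first' : 'third';
  const lifetime = days === null ? 'session' : 'permanent';
  return { name: c.name, party, lifetime, expiryDays: days === null ? null : Math.round(days),
    intrusiveness: rateIntrusiveness(party, lifetime), reviewExpiry: days !== null && days > REVIEW_AFTER_DAYS };
}
// Constructed capture of one page load: [Set-Cookie header, responding host].
const SAMPLE_CAPTURE = [
  ['sessionid=abc123; Path=/; Secure; HttpOnly', 'www.example.com'],
  ['rememberme=tok456; Domain=.example.com; Max-Age=1209600; Path=/', 'www.example.com'],
  ['_trk=xyz789; Domain=.ads.example.net; Expires=Wed, 26 May 2032 00:00:00 GMT', 'ads.example.net'],
];
// Audit date fixed at the UK enforcement date so the expiry arithmetic is repeatable.
function runAudit(siteHost = 'www.example.com', now = new Date('2012-05-26T00:00:00Z')) {
  return SAMPLE_CAPTURE.map(([header, host]) => auditCookie(header, siteHost, host, now));
}
console.table(runAudit());
```

In a real audit you would feed in the Set-Cookie headers recorded by the browser's developer tools or a proxy for every step of the user journey, including logged-in pages.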

Step 6. Ask for Consent at Natural Points in the User Journey

There are points in the user journey where it is possible to ask for consent to use cookies. For example, when a user logs in and ticks the "remember me" checkbox, adding a line of text explaining that checking this box also means they agree to being remembered won't disrupt your user journey, but it will bring additional compliance.

Step 7. Alert the User About Cookies

If you do still require use of the most intrusive types of cookies, then your best bet is to provide an alert to the user about cookies. The ICO use one of these on their own site but it is visually displeasing.

Reading further into the cookie law, page 16 of the ICO guidelines (PDF) states that:

Many websites routinely and regularly use pop ups or ‘splash pages’ to make users aware of changes to the site or to ask for user feedback. Similar techniques could, if designed well enough, be a useful way of highlighting the use of cookies and obtaining consent. Using this technique you could ensure you are compliant by not switching on any cookies unless the person clicks I agree. Some users might not click on either of the options available and go straight through to another part of the site. If they do, you might decide that you could set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site.

In other words, as long as you provide a clear message to the user about cookies and give them a chance to decline, by using your site you can infer consent. This is the approach Qubit have taken.

BT's impressive settings page

But by far the best implementation I've seen of a cookie prompt is BT.com who prompt the user with a pop-up in the bottom right hand corner. Pressing the "Settings" button then allows the user to configure what cookies will be used.
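As an added example of the approach the ICO passage describes (not the article's code, nor that of Qubit or BT), the gate below lets strictly necessary cookies through, holds every other cookie back until the visitor agrees, and can optionally infer consent when a visitor who has seen the notice carries on browsing. The `cookie_consent` and `cookie_notice_seen` names and the Map-backed stand-in for `document.cookie` are assumptions so the logic runs offline.

```javascript
// Added example, not the article's or any vendor's code: consent-gated cookie
// setting. Essential cookies always set; others wait for an explicit "I agree" or,
// if enabled, for the visitor to browse on after seeing the notice (ICO p.16).
const CONSENT_COOKIE = 'cookie_consent';    // assumed name; 'accepted' or 'declined'
const NOTICE_COOKIE = 'cookie_notice_seen'; // assumed name; set once the banner is shown
function makeJar() { // constructed stand-in for document.cookie
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name).value : null),
    set: (name, value, days) => { store.set(name, { value, days }); },
    names: () => [...store.keys()],
  };
}
class ConsentGate {
  constructor(jar, { inferOnClickThrough = false } = {}) {
    this.jar = jar; this.infer = inferOnClickThrough;
    this.pending = []; // non-essential cookies held back until consent
  }
  status() { return this.jar.get(CONSENT_COOKIE); } // 'accepted' | 'declined' | null
  // Strictly necessary cookies are always set; anything else waits for consent.
  setCookie(name, value, days, category = 'other') {
    if (category === 'essential' || this.status() === 'accepted') {
      this.jar.set(name, value, days);
      return true;
    }
    if (this.status() !== 'declined') this.pending.push([name, value, days]);
    return false;
  }
  showNotice() { this.jar.set(NOTICE_COOKIE, '1', 365); }
  accept() {
    this.jar.set(CONSENT_COOKIE, 'accepted', 365);
    for (const c of this.pending) this.jar.set(...c); // release what was held back
    this.pending = [];
  }
  decline() { this.jar.set(CONSENT_COOKIE, 'declined', 365); this.pending = []; }
  // Next page view: notice was shown, no explicit choice made, visitor kept browsing.
  onNavigate() {
    if (this.infer && this.status() === null && this.jar.get(NOTICE_COOKIE)) this.accept();
  }
}
// Click-through scenario: the analytics cookie is held on the first page and only
// set after the visitor browses on past the notice.
function demoClickThrough() {
  const jar = makeJar();
  const gate = new ConsentGate(jar, { inferOnClickThrough: true });
  gate.setCookie('sessionid', 'abc', 0, 'essential');
  const setOnFirstPage = gate.setCookie('analytics_id', 'x1', 730, 'analytics');
  gate.showNotice(); gate.onNavigate();
  return { setOnFirstPage, status: gate.status(), names: jar.names() };
}
```

Whether to infer consent from click-through at all is the policy decision the ICO leaves to the site owner; with `inferOnClickThrough` left false, only an explicit `accept()` releases the held-back cookies.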

Conclusion

As I stated at the beginning of the article, if you need to know more about cookies and the law then it really is best to do individual research and involve your company's legal team.

The most important point to take from this article is that it is vital that you take action on your corporate sites to avoid being penalised, and I hope the information listed above can help guide you with that.

The two documents I have referred to in this article are available at:

Additional resources include: