In this post we provide ideas for UK website owners on how to deal with their obligations under the new EU e-Privacy Directive.
EU Cookie Law Obligations
Since the situation is a little confused, we’ve been trying to work out the best advice we can give to clients on how to deal with this new legal requirement. Here is the extent of our thinking so far.
This is our current understanding. We’re not lawyers but this is how it seems to us. We offer the suggestions below as just that: suggestions. Use them at your own risk. If they are wrong, and you’d like to help us correct them, please join in the debate by clicking “Leave a comment” below.
Whilst the rules came into force in the UK on 26 May, 2012, there’s no need to panic; the Information Commissioner’s Office (ICO) says so. At the time of writing, they’re working with organisations the size of Amazon and the banks to get them to toe the line first. It’ll take a while. First Direct had complied when we checked a few days ago; Santander had not.
Cookie Law Requirements
- declare to each new visitor that you use cookies;
- explain what they are;
- describe how you use them;
- obtain consent before storing cookies on a user’s computer or mobile device.
For UK-based companies it’s slightly less onerous, because our Information Commissioner has adopted the principle of implied consent. In other words, you do not have to stop users browsing your website until they specifically consent. You can make it all clear and then assume consent if the user takes no further action.
The Big Problem With the e-Privacy Directive
Can you imagine what would happen when somebody arrives at your website? They’ll see a big panel saying, “Do you consent to us using cookies? Yes or No.”
Given that a percentage of the population haven’t a clue what a cookie is, and even more don’t understand the implications, many people will bail out at that stage. This would lose potential customers and increase your bounce rate, which lowers your page rank.
Companies that have already tried the dead stop approach have experienced serious loss of traffic.
What You Need to Do
- help the user understand what cookies are;
- tell users what you do with them;
- explain how to opt out, or stop them being used.
Having done all that, and having provided the opportunity to opt out by changing browser settings, you can assume consent and let the website work as normal. You can even deposit a cookie so you can make it less obvious next time.
Cookies are also used in security scripts to recognise a visitor when he or she logs in, and to display only that visitor’s private information. In this case, you may be able to identify an individual and you may be holding some personal data about them.
Cookie Law Solution Examples
Each company should, for each of its websites:
- Decide on a strategy for complying with the law;
- Implement the strategy;
- Monitor compliance regularly.
Here are just a few examples. If you follow the links to the example sites, and you don’t see their cookie banners, you probably visited them before and they left you a cookie.
This is the BBC’s solution – a banner across the top of your browser window. It offers hyperlinks to:
- “Continue” – assume consent;
- “Find out more” – go and read a full explanation;
- “Change your cookie settings” – where you can opt out of the four different cookie types.
If you ignore the banner and browse to another page, you won’t see it again, even when you start a new session, because it dropped a cookie.
BBC Cookie Law Example
The Information Commissioner’s Office implements the EU version of the Directive. It insists that you check a box and click a button before you can use the site.
Information Commissioner's Office Cookie Example
This one floats on top of your landing page. It’s a free control you can download and use, from Edinburgh digital marketing agency, Civic.
Please also click here for our own approach to cookies. It explains the different categories of cookie.
More Cookie Law to Follow
The UK is, we’re told, ahead of the game in implementing the EU e-Privacy Directive. Our “assumption rule” for first party cookies isn’t approved by the EU. It remains to be seen what stance the EU will take, what other countries do, and what you need to do for European visitors.
We are also aware that the ICO is talking to browser developers with a view to getting them to change the way they handle cookie settings.
And, as the population at large get to understand cookies better, the requirement for every website to explain so much about them will reduce, too.
It’s all a bit of a mess, really, and there’ll be more work to do in the future – bank on it!