It seems as though the dust is finally settling on the long-running EU Cookie Law saga. Certainly it’s a story with enough twists and turns over the last few months to prompt a number of blogs from me on the subject…
- Cookies & Your Website – 17th Jan
- Cookie Audit – 16th Mar
- EU Cookie Law: Another Twist – 29th Mar
- EU Cookie Law: Implied Consent – 28th May
I’m beginning to look like the guy on the right!
From a starting position of dire consequences for those websites that were not completely and fully compliant, the ICO have been slowly but surely retreating back to a much fairer and more equitable position. The result is that today it’s relatively easy for website owners to make changes to their website that will give visitors all the information and choice that the act intends them to have. How? Read on and find out.
EU Cookie Law: A Laudable Goal?
Before I describe one way to achieve compliance for your web site, I would like to say that I am all for the sentiment behind the new legislation, even if the implementation has not been carried out very well. Someone browsing a website should be able to find out what tracking cookies are being used there so that they can make an informed decision as to whether or not to allow them.
Of course the vast majority of cookies on websites are used for valid and non-threatening reasons, such as:
- retaining login information during a browsing session
- maintaining a shopping cart during a browsing session
- allowing for automatic login across sessions (‘remember me’ function)
- effective website analytics (usually just placing a unique identifier in a cookie)
- and so on…
Some of these, which are essential to a website’s functionality, have always been recognised the legislation. Others, such as analytics cookies, have been in a grey area that has only recently been clarified.
Of course, there have been cookies that, to a lesser or greater extent, have crossed a line that many users would consider too intrusive. For instance, Facebook have been able to track your browsing activities if you visit a website that has one of the almost ubiquitous ‘like’ buttons. As far as I know that’s still the case.
A very interesting place to find out some more about the companies utilising cookies for advertising purposes is the Guardian’s ‘Tracking the Trackers’ page.
What does Compliance Look Like?
Now the dust has settled, it seems as though the ICO are unlikely to take a website to task if they find the following:
- If any cookies deemed non-essential (i.e. for most sites that means they have other than shopping cart or login cookies) then the user is presented with a notice informing them of this
- Ideally, a list of cookies used by the site
You do not have to implement a means of allowing visitors to use your site without cookies (although if this can be done easily then it might be a good option depending on your circumstances). However, you may take a view that certain cookies, particularly 3rd party cookies, are likely to cause some visitors to steer clear of your site, and so make a decision to remove the feature that has introduced the cookies in the first place (e.g. embedded adverts are a frequent cause of these cookies being set).
How to Achieve Compliance
If you’ve decided that, instead of using someone else to help you achieve compliance (hint, hint) then there are a few steps you can take to do it yourself:
- Perform an audit
You can do this in a very manual using your browser. Firstly, clear all the existing cookies, then visit every page on your website, and carry out every possible task. Then go back and look at all the cookies that have been set. There’s more information on this process here.
Alternatively, you could install the ‘Ghostery‘ browser plugin/extension. This pops up a little window every time you visit a site with a list of the cookies that have been set.
This is definitely an area where you should seek professional advice. If you have used a legal expert to draw this up in the first place, then you need to go back to them for a revision. However, there are web-based providers of generic policies too, which should be fine if your website is relatively standard in functionality.
You policy is also where you should consider putting a list of cookies (gleaned from the audit in step 1), or a link to such a list.
- Add a pop-up notification about cookies
As you might expect, a number of providers have sprung up recently offering different solutions in this area. If, like many, your website is WordPress-based then you are spoilt for choice. A couple of nice solutions you might want to consider are:
Of course, you should review your site’s cookies on a regular basis. Whilst you may not make any significant changes, it’s possible that a 3rd party may change the cookies that are placed in visitor’s browsers.
Remember, the EU Cookie Law is intended to make life safer for those visiting websites, but it doesn’t have to mean that you compromise your business.