You might remember that in May last year some new EU rules came into force. Dubbed the ‘EU cookie law’, the legislation says websites have to get permission from users before storing pieces of information called cookies on their computers.

What are cookies?

Cookies are small text files which websites place on visitors’ computers. They’re typically used to identify that particular visitor and provide them with a better experience. Cookies are a crucial part of many website functions which we take for granted.

For instance, it’s usually cookies which allow online shops to remember what items you have in your shopping trolley. They’re also used to keep you logged in to a website, or to provide valuable usage statistics and information to website owners.

If you run a website, it almost certainly uses cookies. Their most likely function is to monitor visitor numbers and behaviours through tools like Google Analytics. They may also be used to display relevant adverts to visitors, or – if you sell online – to power key parts of your online shopping system.

What the cookie law says

Although the cookie law came in last year, the Information Commissioner’s Office (ICO) decided to give websites a year to implement the rules. The deadline is 26 May 2012 – after that date, websites which don’t comply with the law could be fined up to £500,000.

The implications of the new cookie law could be far-reaching, yet there’s still a lot of confusion about how the rules should be interpreted and what websites need to do to comply. As a result, many websites are taking a ‘wait and see’ approach.

In short, the new rules require websites to get permission from visitors before placing any cookies on their computer. Permission must be informed and overt, which means you have to ask visitors outright if you can put cookies on their computer, and explain clearly what the cookies are used for.

You can’t bury the information in your website’s terms and conditions and leave it at that.

The only exceptions to this are cookies deemed essential to providing functions visitors have asked for. But you can’t rely on this to cover many of your cookies.

The ICO guidance on the new law (PDF link) says that “this exemption is a narrow one”. It’s certainly not likely to cover cookies for analytics purposes, which is one of the most common uses of cookies – particularly for smaller websites.

Implementing the cookie law

Even with the May deadline fast approaching, hardly any websites have done anything obvious to comply with the cookie law.

The few which have begun seeking permission tend to use messages displayed at the top of the screen or overlaid on the website’s pages.

As you’d expect, the ICO website has an opt-in message at the top of every page. And BT has begun displaying a message to explain a bit more about its cookies, although it’s debatable whether this is a proper opt-in.

But by and large, most websites are keeping their cards close to their chest. That’s understandable, when you look at the commercial implications: when the ICO added an opt-in message to its website, measured visitors dropped by about 90%.

That didn’t mean the site was receiving fewer visitors – it just meant people weren’t opting in to cookies, so the ICO couldn’t track what those people were doing.

For sites which rely on accurate visitor data to make money, the implications are significant. Adding an opt-in could leave them at a disadvantage to competitors, which is why there’s a real reluctance on the part of website owners to be the first to move.

The bare minimum

It’s looking very unlikely that many websites will have implemented a cookie opt-in by 26 May. But that doesn’t mean they won’t be doing anything at all. In fact, the ICO – which is responsible for enforcing the rules – has suggested that the most important thing is to take steps in the right direction. If you can show you’re moving towards full compliance then you’re unlikely to be targeted.

As a bare minimum, it’s important to have an understanding of what cookies your website uses and plan how you might implement an opt-in.

It’s useful to know exactly what cookies your website uses anyway, and you can do this relatively easily using tools like Bitstorm View Cookies or Attacat Cookie Audit. These will show you what cookies your website creates as you move through the pages.

The harder bit is working out how you would create an opt-in function on your site. As we’ve seen, most websites display a message to users – but the tricky bit is creating the back-end logic to ensure cookies are only set once people have given their permission.

If you’re not adept with computer code, you might need some help from a web developer to accomplish this. There are some ‘plug and play’ tools available, like Optanon and this tool from Wolf Software (designed for sites using Google Analytics), which could make things easier.
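
A sketch of the back-end logic described above, added here as an example and not taken from any of the tools mentioned: the server sends a Set-Cookie header for a non-essential cookie only if the visitor's request already carries an opt-in for that category. The consent cookie name `cookie_consent`, the function names and the category labels are all assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not from a real library.
const CONSENT_COOKIE = 'cookie_consent'; // assumed name; value like "analytics,ads"

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // skip empty or malformed pairs
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    jar.set(name, value);
  }
  return jar;
}

// Categories the visitor opted in to. The cookie is visitor-controlled,
// so anything that is not a category the site actually uses is dropped.
function consentedCategories(cookieHeader, known) {
  const raw = parseCookieHeader(cookieHeader).get(CONSENT_COOKIE) || '';
  return new Set(raw.split(',').map(s => s.trim()).filter(c => known.has(c)));
}

// Split the cookies the site wants to set into those that may be sent now
// and those withheld until the visitor opts in to their category.
function allowedSetCookies(cookieHeader, wanted) {
  const known = new Set(wanted.map(c => c.category));
  const granted = consentedCategories(cookieHeader, known);
  const allowed = [];
  const withheld = [];
  for (const c of wanted) {
    if (c.category === 'essential' || granted.has(c.category)) {
      allowed.push(`${c.name}=${encodeURIComponent(c.value)}; Path=/; SameSite=Lax`);
    } else {
      withheld.push(c.name);
    }
  }
  return { allowed, withheld };
}

// Constructed sample from a cookie audit: category labels are assumptions.
const WANTED = [
  { name: 'basket', value: 'sku42', category: 'essential' },
  { name: 'visitor_id', value: 'abc123', category: 'analytics' },
];

console.log(allowedSetCookies('', WANTED));
console.log(allowedSetCookies('cookie_consent=analytics', WANTED));
```

The same gate has to apply to third-party scripts that set their own cookies: the page should only include an analytics snippet when its category appears in the granted set.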

Don’t do nothing

Although there is still a fair amount of uncertainty around the new law, doing nothing is not a good option. In the long term, people’s attitudes and understanding of cookies may change – and web browsers may include settings to help provide a consistent opt-in.

But for now the onus of complying with the law falls very much on individual website operators. And while the chance of being prosecuted may be small (at least to begin with), doing nothing at all is a dangerous move. To start with, review guidance from the ICO (PDF link) and try and establish what cookies your website currently uses.

14 Responses

  • sara sylvester

    This is terrifying!
    I only keep a website to show my arts and crafts and (with a vague hope that someday, someone will buy something – it hasn’t happened yet)!
    If it comes down to legislation and modifying what I can do with my website, then I won’t be renewing!

    Too much hassle and worry for a person who doesn’t sit at the computer all day long.

    April 19, 2012 at 5:07 pm
  • Steve Wright

    Ok, so I’m continually reading different things about this.

    Your post here appears to be saying that analytical cookies won’t be a problem (our company use one that lets us know entrance and exit, IP address and company if it can be associated, keyword used to find the website, country etc. etc.), but I’m reading others that say otherwise.

    I would read the PDF they provide but I simply don’t have the time nor the patience as, as usual, they don’t lay things out in a straightforward enough way. This is going to affect a lot of websites and cost companies a lot to make these changes so some more clarity on the official body’s part would be very useful. Even if it’s just a breakdown.

    April 19, 2012 at 5:13 pm
  • Josh

    Surely the better option would be to require browsers to offer more control over accepting cookies; after all, it’s the browser allowing cookies to be stored.

    I think each site having to have their own opt-ins would confuse people.

    April 19, 2012 at 6:01 pm
  • Will

    I don’t think the legislators have truly thought through just how much this law is going to disrupt internet browsing. Almost every website these days uses cookies, even if just for Analytics. This means that for every UK website that people visit, they’ll be asked if they’re prepared to have a cookie stored on their PC. Absolute madness.

    Given all the hysterical misleading stories in the press about Google and privacy, a majority of people will be inclined to click no. This is going to have a huge impact on UK businesses and prove to be a real pain for website users generally.

    I will be amazed if very many site owners bother to comply, and even more amazed if website users themselves are prepared to put up with the popups/alerts for very long.

    April 19, 2012 at 7:58 pm
  • Anita

    Thanks so much for the very good post.

    I wish that there was something clear, that covered all that was needed for your website, that you could just add to your site, with the least amount of stress, and doesn’t cost too much. There are so many discussions on what you must do, everyone has an opinion.

    I want to make sure that I abide by the law, and not knowing for sure what to do, is one extra thing to be concerned about, for small businesses.

    April 19, 2012 at 10:45 pm
  • john archie clare

    The EU continues to disgust me with their badly thought out and in most cases ridiculous rules and laws that most of us don’t want, don’t need and often don’t understand. First bananas, now cookies: they only need to tread on our grapes of wrath and they’ll have another war on their hands. I really believe we should get out of the Euro disaster zone before we lose out altogether.

    April 19, 2012 at 11:23 pm
  • John

    Thanks for the comments everyone.

    @Steve Wright: sorry if I wasn’t clear on the Google Analytics point. Just to clarify, most of the guidance I’ve read and all the people I’ve spoken to have said that analytics cookies are not covered by the ‘essential cookies’ exception.

    That means that you would have to get permission from a visitor before storing analytics cookies on their computer.

    April 20, 2012 at 9:35 am
  • JohnB

    The ICC is the best guidelines of the cookie laws I’ve seen personally – it actually relates to the real world!

    April 20, 2012 at 11:17 am
  • Andrew

    The EU is full of bureaucratic nonsense, this is just another example. The EU and the Euro is one big failure, which is run by idiots who do not have a clue.

    April 20, 2012 at 1:36 pm
  • Mark

    Listen, we all know that many websites abuse the fact that “cookies” can be used to target “hits” on websites or pop-up online media we are NOT interested in and the reason for this is to attract potential sales or to obtain page impressions or click-throughs. The new law is in place to protect the end user and why not? At the end of the day to actually have a cookie notification notice appear on your site clearly defines to your visitor that you are in fact legitimate and that you are providing a website that protects and honors their privacy. It is not a hard thing to do and can in fact be implemented into a website relatively easily. We need to appreciate that the internet is a minefield of “negatives” and people will always abuse any systems when money is involved. Offering a potential visitor a choice is something we all at some point complain we don’t have, now we do. This is a positive move forward and just as simple to use as closing a marketing pop-up that many of us experience every day.

    Embrace this and turn it into a positive rather than jump to conclusions, this is to protect all of us not persecute website owners. There are many webmasters capable of implementing the correct tool to protect your site and the users for a few pounds.

    It’s long overdue in my opinion.

    April 20, 2012 at 6:23 pm
  • Andy

    One thing which I am struggling to find an answer to is whether the EU Law is a blanket law. As in if you host and run a website from the UK then all visitors no matter what country they come from will have to be presented with the option to opt-in to cookies before setting any. Or whether for those visitors which come from outside the EU you don’t need to bother and can employ cookies without asking first. If the latter is true then it won’t be complete chaos but if you have to show the cookie opt-in to all visitors no matter where they are from then it is going to wreck things for many.

    April 20, 2012 at 10:17 pm
  • Sam Spruce

    Unfortunately this is simply the inside-out people screwing things up. What do I mean? To put it simply they can’t be bothered to understand reality and design things that work the way they want so they try to force the world (and other people) to behave the way they want. It doesn’t work and it is the wrong side of the humanitarian moral divide! Put another way – control freaks dictating to other people or simply bullies.

    April 21, 2012 at 11:26 am